Re: [NGO] access control
Andy Bierman <ietf@andybierman.com> Tue, 18 March 2008 20:39 UTC
Return-Path: <ngo-bounces@ietf.org>
X-Original-To: ietfarch-ngo-archive@core3.amsl.com
Delivered-To: ietfarch-ngo-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB32E3A6A56; Tue, 18 Mar 2008 13:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.894
X-Spam-Level:
X-Spam-Status: No, score=-100.894 tagged_above=-999 required=5 tests=[AWL=-0.457, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A1ex9Y-0KQz0; Tue, 18 Mar 2008 13:39:15 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D22EF3A688D; Tue, 18 Mar 2008 13:39:15 -0700 (PDT)
X-Original-To: ngo@core3.amsl.com
Delivered-To: ngo@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D0C13A688D for <ngo@core3.amsl.com>; Tue, 18 Mar 2008 13:39:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZgEiEe0NyI3 for <ngo@core3.amsl.com>; Tue, 18 Mar 2008 13:39:13 -0700 (PDT)
Received: from smtp118.sbc.mail.sp1.yahoo.com (smtp118.sbc.mail.sp1.yahoo.com [69.147.64.91]) by core3.amsl.com (Postfix) with SMTP id E966D3A67F6 for <ngo@ietf.org>; Tue, 18 Mar 2008 13:39:12 -0700 (PDT)
Received: (qmail 34763 invoked from network); 18 Mar 2008 20:36:56 -0000
Received: from unknown (HELO ?127.0.0.1?) (andybierman@att.net@67.126.242.5 with plain) by smtp118.sbc.mail.sp1.yahoo.com with SMTP; 18 Mar 2008 20:36:54 -0000
X-YMail-OSG: ZkscTJYVM1no12V9yweLCtXkbhysD7P.y_wn66RBYI0wbqCXjOkGVhn.Hdhy06UC6fO4MsxvM7ILaUHLZLHtr9gH
X-Yahoo-Newman-Property: ymail-3
Message-ID: <47E027E5.6080502@andybierman.com>
Date: Tue, 18 Mar 2008 13:36:53 -0700
From: Andy Bierman <ietf@andybierman.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: David B Harrington <dbharrington@comcast.net>
References: <012e01c88919$53aa3330$6c02a8c0@china.huawei.com>
In-Reply-To: <012e01c88919$53aa3330$6c02a8c0@china.huawei.com>
Cc: 'NETCONF Goes On' <ngo@ietf.org>
Subject: Re: [NGO] access control
X-BeenThere: ngo@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NETCONF Goes On - discussions on future work and extensions to NETCONF <ngo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ngo>
List-Post: <mailto:ngo@ietf.org>
List-Help: <mailto:ngo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ngo-bounces@ietf.org
Errors-To: ngo-bounces@ietf.org
David B Harrington wrote: > Hi, > > Mehmet, Andy, and I think access control needs to be discussed > somewhat. Many people in this WG do not have much experience with > access control issues, so let me try to provide a touch of background > why this is important to discuss. > Thanks for clarifying some things. With NETCONF, the actual XML subtree can be a relevant unit of data, depending on the DM design. Using 'entire subtree' as the appropriate granularity, and a well-constrained Xpath expression to specify the start of the sub-tree, the same mechanism can be used to achieve arbitrary granularity. I think there is some consensus in this approach to specifying a configuration data subset. Full Xpath would be very risky, but not a YANG instance-identifier. NETCONF has user-defined actions/methods/procedures built-in. This has to fully considered in the design. It is not enough to protect the routing config knobs, but leave the 'reset-entire-chassis' type of RPC operation unprotected. There may be DML clauses for authorization to protocol operations and configuration data needed beyond 'config true/false', so this topic is relevant now. Perhaps tagging security-sensitive data/operations somehow in the DML would help. One of the many lessons learned from SMING was that vendors would not tolerate a MIB language that changed -- at all. It is way too expensive to support multiple DML variants. A development approach in the IETF that relied on 'adding on' bits and pieces to the MIB language was soundly rejected. I think that logic still holds today. While an an-hoc, piece at-at-a-time approach may work well for protocol extensions, it doesn't work well for the MIB language. Andy > I am going to change terminology a bit. In ISMS we have found that the > SNMP term "access control" conflicts with other definitions of access > control, especially the access to network services provided by AAA > protocols. Really what we need to talk about is authorization, and it > is authorization to have access to something. > > RADEXT and ISMS are developing an authorization solution based on > named policies, and the solution will work for SNMP, CLI, Netconf, and > other management protocols. This work will work with RADIUS and > Diameter and can be extended to other AAA protocols. Effectively, it > will provide a way to dynamically determine which authorization policy > should be applied to a user. This should solve part of the problem for > you. > > What the RADEXT/ISMS solution won't do is discuss how to apply the > policy to your protocol and data models. This WG needs to think about > what types of authorization need to be applied. we need to consider > whether authorization to read/write/create configuration information > will be applied at the level of the data elements, or the document, or > the operation, or the class, or something else. It might be possible > to do it multiple ways, but having one standard approach will improve > security and interoperability. > > We need to understand how authorization approaches might impact the > way our protocol works, and **especially** the way operators have to > "think about" authorization policies. > > In SNMP, using the View-based access control approach, operators need > to think about authorizing read and write access to trees of data > elements. When operators perform a task such as provisioning a > service, all the knobs they need to manipulate are not necesarily in > the same subtree. In addition, an administrator manager might want to > authorize an operator to be able to perform a particular task, but not > other tasks that might happen to touch the same data elements. There > is a mismatch between a task-based "model" and the tree-based data > model in SNMP. This mismatch can make defining authorization policies > NOT very operator-friendly. > > If authorization is based on operations, and all operations are > defined as part of the base protocol, this is fairly easy. If new > operations can be added as part of data models, this becomes more > complex. It becomes especially complex if vendors add new data models > in each release, or data models can be added incrementally in a > master-subagent implementation, or if users somehow can add new data > models the administrators don't even know about such as by adding a > new blade to a chassis. And if we don't standardize how > operation-based authorization is going to be done before we start > publishing models with new operations, then the onus will be on the > operators to figure it out. That is NOT operator-friendly. > > If authorization is based on XML documents, and those XML documents > represent full configuration datastores, then we don't have much > granularity. If we can authorize access to parts of an XML document, > then we have to work out how one defines the parts including those > that might be developed as vendor-specific models. Do operators think > about configuration in terms of parts of XML documents? Some probably > do, depending on how they do configuration management. > > Does anybody think that defining authorization rules defining a long > list of XPath expressions and evaluating how those rules will > intersect and overlap will be human-friendly? > > As we design a human-friendly modeling language, we need to think > about what will make defining authorization rules for Netconf > human-friendly. > > > David Harrington > dbharrington@comcast.net > ietfdbh@comcast.net > dharrington@huawei.com > > > > _______________________________________________ > NGO mailing list > NGO@ietf.org > https://www.ietf.org/mailman/listinfo/ngo > > > _______________________________________________ NGO mailing list NGO@ietf.org https://www.ietf.org/mailman/listinfo/ngo
- [NGO] access control David B Harrington
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Juergen Schoenwaelder
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Bert Wijnen - IETF
- Re: [NGO] access control Juergen Schoenwaelder
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Juergen Schoenwaelder