Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-yang-16: (with DISCUSS and COMMENT)

[PFFC JHAAS <jhaas@pfrc.org>]

Benjamin,

Your proposal would be fine. It basically says be mindful of the relationship. 

Jeff

> On Jul 30, 2018, at 10:41, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Hi Reshad,
> 
>> On Thu, Jul 26, 2018 at 12:16:05AM +0000, Reshad Rahman (rrahman) wrote:
>> Hi Benjamin and Jeff,
>> 
>> Following our discussion in Montreal, would the following, or something along these lines, be OK with you in the Security Considerations section.
>> 
>>   When BFD clients are used to modify BFD configuration (as described
>>   in Section 2.1), any authentication and authorization for the BFD
>>   configuration changes have to take place in the BFD clients.  For
>>   example, if the BFD client is an IGP then the IGP SHOULD be
>>   authenticated. Also, consideration should be given to the access control of
>>   the BFD clients.
> 
> I can't speak for Jeff, but I think this is edging closer to the bits he
> doesn't like.  (It seems to capture the topics I had in mind just fine,
> though.)
> 
>> From our discussion in Montreal, it seemed like we might end up at
> something more like:
> 
> When BFD clients are used to modify BFD configuration (as described
> in Section 2.1), the BFD clients need to be included in an analysis of
> the security properties of the BFD-using system (e.g., when considering the
> authentication and authorization of control actions).  In many cases, BFD
> is not the most vulnerable portion of such a composite system, since BFD is
> limited to generating well-defined traffic at a fixed rate on a given path;
> in the case of an IGP as BFD client, attacking the IGP could cause more
> broad-scale disruption than (de)configuring a BFD session could cause.
> 
> -Benjamin
> 
> 
>> On 2018-07-15, 9:05 AM, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
>> 
>>>    On Wed, Jul 11, 2018 at 11:32:18AM -0400, Jeffrey Haas wrote:
>>> Benjamin,
>>> 
>>>> On Wed, Jul 11, 2018 at 10:02:41AM -0500, Benjamin Kaduk wrote:
>>>> "may be overkill in some circumstances" sounds exactly like an RFC 2119
>>>> SHOULD, does it not?
>>> 
>>> Putting it slightly a different way, I am always wary of trying to embed too
>>> much operational and security wisdom in documents for the following reasons:
>>> - What's wise in one set of circumstances may not be in another.  By being
>>>  proscriptive, you may lead to implementations that lack necessary
>>>  flexibility.
>> 
>>    In my opinion, including guidance with the supporting motivation suffices
>>    to leave flexibility for unanticipated future cases with differing needs.
>> 
>>> - You're imposing a level of fate binding between mechanisms that may
>>>  contravene desired behaviors from some operators that have split
>>>  operational roles.
>> 
>>    If the stated motivation does not apply to operators with such split roles,
>>    do we not think they are smart enough to see that the prerequisite is not
>>    met and ignore the advice?
>> 
>>> [...]
>>>> To frame the same idea in a different fashion, we have this nice security
>>>> considerations boilerplate for YANG modules, talking about how the usual
>>>> access methods are NETCONF/RESTCONF, with MTI secure transport of ssh/TLS.
>>>> The scheme being described here is effectively providing a new access
>>>> mechanism (IGP) for a subset of the YANG module,
>>> 
>>> This is perhaps my personal disconnect.
>>> 
>>> Much of the point of providing a common configuration grouping for BFD for
>>> client protocols was to encapsulate, "I'm a client of BFD, here's my
>>> parameters".  An implementation is free to use the "please use bfd with
>>> these parameters for my protocol" or perhaps ignore them.  But in
>>> circumstances that an operator may wish to limit access to protocol BFD
>>> behavior, it has the existing ability in NACM to enforce its policy on those
>>> BFD nodes within the protocol tree.
>>> 
>>> What I feel you're saying is we need to call special attention to these
>>> instantiations that may be imported by some module.  
>>> 
>>> What I'm confused about is why such an import is any more special than any
>>> other import from another module.
>> 
>>    I've been trying to wrap my head around your explanation for the past few
>>    days, and I'm not sure I'm succeeding at it.  The only reason I'm raising
>>    this point with this document is because there is text in the document like
>>    "[f]or example, when a new IGP peer is discovered, the IGP would create a
>>    BFD session to the newly discovered peer and similarly when an IGP peer
>>    goes away, the IGP would remove the BFD session to that peer."  Imagine if
>>    I was writing a document about a device that controls a physical door, and
>>    the usual way to operate the device is to manually enter a PIN while
>>    physically in front of the door.  If I also said "some people expose this
>>    door-unlocking device to the internet and accept unlock requests over
>>    HTTP", that would be incredibly unresponsible of me unless I added some
>>    extra qualifier.  Perhaps it would be "and these people are crazy", or
>>    perhaps "but HTTP itself is insecure, so in such situations TLS ought to be
>>    used with mutual authentication, authorization checks for the party
>>    requesting unlocking, and the best practices from RFC 7525".
>> 
>>    So, in my head, I see this document as using a not-quite-throwaway example
>>    to make a point about the limitations of the main focus of the document,
>>    and should properly qualify the different security properties of that
>>    example.  Your description above still reads to me as if it's focusing on
>>    YANG modules not specified in this document but that also use the same BFD
>>    grouping.  In such a case, when the NACM applies, isn't that still going
>>    through normal management paths for that respective YANG module?  I'm still
>>    trapped in a rut thinking about "received IGP packet from the network that
>>    instantiates a new IGP session; as a side effect instantiate a BFD session
>>    as well", where the incoming IGP packet is just the IGP implementation and
>>    not a "management function" per se.
>> 
>>    -Benjamin
>> 
>>