Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03

Tom Yu <tlyu@mit.edu> Wed, 23 March 2016 19:39 UTC

From: Tom Yu <tlyu@mit.edu>
To: Andy Bierman <andy@yumaworks.com>
Date: Wed, 23 Mar 2016 15:39:33 -0400
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org

Andy Bierman <andy@yumaworks.com> writes:

> The YANG library provides the revision date of the deviations module,
> which is not included in the NETCONF <hello>.
>
> It also lists the submodules and their revisions, which is
> not contained in the NETCONF <hello>.
>
> The NETCONF <hello> message is not specified well enough to
> make any other generalizations about the differences.

I think it would be good to explicitly mention that the YANG library
provides a superset of the module and version information that might be
available by other means, e.g.,

OLD

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

NEW

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments and
   authorization configurations.  Although some of this information may
   be available to all users via the NETCONF <hello> message (or similar
   messages in other management protocols), this YANG module potentially
   exposes additional details that could be of some assistance to an
   attacker.  It is thus important to control read access (e.g., via
   get, get-config, or notification) to these data nodes.  These are the
   subtrees and data nodes and their sensitivity/vulnerability:

I think if NETCONF access is restricted to a small number of trusted
users (even for read-only access), the incremental risk posed by
revealing more details about the modules is small.  I imagine that there
are use cases for providing (restricted) read-only NETCONF access to a
wider, mostly untrusted population, in which case the detailed module
version information provided by the YANG library could constitute a
non-trivial additional risk.  I'm not sure of a good, concise way to
express this.

> The library is intended for other protocols such as RESTCONF.
>
> Is there some specific text you want changed?

I think there could be ambiguity about whether "server" refers to the
NETCONF (or other management protocol) server process on the device, or
to the overall capabilities of the device.  If the YANG library could
provide details that could reveal to an attacker the existence of
vulnerabilities in the underlying network device capabilities, it might
be good to mention it, e.g.,

    In addition to revealing the potential existence of vulnerabilities
    in the network management protocol server on a device, the detailed
    version information available in the module list could help an
    attacker to discover the existence of vulnerable code in the
    implementation of the underlying network capabilities (or other
    functionality) of the device on which the management server is
    running.
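An added example (not from this thread or the yang-library draft) that makes the "superset" point concrete: it parses a constructed NETCONF <hello> module capability URI and a constructed YANG library reply, then reports what the library discloses beyond <hello>, i.e. deviation module revision dates and the submodule list. The ietf-yang-library namespace is assumed from the draft; the module names, dates and values are made up.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
# Constructed <hello> capability URI (RFC 6020 5.6.4 form): name, revision, features, deviation *names*.
HELLO_CAPS = [
    "urn:example:acme-system?module=acme-system&revision=2015-12-01"
    "&features=ssh&deviations=acme-system-devs",
]
# Constructed library reply in the ietf-yang-library shape (namespace assumed from the draft; data made up).
YANG_LIBRARY_XML = """
<modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library">
  <module>
    <name>acme-system</name>
    <revision>2015-12-01</revision>
    <deviation><name>acme-system-devs</name><revision>2016-01-15</revision></deviation>
    <submodule><name>acme-system-types</name><revision>2015-11-20</revision></submodule>
  </module>
</modules-state>
"""
NS = {"yl": "urn:ietf:params:xml:ns:yang:ietf-yang-library"}

def parse_hello(caps):
    """Map module name -> (revision, set of deviation module names) from <hello>."""
    out = {}
    for cap in caps:
        q = parse_qs(urlsplit(cap).query)
        devs = {d for d in q.get("deviations", [""])[0].split(",") if d}
        out[q["module"][0]] = (q.get("revision", [None])[0], devs)
    return out

def parse_library(xml_text):
    """Map module name -> {name: revision} of its deviations and submodules."""
    txt = lambda e, tag: e.findtext("yl:" + tag, namespaces=NS)
    out = {}
    for m in ET.fromstring(xml_text.strip()).findall("yl:module", NS):
        out[txt(m, "name")] = {
            kind: {txt(e, "name"): txt(e, "revision") for e in m.findall("yl:" + kind, NS)}
            for kind in ("deviation", "submodule")}
    return out

def extra_exposure(hello, library):
    """What a reader of the library learns that the <hello> did not disclose."""
    extra = {}
    for name, info in library.items():
        hello_devs = hello.get(name, (None, set()))[1]
        extra[name] = {
            # <hello> names deviation modules but never gives their revision dates
            "deviation-revisions": {d: r for d, r in info["deviation"].items() if d in hello_devs},
            # <hello> says nothing about submodules at all
            "submodules": dict(info["submodule"])}
    return extra
```

The same comparison is what an access-control review should do before opening read access to the library to a wider user population: anything in the returned dict is exposure that <hello> alone would not have given.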