IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03

Andy Bierman <andy@yumaworks.com> Tue, 15 March 2016 17:28 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D46A12D65C for <secdir@ietfa.amsl.com>; Tue, 15 Mar 2016 10:28:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50C7NxDP1qaJ for <secdir@ietfa.amsl.com>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CAC312DA35 for <secdir@ietf.org>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
Received: by mail-lb0-x22a.google.com with SMTP id k12so31729765lbb.1 for <secdir@ietf.org>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=na1pJBJY4aW15aWAo7stMvzGsPbYnEu/ds0ri8Il1LI=; b=jHJXOZ/aGYCjsw74PBKjf7ihWHr9s0pU/bBBWbIqrekCgvYtOpSzvB+l/W70jcIdS1 aGD0ExrJC7sPqbyqnV3oA5OJbW0w8IR+t2G/YHOVPysjji87u06xCb9FF4xYn6M2qqMz njgKmOnwQ+bWKe4DxGqd2XEmSo7K7o6PMjz1O7HCownnHE6/QGGQj8gzYAjKUhEeflFS UWh/gAl/MgYuwaT4mNGKXh8JcUjyEQvbOKiRVcHQwNt4MpiU78NQEzzcfJldQ0ut1IMU aHBFltQes/dfald6wrlWrMy1Ikfd32UTfHCR6tuq25iesG5zWSRAwl9DkxhN86h75Uni RbuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=na1pJBJY4aW15aWAo7stMvzGsPbYnEu/ds0ri8Il1LI=; b=GYuezH+CRLs4MUXJituJNECjYxaQaJM9WDBBkjuwhSAuo1mlyCP5c5EvdkKF7hOuJq +iftq0qb/JLNA87lxusCbnkJQVc7+de6xw6WhRDUfE4yFnBjGY6Y3wc0Bb4fzawNi0p/ BL9soJKaCw2OFfHQ9tkD+XYD0tUpbA9QBgKho1BpK8oFDXI7ucTUzHsMprcHzTflg3GX P8zT6e52PXqivdKftTffYAeQlrni/gkNBUDbyAfD4m7AMxXQHY8HOc2ypeHVfCTuIo0b PIQgF7ko4DvK/1gXUAEJJKo/L8FaFP9UNkZqrrJpWvmDOXy2zLyOOScFgM4GbA3nUpGj iieA==
X-Gm-Message-State: AD7BkJJJ4uFYfYv9ctOAL8FKEObBSk9fi28UBet0hUmlG86VEh8AAtpV2cqzG/58LtzO4+A6B+DiiXUUaPlAUQ==
MIME-Version: 1.0
X-Received: by 10.112.156.6 with SMTP id wa6mr10187326lbb.66.1458062934593; Tue, 15 Mar 2016 10:28:54 -0700 (PDT)
Received: by 10.112.135.97 with HTTP; Tue, 15 Mar 2016 10:28:54 -0700 (PDT)
In-Reply-To: <ldvwppsjnde.fsf@sarnath.mit.edu>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu>
Date: Tue, 15 Mar 2016 10:28:54 -0700
Message-ID: <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Tom Yu <tlyu@mit.edu>
Content-Type: multipart/alternative; boundary="089e01161bf446edf0052e19bbd5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/IXy9UypRRgZnSwo7nGbwrU1coBo>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 17:28:58 -0000

On Thu, Feb 25, 2016 at 5:01 PM, Tom Yu <tlyu@mit.edu> wrote:

> Hi Mahesh,
>
> Sorry about the delay.
>
> I was looking at the specific comments in the Security Considerations of
> this document about the sensitivity of the contents of /modules/module.
> How do the risks of an attacker being able to inspect /modules/module
> compare with other information that could be available to an attacker,
> such as fingerprinting through non-NETCONF means?
>
> If an attacker has limited NETCONF access on a server, what would the
> contents of /modules/module reveal to the attacker that might not
> otherwise be discovered by other kinds of probing within the NETCONF
> protocol?
>
>

The YANG library provides the same information that is currently
in the NETCONF <hello> message.

It is expected that NACM (RFC 6536) will be used to prevent access
to sensitive operations, notifications, and data.
However NACM is optional-to-implement with NETCONF and RESTCONF.

The risk is the same as current NETCONF.
If a specific module/revision implementation is known to
be vulernable, then NETCONF and this library both let
the client know it is running on the server.





> These other risks might be trivial in comparison to the one mentioned in
> the document, but lacking specific knowledge of the broader context of
> NETCONF and how it is deployed, I'm not sure how they compare.  For
> example, is it expected that anonymous or minimally trusted users could
> be authorized to use NETCONF to access some public information about a
> server?
>


If NACM is implemented and deployed correctly, no.
Otherwise -- yes, if all users have all access to all YANG modules,


>
> If these other risks are similar in magnitude to the possible exposures
> allowed by /modules/module, you should consider mentioning them, and
> give the implementor or operator some guidance about how to weigh these
> risks.  If the exposures allowed by /modules/module vastly outweigh
> those from other avenues of obtaining similar capability or
> configuration information, in most environments and forseeable
> deployments, maybe the current text is sufficient.
>
> -Tom
>


Andy


>
> Mahesh Jethanandani <mjethanandani@gmail.com> writes:
>
> > Tom,
> >
> > It is not entirely clear from this e-mail, what action you want the
> authors to take.
> >
> > YANG module information or more like its encodings are sent over a
> secure session (SSH/TLS) and are no more specific to this draft than they
> are to any NETCONF/RESTCONF session. As such it is not clear what you want
> the authors to do. Could you clarify or provide text for the Security
> Consideration section?
> >
> > Thanks.
> >
> >> On Feb 1, 2016, at 6:03 PM, Tom Yu <tlyu@mit.edu> wrote:
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.  Document editors and WG chairs should treat
> >> these comments just like any other last call comments.
> >>
> >> The Security Considerations of this document seem reasonable.  It might
> >> be useful to add a comparison of the risks posed by sensitive
> >> information exposed by this YANG module with information exposed by
> >> other aspects of NETCONF, or available through methods such as
> >> fingerprinting.  Admittedly, a meaningful comparison might be highly
> >> context-specific, so a general comparison might have limited utility.
> >
> > Mahesh Jethanandani
> > mjethanandani@gmail.com
>

v2.23.0 | Report a Bug | By Email