Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
Andy Bierman <andy@yumaworks.com> Tue, 15 March 2016 17:28 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D46A12D65C for <secdir@ietfa.amsl.com>; Tue, 15 Mar 2016 10:28:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50C7NxDP1qaJ for <secdir@ietfa.amsl.com>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CAC312DA35 for <secdir@ietf.org>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
Received: by mail-lb0-x22a.google.com with SMTP id k12so31729765lbb.1 for <secdir@ietf.org>; Tue, 15 Mar 2016 10:28:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=na1pJBJY4aW15aWAo7stMvzGsPbYnEu/ds0ri8Il1LI=; b=jHJXOZ/aGYCjsw74PBKjf7ihWHr9s0pU/bBBWbIqrekCgvYtOpSzvB+l/W70jcIdS1 aGD0ExrJC7sPqbyqnV3oA5OJbW0w8IR+t2G/YHOVPysjji87u06xCb9FF4xYn6M2qqMz njgKmOnwQ+bWKe4DxGqd2XEmSo7K7o6PMjz1O7HCownnHE6/QGGQj8gzYAjKUhEeflFS UWh/gAl/MgYuwaT4mNGKXh8JcUjyEQvbOKiRVcHQwNt4MpiU78NQEzzcfJldQ0ut1IMU aHBFltQes/dfald6wrlWrMy1Ikfd32UTfHCR6tuq25iesG5zWSRAwl9DkxhN86h75Uni RbuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=na1pJBJY4aW15aWAo7stMvzGsPbYnEu/ds0ri8Il1LI=; b=GYuezH+CRLs4MUXJituJNECjYxaQaJM9WDBBkjuwhSAuo1mlyCP5c5EvdkKF7hOuJq +iftq0qb/JLNA87lxusCbnkJQVc7+de6xw6WhRDUfE4yFnBjGY6Y3wc0Bb4fzawNi0p/ BL9soJKaCw2OFfHQ9tkD+XYD0tUpbA9QBgKho1BpK8oFDXI7ucTUzHsMprcHzTflg3GX P8zT6e52PXqivdKftTffYAeQlrni/gkNBUDbyAfD4m7AMxXQHY8HOc2ypeHVfCTuIo0b PIQgF7ko4DvK/1gXUAEJJKo/L8FaFP9UNkZqrrJpWvmDOXy2zLyOOScFgM4GbA3nUpGj iieA==
X-Gm-Message-State: AD7BkJJJ4uFYfYv9ctOAL8FKEObBSk9fi28UBet0hUmlG86VEh8AAtpV2cqzG/58LtzO4+A6B+DiiXUUaPlAUQ==
MIME-Version: 1.0
X-Received: by 10.112.156.6 with SMTP id wa6mr10187326lbb.66.1458062934593; Tue, 15 Mar 2016 10:28:54 -0700 (PDT)
Received: by 10.112.135.97 with HTTP; Tue, 15 Mar 2016 10:28:54 -0700 (PDT)
In-Reply-To: <ldvwppsjnde.fsf@sarnath.mit.edu>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu>
Date: Tue, 15 Mar 2016 10:28:54 -0700
Message-ID: <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Tom Yu <tlyu@mit.edu>
Content-Type: multipart/alternative; boundary="089e01161bf446edf0052e19bbd5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/IXy9UypRRgZnSwo7nGbwrU1coBo>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 17:28:58 -0000
On Thu, Feb 25, 2016 at 5:01 PM, Tom Yu <tlyu@mit.edu> wrote: > Hi Mahesh, > > Sorry about the delay. > > I was looking at the specific comments in the Security Considerations of > this document about the sensitivity of the contents of /modules/module. > How do the risks of an attacker being able to inspect /modules/module > compare with other information that could be available to an attacker, > such as fingerprinting through non-NETCONF means? > > If an attacker has limited NETCONF access on a server, what would the > contents of /modules/module reveal to the attacker that might not > otherwise be discovered by other kinds of probing within the NETCONF > protocol? > > The YANG library provides the same information that is currently in the NETCONF <hello> message. It is expected that NACM (RFC 6536) will be used to prevent access to sensitive operations, notifications, and data. However NACM is optional-to-implement with NETCONF and RESTCONF. The risk is the same as current NETCONF. If a specific module/revision implementation is known to be vulernable, then NETCONF and this library both let the client know it is running on the server. > These other risks might be trivial in comparison to the one mentioned in > the document, but lacking specific knowledge of the broader context of > NETCONF and how it is deployed, I'm not sure how they compare. For > example, is it expected that anonymous or minimally trusted users could > be authorized to use NETCONF to access some public information about a > server? > If NACM is implemented and deployed correctly, no. Otherwise -- yes, if all users have all access to all YANG modules, > > If these other risks are similar in magnitude to the possible exposures > allowed by /modules/module, you should consider mentioning them, and > give the implementor or operator some guidance about how to weigh these > risks. If the exposures allowed by /modules/module vastly outweigh > those from other avenues of obtaining similar capability or > configuration information, in most environments and forseeable > deployments, maybe the current text is sufficient. > > -Tom > Andy > > Mahesh Jethanandani <mjethanandani@gmail.com> writes: > > > Tom, > > > > It is not entirely clear from this e-mail, what action you want the > authors to take. > > > > YANG module information or more like its encodings are sent over a > secure session (SSH/TLS) and are no more specific to this draft than they > are to any NETCONF/RESTCONF session. As such it is not clear what you want > the authors to do. Could you clarify or provide text for the Security > Consideration section? > > > > Thanks. > > > >> On Feb 1, 2016, at 6:03 PM, Tom Yu <tlyu@mit.edu> wrote: > >> > >> I have reviewed this document as part of the security directorate's > >> ongoing effort to review all IETF documents being processed by the > >> IESG. These comments were written primarily for the benefit of the > >> security area directors. Document editors and WG chairs should treat > >> these comments just like any other last call comments. > >> > >> The Security Considerations of this document seem reasonable. It might > >> be useful to add a comparison of the risks posed by sensitive > >> information exposed by this YANG module with information exposed by > >> other aspects of NETCONF, or available through methods such as > >> fingerprinting. Admittedly, a meaningful comparison might be highly > >> context-specific, so a general comparison might have limited utility. > > > > Mahesh Jethanandani > > mjethanandani@gmail.com >
- [secdir] secdir review of draft-ietf-netconf-yang… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu