Re: [secdir] SECDIR review of draft-ietf-netmod-system-mgmt-11

Martin Bjorklund <mbj@tail-f.com> Fri, 31 January 2014 20:16 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D6971A0423; Fri, 31 Jan 2014 12:16:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZuyA7tLFOZ5z; Fri, 31 Jan 2014 12:16:46 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [109.74.15.94]) by ietfa.amsl.com (Postfix) with ESMTP id 7A07E1A03F5; Fri, 31 Jan 2014 12:16:46 -0800 (PST)
Received: from localhost (unknown [193.12.32.88]) by mail.tail-f.com (Postfix) with ESMTPSA id 5984E37C197; Fri, 31 Jan 2014 21:16:41 +0100 (CET)
Date: Fri, 31 Jan 2014 21:16:40 +0100 (CET)
Message-Id: <20140131.211640.309066023.mbj@tail-f.com>
To: d3e3e3@gmail.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <CAF4+nEGv-3px=XbFksFwSOMk8htSnE5f3EyRR_gDe2egRYr02Q@mail.gmail.com>
References: <CAF4+nEGv-3px=XbFksFwSOMk8htSnE5f3EyRR_gDe2egRYr02Q@mail.gmail.com>
X-Mailer: Mew version 6.5rc2 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-netmod-system-mgmt.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-ietf-netmod-system-mgmt-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 20:16:49 -0000

Hi,

Thank you for your review!

Donald Eastlake <d3e3e3@gmail.com>; wrote:
> Hi,
> 
> Sorry this review is late.
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> I believe this draft is ready with issues.
> 
> This draft specifies a YANG data model for configuration and
> identification of NETCONF server device information. You might think
> there would not be much in the way of Security Considerations for a
> "data model" but the model includes User Authentication,  sensitive
> writable data objects, and the like.
> 
> For user password authentication, there are provisions for storing a
> plain text of the password or a salted hash. Hash functions available
> are MD5, SHA-256, and SHA-512.
> 
> Security Considerations:
> 
> The Security Considerations section seems pretty thorough in covering
> NETCONF security features such as SSH transport and access controls.
> However, I believe the Security Considerations should recommend not
> storing passwords as plaintext but rather as a salted hash.

Actually, the clear text password is never stored:

       The '$0$' prefix signals that the value is clear text.  When
       such a value is received by the server, a hash value is
       calculated, and the string '$<id>$<salt>$' or
       $<id>$<parameter>$<salt>$ is prepended to the result.  This
       value is stored in the configuration data store.

The client can send a clear text password (over SSH or TLS) but the
server will never store it in clear text.

> While the
> Security Considerations section refers to RFC 6151 for MD5 Security
> Considerations and having that reference is good, I believe this
> document should also recommend that MD5 not be used as the password
> salted hash function.

This was discussed in the WG, and we felt that whatever we would say
would be better stated in RFC 6151.  Maybe we can be more explicit
about the recommendation:

OLD:

This YANG model defines a type "crypt-hash" that can be used to store
MD5 hashes.  ^RFC6151^ discusses security considerations for MD5.


NEW:

This YANG model defines a type "crypt-hash" that can be used to store
MD5 hashes.  ^RFC6151^ discusses security considerations for MD5.  The
usage of MD5 is NOT RECOMMENDED.


> For the list of sensitive readable data and sensitive remote procedure
> call operations, the draft is careful to say "It is thus important to
> control access to these operations." However, while it is pretty
> obvious, these words or equivalent seem to be missing in reference to
> the sensitive writable data.

The Security Consideration section is modeled after a template found
at:

http://trac.tools.ietf.org/area/ops/trac/wiki/yang-security-guidelines

I don't mind an update, but I believe we should update the template as
well in this case.

The current text says that "write operations [...] without protection
can have a negative effect [...]".

The other paragraphs use the phrase:

"It is thus important to control [...] access [to these data nodes]".

I think the current text says the same thing, but I guess it can be
made more explicit:

OLD:

There are a number of data nodes defined in this YANG module which are
writable/creatable/deletable (i.e. config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g. edit-config) to
these data nodes without proper protection can have a negative effect
on network operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:


NEW:

There are a number of data nodes defined in this YANG module which are
writable/creatable/deletable (i.e. config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations to these data nodes can
have a negative effect on network operations.  It is thus important to
control write access (e.g., via edit-config) to these data nodes.
These are the subtrees and data nodes and their
sensitivity/vulnerability:


> Trivial:
> 
> Section 2.3, first line: "need" -> "needs"
> Section 2.3, 2nd paragraph, second line: "need" -> "needs"
> I believe RPC should be expanded to "remote procedure call" at its one
> use in the text of the draft, unless I've expanded the acronym wrong,
> which would be proof that whatever it stands for it should be spelled
> out.

All fixed.


/martin