Re: [secdir] [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx

Tal Mizrahi <> Thu, 30 July 2015 06:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 54FD41A8849; Wed, 29 Jul 2015 23:43:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FVTLXE9zgHgH; Wed, 29 Jul 2015 23:43:08 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2D9231A870F; Wed, 29 Jul 2015 23:43:08 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id t6U6YfdI024771; Wed, 29 Jul 2015 23:43:07 -0700
Received: from ([]) by with ESMTP id 1vv91rpu8d-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 29 Jul 2015 23:43:06 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 30 Jul 2015 09:43:03 +0300
Received: from ([fe80::41:1c9f:8611:3a4a]) by ([fe80::41:1c9f:8611:3a4a%20]) with mapi id 15.00.1044.021; Thu, 30 Jul 2015 09:43:03 +0300
From: Tal Mizrahi <>
To: Andy Bierman <>, Olafur Gudmundsson <>
Thread-Topic: [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx
Thread-Index: AQHQykcigNupE2ajyEaQCVpIBzXexJ3zkGIg
Date: Thu, 30 Jul 2015 06:43:02 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_0960eb5365954b73afde1c70ba5164a0ILEXCH01marvellcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-07-30_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1506180000 definitions=main-1507300120
Archived-At: <>
Cc: Netconf <>, "" <>, ietf <>, "" <>
Subject: Re: [secdir] [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2015 06:43:10 -0000

Hi Andy,

You make a good point.
We intend to add text (see below) that describes this point in the next version of the draft.
Please let us know if you have further comments.

Here is the updated text on the last paragraph of the security section:

This YANG module defines the <cancel-schedule> RPC. This RPC may be considered sensitive or vulnerable in some network environments. Since the value of the <schedule-id> is known to all the clients that are subscribed to notifications from the server, the <cancel-schedule> RPC may be used maliciously to attack servers by canceling their pending RPCs. This attack is addressed in two layers: (i) security at the transport layer, limiting the attack only to clients that have successfully initiated a secure session with the server, and (ii) the authorization level required to cancel an RPC should be the same as the level required to schedule it, limiting the attack only to attackers with an authorization level that is equal to or higher than that of the client that initiated the scheduled RPC.


From: Netconf [] On Behalf Of Andy Bierman
Sent: Thursday, July 30, 2015 12:40 AM
To: Olafur Gudmundsson
Cc:;; ietf; Netconf
Subject: Re: [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx


I am curious if this is a security concern.
When an event is scheduled, the ID and its scheduled time
are sent out in a notification to potentially all clients.

notification netconf-scheduled-message {

        leaf schedule-id {

          type string;


            "The ID of the scheduled message.";


        leaf scheduled-time {

          type yang:date-and-time;


            "The time at which the RPC is scheduled to be performed.";



          "Indicates that a scheduled message was received.";



           Time Capability in NETCONF";


Any client can get these notifications and know the ID (to cancel it)
and the scheduled time.

Is is a security issue that any client can get the schedule-id
and use it to cancel the scheduled RPC?


On Wed, Jul 29, 2015 at 2:15 PM, Olafur Gudmundsson <<>> wrote:
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is ready for publication
The document is well written.

The security considerations are clear and accurate. I would like highlight one omission though.
This capability allows an attacker once it has gained access to schedule events in the future even
though attackers access has been detected and revoked.


Netconf mailing list<>