Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03

Andy Bierman <andy@yumaworks.com> Wed, 23 March 2016 20:31 UTC

To: Tom Yu <tlyu@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/QZUnoJ_SQzMBex6FvwI9aw9DBzc>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org

On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu> wrote:

> Andy Bierman <andy@yumaworks.com> writes:
>
> > The YANG library provides the revision date of the deviations module,
> > which is not included in the NETCONF <hello>.
> >
> > It also lists the submodules and their revisions, which is
> > not contained in the NETCONF <hello>.
> >
> > The NETCONF <hello> message is not specified well enough to
> > make any other generalizations about the differences.
>
> I think it would be good to explicitly mention that the YANG library
> provides a superset of the module and version information that might be
> available by other means, e.g.,
>
> OLD
>
>    Some of the readable data nodes in this YANG module may be considered
>    sensitive or vulnerable in some network environments.  It is thus
>    important to control read access (e.g., via get, get-config, or
>    notification) to these data nodes.  These are the subtrees and data
>    nodes and their sensitivity/vulnerability:
>
> NEW
>
>    Some of the readable data nodes in this YANG module may be considered
>    sensitive or vulnerable in some network environments and
>    authorization configurations.  Although some of this information may
>    be available to all users via the NETCONF <hello> message (or similar
>    messages in other management protocols), this YANG module potentially
>    exposes additional details that could be of some assistance to an
>    attacker.  It is thus important to control read access (e.g., via
>    get, get-config, or notification) to these data nodes.  These are the
>    subtrees and data nodes and their sensitivity/vulnerability:
>
>


This is the security boilerplate text that is supposed to
go into every YANG module.


https://tools.ietf.org/html/rfc6087#section-6.1


I prefer to leave the boilerplate alone and move your text into
the YANG library specific part.


Andy



> I think if NETCONF access is restricted to a small number of trusted
> users (even for read-only access), the incremental risk posed by
> revealing more details about the modules is small.  I imagine that there
> are use cases for providing (restricted) read-only NETCONF access to a
> wider, mostly untrusted population, in which case the detailed module
> version information provided by the YANG library could constitute a
> non-trivial additional risk.  I'm not sure of a good, concise way to
> express this.
>
> > The library is intended for other protocols such as RESTCONF.
> >
> > Is there some specific text you want changed?
>
> I think there could be ambiguity about whether "server" refers to the
> NETCONF (or other management protocol) server process on the device, or
> to the overall capabilities of the device.  If the YANG library could
> provide details that could reveal to an attacker the existence of
> vulnerabilities in the underlying network device capabilities, it might
> be good to mention it, e.g.,
>
>     In addition to revealing the potential existence of vulnerabilities
>     in the network management protocol server on a device, the detailed
>     version information available in the module list could help an
>     attacker to discover the existence of vulnerable code in the
>     implementation of the underlying network capabilities (or other
>     functionality) of the device on which the management server is
>     running.
>
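
The gap between the NETCONF <hello> and the YANG library discussed in this thread, as an added example that is not part of the original message or of the draft: it lists which version details an operator would be exposing only through the library's module list. The capability URIs, module names and the simplified dictionary layout standing in for the library data are constructed assumptions; the `module`, `revision` and `deviations` URI parameters follow RFC 6020 section 5.6.4.

```python
# Constructed sample: capability URIs as a server might advertise in <hello>.
HELLO_CAPS = [
    "urn:ietf:params:netconf:base:1.0",
    "urn:example:acme-system?module=acme-system&revision=2015-11-02"
    "&features=ntp&deviations=acme-system-devs",
    "urn:example:acme-routing?module=acme-routing&revision=2016-01-15",
]

# Constructed, simplified stand-in for the YANG library module list
# (key names are assumptions for this example, not the draft's encoding).
LIBRARY = [
    {"name": "acme-system", "revision": "2015-11-02",
     "deviation": [{"name": "acme-system-devs", "revision": "2015-12-01"}],
     "submodule": [{"name": "acme-system-ntp", "revision": "2015-10-20"}]},
    {"name": "acme-routing", "revision": "2016-01-15",
     "deviation": [], "submodule": []},
]

def parse_hello(caps):
    """Map module name -> revision and deviation module names from <hello>."""
    out = {}
    for uri in caps:
        params = dict(p.split("=", 1) for p in uri.partition("?")[2].split("&")
                      if "=" in p)
        if "module" not in params:
            continue  # protocol capability, not a YANG module
        out[params["module"]] = {
            "revision": params.get("revision"),
            "deviations": {d for d in params.get("deviations", "").split(",") if d},
        }
    return out

def extra_exposure(caps, library):
    """Return (module, kind, name, revision) items visible only via the library."""
    hello = parse_hello(caps)
    extra = []
    for mod in library:
        seen = hello.get(mod["name"])
        if seen is None or seen["revision"] != mod["revision"]:
            extra.append((mod["name"], "module", mod["name"], mod["revision"]))
        for dev in mod.get("deviation", []):
            # <hello> names deviation modules but carries no revision for them.
            extra.append((mod["name"], "deviation-revision",
                          dev["name"], dev["revision"]))
        for sub in mod.get("submodule", []):
            # Submodules do not appear in <hello> capability URIs at all.
            extra.append((mod["name"], "submodule", sub["name"], sub["revision"]))
    return extra
```

An empty result means the library reveals nothing beyond what every session already receives in <hello>; any entries are the details that read-access control on the library's data nodes would be protecting.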