Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
Andy Bierman <andy@yumaworks.com> Wed, 23 March 2016 20:31 UTC
From: Andy Bierman <andy@yumaworks.com>
To: Tom Yu <tlyu@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/QZUnoJ_SQzMBex6FvwI9aw9DBzc>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu> wrote:

> Andy Bierman <andy@yumaworks.com> writes:
>
> > The YANG library provides the revision date of the deviations module, which is not included in the NETCONF <hello>.
> >
> > It also lists the submodules and their revisions, which is not contained in the NETCONF <hello>.
> >
> > The NETCONF <hello> message is not specified well enough to make any other generalizations about the differences.
>
> I think it would be good to explicitly mention that the YANG library provides a superset of the module and version information that might be available by other means, e.g.,
>
> OLD
>
> Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
>
> NEW
>
> Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments and authorization configurations. Although some of this information may be available to all users via the NETCONF <hello> message (or similar messages in other management protocols), this YANG module potentially exposes additional details that could be of some assistance to an attacker. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
>

This is the security boilerplate text that is supposed to go into every YANG module:
https://tools.ietf.org/html/rfc6087#section-6.1

I prefer to leave the boilerplate alone and move your text into the YANG library specific part.

Andy

> I think if NETCONF access is restricted to a small number of trusted users (even for read-only access), the incremental risk posed by revealing more details about the modules is small. I imagine that there are use cases for providing (restricted) read-only NETCONF access to a wider, mostly untrusted population, in which case the detailed module version information provided by the YANG library could constitute a non-trivial additional risk. I'm not sure of a good, concise way to express this.
>
> > The library is intended for other protocols such as RESTCONF.
> >
> > Is there some specific text you want changed?
>
> I think there could be ambiguity about whether "server" refers to the NETCONF (or other management protocol) server process on the device, or to the overall capabilities of the device. If the YANG library could provide details that could reveal to an attacker the existence of vulnerabilities in the underlying network device capabilities, it might be good to mention it, e.g.,
>
> In addition to revealing the potential existence of vulnerabilities in the network management protocol server on a device, the detailed version information available in the module list could help an attacker to discover the existence of vulnerable code in the implementation of the underlying network capabilities (or other functionality) of the device on which the management server is running.
>
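The difference the thread is arguing about (what the YANG library reveals beyond the module capability URIs in a NETCONF <hello>) can be made concrete for an operator deciding who gets read access. This is an added example, not code from the thread or the draft; the <hello> capabilities and the modules-state subtree are constructed sample data with made-up submodule and deviation names and dates.

```python
"""Added example (not from the thread): what ietf-yang-library (RFC 7895) reveals
beyond the module capability URIs of a NETCONF <hello> (RFC 6020 section 5.6.4)."""
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

YL = "{urn:ietf:params:xml:ns:yang:ietf-yang-library}"
# Constructed sample <hello> capability URIs (names and dates are made up).
HELLO_CAPS = [
    "urn:ietf:params:netconf:base:1.1",
    "urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces"
    "&revision=2014-05-08&deviations=example-if-dev",
]
# Constructed sample modules-state subtree from the same server.
LIBRARY_XML = """<modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library">
 <module-set-id>set-1</module-set-id>
 <module><name>ietf-interfaces</name><revision>2014-05-08</revision>
  <submodule><name>if-vendor-ext</name><revision>2016-01-15</revision></submodule>
  <deviation><name>example-if-dev</name><revision>2016-02-01</revision></deviation>
 </module>
 <module><name>example-if-dev</name><revision>2016-02-01</revision></module>
</modules-state>"""

def hello_modules(caps):
    """Module name -> revision and deviation names, parsed from capability URIs."""
    out = {}
    for cap in caps:
        q = parse_qs(cap.partition("?")[2])   # query part after the first '?'
        if "module" in q:                      # skip non-module capabilities
            devs = q.get("deviations", [""])[0].split(",")
            out[q["module"][0]] = {"revision": q.get("revision", [None])[0],
                                   "deviations": set(filter(None, devs))}
    return out

def library_modules(xml_text):
    """Module name -> revision, submodule revisions and deviation revisions."""
    out = {}
    for m in ET.fromstring(xml_text).findall(YL + "module"):
        out[m.findtext(YL + "name")] = {
            "revision": m.findtext(YL + "revision"),
            "submodules": {s.findtext(YL + "name"): s.findtext(YL + "revision")
                           for s in m.findall(YL + "submodule")},
            "deviations": {d.findtext(YL + "name"): d.findtext(YL + "revision")
                           for d in m.findall(YL + "deviation")}}
    return out

def extra_exposure(hello, library):
    """Per library module: what is readable here but absent from <hello>."""
    return {name: {"not_in_hello": name not in hello,
                   "submodules": info["submodules"],
                   "deviation_revisions": info["deviations"]}
            for name, info in library.items()}
```

Run against a real server's <hello> and a get of /modules-state, the output of extra_exposure is the list of details that only the library reveals, which is the set an access-control rule on ietf-yang-library would be protecting.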