Re: [secdir] secdir review of draft-ietf-netconf-partial-lock-09.txt

Andy Bierman <ietf@andybierman.com> Thu, 13 August 2009 15:28 UTC

Message-ID: <4A8430BE.2050701@andybierman.com>
Date: Thu, 13 Aug 2009 08:26:54 -0700
From: Andy Bierman <ietf@andybierman.com>
To: Stephen Hanna <shanna@juniper.net>
In-Reply-To: <AC6674AB7BC78549BB231821ABF7A9AE8E777C00E6@EMBX01-WF.jnpr.net>
Cc: "draft-ietf-netconf-partial-lock@tools.ietf.org" <draft-ietf-netconf-partial-lock@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "Bert (IETF) Wijnen" <bertietf@bwijnen.net>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-netconf-partial-lock-09.txt

Stephen Hanna wrote:
> Thanks to Dan and Bert for answering my question.
> If most NETCONF implementations authenticate users
> and implement some form of authorization scheme,
> there should be no problem with including text
> in draft-ietf-netconf-partial-lock-09.txt that
> says "NETCONF servers that implement partial
> locks MUST ensure that only an authenticated
> and authorized user can request a partial lock."
> Even a server that implements authentication but
> does not implement fine-grained authorization
> would meet this requirement. It would just be
> saying that all authenticated users are fully
> authorized to perform any operation on the server.
> 
> Are there any concerns with this proposal?
> If so, please explain.
> 

The partial-lock operation does not work on the candidate
database, yet the draft insists that this database is supported.
It also says it works on the startup database, yet there
is no way to edit this database, so why does it need
to be partially locked?

There is a global commit operation issued by a session.
That session must be authorized to make all the changes
to the running config that are contained in the candidate
(all-or-nothing).

The partial-lock design does not really have any effect
on the candidate -- using it is just as ineffective as
not using any locking at all.  So it is subject to
the 'candidate-deadlock' first described by Wes Hardaker:

Let's say there is a simple config to edit:

  <config>
     <foo>3</foo>
     <bar>fred</bar>
  </config>

Let's say user A is authorized to write /foo and
user B is authorized to write /bar.

1) user A does partial-lock(target='candidate', data='/foo')
2) user B skips the lock and just edits the /bar leaf directly
   in the candidate database (even if user B took out a partial
   lock on /bar, the result would be the same)

HALT:

  User A is not authorized to issue commit
  User B is not authorized to issue commit
  The database is wedged until somebody issues a discard-changes.
  discard-changes only works because authorization is ignored,
  otherwise the agent would be deadlocked.

Only the global lock operation defined in RFC 4741
can prevent this problem.


> Thanks,
> 
> Steve

Andy
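The candidate-deadlock scenario from the message above, as an added runnable model (not code from the draft, RFC 4741, or any NETCONF server). The per-session writable-path sets, the all-or-nothing commit rule and the session names A and B are assumptions chosen to match the example in the message.

```python
# Toy model of the 'candidate-deadlock' from the message above; added illustration, not code
# from the draft or any NETCONF server. Writable-path sets and the commit rule are assumptions.

class NetconfError(Exception):
    pass

class Server:
    def __init__(self, running, authz):
        self.running = dict(running)
        self.candidate = dict(running)
        self.authz = authz               # session -> set of paths it may write (assumed model)
        self.partial_locks = {}          # path -> owning session
        self.global_lock = None          # session holding the RFC 4741 <lock>
    def _check(self, session, path):
        if path not in self.authz.get(session, set()):
            raise NetconfError("access-denied")
        if self.global_lock not in (None, session):
            raise NetconfError("lock-denied")   # global lock blocks every other session
        if self.partial_locks.get(path, session) != session:
            raise NetconfError("lock-denied")   # partial lock protects only its own path
    def lock(self, session):
        if self.global_lock not in (None, session):
            raise NetconfError("lock-denied")
        self.global_lock = session
    def partial_lock(self, session, path):
        self._check(session, path)
        self.partial_locks[path] = session
    def edit_candidate(self, session, path, value):
        self._check(session, path)       # A's lock on /foo does not stop B editing /bar
        self.candidate[path] = value
    def can_commit(self, session):
        # all-or-nothing: the committer must be allowed to write every changed path
        dirty = {p for p in self.candidate if self.candidate[p] != self.running.get(p)}
        return dirty <= self.authz.get(session, set())
    def discard_changes(self):
        self.candidate = dict(self.running)   # no authorization check, as the message notes

def candidate_deadlock(use_global_lock=False):
    # Replay steps 1) and 2); returns (A may commit, B may commit, server) or None if B is refused.
    srv = Server({"/foo": "3", "/bar": "fred"}, {"A": {"/foo"}, "B": {"/bar"}})
    if use_global_lock:
        srv.lock("A")                    # RFC 4741 global lock instead of partial-lock
    else:
        srv.partial_lock("A", "/foo")
    srv.edit_candidate("A", "/foo", "4")
    try:
        srv.edit_candidate("B", "/bar", "wilma")  # no lock needed; locking /bar would not help
    except NetconfError:
        return None
    return srv.can_commit("A"), srv.can_commit("B"), srv
```

With partial locks neither session can commit until discard-changes clears the candidate; with the global lock B's edit is refused up front, so the candidate never reaches the wedged state.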