Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04

Benoit Claise <bclaise@cisco.com> Wed, 25 April 2012 13:26 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B163E21F85C7; Wed, 25 Apr 2012 06:26:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.57
X-Spam-Level:
X-Spam-Status: No, score=-2.57 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hYTzX8vleoo; Wed, 25 Apr 2012 06:26:35 -0700 (PDT)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by ietfa.amsl.com (Postfix) with ESMTP id AB1C321F85B4; Wed, 25 Apr 2012 06:26:34 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q3PDQXpg017301; Wed, 25 Apr 2012 15:26:33 +0200 (CEST)
Received: from [10.60.67.86] (ams-bclaise-8915.cisco.com [10.60.67.86]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q3PDQWnf018949; Wed, 25 Apr 2012 15:26:32 +0200 (CEST)
Message-ID: <4F97FB88.7020300@cisco.com>
Date: Wed, 25 Apr 2012 15:26:32 +0200
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Leif Johansson <leifj@sunet.se>
References: <4F853D62.1090204@sunet.se> <20120411091551.GA26732@elstar.local> <4F854E70.4060900@sunet.se> <20120411094234.GA26959@elstar.local> <4F855825.1090409@sunet.se>
In-Reply-To: <4F855825.1090409@sunet.se>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-netmod-smi-yang.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, Leif Johansson <leifj@nordu.net>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2012 13:26:35 -0000

Hi Juergen,
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/11/2012 11:42 AM, Juergen Schoenwaelder wrote:
>> On Wed, Apr 11, 2012 at 11:27:12AM +0200, Leif Johansson wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> On 04/11/2012 11:15 AM, Juergen Schoenwaelder wrote:
>>>> On Wed, Apr 11, 2012 at 10:14:26AM +0200, Leif Johansson
>>>> wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have reviewed this document as part of the security
>>>>> directorate's ongoing effort to review all IETF documents
>>>>> being processed by the IESG.  These comments were written
>>>>> primarily for the benefit of the security area directors.
>>>>> Document editors and WG chairs should treat these comments
>>>>> just like any other last call comments.
>>>>>
>>>>> The document specifies a translation between SMIv2 (and by
>>>>> reference to RFC 3584, SMIv1) and YANG. YANG is the
>>>>> information model language used in NETCONF.
>>>>>
>>>>> This draft is outside my subject-matter expertise but the
>>>>> core security issue seems to be around translation of the
>>>>> SMIv2 MAX-ACCESS macro to YANG. Since YANG doesn't define
>>>>> any corresponding element an extension to YANG is defined.
>>>>>
>>>>> However there doesn't seem to be any requirement to
>>>>> implement that extension. The security considerations section
>>>>> refers the reader to the security considerations sections for
>>>>> YANG, NETCONF, SMI etc but claims that "The translation
>>>>> itself has no security impact on the Internet.".
>>>>>
>>>>> I would have liked to see a clear normative statement to the
>>>>> effect that if you relied on MAX-ACCESS in the SMIv2 version
>>>>> of a MIB then you MUST implement the YANG extension for SMI
>>>>> and that the NETCONF implementation used MUST respect the
>>>>> resulting smiv2:max-access statements.
>>>> Hi,
>>>>
>>>> the MAX-ACCESS in the SMIv2 really has nothing to do with
>>>> access control. See section 7.3 of RFC 2578 for the details.
>>>> Also note that the SMiv2 to YANG mapping is readonly, that is
>>>> even if the SMIv2 MAX-ACCESS is "read-write" or "read-create",
>>>> the corresponsing YANG leaf is read-only.
>>>>
>>>> Note that access control in the SNMP world is handled by VACM
>>>> (RFC 3415) and in the NETCONF world by NACM (RFC 6536).
>>>>
>>>> /js
>>>>
>>> As I said this is somewhat outside my comfort-zone but I don't
>>> understand how MAX-ACCESS isn't related to access restrictions
>>> given the security considerations section of rfc 3584.
>> The MAX-ACCESS documents whether an object from a data modeling
>> perspective is in principle writable/creatable or always readonly.
>> In other words, it documents that maximum possible access to an
>> object from a data modeling perspective. There are objects (e.g.,
>> counters) that are inherently readonly and hence have a MAX-ACCESS
>> readonly. Other objects may in principle be writable from a
>> modeling perspective. There are two ways to constrain a MAX-ACCESS
>> in the SNMP world:
>>
>> * First, implementation may implement writable objects as readonly
>> objects.  Sometimes there are specific conformance definitions
>> that specifically allow for such implementations. Sometimes
>> implementations do this on their own choice, ideally documented in
>> so call AGENT-CAPABILITIES (a machine readable documentation of
>> deviations from a conformance definition).
>>
>> * Second, an access control model (with a collection of access
>> control rules) is used to determine at runtime whether the
>> MAX-ACCESS should be restricted.
>>
>> The MIB security considerations boilerplate commonly used in MIB
>> documents requires that MIB authors document which objects may be
>> criticial to protect. This is essentially advise to people
>> deploying MIB modules on how to construct their runtime access
>> control rules.
>>
>> Coming back to the SMIv2 to YANG translation, it turned out that
>> for various other technical reasons, the translation to YANG is
>> readonly (or config false as we say in the YANG community). Hence,
>> even if an SMIv2 object has a MAX-ACCESS of readwrite, the
>> corresponding YANG leaf will be config false. Hence, the current
>> text in the security considerations says:
>>
>> 13.  Security Considerations
>>
>> This document defines a translation of SMIv2 MIB modules into YANG
>> modules, enabling read-only access to data objects defined in
>> SMIv2 MIB modules via NETCONF.  The translation itself has no
>> security impact on the Internet.
>>
>> Does this help?
>>
>> /js
>>
> It helps me right now but how do we help future readers? I jumped to
> this conclusion just by tracing some of the security considerations
> sections. Perhaps you should add a a condensed version of your excellent
> explanation to the security considerations?
Do you plan on adding such an explanation in the draft, or at least give 
pointers to the different RFCs?

Regards, Benoit (trying to evaluate if/how we can close this issue)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk+FWCUACgkQ8Jx8FtbMZncLkgCfapCD+u5r5atcyG1v7b0fTNca
> FVMAn0V2cLrHYjhqRMTMzjnsNII1DPzn
> =2P16
> -----END PGP SIGNATURE-----
>
>