[secdir] Review of draft-ietf-netconf-rfc4742bis-07.txt

Rob Austein <sra@hactrn.net> Wed, 02 March 2011 17:32 UTC

Date: Wed, 02 Mar 2011 12:33:23 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-netconf-rfc4742bis.all@tools.ietf.org
Message-Id: <20110302173323.8849622829@thrintun.hactrn.net>
Subject: [secdir] Review of draft-ietf-netconf-rfc4742bis-07.txt

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft is an updated specification for transport of NETCONF
message streams over SSH connections using the SSHv2 "subsystem"
protocol.  These message streams are bi-directional channels conveying
multiple complete XML documents in each direction.  The main change
from RFC 4742 to this draft is a revision to the framing protocol.

The original framing protocol in RFC 4742 used a magic delimiter
string "]]>]]>" in the mistaken belief that such a string could never
appear in a well-formed XML document.  The current document defines a
new counted-length framing protocol, but preserves vestiges of the old
framing protocol for backwards compatibility and requires use of the
old protocol during the initial capability exchange.

I have no serious security concerns regarding this document, but I do
have two comments:

1) If it's worth changing the framing protocol at all, which I'm
   willing to accept as a given, it is far from obvious to me that the
   current negotiated upgrade is the right way to do it, as this will
   require implementation of the old bad mechanism forever.  Switching
   to a new SSH subsystem name seems like a much simpler solution.

2) As a matter of stylistic consistency with the last several decades
   of Internet protocols, the delimiter sequence in the new framing
   protocol should have been <CRLF>, not <LF>.  Sigh.
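An added illustration of the framing change the review discusses (example code written for this page, not from the draft, RFC 4742 or any NETCONF implementation): the old delimiter framing beside a chunked decoder that enforces the bounds a defender wants. The `\n#<len>\n` chunk syntax, the `\n##\n` terminator and the 4294967295 chunk-size maximum are taken from RFC 6242, the published form of this draft, and are assumed here since the page does not quote the draft's grammar.

```python
import re

EOM = b"]]>]]>"          # RFC 4742 end-of-message delimiter
MAX_CHUNK = 4294967295   # RFC 6242 chunk-size upper bound (assumed from the RFC)
CHUNK_HDR = re.compile(rb"\n#([1-9][0-9]{0,9})\n")
# Constructed sample: an XML comment may legally contain "]]>]]>", so the old
# delimiter framing splits this <rpc> in the wrong place; chunked framing does not.
RPC = b"<rpc><!-- ]]>]]> --></rpc>"

def eom_encode(msg: bytes) -> bytes:   # old framing: append the magic delimiter
    return msg + EOM

def eom_decode(stream: bytes) -> list:  # old framing: split on the delimiter;
    return stream.split(EOM)[:-1]       # bytes after the last one are a partial message

def chunk_encode(msg: bytes, chunk_size: int = 4096) -> bytes:
    """New framing: one or more '\\n#<len>\\n<data>' chunks, then '\\n##\\n'."""
    out = bytearray()
    for i in range(0, len(msg), chunk_size):
        part = msg[i:i + chunk_size]
        out += b"\n#%d\n" % len(part) + part
    return bytes(out + b"\n##\n")

def chunk_decode(stream: bytes) -> list:
    """New framing: reassemble chunks; reject malformed, oversized or truncated input."""
    msgs, cur, pos = [], bytearray(), 0
    while pos < len(stream):
        if stream.startswith(b"\n##\n", pos):   # end-of-chunks: message complete
            msgs.append(bytes(cur)); cur = bytearray(); pos += 4
            continue
        m = CHUNK_HDR.match(stream, pos)
        if m is None:
            raise ValueError("malformed chunk header at offset %d" % pos)
        size = int(m.group(1))
        if size > MAX_CHUNK:
            raise ValueError("chunk-size %d exceeds protocol maximum" % size)
        if m.end() + size > len(stream):
            raise ValueError("truncated chunk")
        cur += stream[m.end():m.end() + size]
        pos = m.end() + size
    if cur:
        raise ValueError("stream ended inside a message")
    return msgs

def rejects(stream: bytes) -> bool:   # True if the chunk decoder refuses the input
    try:
        chunk_decode(stream)
    except ValueError:
        return True
    return False
```

Note that the chunk terminator uses a bare LF, which is the point the review's second comment objects to.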