[secdir] Review of draft-ietf-netconf-rfc4742bis-07.txt
Rob Austein <sra@hactrn.net> Wed, 02 March 2011 17:32 UTC
Date: Wed, 02 Mar 2011 12:33:23 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-netconf-rfc4742bis.all@tools.ietf.org
Message-Id: <20110302173323.8849622829@thrintun.hactrn.net>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft is an updated specification for transport of NETCONF message streams over SSH connections using the SSHv2 "subsystem" protocol. These message streams are bi-directional channels conveying multiple complete XML documents in each direction.

The main change from RFC 4742 to this draft is a revision to the framing protocol. The original framing protocol in RFC 4742 used a magic delimiter string "]]>]]>" in the mistaken belief that such a string could never appear in a well-formed XML document. The current document defines a new counted-length framing protocol, but preserves vestiges of the old framing protocol for backwards compatibility and requires use of the old protocol during the initial capability exchange.

I have no serious security concerns regarding this document, but I do have two comments:

1) If it's worth changing the framing protocol at all, which I'm willing to accept as a given, it is far from obvious to me that the current negotiated upgrade is the right way to do it, as this will require implementation of the old bad mechanism forever. Switching to a new SSH subsystem name seems like a much simpler solution.

2) As a matter of stylistic consistency with the last several decades of Internet protocols, the delimiter sequence in the new framing protocol should have been <CRLF>, not <LF>. Sigh.
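The two framing mechanisms the review contrasts, side by side, as an added example that is not part of the review or of the NETCONF drafts. The chunk layout (an LF, "#", a decimal chunk-size, LF, the chunk bytes, repeated, then "\n##\n" to end the message), the 2^32-1 upper bound on chunk-size and the "urn:ietf:params:netconf:base:1.1" capability URI are taken from the published RFC 6242/6241 form of this work and are assumptions here, as is the constructed <rpc> sample. The sample shows why the old delimiter was a mistake: "]]>]]>" is perfectly legal inside an attribute value, so end-of-message framing splits a single well-formed document into two fragments, while counted-length framing carries it intact. The decoder is written the way a receiver on a stream socket needs it, distinguishing "more bytes pending" from "malformed header".

```python
"""Added example: RFC 4742 end-of-message framing vs. counted-length (chunked) framing.
Not code from the secdir review or the NETCONF drafts; formats assumed from RFC 6242."""
import re
import xml.dom.minidom

EOM = b"]]>]]>"                        # RFC 4742 magic end-of-message delimiter
END_OF_CHUNKS = b"\n##\n"              # end-of-chunks marker (assumed RFC 6242 form)
CHUNK_HDR = re.compile(rb"\n#([1-9][0-9]*)\n")   # "\n#<chunk-size>\n", no leading zeros
MAX_CHUNK = 4294967295                 # chunk-size is 1..2^32-1 (assumed)
MAX_HDR = len(b"\n#4294967295\n")      # longest legal chunk header
BASE_1_1 = "urn:ietf:params:netconf:base:1.1"   # capability that enables chunking (assumed URI)


def encode_eom(msg: bytes) -> bytes:
    """Old framing: append the magic string after each complete XML document."""
    return msg + EOM


def decode_eom(stream: bytes):
    """Old framing: split on the delimiter. Returns (complete messages, unconsumed tail)."""
    parts = stream.split(EOM)
    return parts[:-1], parts[-1]


def encode_chunked(msg: bytes, chunk_size: int = 4096) -> bytes:
    """New framing: one or more counted chunks, then the end-of-chunks marker."""
    if not 1 <= chunk_size <= MAX_CHUNK:
        raise ValueError("chunk_size out of range")
    out = bytearray()
    for i in range(0, len(msg), chunk_size):
        chunk = msg[i:i + chunk_size]
        out += b"\n#%d\n" % len(chunk)
        out += chunk
    out += END_OF_CHUNKS
    return bytes(out)


def _parse_one(stream: bytes, pos: int):
    """Parse one chunk-framed message at pos.
    Returns (message, new_pos), or None if more bytes are needed; raises on malformed input."""
    cur = bytearray()
    while True:
        if stream.startswith(END_OF_CHUNKS, pos):
            return bytes(cur), pos + len(END_OF_CHUNKS)
        m = CHUNK_HDR.match(stream, pos)
        if m is None:
            hdr = stream[pos:pos + MAX_HDR]
            # A prefix of "\n#" with no LF yet is a header still in flight; anything else is bogus.
            if b"\n#".startswith(hdr[:2]) and b"\n" not in hdr[2:]:
                return None
            raise ValueError("malformed chunk header at offset %d" % pos)
        n = int(m.group(1))
        if n > MAX_CHUNK:
            raise ValueError("chunk-size exceeds 2^32-1")
        start = m.end()
        if len(stream) - start < n:
            return None                # chunk body not fully received yet
        cur += stream[start:start + n]
        pos = start + n


def decode_chunked(stream: bytes):
    """New framing: parse zero or more messages. Returns (messages, unconsumed tail)."""
    msgs, pos = [], 0
    while True:
        r = _parse_one(stream, pos)
        if r is None:
            return msgs, stream[pos:]
        msg, pos = r
        msgs.append(msg)


def is_malformed(stream: bytes) -> bool:
    """True if the chunked decoder rejects the stream outright (vs. waiting for more bytes)."""
    try:
        decode_chunked(stream)
        return False
    except ValueError:
        return True


def select_framing(client_caps, server_caps) -> str:
    """The <hello> exchange itself is always EOM-framed; chunking applies only after
    both peers have advertised :base:1.1 (the negotiated upgrade the review questions)."""
    return "chunked" if BASE_1_1 in client_caps and BASE_1_1 in server_caps else "eom"


# Constructed sample: a well-formed <rpc> whose attribute value contains the magic string.
TRICKY_RPC = (b'<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
              b'<edit-config><target><running/></target><config>'
              b'<banner xmlns="urn:example:banner" text="]]>]]>"/>'
              b'</config></edit-config></rpc>')


def is_well_formed(doc: bytes) -> bool:
    try:
        xml.dom.minidom.parseString(doc)
        return True
    except Exception:
        return False


def demo():
    """Returns (fragments the old framing produces, whether the new framing round-trips)."""
    eom_msgs, _ = decode_eom(encode_eom(TRICKY_RPC))
    chunk_msgs, _ = decode_chunked(encode_chunked(TRICKY_RPC, 64))
    return len(eom_msgs), chunk_msgs == [TRICKY_RPC]


if __name__ == "__main__":
    print("well-formed:", is_well_formed(TRICKY_RPC), "eom fragments / chunked ok:", demo())
```

Note the decoder's two failure modes: a header that has not yet arrived returns the message's bytes as the unconsumed tail so the caller can read more, whereas a chunk-size of zero, a leading zero, or a size above 2^32-1 is rejected rather than silently treated as a length, since a length field taken at face value is where a framing parser usually goes wrong.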