Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
Andy Bierman <andy@yumaworks.com> Wed, 06 April 2016 11:16 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A3112D7BC for <secdir@ietfa.amsl.com>; Wed, 6 Apr 2016 04:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfMJsnAHqYOG for <secdir@ietfa.amsl.com>; Wed, 6 Apr 2016 04:15:58 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF75B12D7D6 for <secdir@ietf.org>; Wed, 6 Apr 2016 04:15:50 -0700 (PDT)
Received: by mail-lb0-x232.google.com with SMTP id u8so27540225lbk.0 for <secdir@ietf.org>; Wed, 06 Apr 2016 04:15:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=5YRucDUJIOmO6ZYjaEglBZQD4oNabUsrzLv6z+awgt8=; b=yu81RydjK1SlCQeHVVUDg2gzUAlPW7i23DdIehty8Oj/qpcn6R9E86Xfm4HglRXFZZ 3QBk4LP9PM3mCMSpeZhFZ0lqj6GBPL0f3jr+wOBMgY1TNxZ0htadsVOufn/L4G1mBq+4 bEoXkcXGuvFYSHVOdT3eQNK2ibC9ELMC6Mz5ihowHE1qfqxO1JjKaqrryCeNWzZOFXr5 x8MmG3uxGETlWqZqgshFM5FZ2McTD4AR+20CfpFVGKw5R0eVtyeCVlD8301Ys3KSwk30 s2MFTD+Pve4QpKDiPBicPzdYkjvUQRJV27aPkck4K1GvSNq9JoF0yRYqhyT6z92dYuqt 00ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=5YRucDUJIOmO6ZYjaEglBZQD4oNabUsrzLv6z+awgt8=; b=GVyDFkZdMJUXMi0Oat89kzMf5Km25Qhv1caDCCHJ1UKii6ztv7Tvn+3+o3jEo8ibvQ IxyNFC8cIMZo+eQekgzYE2krCkKPUQYcHrtphdyj5iZmu24jUYfc53N2koeEh7O7S5+n 3zI/K4xdp0JhGonlHagMNU1TSId1zyk+zUp/dYreFrEYGxh2gylL0hm5aAgIZJ4dQvBV YGz5ZlfWEuOUQ8MkgbuFaeMFJ8X3K3whNL67Cq0S+Wu465etjpszVQple3dHNcxERds2 UNrnAMJI809v8WcrrJUfN9d/pv0ocbCAfb6oaXxJPkVoO5nPnbbEIvA2kvqIJNCCoh+0 zzYw==
X-Gm-Message-State: AD7BkJKjhQCFtCF3PQQC+V/p494HtfptunjbApyoAHzuURAoFOv+X/BOMuEIbV6g7bhHRjtVJ9bhPZo74xEL+g==
MIME-Version: 1.0
X-Received: by 10.112.147.101 with SMTP id tj5mr5829762lbb.119.1459941348914; Wed, 06 Apr 2016 04:15:48 -0700 (PDT)
Received: by 10.112.135.97 with HTTP; Wed, 6 Apr 2016 04:15:48 -0700 (PDT)
In-Reply-To: <56F3FFE0.3040408@cisco.com>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu> <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com> <ldv7fgu42vj.fsf@sarnath.mit.edu> <CABCOCHSv9yr6sJijuRLZ5UYfCdCBsy78M6hundbYiX9=fDV6Jg@mail.gmail.com> <ldvvb4d2dca.fsf@sarnath.mit.edu> <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com> <56F3FFE0.3040408@cisco.com>
Date: Wed, 06 Apr 2016 04:15:48 -0700
Message-ID: <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Benoit Claise <bclaise@cisco.com>
Content-Type: multipart/alternative; boundary="047d7b3a8bd27ecf70052fcf1540"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/cukF0T9oTOQlV52-j5X-r3m_jWU>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 11:16:02 -0000
Hi,
Here is the proposed text:
OLD:
o /modules-state/module: The module list used in a server
implementation may help an attacker identify the server
capabilities and server implementations with known bugs. Server
vulnerabilities may be specific to particular modules, module
revisions, module features, or even module deviations. This
information is included in each module entry. ...
NEW:
o /modules-state/module: The module list used in a server
implementation may help an attacker identify the server
capabilities and server implementations with known bugs. Although
some of this information may be available to all users via the
NETCONF <hello> message (or similar messages in other management
protocols), this YANG module potentially exposes additional
details that could be of some assistance to an attacker. Server
vulnerabilities may be specific to particular modules, module
revisions, module features, or even module deviations. This
information is included in each module entry. ...
If this is acceptable, I will post a -05 version.
Andy
On Thu, Mar 24, 2016 at 7:55 AM, Benoit Claise <bclaise@cisco.com> wrote:
> On 3/23/2016 9:30 PM, Andy Bierman wrote:
>
>
>
> On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu> wrote:
>
>> Andy Bierman <andy@yumaworks.com> writes:
>>
>> > The YANG library provides the revision date of the deviations module,
>> > which is not included in the NETCONF <hello>.
>> >
>> > It also lists the submodules and their revisions, which is
>> > not contained in the NETCONF <hello>.
>> >
>> > The NETCONF <hello> message is not specified well enough to
>> > make any other generalizations about the differences.
>>
>> I think it would be good to explicitly mention that the YANG library
>> provides a superset of the module and version information that might be
>> available by other means, e.g.,
>>
>> OLD
>>
>> Some of the readable data nodes in this YANG module may be considered
>> sensitive or vulnerable in some network environments. It is thus
>> important to control read access (e.g., via get, get-config, or
>> notification) to these data nodes. These are the subtrees and data
>> nodes and their sensitivity/vulnerability:
>>
>> NEW
>>
>> Some of the readable data nodes in this YANG module may be considered
>> sensitive or vulnerable in some network environments and
>> authorization configurations. Although some of this information may
>> be available to all users via the NETCONF <hello> message (or similar
>> messages in other management protocols), this YANG module potentially
>> exposes additional details that could be of some assistance to an
>> attacker. It is thus important to control read access (e.g., via
>> get, get-config, or notification) to these data nodes. These are the
>> subtrees and data nodes and their sensitivity/vulnerability:
>>
>>
>
>
> This is the security boilterplate text that is supposed to
> go into every YANG module
>
>
> https://tools.ietf.org/html/rfc6087#section-6.1
>
>
> I prefer to leave the boilerplate alone and move your text into
> YANG library specific part.
>
> I would support this.
>
> Regards, Benoit
>
>
>
> Andy
>
>
>
>> I think if NETCONF access is restricted to a small number of trusted
>> users (even for read-only access), the incremental risk posed by
>> revealing more details about the modules is small. I imagine that there
>> are use cases for providing (restricted) read-only NETCONF access to a
>> wider, mostly untrusted population, in which case the detailed module
>> version information provided by the YANG library could constitute a
>> non-trivial additional risk. I'm not sure of a good, concise way to
>> express this.
>>
>> > The library is intended for other protocols such as RESTCONF.
>> >
>> > Is there some specific text you want changed?
>>
>> I think there could be ambiguity about whether "server" refers to the
>> NETCONF (or other management protocol) server process on the device, or
>> to the overall capabilities of the device. If the YANG library could
>> provide details that could reveal to an attacker the existence of
>> vulnerabilities in the underlying network device capabilities, it might
>> be good to mention it, e.g.,
>>
>> In addition to revealing the potential existence of vulnerabilities
>> in the network management protocol server on a device, the detailed
>> version information available in the module list could help an
>> attacker to discover the existence of vulnerable code in the
>> implementation of the underlying network capabilities (or other
>> functionality) of the device on which the management server is
>> running.
>>
>
>
>
- [secdir] secdir review of draft-ietf-netconf-yang… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu