Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
Tom Yu <tlyu@mit.edu> Thu, 07 April 2016 22:52 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 640F912D718; Thu, 7 Apr 2016 15:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5o18_uOcHgA; Thu, 7 Apr 2016 15:52:10 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C878512D103; Thu, 7 Apr 2016 15:52:09 -0700 (PDT)
X-AuditID: 1209190f-c8fff70000004b9e-7b-5706e4987c47
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 0C.20.19358.894E6075; Thu, 7 Apr 2016 18:52:08 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u37Mq7Sv016688; Thu, 7 Apr 2016 18:52:08 -0400
Received: from localhost (sarnath.mit.edu [18.18.1.190]) (authenticated bits=0) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u37Mq5SI014893; Thu, 7 Apr 2016 18:52:06 -0400
From: Tom Yu <tlyu@mit.edu>
To: Benoit Claise <bclaise@cisco.com>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu> <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com> <ldv7fgu42vj.fsf@sarnath.mit.edu> <CABCOCHSv9yr6sJijuRLZ5UYfCdCBsy78M6hundbYiX9=fDV6Jg@mail.gmail.com> <ldvvb4d2dca.fsf@sarnath.mit.edu> <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com> <56F3FFE0.3040408@cisco.com> <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com> <5705C32C.2010200@cisco.com>
Date: Thu, 07 Apr 2016 18:52:05 -0400
In-Reply-To: <5705C32C.2010200@cisco.com> (Benoit Claise's message of "Wed, 6 Apr 2016 23:17:16 -0300")
Message-ID: <ldvtwjdxca2.fsf@sarnath.mit.edu>
Lines: 169
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBIsWRmVeSWpSXmKPExsUixCmqrTvjCVu4QeNvLYsHR2axWxx9LGHx 4HALm8WMPxOZLU6/Wcdm8WHhQxYHNo8pvzeyeuycdZfdY8mSn0weXy5/ZvNo6b/IEsAaxWWT kpqTWZZapG+XwJVx/eZS5oL1BhWHtl1kbGA8oNjFyMkhIWAicWzSXrYuRi4OIYE2JonlzauZ IZwNjBJ75jUxQTivGSV+PpnFDtLCJiAtcfzyLiYQW0RAVaJ/6xYWkCJmgUuMEh3vzjCDJIQF HCR2nl/HCNG9jEWiYfsWsAQLUMfVb0/BJnEKZErc23GTDcTmFdCVWHFqK9BUDg4eAS6JNdc5 IcKCEidnPmEBsZkFtCRu/HvJNIGRfxaS1CwkqQWMTKsYZVNyq3RzEzNzilOTdYuTE/PyUot0 TfRyM0v0UlNKNzGCA1iSfwfjnAbvQ4wCHIxKPLwWnazhQqyJZcWVuYcYJTmYlER5ZXayhQvx JeWnVGYkFmfEF5XmpBYfYpTgYFYS4ZW8D5TjTUmsrEotyodJSXOwKInzMjIwMAgJpCeWpGan phakFsFkZTg4lCR4Jz8GahQsSk1PrUjLzClBSDNxcIIM5wEa3gJSw1tckJhbnJkOkT/FqCgl zhsIkhAASWSU5sH1ghOMEOO+V4ziQK8I88qAVPEAkxNc9yugwUxAgy/wgw0uSURISTUwKhm3 rdOzfPDzUpzCO5sqq4X/rpQEvU2+dS1I2OnDwwjZxas+/wiNMjXg5OHcsdNy3fdbHa9V+M6v 1zn3qSPzxTdfKdvIBbwm+xld5jcXri0+tahVULKP45X2npdhbxQSA8UvpUxeF6v7/MLHooC1 1hLSk87u1LQNuMYyIYqfq7dzc9iEvC+pSizFGYmGWsxFxYkA043V+wsDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/erATWzsGzS10tJRkYbuk05R4oU0>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, secdir@ietf.org, Andy Bierman <andy@yumaworks.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 22:52:12 -0000
I also think that is reasonable. -Tom Benoit Claise <bclaise@cisco.com> writes: > Hi Andy, > > I believe it works. > > Regards, Benoit >> Hi, >> >> Here is the proposed text: >> >> >> OLD: >> >> o /modules-state/module: The module list used in a server >> implementation may help an attacker identify the server >> capabilities and server implementations with known bugs. Server >> vulnerabilities may be specific to particular modules, module >> revisions, module features, or even module deviations. This >> information is included in each module entry. ... >> >> NEW: >> >> o /modules-state/module: The module list used in a server >> implementation may help an attacker identify the server >> capabilities and server implementations with known bugs. Although >> some of this information may be available to all users via the >> NETCONF <hello> message (or similar messages in other management >> protocols), this YANG module potentially exposes additional >> details that could be of some assistance to an attacker. Server >> vulnerabilities may be specific to particular modules, module >> revisions, module features, or even module deviations. This >> information is included in each module entry. ... >> >> >> If this is acceptable, I will post a -05 version. >> >> >> Andy >> >> >> On Thu, Mar 24, 2016 at 7:55 AM, Benoit Claise <bclaise@cisco.com >> <mailto:bclaise@cisco.com>> wrote: >> >> On 3/23/2016 9:30 PM, Andy Bierman wrote: >>> >>> >>> On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu >>> <mailto:tlyu@mit.edu>> wrote: >>> >>> Andy Bierman <andy@yumaworks.com <mailto:andy@yumaworks.com>> >>> writes: >>> >>> > The YANG library provides the revision date of the >>> deviations module, >>> > which is not included in the NETCONF <hello>. >>> > >>> > It also lists the submodules and their revisions, which is >>> > not contained in the NETCONF <hello>. >>> > >>> > The NETCONF <hello> message is not specified well enough to >>> > make any other generalizations about the differences. >>> >>> I think it would be good to explicitly mention that the YANG >>> library >>> provides a superset of the module and version information >>> that might be >>> available by other means, e.g., >>> >>> OLD >>> >>> Some of the readable data nodes in this YANG module may be >>> considered >>> sensitive or vulnerable in some network environments. It >>> is thus >>> important to control read access (e.g., via get, >>> get-config, or >>> notification) to these data nodes. These are the subtrees >>> and data >>> nodes and their sensitivity/vulnerability: >>> >>> NEW >>> >>> Some of the readable data nodes in this YANG module may be >>> considered >>> sensitive or vulnerable in some network environments and >>> authorization configurations. Although some of this >>> information may >>> be available to all users via the NETCONF <hello> message >>> (or similar >>> messages in other management protocols), this YANG module >>> potentially >>> exposes additional details that could be of some >>> assistance to an >>> attacker. It is thus important to control read access >>> (e.g., via >>> get, get-config, or notification) to these data nodes. >>> These are the >>> subtrees and data nodes and their sensitivity/vulnerability: >>> >>> >>> >>> >>> This is the security boilterplate text that is supposed to >>> go into every YANG module >>> >>> >>> https://tools.ietf.org/html/rfc6087#section-6.1 >>> >>> >>> I prefer to leave the boilerplate alone and move your text into >>> YANG library specific part. >> I would support this. >> >> Regards, Benoit >>> >>> >>> Andy >>> >>> I think if NETCONF access is restricted to a small number of >>> trusted >>> users (even for read-only access), the incremental risk posed by >>> revealing more details about the modules is small. I imagine >>> that there >>> are use cases for providing (restricted) read-only NETCONF >>> access to a >>> wider, mostly untrusted population, in which case the >>> detailed module >>> version information provided by the YANG library could >>> constitute a >>> non-trivial additional risk. I'm not sure of a good, concise >>> way to >>> express this. >>> >>> > The library is intended for other protocols such as RESTCONF. >>> > >>> > Is there some specific text you want changed? >>> >>> I think there could be ambiguity about whether "server" >>> refers to the >>> NETCONF (or other management protocol) server process on the >>> device, or >>> to the overall capabilities of the device. If the YANG >>> library could >>> provide details that could reveal to an attacker the existence of >>> vulnerabilities in the underlying network device >>> capabilities, it might >>> be good to mention it, e.g., >>> >>> In addition to revealing the potential existence of >>> vulnerabilities >>> in the network management protocol server on a device, >>> the detailed >>> version information available in the module list could >>> help an >>> attacker to discover the existence of vulnerable code in the >>> implementation of the underlying network capabilities (or >>> other >>> functionality) of the device on which the management >>> server is >>> running. >>> >>> >> >>
- [secdir] secdir review of draft-ietf-netconf-yang… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu