IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03

Benoit Claise <bclaise@cisco.com> Thu, 24 March 2016 15:10 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F5312DD10; Thu, 24 Mar 2016 08:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.53
X-Spam-Level:
X-Spam-Status: No, score=-14.53 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oyv8wPfvumJi; Thu, 24 Mar 2016 08:10:22 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5418112DD2B; Thu, 24 Mar 2016 07:55:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11720; q=dns/txt; s=iport; t=1458831331; x=1460040931; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=GhelxFEmUmjt0HKTUx6OcGnFBALNxYujc2wxFyg6Nbk=; b=le+YfbHe8DyMDX/ws1ekdBtgh0Zr8QZhF/aSHoiQYixzGgMoLuUgWkqu OTJ03KKg8qmaty4caLaNUFWEgOeagPWIghBxqfpe5ls8G4M6KmcpvLnmh tJ3xrZQ16V650w0CMYdqU05MnZjjZeyt+vTg0PgFSzVZblgY/rhgEY6hc w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DSBABJ//NW/xbLJq1eDoN5fbVlhmwhhWwCgXsBAQEBAQFlJ4RBAQEBAwEjVQEFCwsYCRYIAwICCQMCAQIBNBEGAQwGAgEBiBsIDrAGkGoBAQEBAQEBAQEBAQEBAQEBAQEBAQERBIYehESEJIMYglYFkwWEWYVxiBOBZodRI4Uxjwligyo8OzABiVMBAQE
X-IronPort-AV: E=Sophos;i="5.24,385,1454976000"; d="scan'208,217";a="636512449"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Mar 2016 14:55:29 +0000
Received: from [10.60.67.86] (ams-bclaise-8915.cisco.com [10.60.67.86]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id u2OEtStl000530; Thu, 24 Mar 2016 14:55:28 GMT
To: Andy Bierman <andy@yumaworks.com>, Tom Yu <tlyu@mit.edu>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu> <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com> <ldv7fgu42vj.fsf@sarnath.mit.edu> <CABCOCHSv9yr6sJijuRLZ5UYfCdCBsy78M6hundbYiX9=fDV6Jg@mail.gmail.com> <ldvvb4d2dca.fsf@sarnath.mit.edu> <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <56F3FFE0.3040408@cisco.com>
Date: Thu, 24 Mar 2016 15:55:28 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060603080609070803000102"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/i6c8lVq7G0K8_JP9phyy-VhfVNk>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2016 15:10:25 -0000

On 3/23/2016 9:30 PM, Andy Bierman wrote:
>
>
> On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu 
> <mailto:tlyu@mit.edu>> wrote:
>
>     Andy Bierman <andy@yumaworks.com <mailto:andy@yumaworks.com>> writes:
>
>     > The YANG library provides the revision date of the deviations
>     module,
>     > which is not included in the NETCONF <hello>.
>     >
>     > It  also lists the submodules and their revisions, which is
>     > not contained in the NETCONF <hello>.
>     >
>     > The NETCONF <hello> message is not specified well enough to
>     > make any other generalizations about the differences.
>
>     I think it would be good to explicitly mention that the YANG library
>     provides a superset of the module and version information that
>     might be
>     available by other means, e.g.,
>
>     OLD
>
>        Some of the readable data nodes in this YANG module may be
>     considered
>        sensitive or vulnerable in some network environments. It is thus
>        important to control read access (e.g., via get, get-config, or
>        notification) to these data nodes.  These are the subtrees and data
>        nodes and their sensitivity/vulnerability:
>
>     NEW
>
>        Some of the readable data nodes in this YANG module may be
>     considered
>        sensitive or vulnerable in some network environments and
>        authorization configurations.  Although some of this
>     information may
>        be available to all users via the NETCONF <hello> message (or
>     similar
>        messages in other management protocols), this YANG module
>     potentially
>        exposes additional details that could be of some assistance to an
>        attacker.  It is thus important to control read access (e.g., via
>        get, get-config, or notification) to these data nodes. These
>     are the
>        subtrees and data nodes and their sensitivity/vulnerability:
>
>
>
>
> This is the security boilterplate text that is supposed to
> go into every YANG module
>
>
> https://tools.ietf.org/html/rfc6087#section-6.1
>
>
> I prefer to leave the boilerplate alone and move your text into
> YANG library specific part.
I would support this.

Regards, Benoit
>
>
> Andy
>
>     I think if NETCONF access is restricted to a small number of trusted
>     users (even for read-only access), the incremental risk posed by
>     revealing more details about the modules is small.  I imagine that
>     there
>     are use cases for providing (restricted) read-only NETCONF access to a
>     wider, mostly untrusted population, in which case the detailed module
>     version information provided by the YANG library could constitute a
>     non-trivial additional risk.  I'm not sure of a good, concise way to
>     express this.
>
>     > The library is intended for other protocols such as RESTCONF.
>     >
>     > Is there some specific text you want changed?
>
>     I think there could be ambiguity about whether "server" refers to the
>     NETCONF (or other management protocol) server process on the
>     device, or
>     to the overall capabilities of the device.  If the YANG library could
>     provide details that could reveal to an attacker the existence of
>     vulnerabilities in the underlying network device capabilities, it
>     might
>     be good to mention it, e.g.,
>
>         In addition to revealing the potential existence of
>     vulnerabilities
>         in the network management protocol server on a device, the
>     detailed
>         version information available in the module list could help an
>         attacker to discover the existence of vulnerable code in the
>         implementation of the underlying network capabilities (or other
>         functionality) of the device on which the management server is
>         running.
>
>

v2.23.0 | Report a Bug | By Email