IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04

Leif Johansson <leifj@sunet.se> Wed, 11 April 2012 10:08 UTC

Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7B811E8086; Wed, 11 Apr 2012 03:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0q3GeMaBsH6P; Wed, 11 Apr 2012 03:08:48 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 83C6621F866A; Wed, 11 Apr 2012 03:08:43 -0700 (PDT)
Received: from [109.105.104.178] (dhcp44.se-tug.nordu.net [109.105.104.178] (may be forged)) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q3BA8b4Z017721 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Apr 2012 12:08:40 +0200 (CEST)
Message-ID: <4F855825.1090409@sunet.se>
Date: Wed, 11 Apr 2012 12:08:37 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120329 Thunderbird/11.0.1
MIME-Version: 1.0
To: Leif Johansson <leifj@nordu.net>, draft-ietf-netmod-smi-yang.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <4F853D62.1090204@sunet.se> <20120411091551.GA26732@elstar.local> <4F854E70.4060900@sunet.se> <20120411094234.GA26959@elstar.local>
In-Reply-To: <20120411094234.GA26959@elstar.local>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 10:08:48 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/11/2012 11:42 AM, Juergen Schoenwaelder wrote:
> On Wed, Apr 11, 2012 at 11:27:12AM +0200, Leif Johansson wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 04/11/2012 11:15 AM, Juergen Schoenwaelder wrote:
>>> On Wed, Apr 11, 2012 at 10:14:26AM +0200, Leif Johansson
>>> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>> 
>>>> 
>>>> Hi,
>>>> 
>>>> I have reviewed this document as part of the security 
>>>> directorate's ongoing effort to review all IETF documents
>>>> being processed by the IESG.  These comments were written
>>>> primarily for the benefit of the security area directors.
>>>> Document editors and WG chairs should treat these comments
>>>> just like any other last call comments.
>>>> 
>>>> The document specifies a translation between SMIv2 (and by 
>>>> reference to RFC 3584, SMIv1) and YANG. YANG is the
>>>> information model language used in NETCONF.
>>>> 
>>>> This draft is outside my subject-matter expertise but the
>>>> core security issue seems to be around translation of the
>>>> SMIv2 MAX-ACCESS macro to YANG. Since YANG doesn't define
>>>> any corresponding element an extension to YANG is defined.
>>>> 
>>>> However there doesn't seem to be any requirement to
>>>> implement that extension. The security considerations section
>>>> refers the reader to the security considerations sections for
>>>> YANG, NETCONF, SMI etc but claims that "The translation
>>>> itself has no security impact on the Internet.".
>>>> 
>>>> I would have liked to see a clear normative statement to the 
>>>> effect that if you relied on MAX-ACCESS in the SMIv2 version
>>>> of a MIB then you MUST implement the YANG extension for SMI
>>>> and that the NETCONF implementation used MUST respect the
>>>> resulting smiv2:max-access statements.
>>> 
>>> Hi,
>>> 
>>> the MAX-ACCESS in the SMIv2 really has nothing to do with
>>> access control. See section 7.3 of RFC 2578 for the details.
>>> Also note that the SMiv2 to YANG mapping is readonly, that is
>>> even if the SMIv2 MAX-ACCESS is "read-write" or "read-create",
>>> the corresponsing YANG leaf is read-only.
>>> 
>>> Note that access control in the SNMP world is handled by VACM
>>> (RFC 3415) and in the NETCONF world by NACM (RFC 6536).
>>> 
>>> /js
>>> 
>> 
>> As I said this is somewhat outside my comfort-zone but I don't 
>> understand how MAX-ACCESS isn't related to access restrictions 
>> given the security considerations section of rfc 3584.
> 
> The MAX-ACCESS documents whether an object from a data modeling 
> perspective is in principle writable/creatable or always readonly.
> In other words, it documents that maximum possible access to an
> object from a data modeling perspective. There are objects (e.g.,
> counters) that are inherently readonly and hence have a MAX-ACCESS
> readonly. Other objects may in principle be writable from a
> modeling perspective. There are two ways to constrain a MAX-ACCESS
> in the SNMP world:
> 
> * First, implementation may implement writable objects as readonly 
> objects.  Sometimes there are specific conformance definitions
> that specifically allow for such implementations. Sometimes 
> implementations do this on their own choice, ideally documented in 
> so call AGENT-CAPABILITIES (a machine readable documentation of 
> deviations from a conformance definition).
> 
> * Second, an access control model (with a collection of access
> control rules) is used to determine at runtime whether the
> MAX-ACCESS should be restricted.
> 
> The MIB security considerations boilerplate commonly used in MIB 
> documents requires that MIB authors document which objects may be 
> criticial to protect. This is essentially advise to people
> deploying MIB modules on how to construct their runtime access
> control rules.
> 
> Coming back to the SMIv2 to YANG translation, it turned out that
> for various other technical reasons, the translation to YANG is
> readonly (or config false as we say in the YANG community). Hence,
> even if an SMIv2 object has a MAX-ACCESS of readwrite, the
> corresponding YANG leaf will be config false. Hence, the current
> text in the security considerations says:
> 
> 13.  Security Considerations
> 
> This document defines a translation of SMIv2 MIB modules into YANG 
> modules, enabling read-only access to data objects defined in
> SMIv2 MIB modules via NETCONF.  The translation itself has no
> security impact on the Internet.
> 
> Does this help?
> 
> /js
> 

It helps me right now but how do we help future readers? I jumped to
this conclusion just by tracing some of the security considerations
sections. Perhaps you should add a a condensed version of your excellent
explanation to the security considerations?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+FWCUACgkQ8Jx8FtbMZncLkgCfapCD+u5r5atcyG1v7b0fTNca
FVMAn0V2cLrHYjhqRMTMzjnsNII1DPzn
=2P16
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email