Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
Benoit Claise <bclaise@cisco.com> Thu, 07 April 2016 19:31 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71C0C12D0EF; Thu, 7 Apr 2016 12:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.481
X-Spam-Level:
X-Spam-Status: No, score=-13.481 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSZKtRXlgBOs; Thu, 7 Apr 2016 12:31:07 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76E3812D0BA; Thu, 7 Apr 2016 12:31:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18507; q=dns/txt; s=iport; t=1460057467; x=1461267067; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=RGtFypzpTrqU2SryRkZHChEWWh4AtIfwcOWPa7tR4K4=; b=NZ3AHm2BAsafmZ2+L/ynOBQis0M1wrzgr9Feh4af98YeVV/sU/GK+35f bT5ebElZzw3mYi//Yt7IpUf5XLwMQUJ9qdjGjOuoWEbj5gvjfFHL93OzW AYkge863mMtSCtzp8bLrO+de0TM32fnPE6BcMFOKKohCOw+dhrMLY+l+3 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AaAgBVtAZX/4YNJK1TCoM3U326QwENgXMhhWwCgUU4FAEBAQEBAQFlJ4RBAQEBAwEjVQEFCwsYCRYIAwICCQMCAQIBNBEGDAEGAgEBiBsIDq9okX0BAQEBAQEBAQEBAQEBAQEBAQEBAQERBIYhhEuEFRKDGIJWBZMZhGuFd4gVgWeHUiOFMo8kHgEBQoQBIjABiTgBAQE
X-IronPort-AV: E=Sophos;i="5.24,449,1454976000"; d="scan'208,217";a="257939009"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Apr 2016 19:31:05 +0000
Received: from [10.24.90.81] ([10.24.90.81]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u37JUwiO013774; Thu, 7 Apr 2016 19:30:59 GMT
To: Andy Bierman <andy@yumaworks.com>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu> <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com> <ldv7fgu42vj.fsf@sarnath.mit.edu> <CABCOCHSv9yr6sJijuRLZ5UYfCdCBsy78M6hundbYiX9=fDV6Jg@mail.gmail.com> <ldvvb4d2dca.fsf@sarnath.mit.edu> <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com> <56F3FFE0.3040408@cisco.com> <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <5705C32C.2010200@cisco.com>
Date: Wed, 06 Apr 2016 23:17:16 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------080201010401070606030905"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ivjSY5sRBnQ1J0vEbkqsWp77O38>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 19:31:11 -0000
Hi Andy, I believe it works. Regards, Benoit > Hi, > > Here is the proposed text: > > > OLD: > > o /modules-state/module: The module list used in a server > implementation may help an attacker identify the server > capabilities and server implementations with known bugs. Server > vulnerabilities may be specific to particular modules, module > revisions, module features, or even module deviations. This > information is included in each module entry. ... > > NEW: > > o /modules-state/module: The module list used in a server > implementation may help an attacker identify the server > capabilities and server implementations with known bugs. Although > some of this information may be available to all users via the > NETCONF <hello> message (or similar messages in other management > protocols), this YANG module potentially exposes additional > details that could be of some assistance to an attacker. Server > vulnerabilities may be specific to particular modules, module > revisions, module features, or even module deviations. This > information is included in each module entry. ... > > > If this is acceptable, I will post a -05 version. > > > Andy > > > On Thu, Mar 24, 2016 at 7:55 AM, Benoit Claise <bclaise@cisco.com > <mailto:bclaise@cisco.com>> wrote: > > On 3/23/2016 9:30 PM, Andy Bierman wrote: >> >> >> On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu >> <mailto:tlyu@mit.edu>> wrote: >> >> Andy Bierman <andy@yumaworks.com <mailto:andy@yumaworks.com>> >> writes: >> >> > The YANG library provides the revision date of the >> deviations module, >> > which is not included in the NETCONF <hello>. >> > >> > It also lists the submodules and their revisions, which is >> > not contained in the NETCONF <hello>. >> > >> > The NETCONF <hello> message is not specified well enough to >> > make any other generalizations about the differences. >> >> I think it would be good to explicitly mention that the YANG >> library >> provides a superset of the module and version information >> that might be >> available by other means, e.g., >> >> OLD >> >> Some of the readable data nodes in this YANG module may be >> considered >> sensitive or vulnerable in some network environments. It >> is thus >> important to control read access (e.g., via get, >> get-config, or >> notification) to these data nodes. These are the subtrees >> and data >> nodes and their sensitivity/vulnerability: >> >> NEW >> >> Some of the readable data nodes in this YANG module may be >> considered >> sensitive or vulnerable in some network environments and >> authorization configurations. Although some of this >> information may >> be available to all users via the NETCONF <hello> message >> (or similar >> messages in other management protocols), this YANG module >> potentially >> exposes additional details that could be of some >> assistance to an >> attacker. It is thus important to control read access >> (e.g., via >> get, get-config, or notification) to these data nodes. >> These are the >> subtrees and data nodes and their sensitivity/vulnerability: >> >> >> >> >> This is the security boilterplate text that is supposed to >> go into every YANG module >> >> >> https://tools.ietf.org/html/rfc6087#section-6.1 >> >> >> I prefer to leave the boilerplate alone and move your text into >> YANG library specific part. > I would support this. > > Regards, Benoit >> >> >> Andy >> >> I think if NETCONF access is restricted to a small number of >> trusted >> users (even for read-only access), the incremental risk posed by >> revealing more details about the modules is small. I imagine >> that there >> are use cases for providing (restricted) read-only NETCONF >> access to a >> wider, mostly untrusted population, in which case the >> detailed module >> version information provided by the YANG library could >> constitute a >> non-trivial additional risk. I'm not sure of a good, concise >> way to >> express this. >> >> > The library is intended for other protocols such as RESTCONF. >> > >> > Is there some specific text you want changed? >> >> I think there could be ambiguity about whether "server" >> refers to the >> NETCONF (or other management protocol) server process on the >> device, or >> to the overall capabilities of the device. If the YANG >> library could >> provide details that could reveal to an attacker the existence of >> vulnerabilities in the underlying network device >> capabilities, it might >> be good to mention it, e.g., >> >> In addition to revealing the potential existence of >> vulnerabilities >> in the network management protocol server on a device, >> the detailed >> version information available in the module list could >> help an >> attacker to discover the existence of vulnerable code in the >> implementation of the underlying network capabilities (or >> other >> functionality) of the device on which the management >> server is >> running. >> >> > >
- [secdir] secdir review of draft-ietf-netconf-yang… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Mahesh Jethanandani
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Andy Bierman
- Re: [secdir] secdir review of draft-ietf-netconf-… Benoit Claise
- Re: [secdir] secdir review of draft-ietf-netconf-… Tom Yu