Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03

Benoit Claise <bclaise@cisco.com> Thu, 07 April 2016 19:31 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71C0C12D0EF; Thu, 7 Apr 2016 12:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.481
X-Spam-Level:
X-Spam-Status: No, score=-13.481 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSZKtRXlgBOs; Thu, 7 Apr 2016 12:31:07 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76E3812D0BA; Thu, 7 Apr 2016 12:31:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18507; q=dns/txt; s=iport; t=1460057467; x=1461267067; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=RGtFypzpTrqU2SryRkZHChEWWh4AtIfwcOWPa7tR4K4=; b=NZ3AHm2BAsafmZ2+L/ynOBQis0M1wrzgr9Feh4af98YeVV/sU/GK+35f bT5ebElZzw3mYi//Yt7IpUf5XLwMQUJ9qdjGjOuoWEbj5gvjfFHL93OzW AYkge863mMtSCtzp8bLrO+de0TM32fnPE6BcMFOKKohCOw+dhrMLY+l+3 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AaAgBVtAZX/4YNJK1TCoM3U326QwENg?= =?us-ascii?q?XMhhWwCgUU4FAEBAQEBAQFlJ4RBAQEBAwEjVQEFCwsYCRYIAwICCQMCAQIBNBE?= =?us-ascii?q?GDAEGAgEBiBsIDq9okX0BAQEBAQEBAQEBAQEBAQEBAQEBAQERBIYhhEuEFRKDG?= =?us-ascii?q?IJWBZMZhGuFd4gVgWeHUiOFMo8kHgEBQoQBIjABiTgBAQE?=
X-IronPort-AV: E=Sophos;i="5.24,449,1454976000"; d="scan'208,217";a="257939009"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Apr 2016 19:31:05 +0000
Received: from [10.24.90.81] ([10.24.90.81]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u37JUwiO013774; Thu, 7 Apr 2016 19:30:59 GMT
To: Andy Bierman <andy@yumaworks.com>
References: <ldvbn7z6f7s.fsf@sarnath.mit.edu> <6AAFCD6E-4F8D-409C-ACB1-53C03413AF7F@gmail.com> <ldvwppsjnde.fsf@sarnath.mit.edu> <CABCOCHRxkgQ+pPaDQWGNWvVohA5cbdJtHGaH6RW9O-JFCG2-0A@mail.gmail.com> <ldv7fgu42vj.fsf@sarnath.mit.edu> <CABCOCHSv9yr6sJijuRLZ5UYfCdCBsy78M6hundbYiX9=fDV6Jg@mail.gmail.com> <ldvvb4d2dca.fsf@sarnath.mit.edu> <CABCOCHTWmaWxHBMYYPLSVywZW-3GciqfEcgaNJByzoXdd6cUwQ@mail.gmail.com> <56F3FFE0.3040408@cisco.com> <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <5705C32C.2010200@cisco.com>
Date: Wed, 6 Apr 2016 23:17:16 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CABCOCHS4XkCHNjfezcskd=EZU8ES4h6K4gmqrKCgL4f9b-AKow@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------080201010401070606030905"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ivjSY5sRBnQ1J0vEbkqsWp77O38>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, draft-ietf-netconf-yang-library.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-netconf-yang-library-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 19:31:11 -0000

Hi Andy,

I believe it works.

Regards, Benoit
> Hi,
>
> Here is the proposed text:
>
>
> OLD:
>
>    o  /modules-state/module: The module list used in a server
>       implementation may help an attacker identify the server
>       capabilities and server implementations with known bugs. Server
>       vulnerabilities may be specific to particular modules, module
>       revisions, module features, or even module deviations. This
>       information is included in each module entry. ...
>
> NEW:
>
>    o  /modules-state/module: The module list used in a server
>       implementation may help an attacker identify the server
>       capabilities and server implementations with known bugs.  Although
>       some of this information may be available to all users via the
>       NETCONF <hello> message (or similar messages in other management
>       protocols), this YANG module potentially exposes additional
>       details that could be of some assistance to an attacker.  Server
>       vulnerabilities may be specific to particular modules, module
>       revisions, module features, or even module deviations.  This
>       information is included in each module entry. ...
>
>
> If this is acceptable, I will post a -05 version.
>
>
> Andy
>
>
> On Thu, Mar 24, 2016 at 7:55 AM, Benoit Claise <bclaise@cisco.com 
> <mailto:bclaise@cisco.com>> wrote:
>
>     On 3/23/2016 9:30 PM, Andy Bierman wrote:
>>
>>
>>     On Wed, Mar 23, 2016 at 12:39 PM, Tom Yu <tlyu@mit.edu
>>     <mailto:tlyu@mit.edu>> wrote:
>>
>>         Andy Bierman <andy@yumaworks.com <mailto:andy@yumaworks.com>>
>>         writes:
>>
>>         > The YANG library provides the revision date of the
>>         deviations module,
>>         > which is not included in the NETCONF <hello>.
>>         >
>>         > It  also lists the submodules and their revisions, which is
>>         > not contained in the NETCONF <hello>.
>>         >
>>         > The NETCONF <hello> message is not specified well enough to
>>         > make any other generalizations about the differences.
>>
>>         I think it would be good to explicitly mention that the YANG
>>         library
>>         provides a superset of the module and version information
>>         that might be
>>         available by other means, e.g.,
>>
>>         OLD
>>
>>            Some of the readable data nodes in this YANG module may be
>>         considered
>>            sensitive or vulnerable in some network environments.  It
>>         is thus
>>            important to control read access (e.g., via get,
>>         get-config, or
>>            notification) to these data nodes.  These are the subtrees
>>         and data
>>            nodes and their sensitivity/vulnerability:
>>
>>         NEW
>>
>>            Some of the readable data nodes in this YANG module may be
>>         considered
>>            sensitive or vulnerable in some network environments and
>>            authorization configurations.  Although some of this
>>         information may
>>            be available to all users via the NETCONF <hello> message
>>         (or similar
>>            messages in other management protocols), this YANG module
>>         potentially
>>            exposes additional details that could be of some
>>         assistance to an
>>            attacker.  It is thus important to control read access
>>         (e.g., via
>>            get, get-config, or notification) to these data nodes. 
>>         These are the
>>            subtrees and data nodes and their sensitivity/vulnerability:
>>
>>
>>
>>
>>     This is the security boilterplate text that is supposed to
>>     go into every YANG module
>>
>>
>>     https://tools.ietf.org/html/rfc6087#section-6.1
>>
>>
>>     I prefer to leave the boilerplate alone and move your text into
>>     YANG library specific part.
>     I would support this.
>
>     Regards, Benoit
>>
>>
>>     Andy
>>
>>         I think if NETCONF access is restricted to a small number of
>>         trusted
>>         users (even for read-only access), the incremental risk posed by
>>         revealing more details about the modules is small.  I imagine
>>         that there
>>         are use cases for providing (restricted) read-only NETCONF
>>         access to a
>>         wider, mostly untrusted population, in which case the
>>         detailed module
>>         version information provided by the YANG library could
>>         constitute a
>>         non-trivial additional risk.  I'm not sure of a good, concise
>>         way to
>>         express this.
>>
>>         > The library is intended for other protocols such as RESTCONF.
>>         >
>>         > Is there some specific text you want changed?
>>
>>         I think there could be ambiguity about whether "server"
>>         refers to the
>>         NETCONF (or other management protocol) server process on the
>>         device, or
>>         to the overall capabilities of the device.  If the YANG
>>         library could
>>         provide details that could reveal to an attacker the existence of
>>         vulnerabilities in the underlying network device
>>         capabilities, it might
>>         be good to mention it, e.g.,
>>
>>             In addition to revealing the potential existence of
>>         vulnerabilities
>>             in the network management protocol server on a device,
>>         the detailed
>>             version information available in the module list could
>>         help an
>>             attacker to discover the existence of vulnerable code in the
>>             implementation of the underlying network capabilities (or
>>         other
>>             functionality) of the device on which the management
>>         server is
>>             running.
>>
>>
>
>