IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 11 April 2012 09:42 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500EB21F86E8; Wed, 11 Apr 2012 02:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.127
X-Spam-Level:
X-Spam-Status: No, score=-103.127 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUXzV98vbmwI; Wed, 11 Apr 2012 02:42:34 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by ietfa.amsl.com (Postfix) with ESMTP id 2329021F86D3; Wed, 11 Apr 2012 02:42:34 -0700 (PDT)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 6A02820B6C; Wed, 11 Apr 2012 11:42:33 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id CTI2hF9TcpgH; Wed, 11 Apr 2012 11:42:33 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 000B220AFA; Wed, 11 Apr 2012 11:42:32 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id E91C41E5D612; Wed, 11 Apr 2012 11:42:34 +0200 (CEST)
Date: Wed, 11 Apr 2012 11:42:34 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Leif Johansson <leifj@sunet.se>
Message-ID: <20120411094234.GA26959@elstar.local>
Mail-Followup-To: Leif Johansson <leifj@sunet.se>, Leif Johansson <leifj@nordu.net>, draft-ietf-netmod-smi-yang.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <4F853D62.1090204@sunet.se> <20120411091551.GA26732@elstar.local> <4F854E70.4060900@sunet.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4F854E70.4060900@sunet.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: draft-ietf-netmod-smi-yang.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, Leif Johansson <leifj@nordu.net>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-netmod-smi-yang-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 09:42:35 -0000

On Wed, Apr 11, 2012 at 11:27:12AM +0200, Leif Johansson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 04/11/2012 11:15 AM, Juergen Schoenwaelder wrote:
> > On Wed, Apr 11, 2012 at 10:14:26AM +0200, Leif Johansson wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >> 
> >> 
> >> Hi,
> >> 
> >> I have reviewed this document as part of the security
> >> directorate's ongoing effort to review all IETF documents being
> >> processed by the IESG.  These comments were written primarily for
> >> the benefit of the security area directors. Document editors and
> >> WG chairs should treat these comments just like any other last
> >> call comments.
> >> 
> >> The document specifies a translation between SMIv2 (and by
> >> reference to RFC 3584, SMIv1) and YANG. YANG is the information
> >> model language used in NETCONF.
> >> 
> >> This draft is outside my subject-matter expertise but the core 
> >> security issue seems to be around translation of the SMIv2
> >> MAX-ACCESS macro to YANG. Since YANG doesn't define any
> >> corresponding element an extension to YANG is defined.
> >> 
> >> However there doesn't seem to be any requirement to implement
> >> that extension. The security considerations section refers the
> >> reader to the security considerations sections for YANG, NETCONF,
> >> SMI etc but claims that "The translation itself has no security
> >> impact on the Internet.".
> >> 
> >> I would have liked to see a clear normative statement to the
> >> effect that if you relied on MAX-ACCESS in the SMIv2 version of a
> >> MIB then you MUST implement the YANG extension for SMI and that
> >> the NETCONF implementation used MUST respect the resulting
> >> smiv2:max-access statements.
> > 
> > Hi,
> > 
> > the MAX-ACCESS in the SMIv2 really has nothing to do with access 
> > control. See section 7.3 of RFC 2578 for the details. Also note
> > that the SMiv2 to YANG mapping is readonly, that is even if the
> > SMIv2 MAX-ACCESS is "read-write" or "read-create", the
> > corresponsing YANG leaf is read-only.
> > 
> > Note that access control in the SNMP world is handled by VACM (RFC 
> > 3415) and in the NETCONF world by NACM (RFC 6536).
> > 
> > /js
> > 
> 
> As I said this is somewhat outside my comfort-zone but I don't
> understand how MAX-ACCESS isn't related to access restrictions
> given the security considerations section of rfc 3584.

The MAX-ACCESS documents whether an object from a data modeling
perspective is in principle writable/creatable or always readonly. In
other words, it documents that maximum possible access to an object
from a data modeling perspective. There are objects (e.g., counters)
that are inherently readonly and hence have a MAX-ACCESS readonly.
Other objects may in principle be writable from a modeling
perspective. There are two ways to constrain a MAX-ACCESS in the SNMP
world:

* First, implementation may implement writable objects as readonly
  objects.  Sometimes there are specific conformance definitions that
  specifically allow for such implementations. Sometimes
  implementations do this on their own choice, ideally documented in
  so call AGENT-CAPABILITIES (a machine readable documentation of
  deviations from a conformance definition).

* Second, an access control model (with a collection of access control
  rules) is used to determine at runtime whether the MAX-ACCESS should
  be restricted.

The MIB security considerations boilerplate commonly used in MIB
documents requires that MIB authors document which objects may be
criticial to protect. This is essentially advise to people deploying
MIB modules on how to construct their runtime access control rules.

Coming back to the SMIv2 to YANG translation, it turned out that for
various other technical reasons, the translation to YANG is readonly
(or config false as we say in the YANG community). Hence, even if an
SMIv2 object has a MAX-ACCESS of readwrite, the corresponding YANG
leaf will be config false. Hence, the current text in the security
considerations says:

  13.  Security Considerations

     This document defines a translation of SMIv2 MIB modules into YANG
     modules, enabling read-only access to data objects defined in SMIv2
     MIB modules via NETCONF.  The translation itself has no security
     impact on the Internet.

Does this help?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email