Re: [secdir] [Last-Call] [i2rs] Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13
Christian Huitema <huitema@huitema.net> Fri, 26 June 2020 15:57 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C90643A089B for <secdir@ietfa.amsl.com>; Fri, 26 Jun 2020 08:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJPRF3yWQp5y for <secdir@ietfa.amsl.com>; Fri, 26 Jun 2020 08:56:50 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89A633A0845 for <secdir@ietf.org>; Fri, 26 Jun 2020 08:56:50 -0700 (PDT)
Received: from xse425.mail2web.com ([66.113.197.171] helo=xse.mail2web.com) by mx166.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1jopn7-000nPE-OY for secdir@ietf.org; Fri, 26 Jun 2020 16:57:28 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 49tg0W4pgWz1kMl for <secdir@ietf.org>; Fri, 26 Jun 2020 07:55:07 -0700 (PDT)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1jopkx-0000pn-H2 for secdir@ietf.org; Fri, 26 Jun 2020 07:55:07 -0700
Received: (qmail 15894 invoked from network); 26 Jun 2020 14:55:07 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.153]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <netmod@ietf.org>; 26 Jun 2020 14:55:06 -0000
To: Qin Wu <bill.wu@huawei.com>, Susan Hares <shares@ndzh.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "i2rs@ietf.org" <i2rs@ietf.org>, "draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org" <draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, NETMOD Group <netmod@ietf.org>
References: <B8F9A780D330094D99AF023C5877DABAAD7BCE5D@dggeml531-mbs.china.huawei.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <34bbf063-7973-b7aa-c407-0ac9c071a648@huitema.net>
Date: Fri, 26 Jun 2020 07:55:05 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAAD7BCE5D@dggeml531-mbs.china.huawei.com>
Content-Type: multipart/alternative; boundary="------------D1256F2AD8D9EE12B56C05C7"
Content-Language: en-US
X-Originating-IP: 66.113.197.171
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0f6LF1GdvkEexklpcFpSF5apSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDcQkv3rfK9nOh84B6FNp+WsRX qYbtEQV1z/L435ZRxFTNk2Aq4CB1uIboA4Kt9mVxZfHZrMQ8Ke0Z8pjKFUegibQrHWZPpqYwb4n/ 5SxQwXAlwKhAEGVwhQsL2SvUkQClr78mGWw0jJjCZO5tGoeKZsxKTagmQ3xMyVZ07UERWzx6BTXs FxcSzhpFHKuVDd8Suy8lNDS0QWWkADhl7glCR9PbrhSmW22tW1yBxgRT8bmxZJSIFVPkVVALPRKr lHlM3kWCH4Q79vaQ+COHDJAgLHQOD0r6/AaHZiEtdTMtMlgTBUa5LSawQcdT80HH17nNg8oiq9mz mwrbQbTulSg7juWBOXp8nHKe0R+FkIqN7hkFZqA6TBkpoO/ktnXt0JlLIRFsicyJMEhQFtD8PLoi nuxTyssp4L0plUGigax8zy4LpVxP5YFZg5fgueXLf6LKHDJ71JSXKkUqfqsTqwEEUOidX4Ts4xdG +C13IyWeZaLEvcYUkOTUkAbSil5+2+oX4nuZrRf7bMi0WRR6pZ+nWUKyccnhCI7Z+Axb9iK+poxX 0SU68ek9wyYNR7nSKrZbQsAM8hGlAkv+YXlQiOyIRazNjLvclnGzlTC8ZgkR3laIWqvAxiBHuIuS y5fCAlEk/IshhXkNQo0J2t+/Bq8+iVACVO3tx78u0bG7If2TCVTVXBgwIGr26umyD/gWRYtGmqBm J5LhaWhCjk5k4tfJqTnzSXChKWk/itcbicJsIPcjnBEvkV2mIEMgGUnrK6lIfqb5R4VemuUI6bcE ARsm0De6PaZO6/JToEyx4tmc5OljkPSpPXAVjl2oMr8a1xm0wfXUFMjTH2DyD8i5kO5bZlYFvf25 LVONYbYifH5OzZCwIgD/xDehea09OpnwSuobZrrGExMR7eTbBjMGDKI3ijhhJn7Muv/NHXl0o++8 3wM=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tcwYLDfCChj6aYO5W0zqmq79c8k>
Subject: Re: [secdir] [Last-Call] [i2rs] Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 15:57:14 -0000
I like variant B better, although I would not single out the mac addresses in the "sabotage" warning. My main concern is that network administrators will naturally be very concerned about information that is writable/creatable/deletable, because they understand the impact on the management of their network. However, they are not so concerned with read-only access, because reading information does not directly affect the operation of the network. My whole point is telling them, "you are documenting your L2 topology, it contains sensitive information, make sure that reading it is protected, not just writing it". I agree that NETCONF and RESTCONF provide the right tools for protecting the information. My request is just to clearly tell network administrators to use these tools, do not leave read access wide open! -- Christian Huitema On 6/26/2020 4:37 AM, Qin Wu wrote: > > Hi, Christian: > > 1. NACM defined in RFC8341 has already provided mechanisms to > restrict access to sensitive information to a minimal list of > authorized client or agents and deal with privacy issue if my > understanding is correct. > > 2. Both NETCONF and RESTCONF will rely on transport protocol > such as TLS to provide client authentication and server > authentication, i.e., mutual authentication. > > 3. The YANG security guideline defined in > https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines > > Provide perfect boilerplate to address both security consideration and > privacy consideration. > > My original proposal A to address your comments is: > > OLD TEXT: > > " > > There are a number of data nodes defined in this YANG module that are > > writable/creatable/deletable (i.e., config true, which is the > > default). These data nodes may be considered sensitive or vulnerable > > in some network environments. Write operations (e.g., edit-config) > > to these data nodes without proper protection can have a negative > > effect on network operations. These are the subtrees and data nodes > > and their sensitivity/vulnerability in the ietf-network module: > > > > o l2-network-attributes: A malicious client could attempt to > > sabotage the configuration of any of the contained attributes, > > such as the name or the flag data nodes. > > > > o l2-node-attributes: A malicious client could attempt to sabotage > > the configuration of important node attributes, such as the name > > or the management-address. > > > > o l2-link-attributes: A malicious client could attempt to sabotage > > the configuration of important link attributes, such as the rate > > or the delay data nodes. > > > > o l2-termination-point-attributes: A malicious client could attempt > > to sabotage the configuration of important termination point > > attributes, such as the maximum-frame-size. > > " > > NEW TEXT: > > " > > There are a number of data nodes defined in this YANG module that are > > writable/creatable/deletable (i.e., config true, which is the > > default). These data nodes may be considered sensitive or vulnerable > > in some network environments. Write operations (e.g., edit-config) > > to these data nodes without proper protection can have a negative > > effect on network operations. These are the subtrees and data nodes > > and their sensitivity/vulnerability in the ietf-network module: > > > > o l2-network-attributes: A malicious client could attempt to > > sabotage the configuration of any of the contained attributes, > > such as the name or the flag data nodes. > > > > o l2-node-attributes: A malicious client could attempt to sabotage > > the configuration of important node attributes, such as the name > > ,the management-address *or mac address of the devices*. > > > > o l2-link-attributes: A malicious client could attempt to sabotage > > the configuration of important link attributes, such as the rate > > or the delay data nodes. > > > > o l2-termination-point-attributes: A malicious client could attempt > > to sabotage the configuration of important termination point > > attributes, such as the maximum-frame-size, *mac-address*. > > " > > > > With your proposed text, we could have the following proposal changes > (Proposal B): > > OLD TEXT: > > " > > 6. Security Considerations > > > > The YANG module specified in this document defines a schema for data > > that is designed to be accessed via network management protocols such > > as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer > > is the secure transport layer, and the mandatory-to-implement secure > > transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer > > is HTTPS, and the mandatory-to-implement secure transport is TLS > > [RFC8446]. > > > > The Network Configuration Access Control Model (NACM) [RFC8341] > > provides the means to restrict access for particular NETCONF or > > > > RESTCONF users to a preconfigured subset of all available NETCONF or > > RESTCONF protocol operations and content. > > > > In general, Layer 2 network topologies are system-controlled and > > provide ephemeral topology information. In an NMDA-complient server, > > they are only part of <operational> which provides read-only access > > to clients, they are less vulnerable. That said, the YANG module > > does in principle allow information to be configurable. > > > > The Layer 2 topology module define information that can be > > configurable in certain instances, for example in the case of virtual > > topologies that can be created by client applications. In such > > cases, a malicious client could introduce topologies that are > > undesired. Specifically, a malicious client could attempt to remove > > or add a node, a link, a termination point, by creating or deleting > > corresponding elements in the node, link, and termination point > > lists, respectively. In the case of a topology that is learned, the > > server will automatically prohibit such misconfiguration attempts. > > In the case of a topology that is configured, i.e. whose origin is > > "intended", the undesired configuration could become effective and be > > reflected in the operational state datastore, leading to disruption > > of services provided via this topology might be disrupted. For those > > reasons, it is important that the NETCONF access control model is > > vigorously applied to prevent topology misconfiguration by > > unauthorized clients. > > > > There are a number of data nodes defined in this YANG module that are > > writable/creatable/deletable (i.e., config true, which is the > > default). These data nodes may be considered sensitive or vulnerable > > in some network environments. Write operations (e.g., edit-config) > > to these data nodes without proper protection can have a negative > > effect on network operations. These are the subtrees and data nodes > > and their sensitivity/vulnerability in the ietf-network module: > > > > o l2-network-attributes: A malicious client could attempt to > > sabotage the configuration of any of the contained attributes, > > such as the name or the flag data nodes. > > > > o l2-node-attributes: A malicious client could attempt to sabotage > > the configuration of important node attributes, such as the name > > or the management-address. > > > > o l2-link-attributes: A malicious client could attempt to sabotage > > the configuration of important link attributes, such as the rate > > or the delay data nodes. > > > > o l2-termination-point-attributes: A malicious client could attempt > > to sabotage the configuration of important termination point > > attributes, such as the maximum-frame-size. > > " > > NEW TEXT: > > " > > 6. Security Considerations > > > > The YANG module specified in this document defines a schema for data > > that is designed to be accessed via network management protocols such > > as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer > > is the secure transport layer, and the mandatory-to-implement secure > > transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer > > is HTTPS, and the mandatory-to-implement secure transport is TLS > > [RFC8446]. > > > > The Network Configuration Access Control Model (NACM) [RFC8341] > > provides the means to restrict access for particular NETCONF or > > RESTCONF users to a preconfigured subset of all available NETCONF or > > RESTCONF protocol operations and content. > > > > In general, Layer 2 network topologies are system-controlled and > > provide ephemeral topology information. In an NMDA-complient server, > > they are only part of <operational> which provides read-only access > > to clients, they are less vulnerable. That said, the YANG module > > does in principle allow information to be configurable. > > > > The Layer 2 topology module define information that can be > > configurable in certain instances, for example in the case of virtual > > topologies that can be created by client applications. In such > > cases, a malicious client could introduce topologies that are > > undesired. Specifically, a malicious client could attempt to remove > > or add a node, a link, a termination point, by creating or deleting > > corresponding elements in the node, link, and termination point > > lists, respectively. In the case of a topology that is learned, the > > server will automatically prohibit such misconfiguration attempts. > > In the case of a topology that is configured, i.e. whose origin is > > "intended", the undesired configuration could become effective and be > > reflected in the operational state datastore, leading to disruption > > of services provided via this topology might be disrupted. For those > > reasons, it is important that the NETCONF access control model is > > vigorously applied to prevent topology misconfiguration by > > unauthorized clients. > > > > * The YANG model for layer 2 topology may expose sensitive information, * > > * for example the MAC addresses of devices. Unrestricted use of such > information * > > * can lead to privacy violations. For example, listing MAC addresses > in a network * > > * allows monitoring of devices and their movements. Location > information can be derived* > > * from MAC addresses of network devices, bypassing protection of > location information by * > > * the Operating System. Deployments should mitigate this privacy > concerns by limiting access * > > * to the layer 2 topology information. Access to the information > should be restricted to a * > > * minimal list of authorized clients, and should also require proper > authentication of these clients.* > > > > There are a number of data nodes defined in this YANG module that are > > writable/creatable/deletable (i.e., config true, which is the > > default). These data nodes may be considered sensitive or vulnerable > > in some network environments. Write operations (e.g., edit-config) > > to these data nodes without proper protection can have a negative > > effect on network operations. These are the subtrees and data nodes > > and their sensitivity/vulnerability in the ietf-network module: > > > > o l2-network-attributes: A malicious client could attempt to > > sabotage the configuration of any of the contained attributes, > > such as the name or the flag data nodes. > > > > o l2-node-attributes: A malicious client could attempt to sabotage > > the configuration of important node attributes, such as the name > > ,the management-address, *mac-address of the devices*. > > > > o l2-link-attributes: A malicious client could attempt to sabotage > > the configuration of important link attributes, such as the rate > > or the delay data nodes. > > > > o l2-termination-point-attributes: A malicious client could attempt > > to sabotage the configuration of important termination point > > attributes, such as the maximum-frame-size, *mac-address*. > > " > > The question is do you think proposal with yang security boilterplate > has already addressed your comments > > Or you think we should emphasize how privacy issue can be addressed by > NACM and client authentication is needed? > > > > -Qin > > -----邮件原件----- > 发件人: Christian Huitema [mailto:huitema@huitema.net] > 发送时间: 2020年6月26日12:05 > 收件人: Susan Hares <shares@ndzh.com>; Qin Wu <bill.wu@huawei.com>; > secdir@ietf.org > 抄送: i2rs@ietf.org; > draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org; last-call@ietf.org > 主题: Re: [Last-Call] [i2rs] Secdir last call review of > draft-ietf-i2rs-yang-l2-network-topology-13 > > > > How about adding something like this: > > > > Privacy Considerations > > > > The Yang model for layer 2 topology exposes privacy sensitive > information, for example the MAC addresses of devices. Unrestricted > use of such information can lead to privacy violations. For example, > listing MAC addresses in a network allows monitoring of devices and > their movements. Location information can be derived from MAC > addresses of network devices, bypassing protection of location > information by the Operating System. > > > > Deployments should mitigate this privacy concerns by limiting access > to the layer 2 topology information. Access to the information should > be restricted to a minimal list of authorized agents, and should > require proper authentication of these agents. > > > > -- Christian Huitema > > > > On 6/25/2020 7:00 AM, Susan Hares wrote: > > > Qin and Christian: > > > > > > Thank you for your prompt attention to the privacy issue. > > > I'm sure Christian will respond in a bit - since he might be in PDT time-zone. > > > > > > Once you have a solution you both like, we should validate the privacy > > > changes to the security considerations section with the Yang-doctors, > > > OPS-ADs, and Security-ADs. > > > > > > Martin's watching this thread so I'm sure he'll help us out as well. > > > > > > Sue > > > > > > -----Original Message----- > > > From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Qin Wu > > > Sent: Thursday, June 25, 2020 9:25 AM > > > To: Susan Hares; 'Christian Huitema'; secdir@ietf.org <mailto:secdir@ietf.org> > > > Cc: i2rs@ietf.org <mailto:i2rs@ietf.org>; > > > draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org > <mailto:draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org>; > > > last-call@ietf.org <mailto:last-call@ietf.org> > > > Subject: Re: [i2rs] Secdir last call review of > > > draft-ietf-i2rs-yang-l2-network-topology-13 > > > > > > Sue and Christian: > > > I have responded to Christian on privacy issue, my proposal is to add MAC address as > another data node vulnerability example in our original security > consideration section. > > > But If Christian or security directorate has recommending text, we authors are happy > to accept it. > > > > > > -Qin > > > -----邮件原件----- > > > 发件人: Susan Hares [mailto:shares@ndzh.com] > > > 发送时间: 2020年6月25日21:04 > > > 收件人: 'Christian Huitema' <huitema@huitema.net > <mailto:huitema@huitema.net>>; secdir@ietf.org <mailto:secdir@ietf.org> > > > 抄送: draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org > <mailto:draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org>; > > > i2rs@ietf.org <mailto:i2rs@ietf.org>; last-call@ietf.org > <mailto:last-call@ietf.org> > > > 主题: RE: Secdir last call review of > > > draft-ietf-i2rs-yang-l2-network-topology-13 > > > > > > Christian: > > > > > > Thank you for catching the privacy issues. > > > > > > I've got a few questions to help the authors scope this change: > > > > > > 1) Since this is common to all L2 Topologies, can you or the security directorate > recommend some text that might be appropriate? > > > If you have recommended text, has this text been reviewed by OPS-DIR and Yang > doctors? > > > > > > 2) Will it be a problem If we write privacy considerations on IEEE specifications? > > > 3) Do we need to consider the range of deployments of L2 (home, > > > enterprise, public PBB service, national PBB service, Data centers) > > > > > > > > > Thank you, Sue > > > > > > > > > -----Original Message----- > > > From: Christian Huitema via Datatracker [mailto:noreply@ietf.org] > > > Sent: Thursday, June 25, 2020 1:01 AM > > > To: secdir@ietf.org <mailto:secdir@ietf.org> > > > Cc: draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org > <mailto:draft-ietf-i2rs-yang-l2-network-topology.all@ietf.org>; > > > i2rs@ietf.org <mailto:i2rs@ietf.org>; last-call@ietf.org > <mailto:last-call@ietf.org> > > > Subject: Secdir last call review of > > > draft-ietf-i2rs-yang-l2-network-topology-13 > > > > > > Reviewer: Christian Huitema > > > Review result: Has Issues > > > > > > I have reviewed this document as part of the security directorate's ongoing effort to > review all IETF documents being processed by the IESG. These comments > were written with the intent of improving security requirements and > considerations in IETF drafts. Comments not addressed in last call > may be included in AD reviews during the IESG review. Document > editors and WG chairs should treat these comments just like any other > last call comments. > > > > > > This document describes a Yang model for representing Link Layer topologies. > > > Representing such topologies is obviously useful for managing network. > > > The security section is focused on securing the usage of this information for > network management, but does not address potential privacy issues. > > > > > > The security considerations explain correctly how altering the link layer > information could enable attacks against the network. The proposed > remedy is access control, implemented using either SSH or TLS. This is > fine, although the discussion of TLS authorisation is a bit short. By > default, TLS verifies the identity of the server but not that of the > client. RFC8040 section 2.5 specifies that "a RESTCONF server SHOULD > require authentication based on TLS client certificates. I assume > that's the intent, but it might be useful to say so. > > > > > > On the other hand, the security considerations do not describe privacy issues, and > I find that problematic. The proposed information model lists a number > of sensitive data, such as for example the MAC addresses of devices. > > > This information can be misused. For example, applications could assess device > location fetching the MAC addresses of local gateways. Third parties > could access link local information to gather identities of devices > accessing a particular network. Such information is often protected by > privacy API in the Operating System, but accessing the Yang module > over the network might allow applications to bypass these controls. > > > > > > Client authentication alone does not necessarily protect against these > privacy leaks. A classic configuration error would limit write access > to authorized users, but to allow read-only access to most users. This > kind of error would allow privacy leaks. Given the sensitive nature of > MAC addresses and other identifiers, it is useful to warn against such > errors. > > > > > > > > > > > > > > > > > > _______________________________________________ > > > i2rs mailing list > > > i2rs@ietf.org <mailto:i2rs@ietf.org> > > > https://www.ietf.org/mailman/listinfo/i2rs > > > >
- [secdir] Secdir last call review of draft-ietf-i2… Christian Huitema via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Susan Hares
- Re: [secdir] Secdir last call review of draft-iet… Qin Wu
- Re: [secdir] Secdir last call review of draft-iet… Qin Wu
- Re: [secdir] [i2rs] Secdir last call review of dr… Susan Hares
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Christian Huitema
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Qin Wu
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Susan Hares
- Re: [secdir] [i2rs] [Last-Call] Secdir last call … Juergen Schoenwaelder
- Re: [secdir] [i2rs] [Last-Call] Secdir last call … Susan Hares
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Christian Huitema
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Qin Wu
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Christian Huitema
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Roman Danyliw
- Re: [secdir] [Last-Call] [i2rs] Secdir last call … Benjamin Kaduk