Re: [Netconf] notification access control

To: Phil Shafer <phil at juniper.net>
Subject: Re: [Netconf] notification access control
From: Andy Bierman <andy at netconfcentral.com>
Date: Wed, 17 Jun 2009 13:17:53 -0700
Cc: NETCONF <netconf at ietf.org>
Delivered-to: netconf at core3.amsl.com
In-reply-to: <200906171944.n5HJiBBo056500 at idle.juniper.net>
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <200906171944.n5HJiBBo056500 at idle.juniper.net>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Phil Shafer wrote:

Andy Bierman writes:

3.2, para 4:
   After generation of the <notification> element, access control is
   applied by the server.  If a session does not have permission to
   receive the <notification>, then it is discarded for that session,
   and processing of the internal event is completed for that session.

I will assume an implementation may silently prune
parts of the payload from the notification, due to access
control policy.  The notification MUST be dropped
if the <eventType> element would be filtered out,
in violation of the <notification> element schema.


Yes, let's add this as an issue list for a future -bis, since an
implementation should be able to prune inappropriate elements from
the notification.

Also we should repair the word "after" in the above text, since
there isn't any explicit to generate the <notification> element at
all if no one is permitted to receive the content.


yes -- I assume you mean the 'stream n' delivery in figure 2.
The replay (logging service) is given a copy of the event.
Delivery of replay notifications to a stream is no different
than live events.  (not shown in figure 2.)

Also, the 'filter' step in figure 2 is misleading.
ACM and filtering is not applied on the stream, but
independently, on each subscription (not shown).

The all-or-nothing approach actually helps hackers.
If there is no filter, then any dropped notification
would stick out like a red flag, since it must have
contained some sensitive data. (This works just
by watching the traffic with wireshark, without
actually being able to read any of the packets.)
We should want to make it as difficult as possible
to discover the access control policy in use on an agent.

Thanks,
 Phil


Andy

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Juergen Schoenwaelder
- Re: [Netconf] notification access control
  - From: Randy Presuhn
- Re: [Netconf] notification access control
  - From: Martin Bjorklund

References:
- Re: [Netconf] notification access control
  - From: Phil Shafer

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.