Re: [Netconf] notification access control

To: Martin Bjorklund <mbj at tail-f.com>
Subject: Re: [Netconf] notification access control
From: Andy Bierman <andy at netconfcentral.com>
Date: Wed, 17 Jun 2009 13:57:36 -0700
Cc: netconf at ietf.org
Delivered-to: netconf at core3.amsl.com
In-reply-to: <20090617.223346.105733797.mbj at tail-f.com>
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <200906171944.n5HJiBBo056500 at idle.juniper.net> <4A394F71.4090500 at netconfcentral.com> <20090617.223346.105733797.mbj at tail-f.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Martin Bjorklund wrote:

Andy Bierman <andy at netconfcentral.com> wrote:

The all-or-nothing approach actually helps hackers.
If there is no filter, then any dropped notification
would stick out like a red flag, since it must have
contained some sensitive data. (This works just
by watching the traffic with wireshark, without
actually being able to read any of the packets.)


How would a hacker know that a notification was *not* sent by watching
the traffic?


by watching traffic patterns (when multiple subscriptions
are active).

I don't care that much if the entire notif is dropped, or some element
is pruned, but the current spec is pretty clear - the notification
MUST be dropped.  So a 5277 compliant server cannot prune
elements from the notifications.


I don't think the RFC says that anywhere.
There is just the vague text about granting
permission.  IMO, that meant that the manager
has permission to see the <eventType> element,
but it does not mean the entire payload is going
to be delivered, if ACM policy decides otherwise.

What if the ACM rule is simply:  deny "//secret-stuff".
What if the ACM defines 'deny on read access' to mean prune?
(And what about applying access control to 'anyxml'
nodes, like a subtree <filter>?)


/martin


Andy

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Martin Bjorklund

References:
- Re: [Netconf] notification access control
  - From: Phil Shafer
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Martin Bjorklund

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.