Re: [Netconf] notification access control

To: andy at netconfcentral.com
Subject: Re: [Netconf] notification access control
From: Martin Bjorklund <mbj at tail-f.com>
Date: Wed, 17 Jun 2009 23:10:05 +0200 (CEST)
Cc: netconf at ietf.org
Delivered-to: netconf at core3.amsl.com
In-reply-to: <4A3958C0.70404 at netconfcentral.com>
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <4A394F71.4090500 at netconfcentral.com> <20090617.223346.105733797.mbj at tail-f.com> <4A3958C0.70404 at netconfcentral.com>

Andy Bierman <andy at netconfcentral.com> wrote:
> Martin Bjorklund wrote:
> > Andy Bierman <andy at netconfcentral.com> wrote:
> >> The all-or-nothing approach actually helps hackers.
> >> If there is no filter, then any dropped notification
> >> would stick out like a red flag, since it must have
> >> contained some sensitive data. (This works just
> >> by watching the traffic with wireshark, without
> >> actually being able to read any of the packets.)
> > How would a hacker know that a notification was *not* sent by watching
> > the traffic?
> > 
> 
> by watching traffic patterns (when multiple subscriptions
> are active).

But you wouldn't know that the different subscriptions use the same
filter.

> > I don't care that much if the entire notif is dropped, or some element
> > is pruned, but the current spec is pretty clear - the notification
> > MUST be dropped.  So a 5277 compliant server cannot prune
> > elements from the notifications.
> > 
> 
> I don't think the RFC says that anywhere.
> There is just the vague text about granting
> permission.  IMO, that meant that the manager
> has permission to see the <eventType> element,
> but it does not mean the entire payload is going
> to be delivered, if ACM policy decides otherwise.

Ok, I agree the text is vague.  But maybe this is good - it means that
the ACM can define the behavior without a 5277bis.

(Compare with 4741, it doesn't say what the result is if you do a
<get> w/o a filter when you don't have read access to everything - do
you get all data you're allowed to see (yes), or do you get an
access-denied error (no)?)



/martin

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Andy Bierman

References:
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Martin Bjorklund
- Re: [Netconf] notification access control
  - From: Andy Bierman

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.