Re: [Netconf] notification access control

To: Martin Bjorklund <mbj at tail-f.com>
Subject: Re: [Netconf] notification access control
From: Andy Bierman <andy at netconfcentral.com>
Date: Wed, 17 Jun 2009 14:21:09 -0700
Cc: netconf at ietf.org
Delivered-to: netconf at core3.amsl.com
In-reply-to: <20090617.231005.07000664.mbj at tail-f.com>
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <4A394F71.4090500 at netconfcentral.com> <20090617.223346.105733797.mbj at tail-f.com> <4A3958C0.70404 at netconfcentral.com> <20090617.231005.07000664.mbj at tail-f.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Martin Bjorklund wrote:

Andy Bierman <andy at netconfcentral.com> wrote:

Martin Bjorklund wrote:

Andy Bierman <andy at netconfcentral.com> wrote:

The all-or-nothing approach actually helps hackers.
If there is no filter, then any dropped notification
would stick out like a red flag, since it must have
contained some sensitive data. (This works just
by watching the traffic with wireshark, without
actually being able to read any of the packets.)

How would a hacker know that a notification was *not* sent by watching
the traffic?

by watching traffic patterns (when multiple subscriptions
are active).


But you wouldn't know that the different subscriptions use the same
filter.


true -- especially since the filter element is
getting removed from the ietf-netconf-state module.

I don't care that much if the entire notif is dropped, or some element
is pruned, but the current spec is pretty clear - the notification
MUST be dropped.  So a 5277 compliant server cannot prune
elements from the notifications.

I don't think the RFC says that anywhere.
There is just the vague text about granting
permission.  IMO, that meant that the manager
has permission to see the <eventType> element,
but it does not mean the entire payload is going
to be delivered, if ACM policy decides otherwise.


Ok, I agree the text is vague.  But maybe this is good - it means that
the ACM can define the behavior without a 5277bis.

(Compare with 4741, it doesn't say what the result is if you do a
<get> w/o a filter when you don't have read access to everything - do
you get all data you're allowed to see (yes), or do you get an
access-denied error (no)?)


For write access and exec access (invoke RPC method),
an access-denied error is generated.  For all read operations,
the data is just silently dropped.

Since there is no standard ACM, and assumptions are valid,
including these.



/martin


Andy

References:
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Martin Bjorklund
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Martin Bjorklund

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.