Re: [Netconf] notification access control

To: "NETCONF" <netconf at ietf.org>
Subject: Re: [Netconf] notification access control
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Wed, 17 Jun 2009 15:39:43 -0700
Delivered-to: netconf at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=mdfr8bQUh5LSSvCHIlqAqD4XhjGvdhRIJKEHcbFuQPZhcbrxxIB+z/Rt9o/u6rwj; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <200906171944.n5HJiBBo056500 at idle.juniper.net> <4A394F71.4090500 at netconfcentral.com>

Hi -

> From: "Andy Bierman" <andy at netconfcentral.com>
> To: "Phil Shafer" <phil at juniper.net>
> Cc: "NETCONF" <netconf at ietf.org>
> Sent: Wednesday, June 17, 2009 1:17 PM
> Subject: Re: [Netconf] notification access control
...
> The all-or-nothing approach actually helps hackers.
> If there is no filter, then any dropped notification
> would stick out like a red flag, since it must have
> contained some sensitive data. (This works just
> by watching the traffic with wireshark, without
> actually being able to read any of the packets.)
> We should want to make it as difficult as possible
> to discover the access control policy in use on an agent.

I have a couple of problems with this line of reasoning.

(1) hiding the policy is probably not as important as
protecting the information covered by that policy.

(2) selective removal of elements from the payload
can still permit semantic leaks.  Consider something
analogous to a "linkUp" notification.  For a particular
interface, the payload might be supressed by such a
policy, but the notification would still be delivered to
a party that wasn't supposed to know what was going
on with that interface.  If that was the only interface
which would meet the subscription's criteria, then
even surpressing the payload doesn't prevent the
information leak.

Randy

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Andy Bierman

References:
- Re: [Netconf] notification access control
  - From: Phil Shafer
- Re: [Netconf] notification access control
  - From: Andy Bierman

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.