Re: [Netconf] notification access control

To: Randy Presuhn <randy_presuhn at mindspring.com>
Subject: Re: [Netconf] notification access control
From: Andy Bierman <andy at netconfcentral.com>
Date: Wed, 17 Jun 2009 16:30:24 -0700
Cc: NETCONF <netconf at ietf.org>
Delivered-to: netconf at core3.amsl.com
In-reply-to: <001201c9ef9c$832a64a0$6801a8c0 at oemcomputer>
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <200906171944.n5HJiBBo056500 at idle.juniper.net> <4A394F71.4090500 at netconfcentral.com> <001201c9ef9c$832a64a0$6801a8c0 at oemcomputer>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Randy Presuhn wrote:

Hi -

From: "Andy Bierman" <andy at netconfcentral.com>
To: "Phil Shafer" <phil at juniper.net>
Cc: "NETCONF" <netconf at ietf.org>
Sent: Wednesday, June 17, 2009 1:17 PM
Subject: Re: [Netconf] notification access control

...

The all-or-nothing approach actually helps hackers.
If there is no filter, then any dropped notification
would stick out like a red flag, since it must have
contained some sensitive data. (This works just
by watching the traffic with wireshark, without
actually being able to read any of the packets.)
We should want to make it as difficult as possible
to discover the access control policy in use on an agent.


I have a couple of problems with this line of reasoning.

(1) hiding the policy is probably not as important as
protecting the information covered by that policy.

(2) selective removal of elements from the payload
can still permit semantic leaks.  Consider something
analogous to a "linkUp" notification.  For a particular
interface, the payload might be supressed by such a
policy, but the notification would still be delivered to
a party that wasn't supposed to know what was going
on with that interface.  If that was the only interface
which would meet the subscription's criteria, then
even surpressing the payload doesn't prevent the
information leak.


I think Martin is right.
Since the filters will be removed from monitoring data,
an attacker won't really have any way of knowing which
sessions are trying to filter which content.  Therefore,
presence or absence of a notification does not really
mean anything.

What's the problem if the agent leaves out some subtrees
in the payload on <get> or <notification>?  And why
would the ACM policy be different for <get> or <notification>
in NETCONF? (it's all just SSH2 channel data to me :-)

The argument that the manager may not understand the
notification payload is no different than if the
manager did a NETCONF <get/> on the same data, and
a subset was returned.

Obviously, any system that rejected all <get/> requests
with an access-denied error, would not be very usable.
Silently skipping over unauthorized data is needed
to provide a usable management system. What if an
SNMP MIB walk crashed with an access-control error the
first unauthorized node it hit?  Same problem in NETCONF, no?

Randy



Andy

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Randy Presuhn

References:
- Re: [Netconf] notification access control
  - From: Phil Shafer
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Randy Presuhn

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.