Re: [Netconf] notification access control



On Wed, Jun 17, 2009 at 10:17:53PM +0200, Andy Bierman wrote:
 
> The all-or-nothing approach actually helps hackers.
> If there is no filter, then any dropped notification
> would stick out like a red flag, since it must have
> contained some sensitive data. (This works just
> by watching the traffic with wireshark, without
> actually being able to read any of the packets.)
> We should want to make it as difficult as possible
> to discover the access control policy in use on an agent.

I hope SSH makes it difficult enough to do this kind of attack; an
attacker would need a valid session key to make any sense out of the
encrypted byte stream. And if the attacker is able to obtain a valid
session key, well then you likely have a bigger problem.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.