Re: [Netconf] notification access control


Juergen Schoenwaelder wrote:
On Wed, Jun 17, 2009 at 10:17:53PM +0200, Andy Bierman wrote:
The all-or-nothing approach actually helps hackers.
If there is no filter, then any dropped notification
would stick out like a red flag, since it must have
contained some sensitive data. (This works just
by watching the traffic with wireshark, without
actually being able to read any of the packets.)
We should want to make it as difficult as possible
to discover the access control policy in use on an agent.

I hope SSH makes it difficult enough to do this kind of attack; an
attacker would need a valid session key to make any sense out of the
encrypted byte stream. And if the attacker is able to obtain a valid
session key, well then you likely have a bigger problem.


Not entirely.
If ClientAliveInterval or ServerAliveInterval is enabled
in openssh, then there will be periodic data sent on
the channel to keep proxies from timing out, etc.
(Plain Keepalive messages are TCP, not SSH.)

These can be guessed (and removed from the data set)
just because they will be the same SSH message at
regular intervals.

Any <rpc-reply> will be immediately preceded by the <rpc>
PDU going the other way, so that is easy to remove
from the data-set.

So, you can easily tell that a session is getting
a notification (or not), but you cannot guess the content.


/js


Andy
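
Added example, not part of either sender's message: the filtering described in the reply above, applied to constructed packet metadata, as a way to check how much notification activity stays visible from sizes and timing alone. The record layout, the thresholds and the function names are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed metadata for one NETCONF-over-SSH session as a passive observer
# sees it: (seconds, direction, encrypted length). Not a real capture; the
# keepalive timing is simplified to a fixed 15 s period.
SESSION = [
    (1.00, "c2s", 180), (1.05, "s2c", 120),    # <rpc> then <rpc-reply>
    (15.00, "s2c", 52), (15.01, "c2s", 52),    # alive probe and its answer
    (22.40, "s2c", 340),                       # nothing preceded this one
    (30.00, "s2c", 52), (30.01, "c2s", 52),
    (41.00, "c2s", 200), (41.08, "s2c", 900),  # <rpc> then <rpc-reply>
    (45.00, "s2c", 52), (45.01, "c2s", 52),
    (52.70, "s2c", 310),                       # nothing preceded this one
    (60.00, "s2c", 52), (60.01, "c2s", 52),
]

def periodic_keys(records, min_count=3, jitter=0.1):
    """Return (direction, length) pairs that recur at a steady interval."""
    times = defaultdict(list)
    for t, direction, length in records:
        times[(direction, length)].append(t)
    keys = set()
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and max(gaps) - min(gaps) <= jitter:
            keys.add(key)
    return keys

def unsolicited(records, reply_window=0.5):
    """Server-to-client records that are neither keepalives nor replies."""
    keepalive = periodic_keys(records)
    pending = None            # time of the last unanswered client request
    out = []
    for t, direction, length in sorted(records):
        if (direction, length) in keepalive:
            continue          # same message at regular intervals
        if direction == "c2s":
            pending = t
        elif pending is not None and t - pending <= reply_window:
            pending = None    # treated as the <rpc-reply> to that request
        else:
            out.append((t, length))
    return out

if __name__ == "__main__":
    print(unsolicited(SESSION))
```

The two records left over are the ones an observer would attribute to notifications; their lengths are visible but their content is not.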

