Re: [Netconf] notification access control

To: "NETCONF" <netconf at ietf.org>
Subject: Re: [Netconf] notification access control
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Wed, 17 Jun 2009 17:23:09 -0700
Delivered-to: netconf at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=VEmvQ2SqfoiQRqbl87lt/+XMN65DcmPGVjl9y/HnEsENo7iK1DzTHHz1ROJ7xfKN; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/netconf>
List-help: <mailto:netconf-request@ietf.org?subject=help>
List-id: Network Configuration WG mailing list <netconf.ietf.org>
List-post: <mailto:netconf@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
References: <200906171944.n5HJiBBo056500 at idle.juniper.net> <4A394F71.4090500 at netconfcentral.com> <001201c9ef9c$832a64a0$6801a8c0 at oemcomputer> <4A397C90.1050801 at netconfcentral.com>

Hi -

> From: "Andy Bierman" <andy at netconfcentral.com>
> To: "Randy Presuhn" <randy_presuhn at mindspring.com>
> Cc: "NETCONF" <netconf at ietf.org>
> Sent: Wednesday, June 17, 2009 4:30 PM
> Subject: Re: [Netconf] notification access control
>
> Randy Presuhn wrote:
> > Hi -
> > 
> >> From: "Andy Bierman" <andy at netconfcentral.com>
> >> To: "Phil Shafer" <phil at juniper.net>
> >> Cc: "NETCONF" <netconf at ietf.org>
> >> Sent: Wednesday, June 17, 2009 1:17 PM
> >> Subject: Re: [Netconf] notification access control
...
> Since the filters will be removed from monitoring data,
> an attacker won't really have any way of knowing which
> sessions are trying to filter which content.  Therefore,
> presence or absence of a notification does not really
> mean anything.

You're only looking at the potential eavesdropper.
Consider where the atacker is the authorized user,
trying to ferrer out information s/he is not supposed
to be able to have access to.

> What's the problem if the agent leaves out some subtrees
> in the payload on <get> or <notification>?  And why
> would the ACM policy be different for <get> or <notification>
> in NETCONF? (it's all just SSH2 channel data to me :-)

It's not the omission per se that bothers me.  It's that the
very existence of the notification reveals information.
That's why SNMP doesn't just consider the varbinds
in deciding whether to forward a notification.  Now maybe
this is covered by Netconf's access control framework,
or maybe it isn't.

> The argument that the manager may not understand the
> notification payload is no different than if the
> manager did a NETCONF <get/> on the same data, and
> a subset was returned.

I don't think anyone is making that argument.

> Obviously, any system that rejected all <get/> requests
> with an access-denied error, would not be very usable.
> Silently skipping over unauthorized data is needed
> to provide a usable management system. What if an
> SNMP MIB walk crashed with an access-control error the
> first unauthorized node it hit?  Same problem in NETCONF, no?

How did we get from notifications into get requests?

Randy

Follow-Ups:
- Re: [Netconf] notification access control
  - From: Andy Bierman

References:
- Re: [Netconf] notification access control
  - From: Phil Shafer
- Re: [Netconf] notification access control
  - From: Andy Bierman
- Re: [Netconf] notification access control
  - From: Randy Presuhn
- Re: [Netconf] notification access control
  - From: Andy Bierman

Prev by Date: Re: [Netconf] notification access control
Next by Date: Re: [Netconf] notification access control
Previous by thread: Re: [Netconf] notification access control
Next by thread: Re: [Netconf] notification access control
Index(es):
- Date
- Thread

Re: [Netconf] notification access control

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.