Network Configuration Access Control Model
draft-ietf-netconf-rfc6536bis-09

[Ballot comment]
Quick note on Table 1:

  | HEAD    | all            |                | N/A            |
  | GET    | all            |                | N/A            |

Shouldn't these be ", " rather than just ""?

----------------------------------------------------------------------

I'll note that there's a subtle OPTIONS-related attack here similar to what Eric calls out regarding PUT and PATCH.

This document appears to put no access restrictions whatsoever on the use of OPTIONS. RFC 8040, section 4.1 indicates that the answer can change based on the "specific resource", while RFC7231, section 4.3.7 stipulates that "a server's communication options typically depend on the resource." The risk here is that the response to OPTIONS may vary based on the presence or absence of a resource corresponding to the URL's path. If this is the case and if no access control is applied to OPTIONS, then it can be used to trivially probe for the presence or absence of values within a tree.

I believe there should be text either in section 3.2.3 or under the "Security Considerations" section that warns implementations not to vary their OPTIONS responses based on the existence of the underlying resource.

[Ballot comment]
Thanks for your work on this draft to improve access controls on data.

I'l watch responses to Eric's comment on line 648 as I agree with the concern.

[Ballot comment]
Line 231
      object.  One of "none", "read", "create", "delete", "update", or
      "execute".
Your table below does not make use of "none" but rather makes use of N/A. Are they the same?


Line 469
  The RESTCONF protocol [RFC8040] is used for network management
  purposes within this document.
Maybe just merge these sentences?


Line 559
      is rejected with an "access-denied" error.

  The following sequence of conceptual processing steps is executed for
How does this discussion correspond to the diagram above. For instance, what does pre-read data node acc tl correspond to?

Line 648
      operation for these nodes is considered to be "none".  The edit
      begins at the target resource.
IMPORTANT: I believe this creates a modest vulnerability to treat
PATCH (and potentially PUT) this way because it allows the attacker to
confirm a guess for the contents of a resource it could not have read
(because the parents were unreadable). The attack here is to provide a
patch with the "before" being a guess for parts of the file and then
look for success or failure. How hard this is depends on file
structure (characters per line), etc.


Line 670
  | POST    | datastore, data |        | create          |
  | POST    | operation      | specified operation | N/A            |
  | PUT    | data            |        | create, replace |
I don't folllow why "Access operation" is N/A for, e.g. "GET". an you explain?


Line 673
  | PUT    | datastore      |        | replace        |
  | PATCH  | data, datastore |        | merge          |
  | DELETE  | data            |        | delete          |
"merge" does not appear in the list of access oeprations above.


Line 1057
        match any of the user's groups, proceed to the next rule-list
        entry.
Assuming I am reading this correctly, it is not possible to have
access control entries for individuals but only only for
groups. There's nothing wrong with that, but you should make it clear
earlier. If I'm wrong, can you correct me and explain what I'm
missing.

The following Last Call announcement was sent out (ends 2017-10-25):

From: The IESG
To: IETF-Announce
CC: Mahesh Jethanandani , mjethanandani@gmail.com, netconf@ietf.org, bclaise@cisco.com, draft-ietf-netconf-rfc6536bis@ietf.org, netconf-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Network Configuration Access Control Module) to Internet Standard


The IESG has received a request from the Network Configuration WG (netconf)
to consider the following document: - 'Network Configuration Access Control
Module'
  as Internet Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-10-25. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  The standardization of network configuration interfaces for use with
  the Network Configuration Protocol (NETCONF) or RESTCONF protocol
  requires a structured and secure operating environment that promotes
  human usability and multi-vendor interoperability.  There is a need
  for standard mechanisms to restrict NETCONF or RESTCONF protocol
  access for particular users to a pre-configured subset of all
  available NETCONF or RESTCONF protocol operations and content.  This
  document defines such an access control model.

  This document obsoletes RFC 6536.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-netconf-rfc6536bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-netconf-rfc6536bis/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    draft-ietf-netmod-revised-datastores: Network Management Datastore Architecture (None - IETF stream)
    rfc6991: Common YANG Data Types (Proposed Standard - IETF stream)
    rfc6020: YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) (Proposed Standard - IETF stream)
    rfc7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing (Proposed Standard - IETF stream)
    rfc6241: Network Configuration Protocol (NETCONF) (Proposed Standard - IETF stream)
    rfc6242: Using the NETCONF Protocol over Secure Shell (SSH) (Proposed Standard - IETF stream)
    rfc5277: NETCONF Event Notifications (Proposed Standard - IETF stream)
    rfc8040: RESTCONF Protocol (Proposed Standard - IETF stream)
    rfc7950: The YANG 1.1 Data Modeling Language (Proposed Standard - IETF stream)

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This document is intended to be a Internet Standard document.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability.  There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a pre-configured subset of all available NETCONF or RESTCONF protocol operations and content.  This document defines such an access control model.


Working Group Summary

This document is a bis document to RFC 6536 and as such is an update rather than a new draft. The main purpose of the document is to bring it up to date with the publication of RFC 7950 (YANG 1.1).

There are no open issues with the document.

Document Quality

The document was reviewed and comments were provided in both the IETF meetings and on the NETCONF WG mailing list. A YANG doctors review was requested for the YANG module in the document, and Kent has agreed to provide it soon.

The changes to the document are minor w.r.t. RFC 6536 and it would be difficult to distinguish the implementation of this draft vis-a-vis RFC 6536. YumaWorks has indicated that they have implemented RFC 6536 for NETCONF and RESTCONF and for YANG 1.1 actions. Support for nested notifications, which is also a YANG 1.1 feature is not yet supported. Cisco is currently implementing RFC 6536 for NETCONF on the XR platforms, and the NCS platform (from tail-f acquisition) implements RFC 6536.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

The document shepherd is Mahesh Jethanandani and the AD will be Benoit Claise.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd has followed the progression of the document through the WG and has reviewed the document. As this time, the document has addressed all outstanding comments and as a document shepherd I believe the document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

The document shepherd does not have any concerns about the review the document has received. It  has been reviewed by several parties over several iterations to address all outstanding comments.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

The document is not new and the changes from RFC 6536 are minor and do not substantially change the structure of the model or the draft. The original RFC, RFC 6536 does address the middle A in AAA, and it is assumed that the original draft was reviewed from a AAA and operations/management perspective.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns about the changes proposed to RFC 6536 by this draft.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

Yes, all the authors have confirmed that they are not aware of any IPRs related to the document.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed against this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

The document has been discussed extensively both on the mailing list and in the WG meetings. The number of people who have contributed actively to the document has been small with ample opportunity given for folks to comment on the changes in the document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

An idnits checks on the document has revealed one warning.

Outdated reference: A later version (-03) exists of
    draft-ietf-netmod-revised-datastores-02


(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

A yang doctors review has been requested and should be forthcoming. A

(13) Have all references within this document been identified as
either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

There is a normative reference to draft-ietf-netmod-revised-datastore, which is a WG document. It is expected that this document will have to wait for that document to reach RFC state before this document can be published.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document will obsolete RFC 6536 and it has been listed on the title header page as such.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The document updates an existing registry in the “YANG Module Names” registry to reference the new RFC number instead of RFC6536.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

The data tracker indicates that a YANG Validation has been performed on the document, and it shows 0 errors and warnings.