[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue 9.1) DoS attack using global <lock>

To: Andy Bierman <abierman@cisco.com>
Subject: Re: Issue 9.1) DoS attack using global <lock>
From: Rob Enns <rpe@juniper.net>
Date: Fri, 12 Dec 2003 11:54:13 -0800
Cc: Eliot Lear <lear@cisco.com>, netconf@ops.ietf.org
In-reply-to: <4.3.2.7.2.20031205091052.0290d2b8@fedex.cisco.com>
Mail-followup-to: Andy Bierman <abierman@cisco.com>, Eliot Lear <lear@cisco.com>, netconf@ops.ietf.org
References: <4.3.2.7.2.20031202160844.027568e0@fedex.cisco.com> <4.3.2.7.2.20031202160844.027568e0@fedex.cisco.com> <4.3.2.7.2.20031205091052.0290d2b8@fedex.cisco.com>
User-agent: Mutt/1.4i

On Fri, Dec 05, 2003 at 09:21:37AM -0800, Andy Bierman wrote:
> At 08:40 AM 12/5/2003, Eliot Lear wrote:
> >Andy,
> >
> >Obviously 9.1 and 9.2 are related.  So long as we note this in the security considerations, because the individual who is screwing up the lock is authenticated, I'm not even sure we need a <steal-lock> command to get around it.
> 
> I agree with you.
> The premise of the <steal-lock> operation is that an authenticated
> attacker would be able to detect that his session was terminated
> by another user, reestablish a new session, and issue another <lock>
> operation, all before the user that issued the <kill-session>
> operation could request a new <lock> operation.  
> 
> The <steal-lock> operation could be accomplished with a <kill-session>, 
> followed by a <lock>.  IMO, this is sufficient.  We could add <steal-lock> 
> in a future version if operational experience shows this particular
> attack to be a problem.  It seems to me that a malicious user could
> do much more damage by changing the running config than by simply
> grabbing a lock and holding it.

I agree with this. I don't see a need for <steal-lock> -- we should note
the issue, capture the discussion, and if necessary we can revisit this
in version.next.

Rob

> 
> Andy
> 
> 
> 
> >Andy Bierman wrote:
> >
> >>A DoS attack is possible if global lock allows users to lock more of the config dB than they have write access. Choose one of:
> >>  - Only users with all-access can lock the dB
> >>  - Only grant lock for areas that write-access is allowed
> >>  - Support partial locks
> >>  - Simply document the problem in the security section
> >>
> >>--
> >>to unsubscribe send a message to netconf-request@ops.ietf.org with
> >>the word 'unsubscribe' in a single line as the message text body.
> >>archive: <http://ops.ietf.org/lists/netconf/>
> 
> 
> --
> to unsubscribe send a message to netconf-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/netconf/>

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

References:
- Issue 9.1) DoS attack using global <lock>
  - From: Andy Bierman <abierman@cisco.com>
- Re: Issue 9.1) DoS attack using global <lock>
  - From: Andy Bierman <abierman@cisco.com>

Prev by Date: Re: Issue 2.1) Should the NETCONF protocol support notifications?
Next by Date: Re: Issue 5.1) SSH End of message directive
Previous by thread: Re: Issue 9.1) DoS attack using global <lock>
Next by thread: Issue 9.2) <steal-lock>
Index(es):
- Date
- Thread