Re: Some strange text in our charter - do we have consensus?

[Balazs Lengyel <balazs.lengyel@ericsson.com>]

Hello Bert,
I think there should be a statement in the NETCONF over SSH RFC, Security considerations 
chapter dealing with the Bill Fenner problem.

"Users should take care that allowing NETCONF over SSH should not open up other unwanted access 
possibilities e.g. console access to the node or access to other subsystems. This can be 
realized by using a dedicated SSH server for NETCONF, or using user accounts with CLI access 
disabled; however the exact method is up to the NETCONF server implementation."

It is another question whether we want to open the RFC in order to add this? If we anyway open 
it to update it for Notifications, maybe this should go in as well.

Balazs

Bert Wijnen - IETF wrote:
> [explicitly bcc:-ed Bill Fenner. I am not sure if he is still on the
>  mailing list, Bill can you let me know?]
>
> The current WG charter has this text:
>
>  - The Bill Fenner problem: Address real or perceived issue that "giving
>    SSH for NETCONF gives full SSH access to the box"
>
> It is listed as a non-goal/non-work-item of the current charter.
> So we can just leave it as is. 
>
> At the other hand, at the IETF69 meeting we did not have a lot of 
> "operator" feedback on this.
>
> Discussing it with the one of the previous WG chairs (Simon),
> we got this explanation from Simon:
>
> > This seems to come from a discussion at the NEE bof at IETF 69
> > (http://www3.ietf.org/proceedings/07jul/minutes/nee.txt):
> >
> >     [...]
> >     Bill Fenner: possible gap, about authentication and authorization.
> >     Operators are fine with SNMP read access, but ssh access for
> >     NETCONF?  Not sure. Perception is that NETCONF ssh access gives
> >     full access to the box.
> >   
> >     Sharon Chisholm: Exactly what is this perception?
> >   
> >     Bert Wijnen: Completely in conflict with NETCONF requirements!
> >   
> >     Bill Fenner: Different operators have different concerns...
> >   
> >     David Partain: what should the WG do?
> >   
> >     Bill Fenner: TLS would help.  Thinks we may need an authentication
> >     mechanism just for NETCONF.  SSH sounds like you can login to the
> >     device which is scary.
> >     [...]
> >
> > Maybe Bill thought (or "thought that operators would think", since
> > this is about perception) that NETCONF-over-SSH was linked with a
> > normal SSH server providing access to the full CLI.  That is not the
> > intent: NETCONF over SSH is specified to be served on a separate TCP
> > port by default, and as a special SSH subsystem called "netconf".
> >
> > Well, the operators I know all permit SSH (or even TELNET) access to
> > their boxes for configuration, so why wouldn't they permit
> > NETCONF-over-SSH? Anyway.  So that's why we're doing TLS!
> >
> > Best regards,
> > --
> > Simon.
>
> It would be good if NetConf participants (specifically operators) could
> chime in what they think about this "perceived problem".
>
> Bert
>
>
> --
> to unsubscribe send a message to netconf-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/netconf/>

--
Balazs Lengyel                       Ericsson Hungary Ltd.
TSP System Manager
ECN: 831 7320                        Fax: +36 1 4377792
Tel: +36-1-437-7320     email: Balazs.Lengyel@ericsson.com

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>