
Re: architecture and security



Balazs Lengyel wrote:
I have to say that my requirements (coming from telecom operators) do ask for some complicated cases.

I need to handle the following two cases:
1) A router with multiple virtual routers. Each virtual router might be managed by a separate organization. This would mean that a subtree of the data model must be assigned to each organization.
2) I have a big box: where user A is responsible for configuration management while user B is responsible for performance management. I want to keep them separate. This would mean that some type of objects (representing performance measurements) should be handled separately.



You can embed classification in the schema, or in the
XML tree itself, in elements or attributes.
You can use namespaces.  Access control in XML
shouldn't be that hard.


Information leaks can't be fully avoided but with careful modeling of data and documentation warning about the possibility of some leaks we can provide a solution that is better than just saying NO.



We are not likely to solve the rmonAlarmVariable (object shadowing)
problem with netconf access control.  Since naming and data components
are treated the same in XML (unlike SMI OIDs) there is no need
to worry about the name of an instance leaking information,
but history buffers, variable-pointers, data embedded in
show command printfs, can all leak information.  We aren't
going to rid the world of these dangers.
Security considerations sections are there to be read
(no, really, it's not all boilerplate! ;-)


I don't understand Juergen's comment about meaningful names.
Info like ifAlias or ifName is 'just more data' and
covered by access control the same as other objects.


All I am asking for is that Netconf should not actively prohibit such a solution.


What specific items in the murky solution space prohibit
which specific items in your problem space?  I don't see why
you couldn't come up with an access control model that works.




Balazs

Andy


Juergen Schoenwaelder wrote:
On Thu, Apr 13, 2006 at 12:16:14PM -0700, Andy Bierman wrote:
References in identifiers -- you mean like information
carried in the instance portion of an OID?

Not sure what you mean

Operators seem to like to name things in meaningful ways and these
names frequently carry information which may be sensitive. If you want
to define views so that different people can look at a box, you have
to ensure that nothing leaks through which might be embedded in
operator assigned names (and thus can't be really handled by access
control rules unless you have embedded AI).

/js




--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
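The two cases Balazs describes (a subtree per organization, and performance objects separated from configuration objects) and Andy's suggested approach (classification carried as attributes in the XML tree, separation by namespace) can be worked through in a few lines. The following is an added example written for this archive page; it is not code from the thread, from any NETCONF implementation, or from a standard. The namespaces `urn:example:config`, `urn:example:perf` and `urn:example:access`, the `ac:owner` attribute, the `Principal` roles `config` and `perf`, and the sample datastore are all constructed for the illustration. It also shows Juergen's point: a list key such as `<name>to-acme-dc</name>` must be disclosed to anyone allowed to see the list entry it names, so an operator-assigned key still leaks even when the rest of the entry is filtered.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed namespaces for the example; not defined by NETCONF or any YANG module.
NS_CFG = "urn:example:config"    # configuration objects (case 2, user A)
NS_PM = "urn:example:perf"       # performance measurements (case 2, user B)
NS_AC = "urn:example:access"     # access-control metadata carried in the tree
OWNER_ATTR = f"{{{NS_AC}}}owner" # subtree classification (case 1): owning organization
NAME_TAG = f"{{{NS_CFG}}}name"   # list key: must be visible to name the entry

# Constructed sample datastore: two virtual routers owned by two organizations,
# each with one interface carrying config leaves and a perf counter subtree.
SAMPLE_DATASTORE = f"""\
<data xmlns="{NS_CFG}" xmlns:pm="{NS_PM}" xmlns:ac="{NS_AC}">
  <virtual-router ac:owner="org-a">
    <name>vr1</name>
    <interface>
      <name>to-acme-dc</name>
      <description>uplink to customer ACME</description>
      <pm:counters><pm:in-octets>12345</pm:in-octets></pm:counters>
    </interface>
  </virtual-router>
  <virtual-router ac:owner="org-b">
    <name>vr2</name>
    <interface>
      <name>eth1</name>
      <description>uplink to customer Globex</description>
      <pm:counters><pm:in-octets>999</pm:in-octets></pm:counters>
    </interface>
  </virtual-router>
</data>
"""


@dataclass(frozen=True)
class Principal:
    orgs: frozenset   # organizations whose ac:owner subtrees this user may see
    roles: frozenset  # subset of {"config", "perf"}


def _namespace(tag):
    """Namespace URI of an ElementTree tag in Clark notation ('{uri}local')."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _prune(elem, who):
    """Return a filtered copy of elem for principal `who`, or None if hidden."""
    owner = elem.get(OWNER_ATTR)
    if owner is not None and owner not in who.orgs:
        return None  # case 1: whole subtree belongs to another organization
    node = ET.Element(elem.tag, dict(elem.attrib))
    node.text, node.tail = elem.text, elem.tail
    kept = [c for c in (_prune(child, who) for child in elem) if c is not None]
    node.extend(kept)
    if _namespace(elem.tag) == NS_PM:
        return node if "perf" in who.roles else None  # case 2: perf objects
    if "config" in who.roles:
        return node  # config role sees every config-namespace element it owns
    if elem.tag == NAME_TAG:
        return node  # key leaf: parent decides whether the entry is shown at all
    # perf-only user: keep a container only as a path to visible perf data,
    # together with the keys needed to name it (this is where names leak).
    return node if any(c.tag != NAME_TAG for c in kept) else None


def filter_for(who, xml_text=SAMPLE_DATASTORE):
    """Parse the datastore and return the subtree visible to `who` (or None)."""
    return _prune(ET.fromstring(xml_text), who)


def visible_leaves(elem):
    """(local-name, text) of every leaf in a filtered tree, in document order."""
    if elem is None:
        return []
    return [(e.tag.split("}", 1)[-1], (e.text or "").strip())
            for e in elem.iter() if len(e) == 0]


if __name__ == "__main__":
    perf_a = Principal(frozenset({"org-a"}), frozenset({"perf"}))
    print(ET.tostring(filter_for(perf_a), encoding="unicode"))
```

Running the block prints what an org-a performance user receives: the counters, plus the keys `vr1` and `to-acme-dc` that locate them. The `description` leaf is filtered as expected, but the customer name embedded in the interface key is not, which is the leak Juergen describes and the reason modelling guidance (keep sensitive information out of keys) has to accompany the access-control rules rather than replace them.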