netconf protocol security considerations
play

Netconf Protocol: Security Considerations Wes Hardaker - PowerPoint PPT Presentation

Jul 08, 2023 •239 likes •373 views

Netconf Protocol: Security Considerations Wes Hardaker <hardaker@tislabs.com> 2004.Aug.05 Netconf Authentication and Access Control There is inherent access control now: The authentication process should result in an entity whose

  1. Netconf Protocol: Security Considerations Wes Hardaker <hardaker@tislabs.com> 2004.Aug.05

  2. Netconf Authentication and Access Control There is inherent access control now: The authentication process should result in an entity whose permissions and capabilities are known to the device. These permissions must be enforced during the NETCONF session. For example, if the native user interface restricts users from changing the network interface configuration, the user should not be able to change this configuration data using NETCONF. This implies that all netconf operations/data: MUST be mappable to existing access control specifications Not likely always possible Existing models are CLI based and very different MUST be checked against both: device access control future netconf access control systems accept by one, deny by other = ? Completely standardized access control may never happen

  3. Netconf Authentication and Access Control Existing access control systems aren’t network based Can’t say "must encrypt this data in transit" Can’t say "must not touch this except at the device"

  4. Netconf Authentication and Access Control Recommendation: Drop the existing requirement "Netconf MUST NOT be implemented without a suitable access control mechanism"

  5. Netconf protocol chaining Some operations work on remote datasets copy-config URL based: ftp, http Recommendation: Discussion of login credentials and how to pass them Explicit passing Implicit passing copy-config MUST only operate over secure URL transports?

  6. Netconf Locking: DOS Not new. Long discussed. Discussed in document. Global locks mean global lock-outs Grants absolute permission to lock objects otherwise unmanageable by a user. Kill-session can be used to remove locks But there is a race condition�� Point: Locks as is add insecurity if granted to peons

  7. Netconf Operations: Micro vs Global Netconf Assumptions: Configuration stores are always shared IE, there is not one candidate per user

  8. Netconf Operations: Micro vs Global

  9. Netconf Operations: Micro vs Global Consider policy: User P1 can only edit Var1, can’t edit Var2 User P2 can edit Var2 Easy: EDIT-CONFIG must disallow P1 from being able to edit Var2 Global operations add complexity to the ACM (assume Var2 modified) P1 can not COMMIT() if Var2 is modified P1 can not COPY-CONFIG(running, startup) if Var2 is modified VALIDATE(candidate) must not disclose errors about Var2 to P1 P1 can not CONFIRM changes if Var2 is modified P1 can not DISCARDS-CHANGES if Var2 modified If P2 modifies Var2, P1 can’t do any global operations

  10. Netconf Operations: Micro vs Global The state we’re in: MUST NOT give peon a lock MUST give peon a lock No secure state for multi-role enviornments Recommendation: "Netconf 1.0 MUST NOT be used in restricted-role environments" OR Fix the problems

  11. Netconf Operations: lock canditate config is locked by R running config is not

  12. Can someone else perform a commit?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

verify for NETCONF &lt;draft-cole-netconf-verify-00.txt&gt;

verify for NETCONF &lt;draft-cole-netconf-verify-00.txt&gt;

verify for NETCONF &lt;draft-cole-netconf-verify-00.txt&gt; &lt;draft-cole-netconf-transaction-test-00.txt&gt; Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 U.S. Army CERDEC 2 Avaya dromasca@avaya.com 3 Netconf Central

87 views • 5 slides
NETCONF WG 58th IETF Minneapolis, MN November 10, 2003 November 12, 2003

NETCONF WG 58th IETF Minneapolis, MN November 10, 2003 November 12, 2003

NETCONF WG 58th IETF Minneapolis, MN November 10, 2003 November 12, 2003 abierman-netconf-nov03 1 NETCONF WG Details Mailing List Discussion: netconf@ops.ietf.org Subscribe: netconf-request@ops.ietf.org subscribe in the

642 views • 30 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
I2rs Requirements for NETCONF Status for I2RS Requirement on WG LC

I2rs Requirements for NETCONF Status for I2RS Requirement on WG LC

I2rs Requirements for NETCONF Status for I2RS Requirement on WG LC draft-ietf-i2rs-ephemeral-state-00 draft-ietf-i2rs-pub-sub-requirements/ draft-ietf-i2rs-traceability/ draft-ietf-i2rs-protocol-security-requirements-01 Adopted

497 views • 26 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
Network Configuration Management with NETCONF and YANG J urgen Sch onw alder 84th IETF

Network Configuration Management with NETCONF and YANG J urgen Sch onw alder 84th IETF

Network Configuration Management with NETCONF and YANG J urgen Sch onw alder 84th IETF Meeting, Vancouver, 2012-07-29 1 / 90 Network Management Protocol Soup SID/TAM CMIN/WBEM GDMO/CMIP [TMFORUM] [DMTF] IE/IPFIX [OSI] [IETF]

1.15k views • 90 slides
NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009,

NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009,

NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009, Stockholm, 2009-07-30 This tutorial was supported in part by the EC IST-EMANICS Network of Excellence (#26854). 1 / 40 What is NETCONF? NETCONF is a

1.06k views • 40 slides
NETCONF Access Control draft-bierman-netconf-access-control-01 IETF 77, March 2010 Andy Bierman

NETCONF Access Control draft-bierman-netconf-access-control-01 IETF 77, March 2010 Andy Bierman

NETCONF Access Control draft-bierman-netconf-access-control-01 IETF 77, March 2010 Andy Bierman andyb@iwl.com Agenda Why does NETCONF need a standard access control model (ACM)? What are the functional requirements for a standard ACM

842 views • 26 slides
robust NETCONF &lt;draft-cole-netconf-robust-config-02.txt&gt; Robert G. Cole 1 Dan Romascanu 2

robust NETCONF &lt;draft-cole-netconf-robust-config-02.txt&gt; Robert G. Cole 1 Dan Romascanu 2

robust NETCONF &lt;draft-cole-netconf-robust-config-02.txt&gt; Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 US Army CERDEC robert.g.cole@us.army.mil 2 Avaya dromasca@avaya.com 3 Interworking Labs andy@iwl.com 22 Mar 2010 / IETF-Anaheim

314 views • 9 slides
NETCONF and RESTCONF Client/Server Models Drafus covered: drafu-ietg-netconf-keystore-01

NETCONF and RESTCONF Client/Server Models Drafus covered: drafu-ietg-netconf-keystore-01

NETCONF and RESTCONF Client/Server Models Drafus covered: drafu-ietg-netconf-keystore-01 drafu-ietg-netconf-ssh-client-server-02 drafu-ietg-netconf-tls-client-server-02 drafu-ietg-netconf-netconf-client-server-02

452 views • 10 slides
I2RS RIB Route Example Sue Hares i2RS Client config Client Hackathon NETCONF CLI/GUI with

I2RS RIB Route Example Sue Hares i2RS Client config Client Hackathon NETCONF CLI/GUI with

I2RS RIB Route Example Sue Hares i2RS Client config Client Hackathon NETCONF CLI/GUI with i2RS CLI/GUI IETF 96 RIB + FB-RIB Extended RIB yangcli-pro + FB-RIB Goals NETCONF Network of routers simulated using confd mininet/mininext

484 views • 10 slides
Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put forth in IETF RFC-5069 There are a few problems which seem to be intractable in a wireless environment with unauthenticated users.

133 views • 9 slides
Protocol Security Engineering &quot;

Protocol Security Engineering &quot;

Can we avoid Protocol Security meltdown? Brian Monahan Trusted Systems Lab HP Labs, Bristol, UK Tel: +44 (0)117 312-8935 Email: brian_monahan@hp.com Presented at STORK : Towards a Roadmap for Future Research 26-27 November 2002 What is

203 views • 3 slides
Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View Paul Hankes Drielsma and Sebastian M odersheim Information Security, ETH Zurich ARSPA Paul Hankes Drielsma 1 Introduction ASW: an

508 views • 14 slides
NETCONF by Example v0.1.1 (2015-11-05) Overview and Objec6ves

NETCONF by Example v0.1.1 (2015-11-05) Overview and Objec6ves

NETCONF by Example v0.1.1 (2015-11-05) Overview and Objec6ves This presenta6on uses a set of common configura6on management tasks to walk through the main

610 views • 35 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
Data Examples Announcements Examples: Objects Land Owners Instance attributes are found before

Data Examples Announcements Examples: Objects Land Owners Instance attributes are found before

Data Examples Announcements Examples: Objects Land Owners Instance attributes are found before class attributes; class attributes are inherited class Worker: &lt;class Worker&gt; &gt;&gt;&gt; Worker().work() &gt;&gt;&gt; Worker().work()

818 views • 8 slides
From Training to Education: Building Offensive Curriculum from Training Certifications * or

From Training to Education: Building Offensive Curriculum from Training Certifications * or

From Training to Education: Building Offensive Curriculum from Training Certifications * or Why I watched the entire movie library over Spring Break By: Michael Kranch CANSec 2018 October 27-28 Who Am I? B.S. / M.S. in Computer

507 views • 24 slides
TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING This talk IS NOT about Android platform itself This talk IS about how we want to contribute auditing apps that run on Android systems With

975 views • 74 slides
Dragos, Inc. | May 2019 Student Student Officer Student Officer Network Defender Student

Dragos, Inc. | May 2019 Student Student Officer Student Officer Network Defender Student

Joe Slowik / @jfslowik Dragos, Inc. | May 2019 Student Student Officer Student Officer Network Defender Student Officer Network Defender ICS Defender

725 views • 46 slides
C++ (1 of 3) Mid-late 1990s, C was language of choice Since then, C++ language of choice

C++ (1 of 3) Mid-late 1990s, C was language of choice Since then, C++ language of choice

The Game Development Process Game Programming Outline Teams and Processes Select Languages Debugging Misc (as time allows) AI Multiplayer 1 Introduction Used to be programmers created games But many great

585 views • 32 slides
Business Model Canvas and CHEEKY CHUNK CASE STUDY Raj Jaswa Pratik Doshi Jan 2018 Focus on

Business Model Canvas and CHEEKY CHUNK CASE STUDY Raj Jaswa Pratik Doshi Jan 2018 Focus on

Business Model Canvas and CHEEKY CHUNK CASE STUDY Raj Jaswa Pratik Doshi Jan 2018 Focus on one step at a time, the rest will figure out! M.A.N.U.F.A.C.T.U.R.I.N.G. List of Manufacturers. Cold Calling. Facing Rejections.

3.82k views • 43 slides
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Chair for Network Architectures and Services Technical University of Munich (TUM) Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections Intermediate Talk Julien Schmidt May 30, 2016 Chair for

384 views • 16 slides
Fixing problems with grammars Informatics 2A: Lecture 13 John Longley School of Informatics

Fixing problems with grammars Informatics 2A: Lecture 13 John Longley School of Informatics

LL(1) grammars: summary Fixing problems with grammars Informatics 2A: Lecture 13 John Longley School of Informatics University of Edinburgh jrl@inf.ed.ac.uk 22 October 2015 1 / 20 LL(1) grammars: summary LL(1) grammars: summary Given a

445 views • 23 slides

More recommend