Network Working Group L. Seitz
Internet-Draft SICS, Swedish Institute of
Intended status: Standards Track Computer Science AB
Expires: January 7, 2008 E. Rissanen
Axiomatics AB
July 6, 2007
NETCONF access control profile for XACML
draft-seitz-netconf-xacml-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 7, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Seitz & Rissanen Expires January 7, 2008 [Page 1]
Internet-Draft NETCONF access control profile for XACML July 2007
Abstract
The NETCONF remote network configuration protocol currently lacks an
access control model. The need for such a model has be recognized
within the NETCONF working group. The eXtended Access Control Markup
Language (XACML) is an XML-based access control standard, with
widespread acceptance from the industry and good open-source support.
This document proposes a profile that defines how to use XACML to
provide fine-grain access control for NETCONF commands.
Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. XACML overview . . . . . . . . . . . . . . . . . . . . . . . . 5
4. NETCONF overview . . . . . . . . . . . . . . . . . . . . . . . 7
5. Policy and Request profile for XACML . . . . . . . . . . . . . 8
5.1. Abbreviations and namespaces . . . . . . . . . . . . . . . 8
5.2. New XACML functions, attributes and data-types . . . . . . 8
5.3. get and get-config RPC . . . . . . . . . . . . . . . . . . 10
5.4. edit-config RPC . . . . . . . . . . . . . . . . . . . . . 13
5.5. copy-config and delete-config RPC . . . . . . . . . . . . 16
5.6. lock and unlock RPC . . . . . . . . . . . . . . . . . . . 19
5.7. kill-session RPC . . . . . . . . . . . . . . . . . . . . . 21
5.8. close-session RPC . . . . . . . . . . . . . . . . . . . . 22
5.9. commit and discard-changes RPC . . . . . . . . . . . . . . 23
5.10. validate RPC . . . . . . . . . . . . . . . . . . . . . . . 24
6. Practical consequences for NETCONF implementations . . . . . . 26
7. Security Considerations . . . . . . . . . . . . . . . . . . . 27
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
8.1. Normative References . . . . . . . . . . . . . . . . . . . 28
8.2. Informative References . . . . . . . . . . . . . . . . . . 28
Appendix A. Abbreviations . . . . . . . . . . . . . . . . . . . . 29
Appendix B. Examples . . . . . . . . . . . . . . . . . . . . . . 30
B.1. Get-config example . . . . . . . . . . . . . . . . . . . . 30
B.2. edit-config example . . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
Intellectual Property and Copyright Statements . . . . . . . . . . 42
Seitz & Rissanen Expires January 7, 2008 [Page 2]
Internet-Draft NETCONF access control profile for XACML July 2007
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Seitz & Rissanen Expires January 7, 2008 [Page 3]
Internet-Draft NETCONF access control profile for XACML July 2007
2. Introduction
The NETCONF protocol rfc [RFC4741] specifies in its Security
Considerations (section 9) that "This document does not specify an
authorization scheme, ... Implementors SHOULD provide a
comprehensive authorization scheme with NETCONF". In this document a
profile is defined and explained that allows to use the eXtended
Access Control Markup Language [XACML] as authorization scheme for
NETCONF commands. The reasons why the use of XACML is suggested are
the following:
o XACML is an open standard that has been developed by an industry
consortium.
o XACML is an XML [XML] based approach, that is well adapted to the
authorization challenges encountered within NETCONF.
o XACML is widely accepted and used in a number of commercial
products [XACMLProducts].
o Open-source implementations of the XACML standard are readily
available.
Seitz & Rissanen Expires January 7, 2008 [Page 4]
Internet-Draft NETCONF access control profile for XACML July 2007
3. XACML overview
This section gives a short overview of what XACML is and how it
works. We only describe the parts of XACML that are needed in this
draft, therefore some descriptions may not reflect the full
functionality of the corresponding XACML element. Some familiarity
with the terms from [RFC2904] (e.g. PDP, PEP) is expected from the
reader. The references also include a more detailed introduction
[XACMLIntro].
The XACML standard defines two things:
o A XML schema defining a syntax for requests, access control
policies and responses.
o A processing model that specifies how a request shall be evaluated
by a PDP against a set of policies in order to generate a
response.
A request is a collection of attributes typically describing the
requesting subject, the requested resource and the action that the
subject wishes to perform on the resource. An attribute can for
example be a role of the user or a resource group-id.
A policy consists of a target and one or more rules generating an
effect. The target describes for which request the policy applies,
in terms of conditions on a set of attributes. During evaluation
these attributes are fetched from the request and from external
information sources (PIPs) available to the PDP. If a policy
applies, its effect will either be PERMIT or DENY.
An example policy target is shown here:
01
02
03
04
05 print
06
09
10 ...
11
12 ...
13
14 ...
15
Seitz & Rissanen Expires January 7, 2008 [Page 5]
Internet-Draft NETCONF access control profile for XACML July 2007
The Target consists of one or more DisjunctiveMatch sections which
must all be fulfilled in order for the policy to apply. Within the
DisjunctiveMatch section, one of the ConjunctiveMatches must apply.
Within a ConjunctiveMatch, all of the Matches must apply. A Match
specifies a matching function (which must have a boolean result), and
the function parameters, which can either be static AttributeValue
(as in line 04) or a value fetched externally from the request of a
PIP (as in line 05-07). The AttributeDesignator (lines 05-07)
specifies which external value(s) to fetch by giving a Category, an
Identifier and a DataType. If several values are returned, only one
needs to satisfy the Match function.
Seitz & Rissanen Expires January 7, 2008 [Page 6]
Internet-Draft NETCONF access control profile for XACML July 2007
4. NETCONF overview
The NETCONF configuration protocol describes a set of operations that
read or write configuration data on a network device. These
operations are transferred to the device by the means of remote
procedure calls (RPCs) encoded in XML. The different protocol
operations are:
o allows to get specific parts of a specific
configuration.
o allows to edit specific parts of a specific
configuration.
o allows to overwrite a specific configuration with a
new one from a specific source.
o allows to delete a specific configuration.
o allows to lock a specific configuration for editing.
o allows to unlock a specific configuration.
o allow to get specific parts from the "running"
configuration.
o allows to close your own session.
o allows to kill someone else's session.
For a more specific description of the NETCONF protocol please refer
to [RFC4741].
The present document defines an access control model for these
operations and for the extensions defined in the standard.
Seitz & Rissanen Expires January 7, 2008 [Page 7]
Internet-Draft NETCONF access control profile for XACML July 2007
5. Policy and Request profile for XACML
The goal of this section is to define how a PEP SHOULD generate a
XACML request from a RPC carrying a NETCONF operation. The response
to this request determines whether the RPC is processed or discarded.
Furthermore this profile defines how policies corresponding to
permissions about a specific NETCONF operation on specific data
SHOULD be formulated. A strong familiarity with the latest XACML
syntax is required to fully appreciate this section.
The part of XACML authorisation that deals with the subjects (e.g. in
terms of user groups or roles) is out of scope for this profile,
since it is not in any way specific to the NETCONF protocol. Thus
all the following definitions omit the subject parts of both requests
and policies (indicated by "..."). This part can be defined
independently from this profile.
5.1. Abbreviations and namespaces
Since XML in general, and especially the XACML syntax, are quite
verbose we have defined a set of abbreviations, that can be found in
section Appendix A. Furthermore we use the term 'Attribute'
exclusively for XACML attributes. If we refer to attributes of XML
elements we specify this by adding the prefix 'XML' as in 'XML-
attribute'.
In order to clearly identify new XACML functions, attributes, and
data-types defined specifically for this profile they SHALL have the
identifier-prefix "xacml-netconf". Thus the following identifiers-
prefixes SHALL be used:
o Functions: "xacml-netconf:function:"
o Attributes: "xacml-netconf:attribute:"
o Data-types: "xacml-netconf:data-type:"
5.2. New XACML functions, attributes and data-types
This section defines the new functions, attributes and data-types for
XACML introduced by this profile.
o XACML function: Id="xacml-netconf:function:xpath-node-match"
Parameter 1 data-type: &xpath;
Parameter 2 data-type: &xpath;
The basic idea of this function is to check whether a xml-node in
a xml-document is matched by a certain XPath [XPath]. Due to the
Seitz & Rissanen Expires January 7, 2008 [Page 8]
Internet-Draft NETCONF access control profile for XACML July 2007
difficulty of encoding a xml-node in its document context, we use
a second XPath to point to that xml-node in the document.
This function works in two steps. First it evaluates the second
xpath (representing the xml-node) against the Content element of
the Request. This XPath must match a single xml-node only
(otherwise an error is returned).
In the second step, the first XPath expression is evaluated
against the same Content. If the resulting set of xml-nodes
contains the xml-node that results from the first step or one of
its ancestors, the value of this function is true, otherwise it is
false.
The following example shall illustrate how this function works:
Given the function parameters:
/top/interfaces[name="Ethernet"]/interface and
/top/interfaces[name="Ethernet"]/interface
as well as the content XML document:
01
02
03 Ethernet
04
05 Ethernet0/0
06 1500
07
08
09 Ehternet1/1
10 3000
11
12
13 Ethernet2/2
14 1000
15
16
17
18 WLAN
19
20 DHCP0/0
21
22
23
We get the following evaluation:
1. The second xpath points out the xml-node at line 09.
2. The first xpath points out the xml-nodes 03, 07 and 11.
Since xml-node 07 is an ancestor of xml-node 09 the function
evaluates to true.
Seitz & Rissanen Expires January 7, 2008 [Page 9]
Internet-Draft NETCONF access control profile for XACML July 2007
o XACML attribute: Id="xacml-netconf:attribute:rpc-target"
Category=&Resource;
data-type=&string;
This attribute indicates which data store the operation is
targeting. In the case of the copy-config command, this is the
destination data store. For the lock/unlock commands this is the
target data store. An example value would be "running".
o XACML attribute: Id="xacml-netconf:attribute:rpc-source"
Category=&Resource;
data-type=&string; or data-type=&AnyURI;
This attribute indicates the source for the operation. In the
case of the copy-config command, this is the source data store or
an URL. An example value would be "candidate".
o XACML data-type: Id="xacml-netconf:data-type:xpath-expression"
This data-type is a XPath. The data-type also encodes necessary
namespace information, if the XPath is to be used on a namespace
aware document. The encoding is an XML-tag with the name of
"xpath" containing zero or more attributes, each defining a
namespace prefix to namespace URI matching for use with this
XPath.
An example xpath expression would look like this:
01
02
03 //ns1:top/ns1:interfaces[ns1:name="Ethernet"]
04
05
5.3. get and get-config RPC
The get/get-config RPCs get a special treatment, because it was
deemed that the whole RPC shouldn't fail just because the the user is
not authorised to read parts of the result. Instead the desired
behaviour in such a case is to prune the results that are not covered
by the users rights. Therefore it is RECOMMENDED to perform access
control on the result of a get/get-config RPC instead of on the RPC
itself, so that the unauthorised elements can be filtered out and
only the authorised ones remain.
Requests for get/get-config RPCs SHALL be formed as follows: As a
first step, calculate which xml-nodes of the data model are the
results of the RPC. For each xml-node in the result, run an XACML
request. The request contains
Seitz & Rissanen Expires January 7, 2008 [Page 10]
Internet-Draft NETCONF access control profile for XACML July 2007
1. The whole result document under the xml-node.
2. A "&Resource;" category Attribute with AttributeId=&resource-id;
having the AttributeValue of DataType="&xpath;" which contains an
XPath that uniquely identifies the xml-node in question.
3. Another &Resource; category Attribute with AttributeId="xacml-
netconf:attribute:rpc-source" and the AttributeValue with
DataType="&string;" that identifies the data-model this RPC uses
as source (i.e. "running", "startup" or "candidate")
corresponding to the RPC source. This SHALL always have a value
of "running" for "get" RPCs.
4. An "Action" category Attribute with AttributeId="action-id" and
the AttributeValue "read" with DataType="&string;".
Each xml-node that is permitted by the corresponding request is
included in the result together with its ancestors and descendants.
Furthermore the requests for its descendants are skipped. Those xml-
nodes that are not permitted are not included.
These multiple XACML requests can be executed very efficiently if the
PDP is running locally on the network element, preferrably in the
same process as the NETCONF agent. Such an architecture would mean
that no new XML documents get generated and no network communication
needs to be done for those repeated requests.
For security reasons it is advisable not to report that parts of the
response where pruned by access control, otherwise an attacker could
use get/get-config to gather information about the existence of parts
of the configuration that is not accessible according to the
attackers rights.
It is RECOMMENDED that a policy designed to apply to a get or get-
config RPC SHOULD match one AttributeValue corresponding to the
desired subtree of the data-model with the DataType="&xpath;", the
AttributeId="&resource-id;" and the Category="&Resource;".
The same element SHOULD contain a match of an
AttribueValue corresponding to the desired RPC source (i.e.
"running", "startup" or "candidate") with the DataType="&string;",
the AttributeId="xacml-netconf:attribute:rpc-source" and the
Category="&Resource;". If the policy is to apply to "get" RPCs only
this value SHOULD be "running"
Furthermore the policy SHOULD match the AttributeValue "read" with
the DataType="&string;", the AttributeId="action-id" and the
Category="Action". in a element enclosed by a
separate element of the policy target.
Seitz & Rissanen Expires January 7, 2008 [Page 11]
Internet-Draft NETCONF access control profile for XACML July 2007
Example request:
01
02 ...
03
04
05
07 /ns1:top[1]/ns1:interface[1]
08
09
10
11
12
16
17 read
18
19
20
21
22
23 Ethernet0/0
24 1500
25
26
27 Ethernet1/1
28 1000
29
30
31
32
Example policy:
Seitz & Rissanen Expires January 7, 2008 [Page 12]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07
08
09 /ns1:top/ns1:interface
10
11
12
15
16
17 running
19
22
23
24
25
26
27
28 read
29
32
33
34
35
36
37
5.4. edit-config RPC
Requests for edit-config RPCs SHALL be formed as follows: Under the
element an Attribute with the
AttributeId="&resource-id;" and the DataType="&xpath;". The
AttributeValue SHALL be "//*[@operation and not(ancestor::*[@
operation])]".
The same Category SHALL also include an Attribute with the
AttributeId="&scope;" and the DataType="&string;". The
AttributeValue SHALL be "XPath-expression".
Seitz & Rissanen Expires January 7, 2008 [Page 13]
Internet-Draft NETCONF access control profile for XACML July 2007
Still under the same Category there SHALL be an Attribute with the
AttributeId="xacml-netconf:attribute:rpc-target" and the DataType="&
string;". The AttributeValue SHALL be either "running", "startup" or
"candidate" corresponding to the RPC target.
Furthermore the request SHALL include the element, containing a single Attribute with the
AttributeId="action-id" having the DataType="&string;" and the
AttributeValue of "write".
From the RPC, the contents of the element SHALL be included
in the request under the element. If the RPC contains a
element the contents of the RPC element
that are added to the request element SHALL be edited to
add a xml-attribute "operation" with a value corresponding to the
value of the element.
This request format makes use of the Multiple resource profile of
XACML [XACML_MR] where the multiple resources are the elements of the
RPC that have an "operation" xml-attribute and no ancestor with such
an xml-attribute. Using this profile, no access control is performed
for operations that have an ancestor operation. This is due to the
fact that all edit-config operations are subsumed under the action
"write" as far as access control is concerned. The underlying
assumption of this profile is that if you are authorised to write to
a xml-node in the data-model you are automatically authorised to
write to all its children too.
The XPath "//*[@operation and not(ancestor::*[@operation])]" performs
the selection of operations with no ancestor operation.
If any edit-config operation of the RPC is not permitted, the whole
RPC SHALL be denied.
If the RPC uses the :url capability (i.e. a element appears
instead of the element), the NETCONF agent SHALL preprocess
the RPC by downloading the file pointed to by the URL and replacing
the element by a element containing the content of the
file.
Another special case that needs to be treated is the following:
According to the protocol specification, it is possible to create a
syntactically correct edit-config RPC with no operation at all (i.e.
specifying 'none' as and having no 'operation'
xml-attributes in the ). Such an RPC SHALL be discarded
according to this profile and not be processed by the NETCONF agent,
to avoid leaking information with the error messages.
It is RECOMMENDED that a policy designed to apply to an edit-config
RPC SHOULD match one AttributeValue corresponding to the desired
subtree of the data-model with the DataType="&xpath;", the
AttributeId="&resource-id;" and the Category="&Resource;".
The same element SHOULD contain a match of an
AttribueValue corresponding to the desired RPC target (i.e.
Seitz & Rissanen Expires January 7, 2008 [Page 14]
Internet-Draft NETCONF access control profile for XACML July 2007
"running", "startup" or "candidate") with the DataType="&string;",
the AttributeId="xacml-netconf:attribute:rpc-target" and the
Category="&Resource;".
Furthermore the policy SHOULD match the AttributeValue "write" with
the DataType="&string;", the AttributeId="action-id" and the
Category="Action" in a element enclosed by a
separate element of the policy target.
Example request:
01
02 ...
03
04
05
12
16
20
21 write
22
23
24
25
26
27 Ethernet0/0
28 1500
29
30
31
32
Example policy:
Seitz & Rissanen Expires January 7, 2008 [Page 15]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07
08
09 /ns1:top/ns1:interface[ns1:name="Ethernet0/0"]
10
11
12
15
16
17 running
19
22
23
24
25
26
27
28 write
30
33
34
35
36
37
38
5.5. copy-config and delete-config RPC
Requests for copy-config and delete-config RPCs SHALL be formed as
follows: The RPC target parameter SHALL be included under the
element as a single Attribute with
the AttributeId="xacml-netconf:attribute:rpc-target". If the RPC
target is one of {running, startup, candidate} the DataType SHALL be
"&string;" otherwise it SHALL be "&AnyURI;". The AttributeValue
SHALL be equal to the RPC target.
Seitz & Rissanen Expires January 7, 2008 [Page 16]
Internet-Draft NETCONF access control profile for XACML July 2007
In case of copy-config RPCs the request SHALL also include the RPC
source under same Category as a single Attribute with the
AttributeId="xacml-netconf:attribute:rpc-source". If the RPC source
is one of {running, startup, candidate} the DataType SHALL be
"&string;" otherwise it SHALL be "&AnyURI;". The AttributeValue
SHALL be equal to the RPC source.
Furthermore the request SHALL include the element, containing a single Attribute with the
AttributeId="action-id" having the DataType="&string;". This SHALL
have the AttributeValue of "write" if the RPC target is one of
{running, startup, candidate}. If the RPC target is a URL then this
AttributeValue SHALL be "read".
When the target is a URL, no configuration data is overwritten, such
RPC must therefore be considered 'read' operations. However when the
target is a local configuration, the RPC must be considered a 'write'
operation.
It is RECOMMENDED that a policy designed to apply to a copy-config/
delete-config RPC SHOULD match one or more AttribueValues
corresponding to the desired RPC targets with AttributeId="xacml-
netconf:attribute:rpc-target" and the Category="&Resource;".
For those targets that are "running", "startup" or "candidate" the
DataType SHALL be equal to "&string;", for URL targets, the DataType
SHALL be equal to &AnyURI;.
Each desired RPC target SHOULD be placed in a separate
element under a single common
element in the policy target.
The policy SHOULD also match one or more AttribueValues corresponding
to the desired RPC sources with the DataType="&string;" or
DataType="&AnyURI;", the AttributeId="xacml-netconf:attribute:rpc-
source" and the Category="&Resource;". Each desired RPC source
SHOULD be placed in a separate element under a
single common element in the policy target.
Furthermore if any target elements where one of {running, startup,
candidate}, then the policy SHOULD match the AttributeValue "write"
with the DataType="&string;", the AttributeId="action-id" and the
Category="Action" in a separate element enclosed
by a separate element in the policy target.
If any source elements where one of {running, startup, candidate},
then the policy SHOULD match the AttributeValue "read" with the
DataType="&string;", the AttributeId="action-id" and the
Category="Action" in a separate element. This
element should be enclosed the same element as
previous "write" action matches if any, otherwise it is to be
enclosed by a separate element in the policy
target.
Seitz & Rissanen Expires January 7, 2008 [Page 17]
Internet-Draft NETCONF access control profile for XACML July 2007
Example request:
01
02 ...
03
04
05
08
13
14 write
15
16
17
Example policy:
Seitz & Rissanen Expires January 7, 2008 [Page 18]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07 running
09
12
13
14
15
16
17
18 https://user@example.com:
20 passphrase/cfg/new.txt
21
24
25
26
27
28
29
30 write
32
35
36
37
38
39
40
5.6. lock and unlock RPC
Requests for lock/unlock RPCs SHALL be formed as follows: The RPC
operation target SHALL be included under the element as a single Attribute with the
AttributeId="xacml-netconf:attribute:rpc-target" and the DataType="&
string;". The AttributeValue SHALL be either "running", "startup" or
Seitz & Rissanen Expires January 7, 2008 [Page 19]
Internet-Draft NETCONF access control profile for XACML July 2007
"candidate" corresponding to the RPC operation target.
Furthermore the request SHALL include the element, containing a single Attribute with the
AttributeId="action-id" having the DataType="&string;" and the
AttributeValue of either "lock" or "unlock" depending on the type of
RPC.
It is RECOMMENDED that a policy designed to apply to a lock/unlock
RPC SHOULD match one or more AttribueValues corresponding to the
desired RPC targets (i.e. "running", "startup" and/or "candidate")
with the DataType="&string;", the AttributeId="xacml-
netconf:attribute:rpc-target" and the Category="&Resource;". Each
desired RPC target SHOULD be placed in a separate
element under a single element in the policy
target. Furthermore the policy SHOULD match both AttributeValues
"lock" and "unlock" with the DataType="&string;", the
AttributeId="action-id" and the Category="Action". in separate
elements enclosed by a separate
element of the policy target.
Example request:
01
02 ...
03
04
05
09
10 lock
11
12
13
Example policy:
Seitz & Rissanen Expires January 7, 2008 [Page 20]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07 running
09
12
13
14
15
16
17
18 lock
20
23
24
25
26
27 unlock
29
32
33
34
35
36
37
5.7. kill-session RPC
Requests and policies for this RPC are defined to be independent of
the session-id. Although it would be easily possible to make
session-id specific policies and requests, no reasonable use-case for
such a feature was found.
Any kill-session RPC SHALL be translated to a request that includes
the element, containing a single
Attribute with the AttributeId="action-id" having the DataType="&
Seitz & Rissanen Expires January 7, 2008 [Page 21]
Internet-Draft NETCONF access control profile for XACML July 2007
string;" and the AttributeValue "kill-session".
It is RECOMMENDED that a policy designed to apply to a kill-session
RPC SHOULD match the single AttributeValue "kill-session" with the
DataType="&string;", the AttributeId="action-id" and the
Category="Action" in a element of its Target.
Example request:
01
02 ...
03
04
05 kill-session
07
08
09
Example policy:
01
02
03 ...
04
05
06
07 kill-session
09
12
13
14
15
16
17
5.8. close-session RPC
For this RPC it was deemed that no XACML profile was necessary. This
results from the assumption that only the person that opened a
session should be allowed to submit this RPC to the NETCONF agent.
It seems reasonable to expect that the NETCONF agent can enforce this
behaviour without the support of the access control system.
Seitz & Rissanen Expires January 7, 2008 [Page 22]
Internet-Draft NETCONF access control profile for XACML July 2007
5.9. commit and discard-changes RPC
If the NETCONF agent supports the :candidate capability, Any commit
or discard-changes RPC SHALL be translated to a request that includes
the element, containing a single
Attribute with the AttributeId="action-id" having the DataType="&
string;" and the AttributeValue of either "commit" or "discard-
changes".
It is RECOMMENDED that a policy designed to apply to a commit or
discard-changes RPC SHOULD match the single AttributeValue "commit"
or "discard-changes" with the DataType="&string;", the
AttributeId="action-id" and the Category="Action" in a
element enclosed by a element
of its Target.
Example request:
01
02 ...
03
04
05 commit
06
07
08
Example policy:
01
02
03 ...
04
05
06
07 commit
09
12
13
14
15
16
17
Seitz & Rissanen Expires January 7, 2008 [Page 23]
Internet-Draft NETCONF access control profile for XACML July 2007
5.10. validate RPC
If the NETCONF agent supports the :validate capability, requests for
lock/unlock RPCs SHALL be formed as follows: The RPC operation target
SHALL be included under the
element as a single Attribute with the AttributeId="xacml-
netconf:attribute:rpc-target" and the DataType="&string;". The
AttributeValue SHALL be either "running", "startup" or "candidate"
corresponding to the RPC operation target.
Furthermore the request SHALL include the element, containing a single Attribute with the
AttributeId="action-id" having the DataType="&string;" and the
AttributeValue of "validate".
It is RECOMMENDED that a policy designed to apply to a validate RPC
SHOULD match one or more AttribueValues corresponding to the desired
RPC targets (i.e. "running", "startup" and/or "candidate") with the
DataType="&string;", the AttributeId="xacml-netconf:attribute:rpc-
target" and the Category="&Resource;". Each desired RPC target
SHOULD be placed in a separate element under a
single element in the policy target. Furthermore
the policy SHOULD match the AttributeValue "validate" with the
DataType="&string;", the AttributeId="action-id" and the
Category="Action" in a separate element enclosed
by a separate element of the policy target.
Example request:
01
02 ...
03
04
05
09
10 validate
11
12
13
Example policy:
Seitz & Rissanen Expires January 7, 2008 [Page 24]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07 candidate
09
12
13
14
15
16
17
18 validate
20
23
24
25
26
27
28
Seitz & Rissanen Expires January 7, 2008 [Page 25]
Internet-Draft NETCONF access control profile for XACML July 2007
6. Practical consequences for NETCONF implementations
This profile does not make any assumptions on the data-model that a
NETCONF operation affects. However writing a correct policy
according to this profile requires such knowledge. This is due to
the fact that XPathes matching parts of the data-model have to be
inserted in the policy.
A PDP using this profile to perform access control on NETCONF
operations will need access to the RPC and for or
operations, to the results of the RPC. No access to actual device
data is required by this profile. If a special treatment for get/
get-config proves to be undesirable, a more restrictive
interpretation can be implemented by performing a similar access
control evaluation as for edit-config RPCs.
This profile makes heavy use of XPath [XPath] to reference elements
in a data-model. It may be the case that XPath processing proves to
be too slow for time-critical applications. Therefore alternatives
can be considered, such as the Subtree Filtering proposed in the
Netconf standard section 6 [RFC4741]. This profile can be adapted to
such alternatives with relative ease, by creating a new data-type for
XACML representing the xml-node selection expression and a new
function for XACML equivalent to the "xpath-node-match" Function.
According to this profile, no specific access control architecture is
required (i.e. where the PDP and PEP are implemented). However it
seems both advisable and possible to have the PDP running at the same
location as the NETCONF agent. Although calls to distant PDPs are
possible the response time would be prohibitive. In order to allow
for fast communication one should aim to have the PDP running in the
same process as the NETCONF agent. Our implementation of the XACML
PDP is around 300 KByte large and has a memory consumption in the
order of magnitude of 700 KBytes (this is mostly due to XML
processing at startup). Further optimisation of these numbers is
possible if need arises.
If the NETCONF agent supports the :url capability, edit-config RPCs
need to be preprocessed to substitute a possible element by a
element containing the contents of the file pointed to by
the URL.
Seitz & Rissanen Expires January 7, 2008 [Page 26]
Internet-Draft NETCONF access control profile for XACML July 2007
7. Security Considerations
Depending on the error messages returned by unsuccessful edit-config
operations, an attacker might probe parts of the data model that are
not covered by the attackers access rights. Especially the 'data-
exists' and 'data-missing' errors could leak information about the
device data. If these leaks are considered severe, one should
consider replacing the error message e.g. with an 'operation-failed'
error message without further description.
New capabilities advertised by NETCONF agents can provide new methods
of accessing data on the device. If the access control model does
not cover such capabilities it is RECOMMENDED to deny requests using
them until the model has been extended to cover them.
In order to implement such behaviour for new NETCONF operations, a
deny-biased PDP can be used. Such a PDP denies all requests for
which no applicable policy can be found.
If the capability affects existing NETCONF operations, the specific
profile for these operations SHOULD be extended.
Security considerations from the XACML standard [XACML] and from the
NETCONF standard [RFC4741] SHOULD be applied to any use of this
profile.
Seitz & Rissanen Expires January 7, 2008 [Page 27]
Internet-Draft NETCONF access control profile for XACML July 2007
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2904] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L.,
Gross, G., de Bruijn, B., de Laat, C., Holdrege, M., and
D. Spence, "AAA Authorization Framework", RFC 2904,
August 2000.
[RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741,
December 2006.
[XACML] OASIS, "eXtensible Access Control Markup Language",
.
[XACML_MR]
Anne, A., "Multiple resource profile of XACML v2.0",
OASIS Standard, February 2005.
[XML] Bray, T., Paoli, J., Maler, E., Sperberg-McQueen, C., and
F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fourth
Edition)", World Wide Web Consortium Recommendation REC-
xml-20060816, August 2006,
.
[XPath] DeRose, S. and J. Clark, "XML Path Language (XPath)
Version 1.0", World Wide Web Consortium
Recommendation REC-xpath-19991116, November 1999,
.
8.2. Informative References
[XACMLIntro]
Sun Microsystems, Inc., "A Brief Introduction to XACML",
Webpage http://www.oasis-open.org/committees/download.php/
2713/Brief_Introduction_to_XACML.html, March 2003.
[XACMLProducts]
Anderson, A., "XACML References and Products, Version
1.73",
Webpage http://docs.oasis-open.org/xacml/xacmlRefs.html,
January 2007.
Seitz & Rissanen Expires January 7, 2008 [Page 28]
Internet-Draft NETCONF access control profile for XACML July 2007
Appendix A. Abbreviations
For abbreviating XACML policies and requests this profile provides a
list of entity declarations, that is to be used within this document.
The syntax and expansion for such entities is defined in [XML] (e.g.
&string; will be expanded to
"http://www.w3.org/2001/XMLSchema#string").
o
o
o
o
o
o
o
o
o
Seitz & Rissanen Expires January 7, 2008 [Page 29]
Internet-Draft NETCONF access control profile for XACML July 2007
Appendix B. Examples
In this section we give examples of requests, policies and their
evaluation.
B.1. Get-config example
Given the following get-config RPC:
01
03
04
05
06
07
08
09
10
11
we get the following result before access control:
Seitz & Rissanen Expires January 7, 2008 [Page 30]
Internet-Draft NETCONF access control profile for XACML July 2007
01
03
04
05
06 Ethernet
07
08 Ethernet0/0
09 1500
10
11
12 Ehternet1/1
13 3000
14
15
16 Ethernet2/2
17 1000
18
19
20
21 WLAN
22
23 WLAN0/0
24
25
26
27
28
Now given and the XACML policy (ommitting the subject part):
Seitz & Rissanen Expires January 7, 2008 [Page 31]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07
08 /top/interfaces[name="Ethernet"]
09
10
13
14
15 running
17
20
21
22
23
24
25
26 read
28
31
32
33
34
35
36
we generate the following requests (ommitting the subject part):
Seitz & Rissanen Expires January 7, 2008 [Page 32]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02 ...
03
04
05
10
14
15 read
16
17
18
19 ...
20
21
which is denied.
01
02 ...
03
04
05
04
05
04
05
04
05
04
05
04
05
03
04
05
06 Ethernet
07
08 Ethernet0/0
09 1500
10
11
12 Ehternet1/1
13 3000
14
15
16 Ethernet2/2
17 1000
18
19
20
21
22
B.2. edit-config example
Given the following edit-config RPC:
Seitz & Rissanen Expires January 7, 2008 [Page 35]
Internet-Draft NETCONF access control profile for XACML July 2007
01
03
04
05
06
07
08 Ethernet
09
10 Ethernet0/0
11 1500
12 192.0.0.1
13
14
15 Ethernet1/1
16 3000
17
18
19 Ethernet2/2
20 1000
21
22
23
24 WLAN
25
26 WLAN0/0
27
28
29
30
31
32
and the following XACML policy (ommitting the subject part):
Seitz & Rissanen Expires January 7, 2008 [Page 36]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03 ...
04
05
06
07
08 /top/interfaces[name="Ethernet"]
09
10
13
14
15 running
17
20
21
22
23
24
25
26 write
28
31
32
33
34
35
36
we generate the following request from the RPC:
Seitz & Rissanen Expires January 7, 2008 [Page 37]
Internet-Draft NETCONF access control profile for XACML July 2007
01
02
03
04 running
05
06
07 XPath-expression
09
10
11
18
19 write
20
21
22
23 [Contents of the element in the RPC]
24
25
which results in the following XACML response:
01
02
03 Permit
04
05
07
08 /top[1]/interfaces[1]/interface[1]
09
10
11
12
13
14
15
16
17 NotApplicable
18
19
Seitz & Rissanen Expires January 7, 2008 [Page 38]
Internet-Draft NETCONF access control profile for XACML July 2007
21
28
29
30
31 Permit
32
33
35
36 /top[1]/interfaces[1]/interface[2]
37
38
39
40
41
42
43
44
45 Permit
46
47
49
50 /top[1]/interfaces[1]/interface[3]/mtu[1]
47
48
49
50
51
52
53
54
The meaning of this response is the following:
o The operation on line 09 of the RPC is permitted (lines 02-14 of
the response).
o There is no applicable policy for the operation on line 25 of the
RPC (lines 15-27 of the response). This usually means that we
deny the operation and therefore reject the whole RPC.
Seitz & Rissanen Expires January 7, 2008 [Page 39]
Internet-Draft NETCONF access control profile for XACML July 2007
o The operation on line 14 of the RPC is permitted (line 28-40 of
the response).
o The operation on line 20 of the RPC is permitted (line 41-53 of
the response).
The operation on line 12 of the RPC is not submitted to access
control since a ancestor xml-element already contained a edit-config
operation (line 09). Since we simplify all edit-config operations to
'write', the operation on line 12 would have been permitted anyway as
the ancestor operation was permitted. If the ancestor operation had
been denied the whole RPC would be rejected anyway.
Seitz & Rissanen Expires January 7, 2008 [Page 40]
Internet-Draft NETCONF access control profile for XACML July 2007
Authors' Addresses
Ludwig Seitz
SICS, Swedish Institute of Computer Science AB
Box 1263
Kista 164 29
Sweden
Phone: +46 8 633 1516
Email: ludwig@sics.se
Erik Rissanen
Axiomatics AB
Ringstedsgatan 36
Kista 164 48
Sweden
Email: erik@axiomatics.com
Seitz & Rissanen Expires January 7, 2008 [Page 41]
Internet-Draft NETCONF access control profile for XACML July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Seitz & Rissanen Expires January 7, 2008 [Page 42]