Hi, Chris: Adrian and I talk about user tag management during his review of draft-ietf-netmod-node-tags. One issue raised by Adrian is about whether we will face a situation where one user want to add a user tag while the other user intends to remove such tag. So the question related to RFC8819 is: Has RFC8819 missed to talk about the risks associated with an attacker adding or removing tags so that a requester gets the wrong data? See more details below.
-Qin >>Section 5 has >> As the main consumer of >> data object tags are users, users may also remove any tag from a live >> server, no matter how the tag became associated with a data object >> within a YANG module. >> >>Suppose there are two users accessing the same YANG data objects on a >>live >server. This doesn't seem unreasonable in the case of different users or >monitoring tools reading data about the network or devices. >> >>Doesn't this text lead to "warring tag removal" where one user adds a >>tag, >and another user removes it? >> >>Maybe this is limited to user tags so that each user may have their own >tags. But, in this case, it needs to be clearer what a user tag contains and >how it is used. >> >>It would still be pretty annoying is Benoit added user:benoit to some >>data >objects, and I went and removed them. > [Qin Wu] Yes, I believe it is limited to user tags, since IETF tags are > design time tags, so does implementation tags. It is unlikely to face the > situation "warring tag removal". >But for user tag, your are right, user has its own tags and each user may have >different privilege therefore. User with low privilege can not remove the tag >owned by high privilege user. >But I am not sure this is the scope of this document, It seems to me >implementation specific and should not in the scope of this document, agree? > (See also section 5.3) [AF] Agree about implementation. But maybe, "An implementation MAY include mechanisms to stop users' removing each other's tags or to apply privilege levels to different users." >>Should section 10 talk about the risks associated with an attacker >>adding >or removing tags so that a requester gets the wrong data? > [Qin Wu] User tag is not registered, how user tag is defined and removed is > not scope of this document, in my opinion. Take a look at RFC8819, RFC8819 > also doesn't flag this as a issue, do you think we should do this? [AF] Hmmm. Maybe 8819 missed this? I agree this refers to the previous point. Actually: 1. Just go back and check that it is clear that only user tags can be added/removed dynamically 2. Add a note to section 10 to say "Note that appropriate privilege and security levels need to be applied to the addition and removal of user tags to ensure that a user receives the correct data." _______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod
