
Re: Misc security considerations on the current netconf draft



>>>>> On Fri, 21 May 2004 13:12:00 +0200, Eliot Lear <lear@cisco.com> said:

Eliot> Is your requirement that we specify an ACL model now?  Truth be told
Eliot> we could specify a rudimentary one without much difficulty.

The previous message really documented concerns, and I didn't specify
requirements.  I've been mulling what I'd recommend that would be
deemed acceptable (which is the hard part).

You have specified an ACL model.  You haven't specified how to apply it.

Eliot> I do not share your concern about mixed models.  I think it's still
Eliot> left to the device to validate commands as authentic from a
Eliot> configuration file, no matter its source.

1) But you don't state that.  And you don't state which targets are
   (MUST be) restricted by access control.

2) And did you see my questions regarding roll-backs and validate?

Eliot> I think of it no differently than a UNIX script (without setuid
Eliot> capability).

The difference is that you have parts of a few files (running, candidate,
etc) accessible and other parts of a few files inaccessible
but you can still use the cp command to move data between those
files.  Unix doesn't match this case at all, because you can't do
partial file access control.

If you want to stick with unix in your analogy, maybe you meant that
you put each of your data into separate files and provided
access control on each of those files.  But your only command to move
between the two sets of files (running vs candidate) is cp -r candidate/
running/ .
-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett

--
archive: <http://ops.ietf.org/lists/netconf/>
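
Added example, not part of the original message or of the netconf draft: a constructed Python model of the concern raised above, where a whole-datastore copy from candidate to running carries a change to a node the user cannot write directly, next to a copy that applies the ACL to every node it would change. The flat path-to-value datastores, the ACL table and all function names are assumptions made for illustration.

```python
# Constructed model: a datastore is a flat {path: value} map and the ACL
# lists the path prefixes each user may write. All names are hypothetical.
ACL = {"operator": ["/interfaces/"], "admin": ["/"]}

def may_write(user, path):
    """True if any prefix granted to the user covers this path."""
    return any(path.startswith(prefix) for prefix in ACL.get(user, []))

def changed_paths(candidate, running):
    """Paths the copy would add, modify or delete in running."""
    return sorted(p for p in candidate.keys() | running.keys()
                  if candidate.get(p) != running.get(p))

def naive_copy(user, candidate, running):
    """The 'cp -r candidate/ running/' case: one check for the whole target."""
    if not ACL.get(user):
        raise PermissionError(user)
    return dict(candidate)

def checked_copy(user, candidate, running):
    """Check every node the copy would change; refuse the whole copy if any is denied."""
    denied = [p for p in changed_paths(candidate, running)
              if not may_write(user, p)]
    if denied:
        raise PermissionError(f"{user} may not write {denied}")
    return dict(candidate)

def demo():
    running = {"/interfaces/eth0/mtu": 1500, "/aaa/users/root/role": "admin"}
    # Candidate holds one change inside the operator's prefix and one outside it.
    candidate = {"/interfaces/eth0/mtu": 9000, "/aaa/users/root/role": "guest"}
    leaked = naive_copy("operator", candidate, running)
    try:
        checked_copy("operator", candidate, running)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())
```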