Re: [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx

Hi,

I am curious if this is a security concern.
When an event is scheduled, the ID and its scheduled time
are sent out in a notification to potentially all clients.

notification netconf-scheduled-message {
  leaf schedule-id {
    type string;
    description
      "The ID of the scheduled message.";
  }

  leaf scheduled-time {
    type yang:date-and-time;
    description
      "The time at which the RPC is scheduled to be performed.";
  }

  description
    "Indicates that a scheduled message was received.";
  reference
    "draft-mm-netconf-time-capability:
     Time Capability in NETCONF";
}


Any client can get these notifications and know the ID (to cancel it)
and the scheduled time.

Is it a security issue that any client can get the schedule-id
and use it to cancel the scheduled RPC?


Andy


On Wed, Jul 29, 2015 at 2:15 PM, Olafur Gudmundsson <ogud@xxxxxxxx> wrote:
I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document is ready for publication.
The document is well written.

The security considerations are clear and accurate. I would like to highlight one omission though.
This capability allows an attacker, once it has gained access, to schedule events in the future even
though the attacker's access has been detected and revoked.

Olafur 

_______________________________________________
Netconf mailing list
Netconf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/netconf
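The two points raised in this thread, a non-owner learning the schedule-id from the notification and using it to cancel, and scheduled RPCs outliving a client whose access has since been revoked, can be made concrete with a small scheduler model. The following is an added example written for this archive page; it is not code from the draft or from any NETCONF implementation. The class and method names, the owner-bound cancel check, the per-recipient notification filtering and the revocation sweep are all assumed mitigations chosen for illustration, not behaviour the draft specifies.

```python
"""Toy model of a time-capability scheduler with owner-bound cancellation.

Constructed illustration only: not code from the draft or any NETCONF stack.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class ScheduledRpc:
    schedule_id: str
    owner: str            # session/user that issued the scheduled RPC (assumed field)
    scheduled_time: datetime
    rpc: str              # name of the deferred operation, e.g. "edit-config"


class TimeCapabilityScheduler:
    """Keeps pending scheduled RPCs and enforces who may cancel them (assumed policy)."""

    def __init__(self) -> None:
        self._pending: dict[str, ScheduledRpc] = {}
        self._revoked: set[str] = set()

    def schedule(self, client: str, rpc: str, delay_seconds: int) -> str:
        """Queue `rpc` for `client`; returns the schedule-id handed back to that client."""
        if client in self._revoked:
            raise PermissionError(f"{client}: access revoked")
        when = datetime.now(timezone.utc) + timedelta(seconds=delay_seconds)
        # Unguessable id: nobody should be able to enumerate ids they were never told.
        schedule_id = secrets.token_urlsafe(16)
        self._pending[schedule_id] = ScheduledRpc(schedule_id, client, when, rpc)
        return schedule_id

    def notification_for(self, schedule_id: str, recipient: str) -> dict:
        """Build the netconf-scheduled-message payload as `recipient` would see it.

        The draft's notification carries both leaves for every subscriber; this
        variant includes schedule-id only for the owner, so other subscribers learn
        the time but not a handle they could reuse (assumed filtering policy).
        """
        entry = self._pending[schedule_id]
        payload = {"scheduled-time": entry.scheduled_time.isoformat()}
        if recipient == entry.owner:
            payload["schedule-id"] = entry.schedule_id
        return payload

    def cancel(self, client: str, schedule_id: str) -> bool:
        """Cancel only if `client` owns the entry.

        Unknown ids and ids owned by someone else both return False, so the reply
        cannot be used to probe which ids exist.
        """
        entry = self._pending.get(schedule_id)
        if entry is None or entry.owner != client:
            return False
        del self._pending[schedule_id]
        return True

    def revoke_client(self, client: str) -> list[str]:
        """Revoke `client` and drop every RPC it left queued.

        This addresses the omission noted in the review: without such a sweep a
        scheduled RPC would still fire after the issuer's access was withdrawn.
        """
        self._revoked.add(client)
        dropped = [sid for sid, entry in self._pending.items() if entry.owner == client]
        for sid in dropped:
            del self._pending[sid]
        return dropped

    def pending(self) -> list[str]:
        """Sorted list of schedule-ids still queued."""
        return sorted(self._pending)


if __name__ == "__main__":
    s = TimeCapabilityScheduler()
    sid = s.schedule("alice", "edit-config", 3600)
    print("bob sees:", s.notification_for(sid, "bob"))
    print("bob cancels:", s.cancel("bob", sid))
    print("dropped on revoke:", s.revoke_client("alice"))
```

The design choices worth noting are that the schedule-id is treated as a capability (random, owner-scoped) rather than as public metadata, that the cancel path returns the same answer for unknown and foreign ids, and that revocation is tied to a sweep of the pending queue rather than only to future requests.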


