PSARC 2007/397 NDMP Service

Darren J Moffat Darren.Moffat at Sun.COM
Tue Jul 3 05:09:51 PDT 2007


Minor spec nit: libmd should be used rather than libmd5, as per 
PSARC/2005/426.

The configurable listening port should probably be provided as an SMF 
service property; not doing so would require using an alternate SMF 
method script rather than the one the project team provided.

Much more important, though, are the security issues with NDMP.  The 
authentication used in NDMP is weak and doesn't use an algorithm that is 
in the FIPS 140-2 list; this will cause problems with some customers. 
Also, NDMP does not provide for protection of the data in transit.

However, neither of these are issues caused by this project team but are 
problems that are inherent in the NDMP protocol; the security 
considerations in the standard are very weak and incomplete.

A security analysis of the NDMP protocol can be found at [1].

Even though the NDMP service is not enabled by default, I believe this 
project would be greatly enhanced if it had the ability to have some 
access control on incoming connections.  A simple use of libwrap's 
hosts_access(3) function would provide some enhanced security for the 
side receiving the inbound connections.  Ideally a stronger 
authentication and transport protection would be provided, but since that 
would change the on-the-wire protocol I don't expect the project team to 
resolve that issue for this case, but I would highly encourage them to 
work with the relevant standards body to get strong authentication 
(probably using GSS-API or SASL) and data confidentiality support in the 
transport protocol.


[1] http://www-users.itlabs.umn.edu/classes/Fall-2006/csci5271/ndmp.pdf

--
Darren J Moffat
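
The per-connection access check suggested above, as an added example that is not part of the original message or the project's code. To stay self-contained it uses a small default-deny IPv4 CIDR allow-list as a stand-in for libwrap's hosts_access(3); the function names and the rule format are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if addr is inside "a.b.c.d/len" (bare address = /32), 0 if not
 * or if the rule is malformed. Rule syntax is hypothetical, not hosts.allow. */
static int cidr_match(struct in_addr addr, const char *rule)
{
    char buf[INET_ADDRSTRLEN + 4];
    struct in_addr net;
    char *slash, *end;
    long bits = 32;

    if (strlen(rule) >= sizeof(buf))
        return 0;
    strcpy(buf, rule);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return 0;               /* a bad prefix never widens access */
    }
    if (inet_pton(AF_INET, buf, &net) != 1)
        return 0;
    uint32_t mask = bits == 0 ? 0 : htonl(0xffffffffu << (32 - bits));
    return (addr.s_addr & mask) == (net.s_addr & mask);
}

/* Default deny: only an IPv4 peer matching some allow rule gets through. */
int peer_allowed(const struct sockaddr *sa, const char *const *allow, size_t n)
{
    if (sa == NULL || sa->sa_family != AF_INET)
        return 0;
    struct in_addr a = ((const struct sockaddr_in *)sa)->sin_addr;
    for (size_t i = 0; i < n; i++)
        if (cidr_match(a, allow[i]))
            return 1;
    return 0;
}

/* Call right after accept(); close fd on 0 before reading any NDMP data. */
int conn_allowed(int fd, const char *const *allow, size_t n)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return 0;                   /* unknown peer is treated as denied */
    return peer_allowed((struct sockaddr *)&ss, allow, n);
}
```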


