[alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-16: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Thu, 18 January 2024 14:47 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: alto@ietf.org
Delivered-To: alto@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B3C7C604307; Thu, 18 Jan 2024 06:47:09 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-alto-oam-yang@ietf.org, alto-chairs@ietf.org, alto@ietf.org, mohamed.boucadair@orange.com, mohamed.boucadair@orange.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.2.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170558922942.23695.16046305326297000661@ietfa.amsl.com>
Date: Thu, 18 Jan 2024 06:47:09 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/EBrly0aniAY72534w5xsa1fWP9E>
Subject: [alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-16: (with DISCUSS and COMMENT)
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.39
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 14:47:09 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-alto-oam-yang-16: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-alto-oam-yang/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Per -15 ballot review: ** Section 8. Per the guidance on writeable data, aren’t significant parts of alto-server/listen sensitive as one could alter the stored keys for the server or client; or the username/password combinations (in http-server-parameters)? ** Section 8. Per the guidance about readable data: -- isn’t tls-server-parameters sensitive since it could contain raw private keys (e.g., ks:inline-or-keystore-symmetric-key-grouping)? -- Would it be best practice to be able to read all of the authorized users? Thanks for the response at https://mailarchive.ietf.org/arch/msg/alto/tD88zktK20QDBIbd-jbGt5JJDLc/ > Yes, some groupings in alto-server/listen are also sensitive. But they are > defined in other RFCs, thus the security considerations in those RFCs also > apply to them. This described approach is inconsistent with my observation on how the YANG security template is used. If there is a path which has security considerations, the issues are typically highlighted regardless of whether there is reuse. Setting aside that this is a YANG module, my experience with any protocol document is that if there is a mechanism reused by reference and it introduces a relevant security dependency, it would have been cited in the Security Considerations as applicable. Neither of these approach appear to be taken here. Is there a reason why not? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Rich Salz for the SECDIR review. Thank you for addressed by COMMENT and DISCUSS feedback.
- [alto] Roman Danyliw's Discuss on draft-ietf-alto… Roman Danyliw via Datatracker
- Re: [alto] Roman Danyliw's Discuss on draft-ietf-… Jensen Zhang