IETF Logo Mail Archive

[CCAMP] Secdir last call review of draft-ietf-ccamp-layer1-types-16

Christian Huitema via Datatracker <noreply@ietf.org> Mon, 13 November 2023 03:18 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: ccamp@ietf.org
Delivered-To: ccamp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED39C1524B3; Sun, 12 Nov 2023 19:18:47 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: ccamp@ietf.org, draft-ietf-ccamp-layer1-types.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 11.14.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <169984552704.60413.8772898152962330657@ietfa.amsl.com>
Reply-To: Christian Huitema <huitema@huitema.net>
Date: Sun, 12 Nov 2023 19:18:47 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ccamp/alymOJ-LAOkdzBdNQGxukjdu63E>
Subject: [CCAMP] Secdir last call review of draft-ietf-ccamp-layer1-types-16
X-BeenThere: ccamp@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Discussion list for the CCAMP working group <ccamp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ccamp>, <mailto:ccamp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ccamp/>
List-Post: <mailto:ccamp@ietf.org>
List-Help: <mailto:ccamp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ccamp>, <mailto:ccamp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2023 03:18:47 -0000

Reviewer: Christian Huitema
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

The summary of the review is 'Ready'.

draft-ietf-ccamp-layer1-types specifies a YANG module for describing the common
data types, groupings and identities for use in YANG [RFC7950] data models of
Layer 1 networks, such as for example Optical Transport Networking.

The security section asserts that potential security issues do not derived from
the particulars of the Yang modules, but from potential unauthorized access to
the data and unauthorized modification of the data. Access is expected to be
protected using either SSH for NETCONF or HTTPS for RESTCONF, as per standard
practice. I would not expect a Yang module to state anything else.

I do not have enough expertise in Optical Transport Networking and other Layer
1 networks to evaluate the details of the specification. I assume that other
reviewers will conduct such specialized review.

And now, a side remark, not related to this specific document but applying to
the general practice of saying "just use NETCONF with SSH or RESTCONF with
TLS", but SSH and HTTPS support a variety of authentication mechanisms. SSH,
for example, can authenticate a client using a public key, a password, a host
identity, or even nothing. HTTPS has a similar range of options. Some of those
options are much more vulnerable than others -- password based authentication,
for example, is vulnerable to phishing attacks and password reuse.

The NETCONF and RESTCONF specifications leave the choice of authentication to
the organization deploying the Yang based management, with statements like "the
identity of the SSH client MUST also be verified and authenticated by the SSH
server according to local policy". I did not find a specification of what the
local policy should be. It would be nice if the safety of network
infrastructure could not be defeated by a password-based attack, or other
simple attacks. It might be useful to do some work here, and provide practical
guidance on the deployment of strong authentication mechanisms.

v2.23.0 | Report a Bug | By Email