[i2rs] Benoit Claise's Discuss on draft-ietf-i2rs-yang-network-topo-15: (with DISCUSS and COMMENT)
Benoit Claise <bclaise@cisco.com> Mon, 11 September 2017 10:40 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: i2rs@ietf.org
Delivered-To: i2rs@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 301DE132D4A; Mon, 11 Sep 2017 03:40:34 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benoit Claise <bclaise@cisco.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-i2rs-yang-network-topo@ietf.org, Susan Hares <shares@ndzh.com>, i2rs-chairs@ietf.org, shares@ndzh.com, i2rs@ietf.org, Ladislav Lhotka <ladislav.lhotka@nic.cz>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.60.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150512643419.9724.17953376593038070088.idtracker@ietfa.amsl.com>
Date: Mon, 11 Sep 2017 03:40:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/kvJPWWRIN8TXxnCzB4b_OxaI8L8>
Subject: [i2rs] Benoit Claise's Discuss on draft-ietf-i2rs-yang-network-topo-15: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 10:40:34 -0000
Benoit Claise has entered the following ballot position for draft-ietf-i2rs-yang-network-topo-15: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-i2rs-yang-network-topo/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Preliminary note: I hope I'm doing the right thing by updating this DISCUSS point as I understand that the document is back to the WG. However, since I reviewed the version 15, since some of my ballot points have been addressed (thank you), and since I wanted to share my feedback publicly, here is my feedback. Please follow the YANG security guidelines template at https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: <list subtrees and data nodes and state why they are sensitive> -- for all YANG modules you must evaluate whether any readable data -- nodes (those are all the "config false" nodes, but also all other -- nodes, because they can also be read via operations like get or -- get-config) are sensitive or vulnerable (for instance, if they -- might reveal customer information or violate personal privacy -- laws such as those of the European Union if exposed to -- unauthorized parties) Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: <list subtrees and data nodes and state why they are sensitive> -- if your YANG module has defined any rpc operations -- describe their specific sensitivity or vulnerability. Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. These are the operations and their sensitivity/vulnerability: <list RPC operations and state why they are sensitive> I don't understand why the security considerations section of a YANG module document speaks about this: Rules expressed in NACM can be applied analogously also to other protocols that attempt access to YANG-defined data. In fact, it needs to be applied in the same way and should, like YANG, thus be considered independent of any particular protocol that is used to access YANG-defined data. Otherwise, access control rules defined by NACM could be very easily circumvented simply by using another access mechanism which does not enforce NACM. The alternative of mandating the introduction of mechanisms parallel to NACM that specify the same access control rules for other transports is clearly undesirable, as this would not only inhibit ease-of-use of systems that implement multiple protocols to access YANG data, but also open the specter of security holes due to inconsistencies in articulation and enforcement of rules across mechanisms that are essentially redundant. This is even confusing to speak about other protocols before/without specifying those protocols. You should remove this. OLD DISCUSS, FOR INFORMATION ONLY: To make sure both draft-ietf-i2rs-yang-network-topo and draft-ietf-i2rs-yang-l3-topology are treated the same way, here is my DISCUSS. As background, email sent to I2RS/IESG on Jan 24th 2017 Let me repeat what I mentioned already on the I2RS mailing list: This document contains a YANG model, a generic YANG model that could be accessed by NETCONF, RESTCONF, or the future I2RS protocol. This document doesn't say (and that would be a mistake IMO if it would) that this YANG model can only be accessed by the I2RS protocol. Hence I'm advocating that the security considerations diligently follow https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, and that they don't go in the I2RS protocol specific details. This comment was made for draft-ietf-i2rs-yang-network-topo, but is equally applicable to this draft-ietf-i2rs-yang-l3-topology draft. I still maintain this point of view: it would be a mistake to limit a data model usage to a particular protocol. These topology documents are not I2RS YANG models, these are YANG models, which can be used in different contexts. I'm very concerned if we start having per-WG or per context data models in the IETF. Btw, I haven't seen a RFC specifying what the I2RS protocol is, only the requirements. We can't modify the current generic YANG security considerations for an I2RS control plane and a new datastore that are not yet specified. If you want to describe how I2RS will be using those topology YANG models (and any YANG models btw), then it's suitable to include this part of the I2RS protocol spec or part of an I2RS applicability statement. This is typically where you would describe some protocol specific information such as "write contention for two clients writing a node using I2RS priority (linked to I2RS User-ID)". Let me make my point differently. Let's assume for a moment that I2RS needs to use the IETF interface YANG model, does it mean that you will require RFC 7223bis with an updated security considerations? This can't be. I still think the generic YANG security guidelines is suitable, as it relates to IETF specified protocols NETCONF and RESTCONF. Addition of some generic information about the data model (not I2RS protocol) might be useful though. For example, text around "there is a risk that a write to a topology may create a looping topology or overload a particular node". Note that I don't think the the security considerations is the best section for this though. Regards, Benoit ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Editorial: The data model obeys the requirements for the ephemeral state found in the document [I-D.draft-ietf-i2rs-ephemeral-state]. For ephemeral topology data that is system controlled, the process tasked with maintaining topology information will load information from the routing process (such as OSPF) into the <operational> without relying on a configuration datastore. <operational> => operational state datastore, according to https://datatracker.ietf.org/doc/draft-ietf-netmod-revised-datastores/
- [i2rs] Benoit Claise's Discuss on draft-ietf-i2rs… Benoit Claise
- Re: [i2rs] Benoit Claise's Discuss on draft-ietf-… Susan Hares