Re: [Lime] Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10

Benoit Claise <bclaise@cisco.com> Thu, 26 October 2017 01:59 UTC

To: Qin Wu <bill.wu@huawei.com>, Jouni Korhonen <jouni.nospam@gmail.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Cc: "draft-ietf-lime-yang-connectionless-oam-methods.all@ietf.org" <draft-ietf-lime-yang-connectionless-oam-methods.all@ietf.org>, "lime@ietf.org" <lime@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <150879260596.24828.12185900699882057027@ietfa.amsl.com> <B8F9A780D330094D99AF023C5877DABA9AC14AD4@nkgeml513-mbx.china.huawei.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <cdb5b306-234d-bff1-4f7c-257deb516196@cisco.com>
Date: Wed, 25 Oct 2017 18:59:01 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/lime/3ERFX_tJTU_rT-NE1ESCPZLlOos>
Subject: Re: [Lime] Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10

Thanks Jouni for your review.
Qin, your new text is an improvement IMO.

Regards, B.
> Thanks Jouni for the valuable review, please see my reply inline.
>
> -Qin
> -----Original Message-----
> From: Jouni Korhonen [mailto:jouni.nospam@gmail.com]
> Sent: 24 October 2017 5:03
> To: ops-dir@ietf.org
> Cc: draft-ietf-lime-yang-connectionless-oam-methods.all@ietf.org; lime@ietf.org; ietf@ietf.org
> Subject: Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10
>
> Reviewer: Jouni Korhonen
> Review result: Ready
>
> I did a quite shallow review on the document. Apart from some trivial editorials (that the RFC editor will catch better than I do anyway), and one comment in Section 5, the document is ready to go.
>
> In Section 5 on lines:
> 1006       Some of the RPC operations in this YANG module may be considered
> 1007       sensitive or vulnerable in some network environments.  It is thus
> 1008       important to control access to these operations.  These are the
> 1009       operations and their sensitivity/vulnerability:
> 1011       o  continuity-check: Generates continuity check.
> 1013       o  path-discovery: Generates path discovery.
> 1015       which may lead to Denial-of-Service attack on both the local device
> 1016       and the network or unauthorized source access to some sensitive
> 1017       information.
>
> Some basic questions. What are the mentioned "some networks environment" and why are they vulnerable? How/why is DoS the identified vulnerability here?
> And in general, lines 1015-1017 are hard (at least to me) to understand in the light of the earlier text.
>
> [Qin]: Based on the AD review comments, we updated Section 5 based on the YANG security guidelines:
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
> To answer your question: when an authorized source or attacker gets access to sensitive information, they may use such information to launch a DoS attack.
> Here is the proposed change to address your comments:
> "
>     Some of the RPC operations in this YANG module may be considered
>     sensitive or vulnerable in some network environments.  It is thus
>     important to control access to these operations. These are the operations
>     and their sensitivity/vulnerability:
>
>     o  continuity-check: Generates continuity check.
>
>     o  path-discovery: Generates path discovery.
>
> These operations are used to retrieve the data from the device that needs to execute the OAM command. Unauthorized source access to some sensitive information in the above data may lead to a Denial-of-Service attack on both the local device and the network.
> "
> Thanks.
>
> The IDnits comments are not relevant (the reported error is just editorial).
>
> [Qin]: Will get this cleaned up.
> The YANG module also passed the validation (I used yangvalidator) with date-related warnings.
>
> [Qin]: Fixed in v-(10); it doesn't come from this draft but from the referenced interface model draft.
>