Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-tcp-client-server-09
Kent Watsen <kent@watsen.net> Mon, 19 April 2021 20:30 UTC
Return-Path: <01000178ebd39133-87ef25f3-1047-4f02-b5fb-706e82e7c02a-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 194BD3A42C9; Mon, 19 Apr 2021 13:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.017
X-Spam-Level:
X-Spam-Status: No, score=-0.017 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LuV9oZMK6ceu; Mon, 19 Apr 2021 13:30:19 -0700 (PDT)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E56673A42CB; Mon, 19 Apr 2021 13:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1618864214; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=yqj5reR6NtpAzNmulJ+pDfaD+zZeIQHVOlyQIBwCTiI=; b=Jb0HblzpZ+4Ix6OCziHWW8KsAqBantl506hTg/iJqA7Q6X6GcNpR7Fk5v6eNeWw4 nVEt/BS86u+GTokgWoiVVxfS4zbOGWRmxn9t57HKFzdXi9pT1RKMWbM3c/qozfk1hjB 9/ZacsfpGMZ6H29xLxO+ZbFpCVAx/ESMXF9/U2tc=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <161796231010.8005.7390142571009530431@ietfa.amsl.com>
Date: Mon, 19 Apr 2021 20:30:14 +0000
Cc: YANG Doctors <yang-doctors@ietf.org>, draft-ietf-netconf-tcp-client-server.all@ietf.org, last-call@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <01000178ebd39133-87ef25f3-1047-4f02-b5fb-706e82e7c02a-000000@email.amazonses.com>
References: <161796231010.8005.7390142571009530431@ietfa.amsl.com>
To: Ladislav Lhotka <ladislav.lhotka@nic.cz>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.04.19-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/QsGTLha4zFE_RdXkKR2w_ZBYGLY>
Subject: Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-tcp-client-server-09
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 20:30:24 -0000
Hi Lada,
Thank you for your review!
Below are responses to your comments.
K.
> Reviewer: Ladislav Lhotka
> Review result: Ready with Issues
>
> The modules are well designed and nicely documented, both in the descriptions
> and text of the Internet-Draft.
;)
> **** Comments
>
> - Sections 2.1.4, 3.1.3, 4.1.3: the sentence 'The "..." module does not contain
> any protocol-accessible nodes.' is misleading in that the modules do define
> data nodes that are intended to be protocol accessible after the corresponding
> grouping is used. I know this is a part of the NETCONF/YANG lingo, but another
> formulation that clearly says what's going on might be preferable.
Fair enough. How about this?
The "ietf-tcp-..." module does not itself define
any protocol-accessible nodes. This module defines
only "grouping" statements that are used by other
modules to instantiate protocol-accessible nodes.
> - Sections 2.2, 3.2 and 4.2: the XML snippets use document elements
> "tcp-common", "tcp-client" and "tcp-server", but these containers are not
> defined in the corresponding modules. This is confusing, my suggestion is to
> rewrite the examples in the JSON representation where no such top-level node is
> necessary.
Indeed, and my validation script even takes the special step to convert the groupings to containers in order for the validation to succeed. In other modules, I created a “foobar-usage.yang” module to instantiate the grouping statements.
Hmmm, I was about to create the JSON, but realized that it would be easier to strip out the first-and0-last lines from the XML examples. I understand that they're not a valid XML documents, but snippets have been used before…
FWIW, all the examples are still validated, so there’s otherwise no loss in correctness.
>
> - What is the purpose of "tcp-connection-grouping" if it only uses
> "tcp-common-grouping" and nothing else? Why cannot "tcp-common-grouping” be used directly?
I added this comment:
Whilst this grouping appears to not add any value beyond that given
by "tcp-common-grouping", it is defined so as to provide space for a
future peer module (e.g., "tcp-system-grouping" that defines additional
configuration nodes used to configure a TCP stack at an operating
system level.
Makes sense?
> - The "local-port" parameter defined in ietf-tcp-client seems dubious from the
> security viewpoint in that fixing the source port makes it easier for attackers
> to steal the connection (see RFC 6056).
Interesting read. But note that the RFC regards primarily cleartext protocols. An axiom in security circles is “obscurity is not security”, i.e., randomizing client ports to make off-path guessing harder is not much of a win.
In our case, and pretty much every IETF protocol now, a secure transport layer is used, and having a predictable 5-tuple can greatly reduce the attack-surface in firewall rulebases.
As it stands, it’s configuration enabled by an optional feature (your next comment) and, besides, the wildcard values (e.g., “0”) may configured, enabling [potentially-random] operating-system selected values - so no harm?
> If the feature
> "local-binding-supported" is needed at all, I'd suggest to mention this in
> Security Considerations.
“Needed” is an interesting take. My feeling is that the model is incomplete otherwise. From a Security Considerations perspective, I’d like to put something like:
“Implementations are RECOMMENDED to implement the 'local-binding-supported’ feature for cryptographically-secure protocols so as to reduce to attack surface presented by firewalls.”
Is that what you had in mind? If nothing else, having such a statement in the draft would certainly catch the eye of the SecDir reviewer. Thoughts?
> - The module ietf-tcp-client uses the placeholder "RFC AAAA", which is not
> defined in the Editorial Note.
Fixed.
> **** Nits
>
> - RFC 7950 is cited repeatedly (6 times) in a general context, e.g. whenever
> YANG 1.1 is mentioned. It should suffice to use the citation at the first
> appearance.
All but one citation removed.
> - sec. 1.3: s/in compliant/is compliant/
Fixed (in all the drafts!)
> - in 3 places: s/illustatrating/illustrating/
Fixed (in all the drafts!)
Thanks again!
K.
- [netconf] Yangdoctors last call review of draft-i… Ladislav Lhotka via Datatracker
- Re: [netconf] Yangdoctors last call review of dra… Kent Watsen
- Re: [netconf] Yangdoctors last call review of dra… Ladislav Lhotka
- Re: [netconf] Yangdoctors last call review of dra… Kent Watsen