[netconf] Roman Danyliw's Discuss on draft-ietf-netconf-tls-client-server-39: (with DISCUSS and COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Thu, 29 February 2024 02:13 UTC

From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-tls-client-server@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org, jeff.hartley@commscope.com, mjethanandani@gmail.com, jeff.hartley@commscope.com
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170917283775.22191.6509967842786982820@ietfa.amsl.com>
Date: Wed, 28 Feb 2024 18:13:57 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ZWpQHq4iIYuVmX_oT-_J9ZgS70k>
Subject: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-tls-client-server-39: (with DISCUSS and COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-netconf-tls-client-server-39: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

As mentioned in the ssh-client-server draft, I struggle to understand when it
is assumed that the security considerations of the imported modules apply, and
when they will be surfaced as issues in the module that is using them.  With
that confusion in mind:

** Section 5.3 and 5.4
   None of the readable data nodes defined in this YANG module are
   considered sensitive or vulnerable in network environments.  The NACM
   "default-deny-all" extension has not been set for any data nodes
   defined in this module.

   Please be aware that this module uses the "key" and "private-key"
   nodes from the "ietf-crypto-types" module
   [I-D.ietf-netconf-crypto-types], where said nodes have the NACM
   extension "default-deny-all" set, thus preventing unrestricted read-
   access to the cleartext key values.

It is difficult for me to reconcile these two paragraphs.  The first says there
is nothing read-sensitive in this YANG module.  The second paragraph helpfully
reminds us there are potentially sensitive private keys in the module.
Additionally, from an OPSEC perspective, knowing which client/EE certificates
are held by a device might reveal information useful to an attacker.

Section 5.4 has similar language.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Barry Leiba for the SECDIR review.

** Section 5.*
     The protocol-accessible read-only node for the algorithms supported
     by a server is mildly sensitive

What is meant by “mildly sensitive”?
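Editor's added illustration of the mechanism the DISCUSS is about (not text from the ballot, the draft, or the ietf-crypto-types module): a private-key leaf carries the NACM "default-deny-all" extension in the module that defines it, and any module that reuses the grouping inherits that read restriction on the instantiated node, which is why the consuming module's own node list can be "not sensitive" while the data it exposes still is. Module names, prefixes and node names below are hypothetical; only ietf-netconf-acm and its default-deny-all extension (RFC 8341) are real.

```yang
// Hypothetical defining module (stands in for ietf-crypto-types).
// In practice each YANG module lives in its own file.
module example-crypto {
  yang-version 1.1;
  namespace "urn:example:crypto";
  prefix exc;

  import ietf-netconf-acm { prefix nacm; }   // real module, RFC 8341

  grouping asymmetric-key-pair {
    leaf public-key {
      type binary;
      description "Public half; readable under default NACM policy.";
    }
    leaf private-key {
      nacm:default-deny-all;   // no read, write or execute access unless
                               // an explicit NACM rule grants it
      type binary;
      description "Cleartext private key; see NACM rules before reading.";
    }
  }
}

// Hypothetical consuming module (stands in for the TLS client module).
// It defines no sensitive leaf of its own, yet /tls-client/identity/private-key
// exists in its data tree and is deny-all because the grouping says so.
module example-tls-client {
  yang-version 1.1;
  namespace "urn:example:tls-client";
  prefix extc;

  import example-crypto { prefix exc; }

  container tls-client {
    container identity {
      description "Client certificate identity; reuses the key-pair grouping.";
      uses exc:asymmetric-key-pair;
    }
  }
}
```

A NACM implementation applies the extension per instantiated node, so a security considerations section that lists only locally defined nodes understates what a reader of the consuming module's data tree can obtain; the private-key instances under the consuming container are the nodes an operator must audit in the NACM rule-list.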