Re: [netconf] [Last-Call] Secdir last call review of draft-ietf-netconf-tcp-client-server-21

Kent Watsen <kent+ietf@watsen.net> Tue, 20 February 2024 01:47 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018dc4324a3f-750d3974-1976-4ffc-8cb4-ea941c1ef656-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_256A1B70-AD59-4CE1-93C1-0BAD137B67F5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Tue, 20 Feb 2024 01:47:26 +0000
In-Reply-To: <170812861007.49360.14797284971130302854@ietfa.amsl.com>
Cc: secdir@ietf.org, draft-ietf-netconf-tcp-client-server.all@ietf.org, last-call@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
To: Nancy Cam-Winget <ncamwing@cisco.com>
References: <170812861007.49360.14797284971130302854@ietfa.amsl.com>
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ev7-MQCJDxdO82edTckIAe7sAQ0>
Subject: Re: [netconf] [Last-Call] Secdir last call review of draft-ietf-netconf-tcp-client-server-21
Precedence: list

Hi Nancy,

Thank you for your valuable comments.
Please find my responses below.

Kent


> On Feb 16, 2024, at 7:10 PM, Nancy Cam-Winget via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Nancy Cam-Winget
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
> 
> This document defines 3 YANG 1.1 modules support configuration of
> TCP clients and TCP servers. These three modules encompass the 
> (1) common configurations, (2) a grouping methodology to enable
> Modification of application specific parameters for TCP connections
> And (3) configurations specific to clients for traversing proxies.
> 
> 
> The document reads well and I have found no issues but have
> One nit:
> 
> Section 3.1.1 speaks to features such as "socks5-username-password"
> and "socks5-gss-api" which have both security and privacy implications.
> While there is general mention in the Security Considerations (Section 5),
> That care must be taken; given that these parameters are used as examples
> in Section 3, it would be note highlighting that care in particular to
> these parameters must be properly protected to ensure both confidentiality
> and integrity.

I suppose it is a bit silly for the example in Section 3 to configure a proxy.  It’s my quirk to try to make examples present every field possible so that they’re better seen.  In this case, I wonder how popular TCP-proxies are and, if close to “zero”, having a proxy configured in an example may cause more confusion than be helpful.  Would simply removing the “proxy-server” from the example resolve most of your concern?

Separately, I found the Security Considerations about the "password” node to be outdated.  It was written before support for encrypted-passwords was added to the "crypto-types" draft.  So I updated the Security Considerations section to say this:

    The "password" node defined in the "tcp-client-grouping"
    grouping is defined using the "password-grouping" grouping
    presented in <xref target="I-D.ietf-netconf-crypto-types"/>.
    This grouping enables both cleartext and encrypted passwords
    to be configured.  As the referenced document states, configuration
    of cleartext passwords is NOT RECOMMENDED.  However, in 
    the case cleartext values are configured, this node is additionally 
    sensitive to read operations such that, in normal use cases, 
    it should never be returned to a client.  For this reason, the 
    NACM extension "default-deny-all" has been applied to it.


Thanks again,
Kent

[netconf] Secdir last call review of draft-ietf-n… Nancy Cam-Winget via Datatracker
Re: [netconf] [Last-Call] Secdir last call review… Kent Watsen