Re: [netmod] Secdir last call review of draft-ietf-netmod-syslog-model-21

Yaron Sheffer <> Tue, 20 February 2018 02:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 81BA0126BF3; Mon, 19 Feb 2018 18:17:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.407
X-Spam-Status: No, score=-0.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q75Yrt6w6uDl; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6B34B1243FE; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
Received: by with SMTP id y8so6563182pgr.9; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=T0uJ5I3ZkxWILYpcGW636VG16zpNV2elAKzNIASHxHo=; b=UbW6ZQcBhO1tiGsAnJ4Hy32mmivMHHrkfsKNEQo1kLVBuwm7ariaYd9lBeFQoUWYsi AxNt1mZigF1sz86KjwUwnGkZx7tqAGllKWh1/ro4/6AxnCKbK62SBAwmi4LqX6Wt0xRU 5YqljwBIXFobnOXuRrwGCx7vTRJRKy6uhkTqU5DY++zjTN57UcGmMz8PUAEs12QiN7FV z92R8GuChfPnlKVr50+EyFF84cv6YyiZ9i1LZNyCIH9TtbiMA9FF94PbHQaENbs9IVB2 yDcINuItDXXnb5AAo+tu6/GGurimsugpezdQbkZbx1ZD5MYYoRW1EBAEEXZCX4PTwVD0 eedA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=T0uJ5I3ZkxWILYpcGW636VG16zpNV2elAKzNIASHxHo=; b=efs/3nPa1xHGViEEKuonubYObxZlt5/6j16ExjNNQyScLQ7Q34Usk13lH2pNrgvQru McYLcv5gwy6SN2+XMNzasU31X7u35STYs6HYRbyIiuBGQov6rOkiKd9BiKIR3f7LQvwn Z9xVbRqvijy+1XZ9N3i1UiZa+irtjrUy1AlFRofffZ8rElRPMgK6rEpYpN8VS/Pz4p7E 5LJI06AmpPCbpS5VGuS7ZPVaTfna1v4vTX8jFgg9PGgsC94GcJszCz2fsgvklsxNtap2 udc6oRALtQZ0rONiDjrSMXlhj60HPdUoBp8tbpESV26DGw/9KCVf/Htac8N72u7i5h8K ulbw==
X-Gm-Message-State: APf1xPAAHYPQwpWnVT2tNVhAMYarUMiRLcckOyxqvaMKYtW70IeOzU6z /JGqR+N65j77McFbCoDwgpWubkxZ
X-Google-Smtp-Source: AH8x226ZwRLfSJNDj/b49Wz2K4LvjpdEoYbNF3BFqI+W/0ipK5YIdC9VFvmNbRfjpjrrnfZ1oTNgxw==
X-Received: by with SMTP id t8mr11504724pfj.177.1519093076571; Mon, 19 Feb 2018 18:17:56 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id n17sm17354564pfj.67.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Feb 2018 18:17:55 -0800 (PST)
To: "Clyde Wildes (cwildes)" <>, "" <>
Cc: "" <>, "" <>, "" <>
References: <> <>
From: Yaron Sheffer <>
Message-ID: <>
Date: Mon, 19 Feb 2018 14:55:56 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [netmod] Secdir last call review of draft-ietf-netmod-syslog-model-21
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Feb 2018 02:17:58 -0000

Hi Clyde,

Thank you for responding to my comments. I am OK with all of your responses.


On 19/02/18 13:02, Clyde Wildes (cwildes) wrote:
> Yaron,
> Thanks for your review. My answers are inline as [clw1].
> On 2/18/18, 6:31 AM, "Yaron Sheffer" <> wrote:
>      Reviewer: Yaron Sheffer
>      Review result: Has Issues
>      General Comments
>      * The semantics of pattern matching is not clear: "and/or the message text" -
>      are there cases where you only match the text but not the facility/severity? *
> [clw1] Yes. There are three cases: 1. Match on facility/severity; 2. Match on the regex pattern; 3. Match on both facility/severity and the regex pattern.
>      It's very confusing to specify rollover in minutes, but retention in hours.
>      People are bound to get this one wrong.
> [clw1] I will change the retention to minutes unless others object.
>      * Interface selection: the feature
>      makes sense, but I think the description is incorrect. "This leaf sets the
>      source interface to be used to send messages to the remote syslog server. If
>      not set, messages sent to a remote syslog server will contain the IP address of
>      the interface the syslog message uses to exit the network element". AFAIK the
>      source IP will always correspond to the interface, but this feature allows you
>      to select a particular one.
> [clw1] You are correct. I will modify the description to make this clearer. How about:
> "This leaf sets the source interface to be used to send messages to the remote syslog server. If
> not set, messages can be sent on any interface."
>      * Usage examples: the second example lists a
>      specific IPv6 address, but the Yang snippet shows a domain name.
> [clw1] Thanks for catching this error. I will fix this in the next revision.
>      * A generic
>      question (I am new to the Yang ecosystem): I understand most implementers will
>      use this module from
>      - is this the expectation? If so, why not add a link from the RFC into the
>      repo, to make it easier for people to find?
> [clw1] It is standard practice to include the model in the RFC AFAIK. I have not seen github links published in any other RFCs.
>      Security Comments
>      * I think almost all writable data nodes here are sensitive, because a network
>      attacker's first move is to block any logging on the host, and many of the data
>      nodes here can be used for this purpose.
> [clw1] I will reword the security section to include all writeable nodes as sensitive.
>      * Re: readable data nodes, I'm not
>      sure which are sensitive, and the document should give an example or two rather
>      than just say "some". Otherwise the security advice is not actionable. One
>      example: "remote" sections leak information about other hosts in the network.
> [clw1] This text was lifted from another model. I will review the readable nodes and update.
>      * Write operations... can have a negative effect on network operations. - I would
>      add "and on network security", because logs are often used to detect security
>      breaches.
> [clw1] I will add this phrase.
>      * Also add an advice, similar to the one on "pattern match", that the
>      private key used for signing log messages MUST NOT be used for any other
>      purpose, and that the implementation of this data node must ensure this
>      property (I'm not sure how). The rationale: if the TLS private key is used, for
>      example, this could result in a signing oracle for TLS and eventually a MITM
>      attack.
> [clw1] I will add this advice.
> Thanks,
> Clyde