Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 10 March 2020 12:19 UTC

Date: Tue, 10 Mar 2020 13:19:23 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Qin Wu <bill.wu@huawei.com>
Cc: Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>, "'netmod@ietf.org'" <netmod@ietf.org>
Message-ID: <20200310121923.hgbo3azelxud4xgt@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Qin Wu <bill.wu@huawei.com>, Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>, "'netmod@ietf.org'" <netmod@ietf.org>
References: <B8F9A780D330094D99AF023C5877DABAAD548070@dggeml511-mbs.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAAD548070@dggeml511-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/5RFxOEODUMMMV0YL2TuojLa203k>
Subject: Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14

Hi,

if secdir people believe RFC 6242 needs to be revised or updated, then
this is a separate work item for the NETCONF working group to
consider. I do not think that such an update should gate any data
models currently in the pipeline. (I am not even sure such an update
is strictly needed since if we go there, we constantly need updates,
but that is then a NETCONF discussion.)

/js

On Tue, Mar 10, 2020 at 12:13:51PM +0000, Qin Wu wrote:
> Thanks Balazs for heads up. I think the security guideline we are currently following is one defined in the following link:
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
> If it is an issue, I believe it applies to all YANG related documents.
> 
> -Qin
> -----Original Message-----
> From: netmod [mailto:netmod-bounces@ietf.org] On Behalf Of Balázs Lengyel
> Sent: 10 March 2020 19:59
> To: 'netmod@ietf.org' <netmod@ietf.org>
> Subject: [netmod] FW: Secdir last call review of draft-ietf-netmod-factory-default-14
> 
> As an author of netmod drafts I would like to see some general guidance on this issue. Can someone help please.
> Balazs
> 
> -----Original Message-----
> From: Stephen Kent via Datatracker <noreply@ietf.org>
> Sent: Monday, 9 March 2020 20:15
> To: secdir@ietf.org
> Cc: netmod@ietf.org; draft-ietf-netmod-factory-default.all@ietf.org; last-call@ietf.org
> Subject: Secdir last call review of draft-ietf-netmod-factory-default-14
> 
> Reviewer: Stephen Kent
> Review result: Has Issues
> 
> SECDIR review of draft-ietf-netmod-factory-default-14
> 
> Section 6, Security Considerations, calls for use of SSH (RFC 6242) with NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is current, citing TLS v1.3. However, RFC 6242 is a document that describes how to use SSH with NETCONF. That document, in turn, cites RFC 4254, and that RFC cites RFC 4253 for a description of SSH. 4253 is a very much out of date document; the integrity and key management algorithms in the original RFC have been updated 3 times (6668, 8268, and 8332). The encryption algorithms cited in 4253 are all outdated. This discussion of SSH security for use with NETCONF, based on the one citation, seems to be inconsistent with current IETF crypto guidelines.
> This is a problem that the net management area should address before this document is approved.
> 
> The discussion of how a factory-reset RPC may isolate a device, is good, as is the warning about not relying on this RPC to prevent recovery of security-sensitive data from NV storage.
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
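As an added example (not part of this thread or of the draft under review), the check a practitioner would want after reading the secdir review quoted above: decode an SSH_MSG_KEXINIT as a NETCONF server on port 830 would send it, and report which offered algorithms come only from RFC 4253's original name-lists versus which of the updates the review cites (RFC 6668 for hmac-sha2-*, RFC 8268 for the larger SHA-2 MODP groups, RFC 8332 for rsa-sha2-*) the server offers at all. The two KEXINIT payloads are constructed for the example, not captured from any device, and the algorithm sets are my transcription of those RFCs' lists.

```python
"""Audit an SSH_MSG_KEXINIT against the RFC 4253 updates named in the review.

Added example; not code from the NETMOD thread or from any IETF draft.
"""
import struct

# RFC 4253 original name-lists (sections 6.3, 6.4, 6.6 and 8).  A document
# that cites only RFC 4253 implicitly points readers at these.
RFC4253_CIPHERS = {"3des-cbc", "blowfish-cbc", "twofish256-cbc", "twofish-cbc",
                   "twofish192-cbc", "twofish128-cbc", "aes256-cbc", "aes192-cbc",
                   "aes128-cbc", "serpent256-cbc", "serpent192-cbc", "serpent128-cbc",
                   "arcfour", "idea-cbc", "cast128-cbc", "none"}
RFC4253_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "none"}
RFC4253_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}
RFC4253_HOSTKEY = {"ssh-dss", "ssh-rsa", "pgp-sign-rsa", "pgp-sign-dss"}

# The three updates the secdir review lists.
RFC6668_MACS = {"hmac-sha2-256", "hmac-sha2-512"}
RFC8268_KEX = {"diffie-hellman-group14-sha256", "diffie-hellman-group15-sha512",
               "diffie-hellman-group16-sha512", "diffie-hellman-group17-sha512",
               "diffie-hellman-group18-sha512"}
RFC8332_HOSTKEY = {"rsa-sha2-256", "rsa-sha2-512"}

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in KEXINIT, RFC 4253 section 7.1.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (message byte, 16-byte cookie, ten name-lists,
    boolean first_kex_packet_follows, uint32 reserved) into Python lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16
    fields = {}
    for name in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        fields[name] = [s for s in raw.decode("ascii").split(",") if s]
    if off >= len(payload):
        raise ValueError("truncated first_kex_packet_follows")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def audit(fields: dict) -> dict:
    """Per category: which offered names are RFC 4253-only, and whether any
    algorithm from each of the cited update RFCs is offered at all."""
    kex, hk = set(fields["kex"]), set(fields["hostkey"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    encs = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    return {
        "legacy_kex": sorted(kex & RFC4253_KEX),
        "legacy_hostkey": sorted(hk & RFC4253_HOSTKEY),
        "legacy_mac": sorted(macs & RFC4253_MACS),
        "legacy_enc": sorted(encs & RFC4253_CIPHERS),
        "has_rfc6668_mac": bool(macs & RFC6668_MACS),
        "has_rfc8268_kex": bool(kex & RFC8268_KEX),
        "has_rfc8332_hostkey": bool(hk & RFC8332_HOSTKEY),
    }


def build_kexinit(**lists) -> bytes:
    """Encode name-lists into a KEXINIT payload; used only to construct samples."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # all-zero cookie: sample data only
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + b"\x00\x00\x00\x00"       # first_kex_packet_follows, reserved


# Constructed sample: a server offering only what RFC 4253 itself lists.
LEGACY_ONLY = build_kexinit(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    hostkey=["ssh-rsa", "ssh-dss"],
    enc_c2s=["aes128-cbc", "3des-cbc"], enc_s2c=["aes128-cbc", "3des-cbc"],
    mac_c2s=["hmac-sha1", "hmac-md5"], mac_s2c=["hmac-sha1", "hmac-md5"],
    comp_c2s=["none"], comp_s2c=["none"])

# Constructed sample: a server that also offers the updated algorithms.
UPDATED = build_kexinit(
    kex=["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    hostkey=["rsa-sha2-256", "ssh-rsa"],
    enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
    mac_c2s=["hmac-sha2-256", "hmac-sha1"], mac_s2c=["hmac-sha2-256", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    for label, pkt in (("legacy-only", LEGACY_ONLY), ("updated", UPDATED)):
        print(label, audit(parse_kexinit(pkt)))
```

To run this against a real NETCONF server, feed `parse_kexinit` the payload of the first binary packet the server sends after the version-string exchange (the packet body with its length, padding-length and padding bytes removed); the audit only tells you what is offered, so a server that still lists `diffie-hellman-group1-sha1` or `hmac-md5` alongside newer names is reported as offering legacy algorithms even if a modern client would never select them.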