Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14

Qin Wu <bill.wu@huawei.com> Thu, 23 April 2020 02:10 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37DF73A10F0; Wed, 22 Apr 2020 19:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1Y4IBsP7BmB; Wed, 22 Apr 2020 19:10:45 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC7D23A10F2; Wed, 22 Apr 2020 19:10:44 -0700 (PDT)
Received: from lhreml702-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id EE2F95C238F15FD511FB; Thu, 23 Apr 2020 03:10:40 +0100 (IST)
Received: from lhreml702-chm.china.huawei.com (10.201.108.51) by lhreml702-chm.china.huawei.com (10.201.108.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Thu, 23 Apr 2020 03:10:30 +0100
Received: from DGGEML423-HUB.china.huawei.com (10.1.199.40) by lhreml702-chm.china.huawei.com (10.201.108.51) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Thu, 23 Apr 2020 03:10:30 +0100
Received: from DGGEML511-MBX.china.huawei.com ([169.254.1.248]) by dggeml423-hub.china.huawei.com ([10.1.199.40]) with mapi id 14.03.0487.000; Thu, 23 Apr 2020 10:10:25 +0800
From: Qin Wu <bill.wu@huawei.com>
To: Stephen Kent <kent@alum.mit.edu>, "secdir@ietf.org" <secdir@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
CC: "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-factory-default.all@ietf.org" <draft-ietf-netmod-factory-default.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-netmod-factory-default-14
Thread-Index: AdYZEvwNyq02j8DOS36yuTwtkmNm9Q==
Date: Thu, 23 Apr 2020 02:10:25 +0000
Message-ID: <B8F9A780D330094D99AF023C5877DABAAD628FBB@dggeml511-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.138.33.123]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/IgggjnMA1sKwXcDrbvTgVRigK68>
Subject: Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 02:10:48 -0000

Thanks Stephen for valuable review. See reply inline below.
-----邮件原件-----
发件人: Stephen Kent via Datatracker [mailto:noreply@ietf.org] 
发送时间: 2020年3月10日 3:15
收件人: secdir@ietf.org
抄送: netmod@ietf.org; draft-ietf-netmod-factory-default.all@ietf.org; last-call@ietf.org
主题: Secdir last call review of draft-ietf-netmod-factory-default-14

Reviewer: Stephen Kent
Review result: Has Issues

SECDIR review of draft-ietf-netmod-factory-default-14

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

This is a very brief document- only 9 pages (ignoring notes that are to be removed before publication)! It is a proposal for a YANG data model that will allow clients to reset a server to its factory default settings. It also defines a “factory-default” datastore that enables a client to determine the values for the default settings for a server. The datamodel is said to conform to the architecture defined in RFC 8342.

RFC 8342, and RFC 7950, define the terms used in this document, and the terminology Section (1.1) cites these RFCs when enumerating these terms. This reader would prefer to have the definitions replicated here for the nine terms in question. 
[Qin]: Replicating definition in RFC8342 and RFC7950 seems redundant and reference the existing definition means honor existing work and also help reader to find the source of definition,:-)
Only one additional term is defined in this document, the factory-default datastore. The acronym “RPC” (remote procedure call) is not expanded upon first use.
[Qin]: Okay, try to fix this,thanks.

The description of how to effect a factor-reset RPC, in Sections 2 & 3 seems pretty thorough, and includes appropriate comments about security-relevant data, e.g., private keys and certificates. I an not familiar enough with YANG to evaluate the module definition in Section 4.
[Qin]:the module definition will be evaluated or validate by using pyang tool which has already be part of datatracker with Henrik's support.

Section 6, Security Considerations, calls for use of SSH (RFC 6242) with NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is current, citing TLS v1.3. However, RFC 6242 is a document that describes how to use SSH with NETCONF. That document, in turn, cites RFC 4254, and that RFC cites RFC
4253 for a description of SSH. 4253 is a very much out of date document; the integrity and key management algorithms in the original RFC have been updated 3 times (6668, 8268, and 8332). The encryption algorithms cited in 4253 are all outdated. This discussion of SSH security for use with NETCONF, based on the one citation, seems to be inconsistent with current IETF crypto guidelines.
This is a problem that the net management area should address before this document is approved.
[Qin] See relevant discussion and response in netmod below
https://mailarchive.ietf.org/arch/msg/netmod/5RFxOEODUMMMV0YL2TuojLa203k/
https://mailarchive.ietf.org/arch/msg/netmod/sItCtzXzqNuwKjYOm5_xWINlrvI/
https://mailarchive.ietf.org/arch/msg/netmod/JFurLpsf8d1-3A9QweykoixkKr4/


The discussion of how a factory-reset RPC may isolate a device, is good, as is the warning about not relying on this RPC to prevent recovery of security-sensitive data from NV storage.
[Qin]: Thanks, many of your comments are self-explanation comments, no need for further clarification, thanks.