Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14
Kent Watsen <kent@watsen.net> Tue, 10 March 2020 22:09 UTC
Return-Path: <01000170c67eb3eb-b3bffc95-9c46-4496-b0a2-8f3350dadd31-000000@amazonses.watsen.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52B733A0EDC for <netmod@ietfa.amsl.com>; Tue, 10 Mar 2020 15:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qW8HxWs4ZzU9 for <netmod@ietfa.amsl.com>; Tue, 10 Mar 2020 15:09:18 -0700 (PDT)
Received: from a8-96.smtp-out.amazonses.com (a8-96.smtp-out.amazonses.com [54.240.8.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2CD53A0ECF for <netmod@ietf.org>; Tue, 10 Mar 2020 15:09:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1583878157; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=+Heg+BRQhsBhBHDfBcGIeKtUvPbDc81ZBt8OQm3GEi8=; b=cU5TDDqQ5sfHZXKGzzZ1p6/reU9fmS1rojqP6I8FdpY1mDtOeMJuCeEZjlVrPJSs xrAvUiSVYecZIlxIvMPszn8avMWuKU88oGUzp8Yyt7LqETxzFP4aEcLYc4Gf8i7EmOx pjPj2v/ZQcb/KbPQ+qRt2fNKdUQ2mabony8bhYQA=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <BY5PR11MB43553E7CA237521A7C44F9E1B5FF0@BY5PR11MB4355.namprd11.prod.outlook.com>
Date: Tue, 10 Mar 2020 22:09:17 +0000
Cc: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Qin Wu <bill.wu@huawei.com>, Warren Kumari <warren@kumari.net>, "B alázs Lengyel <balazs.lengyel=40ericsson.com@dmarc .ietf.org>, netmod@ietf.org" <netmod@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <01000170c67eb3eb-b3bffc95-9c46-4496-b0a2-8f3350dadd31-000000@email.amazonses.com>
References: <B8F9A780D330094D99AF023C5877DABAAD548070@dggeml511-mbs.china.huawei.com> <20200310121923.hgbo3azelxud4xgt@anna.jacobs.jacobs-university.de> <BY5PR11MB43553E7CA237521A7C44F9E1B5FF0@BY5PR11MB4355.namprd11.prod.outlook.com>
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.03.10-54.240.8.96
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/JFurLpsf8d1-3A9QweykoixkKr4>
Subject: Re: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 22:09:20 -0000
Thanks Rob and Juergen. I agree as well, as it doesn’t make sense to force higher-level protocol layers to publish updates whenever a lower-level layer publishes an update and thereby “obsoletes” the previous protocol layer version. I put “obsolete” in quotes because I think its generally understood that the previous protocol version is not obsolete in a real-world sense for many years to come. FWIW, RFC 8040 says: RESTCONF does not require a specific version of HTTP. However, it is RECOMMENDED that at least HTTP/1.1 [RFC7230] be supported by all implementations. <Note: HTTP/1.1 is NOT obsoleted by HTTP 2.0 (RFC 7540)> And: A RESTCONF server MUST support the Transport Layer Security (TLS) protocol [RFC5246] <Note: RFC 5246 (TLS 1.2) is obsoleted by RFC 8446 (TLS 1.3)> Kent > On Mar 10, 2020, at 9:38 AM, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote: > > I basically agree with Juergen. > > I have also raised this with the security ADs to try and find a path to resolve this. > > Thanks, > Rob > > >> -----Original Message----- >> From: netmod <netmod-bounces@ietf.org> On Behalf Of Juergen Schoenwaelder >> Sent: 10 March 2020 12:19 >> To: Qin Wu <bill.wu@huawei.com> >> Cc: Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>; >> 'netmod@ietf.org' <netmod@ietf.org> >> Subject: Re: [netmod] Secdir last call review of draft-ietf-netmod- >> factory-default-14 >> >> Hi, >> >> if secdir people believe RFC 6242 needs to be revised or updated, then >> this is a separate work item for the NETCONF working group to consider. I >> do not think that such an update should gate any data models currently in >> the pipeline. (I am not even sure such an update is strictly needed since >> if we go there, we constantly need udpates, but that is then a NETCONF >> discussion.) >> >> /js >> >> On Tue, Mar 10, 2020 at 12:13:51PM +0000, Qin Wu wrote: >>> Thanks Balazs for heads up. I think the security guideline we are >> currently following is one defined in the following link: >>> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines >>> If it is a issue, I believe it applies to all YANG related documents. >>> >>> -Qin >>> -----邮件原件----- >>> 发件人: netmod [mailto:netmod-bounces@ietf.org] 代表 Balázs Lengyel >>> 发送时间: 2020年3月10日 19:59 >>> 收件人: 'netmod@ietf.org' <netmod@ietf.org> >>> 主题: [netmod] FW: Secdir last call review of >>> draft-ietf-netmod-factory-default-14 >>> >>> As an author of netmod drafts I would like to see some general guidance >> on this issue. Can someone help please. >>> Balazs >>> >>> -----Original Message----- >>> From: Stephen Kent via Datatracker <noreply@ietf.org> >>> Sent: 2020. március 9., hétfő 20:15 >>> To: secdir@ietf.org >>> Cc: netmod@ietf.org; draft-ietf-netmod-factory-default.all@ietf.org; >>> last-call@ietf.org >>> Subject: Secdir last call review of >>> draft-ietf-netmod-factory-default-14 >>> >>> Reviewer: Stephen Kent >>> Review result: Has Issues >>> >>> SECDIR review of draft-ietf-netmod-factory-default-14 >>> >>> Section 6, Security Considerations, calls for use of SSH (RFC 6242) >>> with NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is >>> current, citing TLS v1.3. However, RFC 6242 is a document that >>> describes how to use SSH with NETCONF. That document, in turn, cites >>> RFC 4254, and that RFC cites RFC >>> 4253 for a description of SSH. 4253 is a very much out of date document; >> the integrity and key management algorithms in the original RFC have been >> updated 3 times (6668, 8268, and 8332). The encryption algorithms cited in >> 4253 are all outdated. This discussion of SSH security for use with >> NETCONF, based on the one citation, seems to be inconsistent with current >> IETF crypto guidelines. >>> This is a problem that the net management area should address before >> this document is approved. >>> >>> The discussion of how a factory-reset RPC may isolate a device, is good, >> as is the warning about not relying on this RPC to prevent recovery of >> security-sensitive data from NV storage. >>> >>> >>> >>> _______________________________________________ >>> netmod mailing list >>> netmod@ietf.org >>> https://www.ietf.org/mailman/listinfo/netmod >> >> -- >> Juergen Schoenwaelder Jacobs University Bremen gGmbH >> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany >> Fax: +49 421 200 3103 <https://www.jacobs-university.de/> >> >> _______________________________________________ >> netmod mailing list >> netmod@ietf.org >> https://www.ietf.org/mailman/listinfo/netmod > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod
- [netmod] Secdir last call review of draft-ietf-ne… Stephen Kent via Datatracker
- [netmod] FW: Secdir last call review of draft-iet… Balázs Lengyel
- Re: [netmod] Secdir last call review of draft-iet… Qin Wu
- Re: [netmod] Secdir last call review of draft-iet… Juergen Schoenwaelder
- Re: [netmod] Secdir last call review of draft-iet… Rob Wilton (rwilton)
- Re: [netmod] Secdir last call review of draft-iet… Kent Watsen
- Re: [netmod] Secdir last call review of draft-iet… Qin Wu