Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-13.txt

Warren Kumari <warren@kumari.net> Mon, 02 March 2020 17:41 UTC

Return-Path: <warren@kumari.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E838B3A0D81 for <netmod@ietfa.amsl.com>; Mon, 2 Mar 2020 09:41:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWk896Ms6zOo for <netmod@ietfa.amsl.com>; Mon, 2 Mar 2020 09:41:50 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEF073A0D80 for <netmod@ietf.org>; Mon, 2 Mar 2020 09:41:49 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id e20so590699qto.5 for <netmod@ietf.org>; Mon, 02 Mar 2020 09:41:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=VDsdYYkuDN0loBgHUayd6UzX5nmhn9cMkJTkLvYihis=; b=LS5kLcgbHw1uCYt0ImAmIAVqYhgTcsJccLhM0kBM1RLacPLm9T9PdCzStCzN624JO/ ZEkV6XyY40eFYqiD+lCmawiux1PxwdAyglE+1A0kKgTi2vQxiyOelYs6TSRD2fr+SmZI fcW31MvOfQY0Wi9ZqfgZ57M6s+6dyn90csqWkjwFmXkxGVUkT/xccWTccloJ7+SSzhW+ 5aGHRX85gTJWWiCSvx21jwfGEGnTIel1z5NLecTRTGlue6BIF/juGJXBk18nsTBfviLo 2Hcto2V/yywRaiNcpVQljdHcxjr2P9mP65uMwQkbQ57dQh0SDdvJQLagAVlnzzr88XKm 9+hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=VDsdYYkuDN0loBgHUayd6UzX5nmhn9cMkJTkLvYihis=; b=nicJqGAXHaJu3ihRJkeYBbDQiOKIyI6jjHiFjdZ1sQm03uUZgFGls3QI8QHNOKG7Rw mbjRwdvtz82Dp8Q82HRr9o54V80HU3QTRjx2gYYJYr29+aLCctAmZl1jwu4HwSFfJhrl 1+1vPDUnRmBr1vkaqHOc7XDoBMIn4ULUWr9K6sZcEXvI5XQAV77O2TnLXdc7RujC8VkH oFeL1NIjNr2zFmomOBJXgCPQx1rN6I1dC52hTatjQFdzydbGpZ6zXBclny37OGjbYWP3 j41ZgUGmzFkLzMnyIrjhNKLdHxHrm7YiKzCqeN4PVztx/KnE6hzTPWZ66l1u0QYAZmlo IdBA==
X-Gm-Message-State: ANhLgQ1zvE/yvrExShGHbJgPryXfCVtEnjm+DXV5cnyYgCjxuijgKtUo kRl100AIqyZkkiDbduO/xdgUi/rb+Q70VrpSFbNDSQ==
X-Google-Smtp-Source: =?utf-8?q?ADFU+vuKAxoRYPcqAKgxCjGeXttU+2kXK3Ex67+2lwV8?= =?utf-8?q?MchjCWBGsvTu9Y/zY7vssovHKJWRvvwe3pqYrvACTyGPuJ0=3D?=
X-Received: by 2002:ac8:5316:: with SMTP id t22mr763789qtn.279.1583170908197; Mon, 02 Mar 2020 09:41:48 -0800 (PST)
MIME-Version: 1.0
References: <B8F9A780D330094D99AF023C5877DABAAD4E48C5@dggeml511-mbx.china.huawei.com> =?utf-8?q?=3CMN2PR11MB4366927357DB4BB34F128F7EB5EA0=40MN2PR11MB4366=2Enampr?= =?utf-8?q?d11=2Eprod=2Eoutlook=2Ecom=3E?=
In-Reply-To: =?utf-8?q?=3CMN2PR11MB4366927357DB4BB34F128F7EB5EA0=40MN2PR11MB?= =?utf-8?q?4366=2Enamprd11=2Eprod=2Eoutlook=2Ecom=3E?=
From: Warren Kumari <warren@kumari.net>
Date: Mon, 2 Mar 2020 12:41:12 -0500
Message-ID: <CAHw9_iKxw-KMPukGSTjGMs_bO7eCynazyHNzy=i9CL5RhCK6=w@mail.gmail.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: Qin Wu <bill.wu@huawei.com>, "netmod@ietf.org" <netmod@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/MPah2W3PIz8YvoSOWmgBh8mufkE>
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-13.txt
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 17:41:52 -0000

On Wed, Feb 26, 2020 at 7:49 AM Rob Wilton (rwilton) <rwilton@cisco.com> wrote:
>
> Hi Qin,
>
> Thanks for your work and timely updates on this document.
>
> Warren, I think that we are good to go for IETF LC with the -14 version.


Whoops, I had missed this; luckily Rob is on the ball and reminded me
/ pointed this out.

I have just requested IETF LC.

W

>
> Thanks,
> Rob
>
>
> > -----Original Message-----
> > From: Qin Wu <bill.wu@huawei.com>
> > Sent: 26 February 2020 12:28
> > To: Rob Wilton (rwilton) <rwilton@cisco.com>om>; netmod@ietf.org
> > Subject: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> >
> > -----邮件原件-----
> > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > 发送时间: 2020年2月26日 18:03
> > 收件人: Qin Wu <bill.wu@huawei.com>om>; netmod@ietf.org
> > 主题: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> >
> > Hi Qin,
> >
> > Please see inline ...
> >
> > > -----Original Message-----
> > > From: Qin Wu <bill.wu@huawei.com>
> > > Sent: 26 February 2020 01:15
> > > To: Rob Wilton (rwilton) <rwilton@cisco.com>om>; netmod@ietf.org
> > > Subject: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> > >
> > > Hi, Rob:
> > > -----邮件原件-----
> > > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > > 发送时间: 2020年2月26日 2:02
> > > 收件人: Qin Wu <bill.wu@huawei.com>om>; netmod@ietf.org
> > > 主题: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> > >
> > > Hi Qin,
> > >
> > > I think that you may have accidentally removed the RFC editor
> > > instructions in the YANG module that presumably we want to still keep?
> > >
> > >             // RFC Ed.: update the date below with the date of RFC
> > publication
> > >           // and remove this note.
> > >           // RFC Ed.: replace XXXX with actual RFC number and remove
> > > this
> > >           // note.
> > > [Qin]: My understanding is RFC Note is used to send a note to RFC
> > > Editor, after RFC Editor take action, the RFC Editor note should go
> > > away and will not stay in the YANG module any more.
> > > What do you suggest? Don't include "and remove this note" in the RFC
> > > Editor note?
> > [RW]
> > Apologies, I had read the diff the wrong way round.  Your instruction here
> > is fine, and no further change is required.
> > [Qin]: Good.
> >
> > >
> > > For the update to the security section, my concern wasn't so much
> > > about no longer being able to access a private key, but more that a
> > > client cannot rely on any private data being unrecoverable after the
> > factory-reset RPC.
> > > i.e. they can't just use the factory-reset RPC and then sell the
> > > device on ebay, with the assumption that all private data has been
> > > properly cleansed.
> > >
> > > OLD:
> > >
> > >
> > >        The non-volatile storage is expected to be wiped clean and reset
> > > back
> > >        to the factory default state, but there is no guarantee that the
> > > data
> > >        is wiped according to any particular data cleansing standard, and
> > > the
> > >        owner of the device MUST NOT rely on any temporary data (e.g.,
> > >        including private keys) for recovery after the factory-reset RPC
> > > has
> > >        been invoked.
> > >
> > > NEW:
> > >
> > >
> > >        The non-volatile storage is expected to be wiped clean and reset
> > > back
> > >        to the factory default state, but there is no guarantee that the
> > > data
> > >        is wiped according to any particular data cleansing standard, and
> > > the
> > >        owner of the device MUST NOT rely on any sensitive data (e.g.,
> > >        private keys) being forensically unrecoverable from the device's
> > >           non-volatile storage after a factory-reset RPC has been
> > invoked.
> > >
> > > [Qin]: I am not lawyer, when you use the word "forensically". But the
> > > "factory-reset" RPC operation has been restricted by using the
> > > "default- deny-all" access control defined in RFC8341. I am not sure
> > > any end user can take advantage of factory-reset RPC as the client.
> > > Let me know if my understanding is correct.
> > >
> >
> > Your current text says, "users need to be aware that private keys might
> > not be recoverable after a factory-reset RPC".  But this isn't a security
> > consideration, this is just an inconvenience, and I believe the text is
> > section 2 is sufficient.
> >
> > My concern is entirely the other way around, i.e. "users need to be aware
> > that private information might still be recoverable after a factory-reset
> > RPC", because a factory-reset RPC does not guarantee that it won't be.
> > Section 2 recommends that security sensitive data be overwritten with 0's,
> > but this is only a SHOULD, and writing 0's doesn't meet the standard
> > industry requirements of ensuring that the data won't be subsequently
> > recoverable.
> >
> > When electronic equipment reaches the end of its useful life then normally
> > the company will ensure that all private data is destroyed from any media
> > before it can be resold.  E.g. in the US this might be done to the DoD
> > 5220.22 standard.
> >
> > I don't want clients using the factory-reset RPC to think that it is
> > sufficient for them to avoid properly wiping any non-volatile storage.
> >
> > Does that help clarify the security concern that I'm asking you to please
> > address?
> >
> > [Qin]: Thanks for your clarification, the text you suggest seems
> > reasonable to me now, thanks.
> > Thanks,
> > Rob
> >
> >
> > > Thanks,
> > > Rob
> > >
> > >
> > > > -----Original Message-----
> > > > From: netmod <netmod-bounces@ietf.org> On Behalf Of Qin Wu
> > > > Sent: 25 February 2020 12:39
> > > > To: netmod@ietf.org
> > > > Subject: Re: [netmod] I-D Action:
> > > > draft-ietf-netmod-factory-default-13.txt
> > > >
> > > > v-13 is posted, the diff is:
> > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-netmod-factory-default-
> > > > 13
> > > > Thanks Rob for valuable review.
> > > >
> > > > -Qin
> > > > -----邮件原件-----
> > > > 发件人: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] 代表
> > > internet-
> > > > drafts@ietf.org
> > > > 发送时间: 2020年2月25日 20:36
> > > > 收件人: i-d-announce@ietf.org
> > > > 抄送: netmod@ietf.org
> > > > 主题: I-D Action: draft-ietf-netmod-factory-default-13.txt
> > > >
> > > >
> > > > A New Internet-Draft is available from the on-line Internet-Drafts
> > > > directories.
> > > > This draft is a work item of the Network Modeling WG of the IETF.
> > > >
> > > >         Title           : A YANG Data Model for Factory Default
> > Settings
> > > >         Authors         : Qin Wu
> > > >                           Balazs Lengyel
> > > >                           Ye Niu
> > > >   Filename        : draft-ietf-netmod-factory-default-13.txt
> > > >   Pages           : 12
> > > >   Date            : 2020-02-25
> > > >
> > > > Abstract:
> > > >    This document defines a YANG data model to allow clients to reset a
> > > >    server back to its factory default condition.  It also defines a
> > > >    "factory-default" datastore to allow clients to read the factory
> > > >    default configuration for the device.
> > > >
> > > >    The YANG data model in this document conforms to the Network
> > > >    Management Datastore Architecture (NMDA) defined in RFC 8342.
> > > >
> > > >
> > > > The IETF datatracker status page for this draft is:
> > > > https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/
> > > >
> > > > There are also htmlized versions available at:
> > > > https://tools.ietf.org/html/draft-ietf-netmod-factory-default-13
> > > > https://datatracker.ietf.org/doc/html/draft-ietf-netmod-factory-defa
> > > > ul
> > > > t-13
> > > >
> > > > A diff from the previous version is available at:
> > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-netmod-factory-default-
> > > > 13
> > > >
> > > >
> > > > Please note that it may take a couple of minutes from the time of
> > > > submission until the htmlized version and diff are available at
> > > > tools.ietf.org.
> > > >
> > > > Internet-Drafts are also available by anonymous FTP at:
> > > > ftp://ftp.ietf.org/internet-drafts/
> > > >
> > > >
> > > > _______________________________________________
> > > > I-D-Announce mailing list
> > > > I-D-Announce@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/i-d-announce
> > > > Internet-Draft directories: http://www.ietf.org/shadow.html or
> > > > ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > > > _______________________________________________
> > > > netmod mailing list
> > > > netmod@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/netmod



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf