Re: [netmod] security considerations boilerplate updates to cover RESTCONF

Benoit Claise <bclaise@cisco.com> Thu, 16 March 2017 07:37 UTC

To: Kent Watsen <kwatsen@juniper.net>, "netmod@ietf.org" <netmod@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/MvwaEb2YMqvcmnIyXUBgJEcW6E8>

On 3/16/2017 8:27 AM, Juergen Schoenwaelder wrote:
> On Wed, Mar 15, 2017 at 08:10:22PM +0100, Benoit Claise wrote:
>
>> I like the "YANG based management protocols" part
> I think 'YANG based' is not needed (and to some extent even incorrect)
> and I would spell out 'network management' instead of 'management':
>   
>    The YANG module defined in this document is designed to be accessed
>    via network management protocols such as NETCONF [RFC6241] or
>    RESTCONF [RFC8040].
I could live with that.
Latest proposal:

     The YANG module defined in this document is designed to be accessed
     via network management protocols such as NETCONF [RFC6241] or
     RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
     layer, and mandatory-to-implement secure transport is Secure Shell
     (SSH) [RFC6242], while the lowest RESTCONF layer is HTTP, and the
     mandatory-to-implement secure transport is Transport Layer Security
     (TLS) [RFC5246].

     The NETCONF access control model [RFC6536] provides the means to
     restrict access for particular NETCONF or RESTCONF users to a
     pre-configured subset of all available NETCONF or RESTCONF protocol
     operations and content.

I'll discuss this proposal with the security ADs during the telechat
today, even if these changes should be non-controversial.

Regards, Benoit
>
> /js
>
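The proposed boilerplate relies on the NETCONF access control model (NACM, RFC 6536) to confine a NETCONF or RESTCONF user to a subset of operations and content. The following is an added example, not part of this thread or of any RFC, giving a simplified Python model of the NACM decision procedure: ordered rule-lists selected by group membership, module-name and access-operation matching with first match winning, and the RFC 6536 default policies (read permit, write deny, exec permit) when no rule matches. The user, group and module names are constructed, and the path/rpc/notification rule types are omitted.

```python
# Simplified NACM (RFC 6536) access decision, written as an illustration.
# Only module-name and access-operations matching is modelled here.
from dataclasses import dataclass, field


@dataclass
class Rule:
    module_name: str          # "*" or a YANG module name
    access_operations: set    # {"*"} or a subset of {create, read, update, delete, exec}
    action: str               # "permit" or "deny"


@dataclass
class RuleList:
    groups: set               # group names this rule-list applies to ("*" = all)
    rules: list               # ordered list of Rule


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"   # RFC 6536 default values
    write_default: str = "deny"
    exec_default: str = "permit"
    groups: dict = field(default_factory=dict)        # group name -> set of user names
    rule_lists: list = field(default_factory=list)    # ordered list of RuleList


WRITE_OPS = {"create", "update", "delete"}


def user_groups(nacm, user):
    return {g for g, members in nacm.groups.items() if user in members}


def decide(nacm, user, module, operation):
    """Return "permit" or "deny" for user performing operation on module."""
    if not nacm.enable_nacm:
        return "permit"
    groups = user_groups(nacm, user)
    for rl in nacm.rule_lists:                        # rule-lists are processed in order
        if "*" not in rl.groups and not (rl.groups & groups):
            continue                                  # user is in none of its groups
        for rule in rl.rules:                         # rules are processed in order
            if rule.module_name not in ("*", module):
                continue
            if "*" not in rule.access_operations and operation not in rule.access_operations:
                continue
            return rule.action                        # first matching rule decides
    if operation == "read":                           # no rule matched: apply defaults
        return nacm.read_default
    return nacm.write_default if operation in WRITE_OPS else nacm.exec_default


# Constructed sample: admins may do anything; operators may only read "example-module".
SAMPLE = Nacm(
    groups={"admin": {"bob"}, "operators": {"alice"}},
    rule_lists=[
        RuleList(groups={"admin"}, rules=[Rule("*", {"*"}, "permit")]),
        RuleList(groups={"operators"}, rules=[Rule("example-module", {"read"}, "permit"),
                                              Rule("example-module", {"*"}, "deny")]),
    ],
)
```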