Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-04.txt

Qin Wu <bill.wu@huawei.com> Wed, 06 November 2019 02:21 UTC

From: Qin Wu <bill.wu@huawei.com>
To: Kent Watsen <kent+ietf@watsen.net>, john heasley <heas@shrubbery.net>
CC: "netmod@ietf.org" <netmod@ietf.org>
Date: Wed, 06 Nov 2019 02:20:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/O_pjZI3Qf7HZI0kVx-ccRShAWjM>

From: netmod [mailto:netmod-bounces@ietf.org] On Behalf Of Kent Watsen
Sent: 6 November 2019 3:27
To: john heasley <heas@shrubbery.net>
Cc: netmod@ietf.org
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-04.txt



Yes, I'm suggesting that this "clearing" be a requirement, even if the
operator has the choice between clear "only the configuration" and
"everything."  "might" -> "MUST".

The fine line between too vague and too much detail must be found. >>>

In addition, the "factory-reset" RPC MUST
restore storage to factory condition, including
remove log files,
remove temporary files,
remove certificates, keys, etc
zero passwords,
<insert other things>

The process (SHOULD|MUST) zero/pattern-write then remove sensitive files
such as the TLS keys, configuration stores, etc.

[Qin]: Okay, here is my proposed change:
OLD TEXT:
“
In addition, the "factory-reset" RPC might also be used to trigger
some other restoring and resetting tasks such as files cleanup,
restarting the node or some of the SW processes, or setting some
security data/passwords to the default value, removing logs, removing
any temporary data (from datastore or elsewhere) etc.  When and why
these tasks are triggered is not the scope of this document.
”
NEW TEXT:
“
In addition, the "factory-reset" RPC MUST restore storage to factory condition,
including remove log files, remove temporary files (from datastore or elsewhere).
It MUST also remove security credentials and restore default security settings including
remove certificates, keys, zero passwords, etc. The process invoked by the "factory-reset"
RPC SHOULD zero/pattern-write then remove sensitive files such as the TLS keys, configuration
stores, etc. The RPC MAY also be used to trigger some other resetting tasks such as restarting
the node or some of the software processes, activating the factory-default config which in turn
enables zero touch provision (ZTP).
”
If you have better text, feel free to share.

The RPC MAY provide an option to limit the actions to factory reset of
the configuration.
[Qin]: We have added nacm:default-deny-all on the RPC we proposed. The Security section will be enhanced
based on Andy’s comment in the separate email.

Strongly agree.

Kent // contributor
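
The "zero/pattern-write then remove" step discussed in this thread, shown as an added example (not text from the draft and not code from any participant). The function names, the file name and the sample contents are assumptions made here; the demo keeps a second descriptor open so the bytes left on the file's blocks can be checked after the name is gone.

```python
import os
import tempfile

CHUNK = 64 * 1024


def wipe_and_remove(path, fill=0):
    """Overwrite every byte of `path` with `fill`, flush it, then unlink it."""
    # O_NOFOLLOW: refuse a symlink planted at this path. No O_TRUNC:
    # truncating first would release the blocks without overwriting them.
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        remaining = os.fstat(fd).st_size
        block = bytes([fill]) * CHUNK
        while remaining > 0:
            remaining -= os.write(fd, block[:min(CHUNK, remaining)])
        os.fsync(fd)  # push the overwrite to storage before the name goes away
    finally:
        os.close(fd)
    os.unlink(path)


def demo():
    """Run the wipe on a constructed sample file; return (still_exists, residue, size)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.key")  # hypothetical file name
        secret = b"constructed sample secret, not a real key\n" * 8
        with open(path, "wb") as f:
            f.write(secret)
        # A second descriptor keeps the inode readable after unlink, so the
        # data left behind on the file's blocks can be inspected.
        probe = os.open(path, os.O_RDONLY)
        try:
            wipe_and_remove(path)
            residue = os.pread(probe, len(secret), 0)
        finally:
            os.close(probe)
        return os.path.exists(path), residue, len(secret)


if __name__ == "__main__":
    exists, residue, size = demo()
    print("file still present:", exists)
    print("residue is all zero:", residue == bytes(size))
```

In-place overwriting only reaches the original blocks where the filesystem and the medium write in place; on copy-on-write or journaling filesystems and on wear-levelled flash, older copies of the data can survive the overwrite.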