[netmod] Secdir last call review of draft-ietf-netmod-factory-default-14

Stephen Kent via Datatracker <noreply@ietf.org> Mon, 09 March 2020 19:14 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: netmod@ietf.org
Delivered-To: netmod@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A763A15DC; Mon, 9 Mar 2020 12:14:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Stephen Kent via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: netmod@ietf.org, draft-ietf-netmod-factory-default.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.120.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <158378129274.5575.11079304412600243334@ietfa.amsl.com>
Reply-To: Stephen Kent <kent@alum.mit.edu>
Date: Mon, 09 Mar 2020 12:14:52 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Yb0ctxBmPO1bVCBayZxCG3ZoF6Y>
Subject: [netmod] Secdir last call review of draft-ietf-netmod-factory-default-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 19:15:00 -0000

Reviewer: Stephen Kent
Review result: Has Issues

SECDIR review of draft-ietf-netmod-factory-default-14

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving security requirements and
considerations in IETF drafts.  Comments not addressed in last call may be
included in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

This is a very brief document- only 9 pages (ignoring notes that are to be
removed before publication)! It is a proposal for a YANG data model that will
allow clients to reset a server to its factory default settings. It also
defines a “factory-default” datastore that enables a client to determine the
values for the default settings for a server. The datamodel is said to conform
to the architecture defined in RFC 8342.

RFC 8342, and RFC 7950, define the terms used in this document, and the
terminology Section (1.1) cites these RFCs when enumerating these terms. This
reader would prefer to have the definitions replicated here for the nine terms
in question. Only one additional term is defined in this document, the
factory-default datastore. The acronym “RPC” (remote procedure call) is not
expanded upon first use.

The description of how to effect a factor-reset RPC, in Sections 2 & 3 seems
pretty thorough, and includes appropriate comments about security-relevant
data, e.g., private keys and certificates. I an not familiar enough with YANG
to evaluate the module definition in Section 4.

Section 6, Security Considerations, calls for use of SSH (RFC 6242) with
NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is current,
citing TLS v1.3. However, RFC 6242 is a document that describes how to use SSH
with NETCONF. That document, in turn, cites RFC 4254, and that RFC cites RFC
4253 for a description of SSH. 4253 is a very much out of date document; the
integrity and key management algorithms in the original RFC have been updated 3
times (6668, 8268, and 8332). The encryption algorithms cited in 4253 are all
outdated. This discussion of SSH security for use with NETCONF, based on the
one citation, seems to be inconsistent with current IETF crypto guidelines.
This is a problem that the net management area should address before this
document is approved.

The discussion of how a factory-reset RPC may isolate a device, is good, as is
the warning about not relying on this RPC to prevent recovery of
security-sensitive data from NV storage.