Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 24 April 2020 18:09 UTC

Date: Fri, 24 Apr 2020 20:09:18 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
Cc: Qin Wu <bill.wu@huawei.com>, Roman Danyliw <rdd@cert.org>, "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, The IESG <iesg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/ZpwTGBf-D5cwQFHgyS6qFB-fdeA>

On Fri, Apr 24, 2020 at 04:54:04PM +0000, Rob Wilton (rwilton) wrote:
> 
> 1) Concerns read access to the factory-default datastore which could contain sensitive information.  Perhaps read access to that datastore should default to nacm:default-deny-all?  If so, then this should probably be documented in section 3, with a sentence in section 6 to explain that is how it is protected.
>

Why would a factory-default datastore be more sensitive than <running>?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>