Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Qin Wu <bill.wu@huawei.com> Tue, 21 April 2020 13:21 UTC

From: Qin Wu <bill.wu@huawei.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>, "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, Kent Watsen <kent+ietf@watsen.net>
Date: Tue, 21 Apr 2020 13:20:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/dmMxDT2khLZZTyRbcHwzWecsMpE>

Hi, Roman:
A few clarifications inline below.
-----Original Message-----
From: Roman Danyliw via Datatracker [mailto:noreply@ietf.org]
Sent: April 21, 2020 20:52
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netmod-factory-default@ietf.org; netmod-chairs@ietf.org; netmod@ietf.org; Kent Watsen <kent+ietf@watsen.net>; kent+ietf@watsen.net
Subject: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-netmod-factory-default-14: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Please use YANG security considerations template from https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.  Specifically (as a DISCUSS item):

** (Per the template questions “for all YANG modules you must evaluate whether any readable data”) Would factory-default contain any sensitive information in certain network environments where the ACLs should be more restrictive than world readable for everyone?
[Qin]: It does follow yang-security-guidelines, but there is no readable data node defined within the rpc; that's why we don't use the third paragraph boilerplate and fourth paragraph boilerplate of yang-security-guidelines. YANG-security-guidelines are more applicable to YANG data models with more readable/writable data nodes.
In addition, as clarified in the second paragraph, section 6 of this draft, NACM can be used to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations (i.e., factory-reset rpc).

Per “The operational disruption caused by setting the config to factory default contents varies greatly depending on the implementation and current config”, it seems like it could be worse than just an operational disruption.  Please note that a default configuration could be insecure or not have security controls enabled, thereby exposing the network to compromise.

[Qin]: As described in the second paragraph of section 6, it by default restricts access for everyone by using the "default-deny-all" access control defined in [RFC8341]; what else does it need to address this security concern?
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Please use YANG security considerations template from https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.  Specifically (as a COMMENT item):

** Add “The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to …”

[Qin]: We did follow this template; I am wondering how it is different from the second paragraph of section 6? I see they are equivalent but with finer-granularity security measures, if my understanding is correct.
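
Added example, not part of the original message or of the draft: a simplified Python model of the RFC 8341 (NACM) protocol-operation check, showing how "default-deny-all" on the factory-reset rpc blocks a user with no matching rule even though exec-default is "permit". The class names, users, groups and the module name "ietf-factory-default" are assumptions for illustration; the recovery session, the "*" group, access-operations and specially handled operations are omitted.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    module_name: str   # "*" matches any module
    rpc_name: str      # "*" matches any protocol operation
    action: str        # "permit" or "deny"

@dataclass
class RuleList:
    groups: set        # NACM groups this rule-list applies to
    rules: list

@dataclass
class Nacm:
    groups: dict                      # group name -> set of user names
    rule_lists: list = field(default_factory=list)
    enable_nacm: bool = True
    exec_default: str = "permit"      # RFC 8341 default value

def rpc_allowed(nacm, user, module, rpc, default_deny_all):
    """Simplified RFC 8341 protocol-operation check (exec access only)."""
    if not nacm.enable_nacm:
        return True                   # NACM disabled: nothing is enforced
    user_groups = {g for g, members in nacm.groups.items() if user in members}
    for rule_list in nacm.rule_lists:
        if not (rule_list.groups & user_groups):
            continue                  # rule-list is for other groups
        for rule in rule_list.rules:  # first matching rule decides
            if rule.module_name in ("*", module) and rule.rpc_name in ("*", rpc):
                return rule.action == "permit"
    if default_deny_all:              # nacm:default-deny-all on the rpc statement
        return False
    return nacm.exec_default == "permit"

# Constructed sample policy: only the "admin" group may invoke factory-reset.
POLICY = Nacm(
    groups={"admin": {"alice"}, "operator": {"bob"}},
    rule_lists=[RuleList({"admin"}, [
        Rule("ietf-factory-default", "factory-reset", "permit")])],
)

def demo():
    reset = ("ietf-factory-default", "factory-reset")
    return {
        "alice": rpc_allowed(POLICY, "alice", *reset, default_deny_all=True),
        "bob": rpc_allowed(POLICY, "bob", *reset, default_deny_all=True),
        # Same request if the rpc lacked the extension: exec-default applies.
        "bob_unmarked": rpc_allowed(POLICY, "bob", *reset, default_deny_all=False),
    }
```

The check covers who may invoke the rpc; it says nothing about how secure the resulting factory-default configuration is, which is the separate concern raised in the DISCUSS.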