Re: [netmod] security considerations boilerplate updates to cover RESTCONF
"Mehmet Ersue" <mersue@gmail.com> Wed, 15 March 2017 17:09 UTC
Return-Path: <mersue@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7948F13171D; Wed, 15 Mar 2017 10:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.688
X-Spam-Level:
X-Spam-Status: No, score=-2.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXK7GK1hBpfG; Wed, 15 Mar 2017 10:09:09 -0700 (PDT)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A7E113171A; Wed, 15 Mar 2017 10:09:08 -0700 (PDT)
Received: by mail-wm0-x231.google.com with SMTP id t189so28321087wmt.1; Wed, 15 Mar 2017 10:09:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=TpLKFJU9A6x2UQ8ek9jfERXE3IMC7/C6GbUTXF/VoaQ=; b=O3EatxK2hSXnXqWxbNTpNFQp9/pDIuCXiUeDw63k4kKjSML1RGeoX2TBM19gRztn/L uHJjMrb6+Pse6YCJ2FndlLSYKnpCASoC2Wh2u+qHHL3ZNeTQz7sy900Ms0X+/1dvG1kg B/f6Rf5LLrKSx/IF4dAvYoOaoXFnRF8JnLbvbaM0B2nyc/kDq5+lC7UH6Y09yBUSC/d4 9RW3kGLbXX2PFtE8Mn1Q5LiCYHbfw1DUmoLyfuD+UQvN+ChJcOe7wxdbd12z2fPZlyGk NbvYjbJ72GRyyljwY8IskfELasMVb2gqME2C8xAUZutCNZ2hVwhV6zJMQI0fcbw1l3ao RyJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=TpLKFJU9A6x2UQ8ek9jfERXE3IMC7/C6GbUTXF/VoaQ=; b=kXoQwxUqfvHwH/bX0+r1Olax/96I3Iy2Wq9x8EKS0pPksRIHSo11MqTpUnmzfjaH1f M6Ew5fOTnjbII8ntf/IPT6X03iTYwspNqVQyfJCiLHbou65nV/HOZpRdj1OfyIQAfzcz VtPzHKpQ1HZCkBiPOQ+ID0c0pWL7AfDIC9qeiKqxhCt5gZ0uKac3NGY6TXlxUTsP73WR 9p5Ta0Wws6RhRVo6900VczOAwA0X3ZCVEs/dad9PsPnL2b4VqrmCZR5Zj9jfwoiZj9yf rUJNX1xsn/wBRxoG2NKJbnNanfKQfKJNUsHklKTbUhfmj9MmJl13n1xkCEj24pxjrR41 fw8g==
X-Gm-Message-State: AFeK/H0tc+cCxm4ZHED9JedaONOSpN3XzUTOOHTN5NsiRMdUJ0dmhQodSoAg2bCAXFDgow==
X-Received: by 10.28.208.72 with SMTP id h69mr21187478wmg.100.1489597746943; Wed, 15 Mar 2017 10:09:06 -0700 (PDT)
Received: from DESKTOPFLHJVQJ (p5DCC645C.dip0.t-ipconnect.de. [93.204.100.92]) by smtp.gmail.com with ESMTPSA id g45sm3073949wrd.11.2017.03.15.10.09.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Mar 2017 10:09:06 -0700 (PDT)
From: Mehmet Ersue <mersue@gmail.com>
To: 'Benoit Claise' <bclaise@cisco.com>, netmod@ietf.org
Cc: sec-ads@ietf.org
References: <20170313212537.GB53972@elstar.local> <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com>
In-Reply-To: <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com>
Date: Wed, 15 Mar 2017 18:09:07 +0100
Message-ID: <03cc01d29dae$db5aff90$9210feb0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03CD_01D29DB7.3D235F30"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGJMIRwVHbcr6YpIqDDgDof1YDe8gGzbvedohtgQGA=
Content-Language: de
X-AVK-Virus-Check: AVA 25.11068;244D8A0E
X-AVK-Spam-Check: 1; str=0001.0A0C0201.58C97531.023D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0; AE713
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/e5fNnmanpD5DXzpyM-24VIiGXzY>
Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 17:09:11 -0000
Looks good to me. However, I think we should change: s/and mandatory-to-implement is Secure Shell/ and the mandatory-to-implement secure transport is Secure Shell/ Mehmet From: netmod [mailto:netmod-bounces@ietf.org] On Behalf Of Benoit Claise Sent: Wednesday, March 15, 2017 5:45 PM To: netmod@ietf.org Cc: sec-ads@ietf.org Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF Dear all, [copying the security ADs to make sure the new security section is fine] Let's separate the two issues 1. the multiple URLs in draft-ietf-netmod-rfc6087bis-12.txt Basically, I agree with Jürgen I see section 4.7: This section MUST be patterned after the latest approved template (available at http://trac.tools.ietf.org/area/ops/trac/wiki/ <http://trac.tools.ietf.org/area/ops/trac/wiki/yang-security-guidelines> yang-security-guidelines <http://trac.tools.ietf.org/area/ops/trac/wiki/yang-security-guidelines> ). Section 7.1 <https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-12#section-7.1> contains the security considerations template dated 2013-05-08. Authors MUST check the WEB page at the URL listed above in case there is a more recent version available. Then, I see section 7: The following section contains the security considerations template dated 2010-06-16. Not sure why it contains this cut/paste? It should just say: the latest version is at this URL. Then, I see in the same section: This section MUST be patterned after the latest approved template (available at http://www.ops.ietf.org/netconf/yang-security-considerations.txt This page is not found. This should be corrected in rfc6087bis. 2. the new security guidelines must include RESTCONF. At this point, this is a blocking factor for the publication of YANG module. As an example, draft-ietf-lmap-yang-11 <https://datatracker.ietf.org/doc/draft-ietf-lmap-yang/> , A YANG Data Model for LMAP Measurement Agents, on the telechat tomorrow. As mentioned the most up to date version is https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines Here is the proposal, discussed on the YANG doctors list: OLD The YANG module defined in this memo is designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF users to a pre-configured subset of all available NETCONF protocol operations and content. NEW The YANG module defined in this memo is designed to be accessed via the NETCONF [RFC6241] or RESTCONF [RFC8040] protocol. The lowest NETCONF layer is the secure transport layer, and mandatory-to-implement is Secure Shell (SSH) [RFC6242], while the lowest RESTCONF layer is HTTP, and the mandatory-to-implement secure transport is Transport Layer Security (TLS) [RFC5246]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF or RESTCONF users to a pre-configured subset of all available NETCONF or RESTCONF protocol operations and content. Any objections? Have covered all that we need for the new RESTCONF protocol? Regards, Benoit Hi, this came up during IESG processing of a YANG module - is there a new security guideline boilerplate text covering RESTCONF? This was briefly discussed on the yang-doctors but somehow the discussion stopped because RESTCONF was not published yet at that time. I think this affects draft-ietf-netmod-rfc6087bis-12.txt. draft-ietf-netmod-rfc6087bis-12.txt has several pointers to read online documents - why do we need several points? I think some are also not working. Ideally, there should be a single stable URL. /js
- Re: [netmod] security considerations boilerplate … Benoit Claise
- [netmod] security considerations boilerplate upda… Juergen Schoenwaelder
- Re: [netmod] security considerations boilerplate … Benoit Claise
- Re: [netmod] security considerations boilerplate … Mehmet Ersue
- Re: [netmod] security considerations boilerplate … Kent Watsen
- Re: [netmod] security considerations boilerplate … Benoit Claise
- Re: [netmod] security considerations boilerplate … Juergen Schoenwaelder
- Re: [netmod] security considerations boilerplate … Benoit Claise
- Re: [netmod] security considerations boilerplate … Juergen Schoenwaelder
- Re: [netmod] security considerations boilerplate … Benoit Claise
- Re: [netmod] security considerations boilerplate … Kent Watsen
- Re: [netmod] security considerations boilerplate … Kent Watsen
- Re: [netmod] security considerations boilerplate … Kathleen Moriarty
- Re: [netmod] security considerations boilerplate … Juergen Schoenwaelder
- Re: [netmod] security considerations boilerplate … Alia Atlas
- Re: [netmod] security considerations boilerplate … Juergen Schoenwaelder
- Re: [netmod] security considerations boilerplate … Benoit Claise
- Re: [netmod] security considerations boilerplate … Kent Watsen
- Re: [netmod] security considerations boilerplate … Phil Shafer
- Re: [netmod] security considerations boilerplate … Ladislav Lhotka
- Re: [netmod] security considerations boilerplate … Kent Watsen
- Re: [netmod] security considerations boilerplate … Acee Lindem (acee)