[netmod] FW: Secdir last call review of draft-ietf-netmod-factory-default-14

Balázs Lengyel <balazs.lengyel@ericsson.com> Tue, 10 March 2020 11:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/QESo3PH4cGYSyTC-1o0JVMaZ1dk>

As an author of netmod drafts, I would like to see some general guidance on this issue. Can someone help, please?
Balazs

-----Original Message-----
From: Stephen Kent via Datatracker <noreply@ietf.org> 
Sent: Monday, 9 March 2020 20:15
To: secdir@ietf.org
Cc: netmod@ietf.org; draft-ietf-netmod-factory-default.all@ietf.org; last-call@ietf.org
Subject: Secdir last call review of draft-ietf-netmod-factory-default-14

Reviewer: Stephen Kent
Review result: Has Issues

SECDIR review of draft-ietf-netmod-factory-default-14

Section 6, Security Considerations, calls for use of SSH (RFC 6242) with NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is current, citing TLS v1.3. However, RFC 6242 is a document that describes how to use SSH with NETCONF. That document, in turn, cites RFC 4254, and that RFC cites RFC 4253 for a description of SSH. 4253 is a very much out of date document; the integrity and key management algorithms in the original RFC have been updated 3 times (6668, 8268, and 8332). The encryption algorithms cited in 4253 are all outdated. This discussion of SSH security for use with NETCONF, based on the one citation, seems to be inconsistent with current IETF crypto guidelines. This is a problem that the net management area should address before this document is approved.

The discussion of how a factory-reset RPC may isolate a device is good, as is the warning about not relying on this RPC to prevent recovery of security-sensitive data from NV storage.
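The concrete check behind the reviewer's point, as an added example that is not part of the review, the draft, or either participant's message: the script below parses an SSH_MSG_KEXINIT payload (the wire layout from RFC 4253 section 7.1) and reports, per algorithm category, which names a NETCONF-over-SSH server offers from the original RFC 4253 tables and which come from the updates the review cites (RFC 6668 hmac-sha2-* MACs, RFC 8268 SHA-2 Diffie-Hellman groups, RFC 8332 rsa-sha2-* signatures). Names defined in RFCs the review does not mention (for example aes128-ctr from RFC 4344) are bucketed as "other" rather than judged. The sample offer, the all-zero cookie and the function names are constructed for illustration and are not captured from any real device.

```python
"""Audit an SSH server's KEXINIT offer against the RFC 4253 baseline and the
updates named in the secdir review (RFC 6668, RFC 8268, RFC 8332)."""
import struct

# SSH_MSG_KEXINIT layout (RFC 4253 section 7.1): byte 20, 16-byte cookie, ten
# name-lists (uint32 length + comma-separated ASCII names), one boolean
# first_kex_packet_follows, one uint32 reserved.
SSH_MSG_KEXINIT = 20
NAMELIST_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Algorithm names as listed in the original RFC 4253 tables.
RFC4253 = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "host_key": {"ssh-dss", "ssh-rsa", "pgp-sign-rsa", "pgp-sign-dss"},
    "enc": {"3des-cbc", "blowfish-cbc", "twofish256-cbc", "twofish-cbc",
            "twofish192-cbc", "twofish128-cbc", "aes256-cbc", "aes192-cbc",
            "aes128-cbc", "serpent256-cbc", "serpent192-cbc", "serpent128-cbc",
            "arcfour", "idea-cbc", "cast128-cbc"},
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
}
# Names registered by the three updates the review cites.
UPDATES = {
    "kex": {"diffie-hellman-group14-sha256", "diffie-hellman-group15-sha512",
            "diffie-hellman-group16-sha512", "diffie-hellman-group17-sha512",
            "diffie-hellman-group18-sha512"},                    # RFC 8268
    "host_key": {"rsa-sha2-256", "rsa-sha2-512"},                # RFC 8332
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},                   # RFC 6668
}


def _namelist(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=bytes(16)):
    """Serialise a KEXINIT from a dict of name-lists (missing ones are empty).
    The zero cookie is for the constructed sample only; RFC 4253 requires random bytes."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAMELIST_FIELDS:
        body += _namelist(lists.get(field, []))
    return body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; ValueError on malformed input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in NAMELIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = [s for s in raw.split(",") if s]
    if pos + 5 != len(payload):
        raise ValueError("bad trailer after the ten name-lists")
    return lists


def classify(category, name):
    """'rfc4253' | 'updated' | 'other' (defined in an RFC the review does not cite)."""
    if name in RFC4253[category]:
        return "rfc4253"
    if name in UPDATES.get(category, ()):
        return "updated"
    return "other"


def audit_offer(lists):
    """Per category: the 4253-era names offered, whether nothing newer is offered at
    all, and whether the server's first (preferred) choice is a 4253-era name."""
    report = {}
    for category, field in (("kex", "kex"), ("host_key", "host_key"),
                            ("enc", "enc_s2c"), ("mac", "mac_s2c")):
        names = lists[field]
        legacy = [n for n in names if classify(category, n) == "rfc4253"]
        report[category] = {
            "legacy": legacy,
            "legacy_only": bool(names) and len(legacy) == len(names),
            "legacy_preferred": bool(names) and names[0] in legacy,
        }
    return report


# Constructed sample offer (hypothetical, not captured from a real device).
SAMPLE_OFFER = {
    "kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "enc_s2c": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha1", "hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}

if __name__ == "__main__":
    offer = parse_kexinit(build_kexinit(SAMPLE_OFFER))
    for cat, r in audit_offer(offer).items():
        print(f"{cat:9s} legacy={r['legacy']} legacy_only={r['legacy_only']} "
              f"legacy_preferred={r['legacy_preferred']}")
```

Feed it the payload of a real server's KEXINIT (for example, extracted from a packet capture) in place of the constructed sample. A category that reports legacy_only means the server cannot negotiate anything newer than RFC 4253 there (the sample's host-key list, with only ssh-rsa, is such a case), while legacy_preferred flags a server that still leads with a 4253-era algorithm even though a newer one is available.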