Re: [netmod] Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13

Qin Wu <> Thu, 25 June 2020 13:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 339573A0997; Thu, 25 Jun 2020 06:17:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Tw-ni7sVPPtz; Thu, 25 Jun 2020 06:17:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CE3C83A0839; Thu, 25 Jun 2020 06:17:52 -0700 (PDT)
Received: from (unknown []) by Forcepoint Email with ESMTP id 3DD2DAA6F058A746A43B; Thu, 25 Jun 2020 14:17:49 +0100 (IST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 25 Jun 2020 14:17:49 +0100
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1913.5 via Frontend Transport; Thu, 25 Jun 2020 14:17:48 +0100
Received: from ([]) by ([fe80::74d9:c659:fbec:21fa%31]) with mapi id 14.03.0487.000; Thu, 25 Jun 2020 21:17:42 +0800
From: Qin Wu <>
To: Christian Huitema <>, "" <>
CC: "" <>, "" <>, "" <>, "" <>, NETMOD Group <>
Thread-Topic: Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13
Thread-Index: AdZK7/ux7S4z7G2WR7mVKayBPsC8Mg==
Date: Thu, 25 Jun 2020 13:17:41 +0000
Message-ID: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [netmod] Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Jun 2020 13:17:56 -0000

Hi, Christian:
Thanks for valuable comments, please see reply inline.
发件人: Christian Huitema via Datatracker [] 
发送时间: 2020年6月25日 13:01
主题: Secdir last call review of draft-ietf-i2rs-yang-l2-network-topology-13

Reviewer: Christian Huitema
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes a Yang model for representing Link Layer topologies.
Representing such topologies is obviously useful for managing network.
The security section is focused on securing the usage of this information for network management, but does not address potential privacy issues.
[Qin]: My understanding privacy issue can be addressed by using NACM. NACM provide client authorization and restrict particular users to get access to a preconfigured subset of all
     available NETCONF or RESTCONF protocol operations and content.

The security considerations explain correctly how altering the link layer information could enable attacks against the network. The proposed remedy is access control, implemented using either SSH or TLS. This is fine, although the discussion of TLS authorisation is a bit short. By default, TLS verifies the identity of the server but not that of the client. RFC8040 section 2.5 specifies that "a RESTCONF server SHOULD require authentication based on TLS client certificates. I assume that's the intent, but it might be useful to say so.
[Qin]: Good observation on RESTCONF (RFC8040), Similarly, NETCONF (RFC6241) stipulates that "NETCONF connections MUST be authenticated.  The transport protocol is
   responsible for authentication of the server to the client and authentication of the client to the server." TLS is one example of such transport protocol. So it is the job of Transport protocol to provide mutual authentication. Please refer to section 2.2 of RFC6241. 
   I am not sure we should emphasize mutual authentication using underlying transport protocol in this document, since both RESTCONF and NETCONF has already clarified client authentication and server authentication.
   Let me know if you think I am wrong.

On the other hand, the security considerations do not describe privacy issues, and I find that problematic. The proposed information model lists a number of sensitive data, such as for example the MAC addresses of devices.
This information can be misused. For example, applications could assess device location fetching the MAC addresses of local gateways. Third parties could access link local information to gather identities of devices accessing a particular network. Such information is often protected by privacy API in the Operating System, but accessing the Yang module over the network might allow applications to bypass these controls.
[Qin]: I think this is a valid point, in my thinking, we could add MAC address as another sensitive data node examples under l2-node-attributes and l2-termination-points-attributes.
Please note that we follow YANG security guideline template as follows:

Client authentication alone does not necessarily protect against these privacy leaks. A classic configuration error would limit write access to authorized users, but to allow read-only access to most users. This kind of error would allow privacy leaks. Given the sensitive nature of MAC addresses and other identifiers, it is useful to warn against such errors.
[Qin]:I agree client authentication alone doesn't protect against the privacy leak but NACM does since it provides client authorization and restrict various different use to get access to operation and contents.
If I am wrong, I would like to solicit opinion from NETMOD mailing list.