Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Andy Bierman <> Tue, 21 April 2020 16:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 992753A0DA4 for <>; Tue, 21 Apr 2020 09:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y1GCpIuCgf8N for <>; Tue, 21 Apr 2020 09:20:35 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E7AC03A0D91 for <>; Tue, 21 Apr 2020 09:20:34 -0700 (PDT)
Received: by with SMTP id f13so7603244ybk.7 for <>; Tue, 21 Apr 2020 09:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jLdF29kDKCpHHZlhWLOLmXtv8q5MmOOxKMVjwyX2DvQ=; b=PHq/5uXKbRh5W+QqnLZIljJYyoJQlNk3eAOeg0sLmjMyuhIgikZzLjioqE7hUnUwTA 3D5gdJtFx8YlmAc+ouZsm8zn6kGoN7N9MQSEcf7CagYdNIvuEh84gt/nvF40g35xorQ8 FLp4NfQe2Y5AuHyWt4YPMU4DkZlyrsOI1mqIba68ICn0XDkINO0ze0T8LySWjrmNC/Rf SdEWYU8I0p/wmog5xEjOo26+iafDdXdGVBRfuU/stJAEKjUNIuZul7o9cV4cDm+OE537 16d86wjz+/4xLW/7EC+TWYecg1ogBxLsCli6xAptuqAQCSPn8YGaZMQZ/STCAfmicN41 emeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jLdF29kDKCpHHZlhWLOLmXtv8q5MmOOxKMVjwyX2DvQ=; b=COCgMq5exl6GsDGjsnlMScHxfJ7GEqNogZUrt+Az2AzYBzvm2Pf5YLPTMomU06xkxm cU2X4cv303iIEq1HsIVWtMWx/oCO7y+NURDIAZAWr9XV4tx4vGmslnoZErJVRJkUBhsS RH4VSN46WAuCIf8ZvKTpTih9uD/0LA+tCdXjOqAUTtV1f8mSJO9U/h2SqsDMuWOoG9g/ Ts7fCNt7xtHeBiNMnIy8itubFZvfyowKmzS5sZX/hjyHLC7CWhQpsxuh+H8a8b2A+5MI z7aFrxlSpq96RHJU8nDwWooG/obXv43A8azd05voj/GkVjJ+eqBH6MURCsfbwi0Maj5E lQBQ==
X-Gm-Message-State: AGi0PuaNVMOjW+HTl8C4LiLRSvRBfHJDu6HB309/YuubzVexM2El8Ua5 jkmDIIAv8je+J4J79d3XE9OizGYrAl6lAG4H30bBDg==
X-Google-Smtp-Source: APiQypL4PwtgO0F58+jUZ3v/lawZ1bxsUDfaIAGZwWNZL2Sjl+OkTqjPExpVlklvIoOeDnkMqjPZZocqMslry//bJTI=
X-Received: by 2002:a5b:cd0:: with SMTP id e16mr5393448ybr.107.1587486030569; Tue, 21 Apr 2020 09:20:30 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Andy Bierman <>
Date: Tue, 21 Apr 2020 09:20:19 -0700
Message-ID: <>
To: Kent Watsen <>
Cc: Qin Wu <>, Roman Danyliw <>, "" <>, The IESG <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000f0394105a3cf64a0"
Archived-At: <>
Subject: Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Apr 2020 16:20:40 -0000

On Tue, Apr 21, 2020 at 8:56 AM Kent Watsen <> wrote:

> Hi Roman,
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Please use YANG security considerations template from
> Specifically (as a DISCUSS item):
> ** (Per the template questions “for all YANG modules you must evaluate
> whether any readable data”) Would factory-default contain any sensitive
> information in certain network environments where the ACLs should be more
> restrictive that world readable for everyone?
> [Qin]: It does follows yang-security-guidelines but there is no readable
> data node defined within rpc, that's why we don't use third paragraph
> boilerplate and fourth paragraph boilerplate of yang-security-guidelines.
> YANG-security-guidelines are more applicable to YANG data model with more
> readable/writable data nodes.
> In addition, as clarified in the second paragraph, section 6 of this
> draft, NACM can be used to restrict access for particular NETCONF or
> RESTCONF users to a preconfigured subset of all available NETCONF or
> RESTCONF protocol operations (i.e., factory-reset rpc)
> Per “The operational disruption caused by setting the config to factory
> default contents varies greatly depending on the implementation and current
> config”, it seems like it could be worse than just an operational
> disruption.  Please note that a default configuration could be insecure or
> not have security controls enabled whereby exposing the network to
> compromise.
> [Qin]: As described in the second paragraph of section 6 it by default
> restrict access for everyone by using the "default-deny-all" access control
> defined [RFC8341], what else does it need to address this security concern?
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Please use YANG security considerations template from
> Specifically (as a COMMENT item):
> ** Add “The Network Configuration Access Control Model (NACM) [RFC8341]
> provides the means to …”
> [Qin]: We did follow this template, I am wondering how it is different
> from the second paragraph of section 6? I see they are equivalent but with
> more fine granularity security measures, if my understanding is correct.
> Regarding the use of the YANG security considerations template from [1],
> it has been noted that the template is imperfect in several ways…
> For instance, a YANG module  may not define any protocol accessible nodes
> (e.g., they only define identities, typedefs, yang-data, or structures).
> In another example, the YANG module may only define RPCs (such as in this
> case) and/or notifications.  In yet another example, the YANG module may be
> only for use with RESTCONF (not NETCONF), and thus mentioning NETCONF at
> all would be odd (i.e., RFC 8572).
> In such cases, strict adherence to the template does not make sense.  As
> chair/shepherd/author, I’ve struggled with how to best satisfy the
> intention adequately.   Of course, each case varies, but one idea that I’ve
> been exploring is to start the section with a disclaimer explaining why/how
> template [1] is (or not) followed.  This approach is appealing as it
> immediately conveys to the IESG that the template was not ignored.
> However, it is unappealing in that it may be wrong for the published
> Security Considerations section to have a link to the template.

Section 3 defines a factory-default datastore.
This exposes the factory default values of all configuration data nodes.
It seems like this should be mentioned in security considerations.

The template is a guideline, nothing more.

IMO even a typedef can require some security documentation:

   typedef password {
       type string;
         "contains the text password for access to all confidential server

Please advise.
> Kent  // as chair and shepherd


> [1]
> _______________________________________________
> netmod mailing list