IETF Logo Mail Archive

Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)

mohamed.boucadair@orange.com Wed, 22 September 2021 12:12 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBAE3A1C01; Wed, 22 Sep 2021 05:12:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LkVZlVdRkIue; Wed, 22 Sep 2021 05:12:02 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F30B3A1BFF; Wed, 22 Sep 2021 05:12:02 -0700 (PDT)
Received: from opfednr06.francetelecom.fr (unknown [xx.xx.xx.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr22.francetelecom.fr (ESMTP service) with ESMTPS id 4HDxxD3PPxz10DK; Wed, 22 Sep 2021 14:12:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1632312720; bh=u+v27XyBXz5gmXi2c/vF9uPFUVnGY5deKGwjnCOGIVU=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=oyW467oZZdREjbnJJVVOyjaC3Y0bLS8niYEewom7xdX+9p64a58ZvauWsv0XMC0OG isd397vKZu6q4EpTWDpQoN9gjsdAl6BwK3fKO5ATlTUaHhD3GFxOl0IwJ0SoTWOPtu SAM+9jz8SGKclR+9zeyb/PzCk9Fhf4u1q59ctQ2zuanpWC0D6HqdNiH7N6mmJWPMNg gYpOarYAmd9xkQd+Ze6T9+7ZnC6/PW0IKnFjKcLzLazMmLqBHA+5cwRj1BXPH6+L1z y3DC9AY/ML/69fR/RerMbdpm3zJqrhUdJGFYAQilqcZAoBXR+KFe40SB6u6IHEwOxh DrcX7TitPKCJA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfednr06.francetelecom.fr (ESMTP service) with ESMTPS id 4HDxxD1qVMzDq7Z; Wed, 22 Sep 2021 14:12:00 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-l3sm-l3nm@ietf.org" <draft-ietf-opsawg-l3sm-l3nm@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)
Thread-Index: AQHXrZxG8eY40oS2BEGRX82epQWoeauv3ROA
Date: Wed, 22 Sep 2021 12:11:59 +0000
Message-ID: <2921_1632312720_614B1D90_2921_139_1_787AE7BB302AE849A7480A190F8B93303540A7F8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <163208647041.29395.14738393918481539716@ietfa.amsl.com>
In-Reply-To: <163208647041.29395.14738393918481539716@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/eME52GJp9jutT32LsvN2E32jMCc>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2021 12:12:08 -0000

Hi Roman, 

Thank you for the review. Much appreciated.

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Roman Danyliw via Datatracker [mailto:noreply@ietf.org]
> Envoyé : dimanche 19 septembre 2021 23:21
> À : The IESG <iesg@ietf.org>
> Cc : draft-ietf-opsawg-l3sm-l3nm@ietf.org; opsawg-chairs@ietf.org;
> opsawg@ietf.org; adrian@olddog.co.uk; adrian@olddog.co.uk
> Objet : Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with
> DISCUSS and COMMENT)
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-opsawg-l3sm-l3nm-11: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-
> criteria.html
> for more information about DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-l3sm-l3nm/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> ** RFC8177 already defines a container to represent an individual key --
> key-string – as both a string and hex format. Additionally, this
> representation has built in ACLs to protect it.  This model appears to
> maximize flexibility by supporting both key-chains and an explicit key
> for protocols like BGP, RIP and ISIS.  Is there a reason why this model
> does not (or perhaps cannot) reuse the key-string representation from
> RFC8177 (the same way key-chain is)? And/or to not provide the
> flexibility for a hex encoded key?

[[Med]] We are echoing what is supported by the device models where the explicit key is supported. For example, 

* RFC8695 for RIP supports the following:

       |     +--rw authentication
       |     |  +--rw (auth-type-selection)?
       |     |     +--:(auth-key-chain)
       |     |     |  +--rw key-chain? key-chain:key-chain-ref
       |     |     +--:(auth-key)
       |     |        +--rw key?                string
       |     |        +--rw crypto-algorithm?   identityref

* draft-ietf-isis-yang-isis-cfg for IS-IS supports the following:

          |  +--rw (authentication-type)?
          |  |  +--:(key-chain) {key-chain}?
          |  |  |  +--rw key-chain?            key-chain:key-chain-ref
          |  |  +--:(password)
          |  |     +--rw key?                string
          |  |     +--rw crypto-algorithm?   identityref


> 
> ** Section 9.  The text notes that ‘vpn-service’ is sensitive to write
> operations.  Wouldn’t ‘vpn-profiles’ be equally sensitive to alterations
> with similar consequences?  For example, altering an encryption-profile-
> identifier could change the algorithm chosen or the key.

[[Med]] We didn't because the profiles are defined with the following (see the common I-D):

"nacm:default-deny-write;"

And that we are saying the following under security considerations:

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

FWIW, RFC8341 defines the default-deny-write as follows: 

     extension default-deny-write {
       description
         "Used to indicate that the data model node
          represents a sensitive security system parameter.

          If present, the NETCONF server will only allow the designated
          'recovery session' to have write access to the node.  An
          explicit access control rule is required for all other users.

          If the NACM module is used, then it must be enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), or this extension
          is ignored.

          The 'default-deny-write' extension MAY appear within a data
          definition statement.  It is ignored otherwise.";
     }

> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Rifaat Shekh-Yusef for the SECDIR review.
> 
> To the authors: the explanatory text in Sections 4 and 7 made this large
> YANG model very accessible.  It's sometimes hard to find the right
> balance between the text narrative and letting the model speak for
> itself, but this document negotiated it well.

[[Med]] Thanks. 

> 
> ** Section 7.6.5.  Could we ever end up in a situation where
> security/enabled=True but the key-chain-ref pointed a key-chain who’s
> crypto-algorithm was cleartext?

[[Med]] Not sure to get the question. Are you referring to customer-key-chain under security?

                         |  +--rw encryption-profile
                         |     +--rw (profile)?
                         |        +--:(provider-profile)
                         |        |  +--rw profile-name?         leafref
                         |        +--:(customer-profile)
                         |           +--rw customer-key-chain?
                         |                   kc:key-chain-ref

> 
> ** Section 9.  In addition to sensitivity of customer-name and ip-
> connection to read operation, wouldn’t the corresponding topology
> information revealed by pretty much everything in vpn-service also be of
> concern?
> 

[[Med]] The ip-connection is more a concern as it include details about the CE, not the node topology (PEs) as these are shared between many customers.

> ** Section 9.  The text enumerating sensitive read operations provides
> no caution about protecting the various key material.  RFC8177 is cited
> later, but as noted in the DISCUSS, the suggested key wrap primitive is
> not usable with instances of “key” as the hex-key-string feature is not
> supported.

[[Med]] Do you have in mind a specific text we can add? Thanks. 

> 
> ** Typos:

[[Med]] Fixed all those. Thanks.

> 
> Section 7.5.  Typo. s/rendez-vous/rendezvous/
> 
> YANG.  A few places. s/adresss/addresses/
> 
> YANG.  Typo. s/oubtound/outbound/
> 
> 


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email