Re: [secdir] [netmod] Secdir last call review of draft-ietf-netmod-nmda-diff-09
Alexander L Clemm <ludwig@clemm.org> Fri, 06 August 2021 18:44 UTC
To: Alexey Melnikov <aamelnikov@fastmail.fm>, secdir@ietf.org
Cc: last-call@ietf.org, netmod@ietf.org, draft-ietf-netmod-nmda-diff.all@ietf.org
Hi Alexey,

thank you for your review and pointing out the nits (empty lines after HTTP headers), which are addressed in -12.

Kind regards
--- Alex

On 7/1/2021 5:58 AM, Alexey Melnikov via Datatracker wrote:
> Reviewer: Alexey Melnikov
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This document defines an RPC operation to compare management
> datastores that comply with the NMDA architecture.
> The Security Considerations talks about a couple of issues specific to
> the new operation:
> 1) sensitivity of the new "compare" operation and how access control rights
> to access it should be restricted.
> 2) performance considerations of running "compare" and
> how it can lead to Denial-of-Service, if the number of requests allowed
> in any given time interval is not restricted.
> I can't think of other security issues raised by this document that are
> missing from it.
>
> Nits:
>
> In Section 6:
>
>> The same request in RESTCONF (using JSON format):
>>
>> POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
>> Host: example.com
>> Content-Type: application/yang-data+json
>> Accept: application/yang-d
> Please insert an empty line after the HTTP request header and before the
> following payload, or your example is not syntactically valid.
>
> Also, I don't see "application/yang-d" in the list of registered media types on
> <https://www.iana.org/assignments/media-types/media-types.xhtml>. Did I miss it?
>
>> { "ietf-nmda-compare:input" {
>>     "source" : "ietf-datastores:operational",
>>     "target" : "ietf-datastores:intended",
>>     "report-origin" : null,
>>     "xpath-filter" : "/ietf-interfaces:interfaces"
>>   }
>> }
>>
>> The same response in RESTCONF (using JSON format):
>>
>> HTTP/1.1 200 OK
>> Date: Thu, 26 Jan 2019 20:56:30 GMT
>> Server: example-server
>> Content-Type: application/yang-d
> Similar to the above, you need an empty line inserted here.
>
>> { "ietf-nmda-compare:output" : {
>>     "differences" : {
>>       "ietf-yang-patch:yang-patch" : {
>>         "patch-id" : "interface status",
>>         "comment" : "diff between intended (source) and operational",
>>         "edit" : [
>>           {
>>             "edit-id" : "1",
>>             "operation" : "replace",
>>             "target" : "/ietf-interfaces:interface=eth0/enabled",
>>             "value" : {
>>               "ietf-interfaces:interface/enabled" : "false"
>>             },
>>             "source-value" : {
>>               "ietf-interfaces:interface/enabled" : "true",
>>               "@ietf-interfaces:interface/enabled" : {
>>                 "ietf-origin:origin" : "ietf-origin:learned"
>>               }
>>             }
>>           },
>>           {
>>             "edit-id" : "2",
>>             "operation" : "create",
>>             "target" : "/ietf-interfaces:interface=eth0/description",
>>             "value" : {
>>               "ietf-interface:interface/description" : "ip interface"
>>             }
>>           }
>>         ]
>>       }
>>     }
>>   }
>> }
> Best Regards,
> Alexey
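The review above names two controls a compare operation should sit behind: access control on the operation itself, and a bound on how many compares a caller may trigger in a time window. The following is an added example, written for this thread and not code from the draft or from any NMDA implementation, that puts both checks in front of a toy datastore diff producing yang-patch-style edits. The datastores, the user table, the `RateLimiter`, `CompareError`, `diff_datastores` and `compare` names, and the limits are all constructed for illustration; the prefix match on `xpath-filter` stands in for real XPath evaluation.

```python
"""Toy NMDA-style "compare" handler with the two safeguards the review names:
access control on the operation and a per-user request limit.
Added example; datastores, users and limits below are constructed."""
from __future__ import annotations

import time
from typing import Callable

# Constructed sample datastores, flattened to "path -> value" so the diff is a
# plain dictionary comparison (a real server would walk YANG data trees).
INTENDED = {
    "/ietf-interfaces:interfaces/interface=eth0/enabled": "false",
    "/ietf-interfaces:interfaces/interface=eth0/description": "ip interface",
    "/ietf-interfaces:interfaces/interface=eth0/type": "iana-if-type:ethernetCsmacd",
}
OPERATIONAL = {
    "/ietf-interfaces:interfaces/interface=eth0/enabled": "true",
    "/ietf-interfaces:interfaces/interface=eth0/type": "iana-if-type:ethernetCsmacd",
    "/ietf-interfaces:interfaces/interface=eth0/oper-status": "up",
}
DATASTORES = {
    "ietf-datastores:intended": INTENDED,
    "ietf-datastores:operational": OPERATIONAL,
}

# Hypothetical access-control table: only these users may invoke compare.
COMPARE_ALLOWED_USERS = frozenset({"admin"})


class CompareError(Exception):
    """Raised when a compare request is refused or malformed."""


class RateLimiter:
    """Fixed-window limiter: at most `limit` calls per `window` seconds per user."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._calls: dict[str, list[float]] = {}

    def allow(self, user: str) -> bool:
        now = self.clock()
        # Keep only the timestamps that still fall inside the window.
        recent = [t for t in self._calls.get(user, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._calls[user] = recent
            return False
        recent.append(now)
        self._calls[user] = recent
        return True


def diff_datastores(source: dict[str, str], target: dict[str, str],
                    xpath_filter: str = "/") -> list[dict]:
    """Return yang-patch-style edits that would turn `source` into `target`,
    limited to paths under `xpath_filter` (a prefix match stands in for XPath)."""
    edits: list[dict] = []
    paths = sorted(p for p in set(source) | set(target) if p.startswith(xpath_filter))
    for path in paths:
        if path in source and path in target:
            if source[path] != target[path]:
                edits.append({"operation": "replace", "target": path,
                              "value": target[path], "source-value": source[path]})
        elif path in target:
            edits.append({"operation": "create", "target": path, "value": target[path]})
        else:
            edits.append({"operation": "delete", "target": path, "source-value": source[path]})
    for n, edit in enumerate(edits, start=1):
        edit["edit-id"] = str(n)
    return edits


def compare(user: str, request: dict, limiter: RateLimiter,
            allowed_users: frozenset[str] = COMPARE_ALLOWED_USERS) -> dict:
    """Handle one compare request: authorise, rate-limit, then diff."""
    if user not in allowed_users:      # check 1: may this caller compare at all?
        raise CompareError("access denied: compare not permitted for this user")
    if not limiter.allow(user):        # check 2: bound the work one caller can trigger
        raise CompareError("too many compare requests; retry later")
    params = request["ietf-nmda-compare:input"]
    try:
        source = DATASTORES[params["source"]]
        target = DATASTORES[params["target"]]
    except KeyError as exc:
        raise CompareError(f"unknown datastore {exc}") from None
    edits = diff_datastores(source, target, params.get("xpath-filter", "/"))
    return {"ietf-nmda-compare:output": {"differences": {"ietf-yang-patch:yang-patch": {
        "patch-id": "compare",
        "comment": f"diff between {params['source']} (source) and {params['target']}",
        "edit": edits,
    }}}}


if __name__ == "__main__":
    import json
    req = {"ietf-nmda-compare:input": {"source": "ietf-datastores:operational",
                                       "target": "ietf-datastores:intended",
                                       "xpath-filter": "/ietf-interfaces:interfaces"}}
    print(json.dumps(compare("admin", req, RateLimiter(limit=5, window=60.0)), indent=2))
```

Both refusals happen before any datastore is read, which is the point of the ordering: an unauthorised or over-quota caller never causes the server to do the expensive part. The limiter takes an injectable clock so the window behaviour can be tested without sleeping.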