Re: [secdir] [netmod] Secdir last call review of draft-ietf-netmod-nmda-diff-09

Alexander L Clemm <ludwig@clemm.org> Fri, 06 August 2021 18:44 UTC

Return-Path: <ludwig@clemm.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F32B63A1019; Fri, 6 Aug 2021 11:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nsQTWkVZ0q8; Fri, 6 Aug 2021 11:43:56 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 579D93A102E; Fri, 6 Aug 2021 11:43:56 -0700 (PDT)
Received: from [172.16.0.44] ([73.189.160.186]) by mrelay.perfora.net (mreueus002 [74.208.5.2]) with ESMTPSA (Nemesis) id 0MbfKV-1mSNHp48cH-00J2ev; Fri, 06 Aug 2021 20:43:53 +0200
To: Alexey Melnikov <aamelnikov@fastmail.fm>, secdir@ietf.org
Cc: last-call@ietf.org, netmod@ietf.org, draft-ietf-netmod-nmda-diff.all@ietf.org
References: <162514430275.17979.13728329356212798526@ietfa.amsl.com>
From: Alexander L Clemm <ludwig@clemm.org>
Message-ID: <200d27c8-f73a-a1be-47c0-727c56b80a8b@clemm.org>
Date: Fri, 6 Aug 2021 11:43:51 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <162514430275.17979.13728329356212798526@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Provags-ID: V03:K1:5F2Qjcvk/wPKQBZMeKg9T5EKI91kO9niY6xUbj2bx8YBCyRd51K icDSwNZdPSLZGeuoJ3AkTixc7iqZ9UYBtIFqMUyvHu5T3aZC2v+1b32r5/opHIc7zxoSNF8 1W8AalAI4FKOqBzp5CC31Wxwnj186wkNxfC05BMdEUhsHU6t/otZGqBUZ7HWH3AsXSdH7lU 7IZby05ul2eUx4UA9hRlw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:t/R3L968WMw=:ei4ecjrDfRcFYI+zwTwrK+ U4134ZlG7pJMHYiFt2q3SalHldWqTImdxSepIZjGm8Ul4XfDLRhbI6AVixbl+Zgb4RB8h5fp8 7CVHkoVAijpt9aNR6vRWxmCKcwx4SCwWVMx7Qo4xZGeadr5D3BZ165oDkZNjzQhWNrPNmla2v 4KVbrcLNXsX4684RaIXSXI/95MI1/fQ/kpQe87fSOIZMtxOKJkuUQTYLyVUteFgWDZ+CTi5Uw 41v4wEdGaOMXNK9T3mm/hx/0WQzCMxx5zk0FB4uhfpE51rMBtXKfouHPEODTJWCWJKoOCk3Qw iTXkhF19zjQL2yYm7F51rWpluL2u1gHbZbx94waKnSQG5eIDV8OPk2CN3d8hSkYs/JkaXXsQX HR4CsHxH9v8vTO59ngwZ06Jy3FLxYB8c03liRR4zsp7j5SKhtSDjEba5/KvetnsJNgh67nOz9 f2xTuqzdjxHstWQEFBjCg5dEdgE9pD5eE2Jb2b1pSZ8ftjydbMvWZi74AQVuQE6oaXa2lQ2w8 30Y4GAQ0XnRIJ0q8+MhJ8JrSAJmQwdzlBS+uUJQhyUBp0GUu6fUhc24MHxkSLqbuheU9FfdED pO4UgZGQ9ARTSa6mYUHUUjDhl6hqb6lPcDfWaMzc1uKZYN7El/4raKkA2jNF5ZpXPCqdKWpJp ThWHQhTAoBzRFwKt9njGAy+aNTjwK1l3CATVqwFo9i3m53kzjCrAKv6wljzF6Mfr7qiHyDJyV mpOKWGVgFdtOW066Pkd/xZQoNS2NhFLLWJb6R5hmCstnbbhG9IixfKrKGpX+SFXYDkllU9EM1 UxB9g3a5tvAAF2BknL+qMHvqaZE40UxrqDbCZk80aVsvG+rr5UfzLkMb4YplQEBBupkRoxx
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-8cZVGuO4SG0i9Mqqh_zEs_Z0rU>
Subject: Re: [secdir] [netmod] Secdir last call review of draft-ietf-netmod-nmda-diff-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Aug 2021 18:44:11 -0000

Hi Alexey,

thank you for your review and pointing out the nits (empty lines after
HTTP headers), which are addressed in -12. 

Kind regards

--- Alex

On 7/1/2021 5:58 AM, Alexey Melnikov via Datatracker wrote:
> Reviewer: Alexey Melnikov
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This document defines an RPC operation to compare management
> datastores that comply with the NMDA architecture.
> The Security Considerations talks about a couple of issues specific to
> the new operation:
> 1) sensitivity of the new "compare" operation and how access control rights
> to access it should be restricted.
> 2) performance considerations of running "compare" and
> how it can lead to Denial-of-Service, if the number of requests allowed
> in any given time interval is not restricted.
> I can't think of other security issues raised by this document that are
> missing from it.
>
> Nits:
>
> In Section 6:
>
>>   The same request in RESTCONF (using JSON format):
>>
>>   POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
>>   Host: example.com
>>   Content-Type: application/yang-data+json
>>   Accept: application/yang-d
> Please insert an empty line after the HTTP request header and before the
> following payload, or your example is not syntactically valid.
>
> Also, I don't "application/yang-d" in the list of registered media types on
> <https://www.iana.org/assignments/media-types/media-types.xhtml>. Did I miss it?
>
>>   { "ietf-nmda-compare:input" {
>>      "source" : "ietf-datastores:operational",
>>      "target" : "ietf-datastores:intended",
>>      "report-origin" : null,
>>      "xpath-filter" : "/ietf-interfaces:interfaces"
>>      }
>>   }
>>
>>   The same response in RESTCONF (using JSON format):
>>
>>  HTTP/1.1 200 OK
>>  Date: Thu, 26 Jan 2019 20:56:30 GMT
>>  Server: example-server
>>  Content-Type: application/yang-d
> Similar to the above, you need an empty line inserted here.
>
>>  { "ietf-nmda-compare:output" : {
>>      "differences" : {
>>        "ietf-yang-patch:yang-patch" : {
>>          "patch-id" : "interface status",
>>          "comment" : "diff between intended (source) and operational",
>>          "edit" : [
>>            {
>>              "edit-id" : "1",
>>              "operation" : "replace",
>>              "target" : "/ietf-interfaces:interface=eth0/enabled",
>>              "value" : {
>>                 "ietf-interfaces:interface/enabled" : "false"
>>              },
>>              "source-value" : {
>>                 "ietf-interfaces:interface/enabled" : "true",
>>                 "@ietf-interfaces:interface/enabled" : {
>>                   "ietf-origin:origin" : "ietf-origin:learned"
>>                 }
>>               }
>>            },
>>            {
>>              "edit-id" : "2",
>>              "operation" : "create",
>>              "target" : "/ietf-interfaces:interface=eth0/description",
>>              "value" : {
>>                 "ietf-interface:interface/description" : "ip interface"
>>              }
>>            }
>>          ]
>>        }
>>      }
>>    }
>>  }
> Best Regards,
> Alexey
>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod