Re: [secdir] secdir review of draft-ietf-netconf-monitoring

[Martin Bjorklund <mbj@tail-f.com>]

Hi,

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> On Fri, Jun 11, 2010 at 10:00:43AM +0200, Alan DeKok wrote:
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> > 
> > The document defines a data model for netconf monitoring.  The security
> > considerations section says in part:
> > 
> >    Some of the readable data nodes in this YANG module may be
> >    considered sensitive or vulnerable in some network environments.
> >    It is thus important to control read access (e.g. via get,
> >    get-config or notification) to these data nodes.
> > 
> > What is unclear from the document is whether or not the data is secure
> > *after* access is gained.  i.e. is there a secure transport layer?
> > Should one be used?  If not, why?
> 
> NETCONF runs over SSH or TLS or TLS/BEEP or SOAP/HTTPS. In other
> words, all existing NETCONF transports are "secure". The revision of
> the NETCONF specification being worked on is going to make this
> hopefully clearer by calling the transport layer "secure transports".
> 
> There has been progress very recently on formulating a security
> considerations template for documents that contain NETCONF/YANG data
> models and I think it would be good if this document would indeed
> follow these guidelines.

Actually, this document follows the latest security considerations
template.

However, the template does not mention that NETCONF runs over a secure
transport.  Maybe the template (and this document) should be updated
to make this clear?


/martin