[secdir] Secdir last call review of draft-ietf-netmod-nmda-diff-09
Alexey Melnikov via Datatracker <noreply@ietf.org> Thu, 01 July 2021 12:58 UTC
From: Alexey Melnikov via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-netmod-nmda-diff.all@ietf.org, last-call@ietf.org, netmod@ietf.org
Reply-To: Alexey Melnikov <aamelnikov@fastmail.fm>
Date: Thu, 01 Jul 2021 05:58:22 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3qXpdpifYuDlt4_JWCiJeq7-zAQ>
Reviewer: Alexey Melnikov
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines an RPC operation to compare management datastores that comply with the NMDA architecture. The Security Considerations talks about a couple of issues specific to the new operation:

1) sensitivity of the new "compare" operation and how access control rights to access it should be restricted.

2) performance considerations of running "compare" and how it can lead to Denial-of-Service, if the number of requests allowed in any given time interval is not restricted.

I can't think of other security issues raised by this document that are missing from it.

Nits:

In Section 6:

> The same request in RESTCONF (using JSON format):
>
>   POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
>   Host: example.com
>   Content-Type: application/yang-data+json
>   Accept: application/yang-d

Please insert an empty line after the HTTP request header and before the following payload, or your example is not syntactically valid. Also, I don't see "application/yang-d" in the list of registered media types on <https://www.iana.org/assignments/media-types/media-types.xhtml>. Did I miss it?

>   { "ietf-nmda-compare:input" {
>       "source" : "ietf-datastores:operational",
>       "target" : "ietf-datastores:intended",
>       "report-origin" : null,
>       "xpath-filter" : "/ietf-interfaces:interfaces"
>     }
>   }
>
> The same response in RESTCONF (using JSON format):
>
>   HTTP/1.1 200 OK
>   Date: Thu, 26 Jan 2019 20:56:30 GMT
>   Server: example-server
>   Content-Type: application/yang-d

Similar to the above, you need an empty line inserted here.

>   { "ietf-nmda-compare:output" : {
>       "differences" : {
>         "ietf-yang-patch:yang-patch" : {
>           "patch-id" : "interface status",
>           "comment" : "diff between intended (source) and operational",
>           "edit" : [
>             {
>               "edit-id" : "1",
>               "operation" : "replace",
>               "target" : "/ietf-interfaces:interface=eth0/enabled",
>               "value" : {
>                 "ietf-interfaces:interface/enabled" : "false"
>               },
>               "source-value" : {
>                 "ietf-interfaces:interface/enabled" : "true",
>                 "@ietf-interfaces:interface/enabled" : {
>                   "ietf-origin:origin" : "ietf-origin:learned"
>                 }
>               }
>             },
>             {
>               "edit-id" : "2",
>               "operation" : "create",
>               "target" : "/ietf-interfaces:interface=eth0/description",
>               "value" : {
>                 "ietf-interface:interface/description" : "ip interface"
>               }
>             }
>           ]
>         }
>       }
>     }
>   }

Best Regards,
Alexey
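A small check, added here as an illustration and not part of the review or of the draft, that mechanically catches the two framing nits raised above on a constructed copy of the draft's RESTCONF example: it splits the message at the empty line, compares Content-Type/Accept against the YANG data media types registered by RFC 8040 (an assumed allow-list, not the IANA registry), and parses the JSON body.

```python
import json

# Registered YANG data media types (RFC 8040). A constructed allow-list for
# this check, not a copy of the IANA registry.
YANG_DATA_TYPES = {"application/yang-data+json", "application/yang-data+xml"}

# The request as quoted in the review, with no empty line after the headers
# (constructed from the draft's example; only two input leaves kept).
REQUEST_AS_QUOTED = """POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
Host: example.com
Content-Type: application/yang-data+json
Accept: application/yang-d
{ "ietf-nmda-compare:input" {
    "source" : "ietf-datastores:operational",
    "target" : "ietf-datastores:intended"
  }
}
"""

# The same example with the separator line the review asks for.
REQUEST_WITH_SEPARATOR = REQUEST_AS_QUOTED.replace("yang-d\n", "yang-d\n\n")

# A fully clean variant: a registered Accept type and well-formed JSON.
CLEAN_REQUEST = REQUEST_WITH_SEPARATOR.replace(
    "Accept: application/yang-d", "Accept: application/yang-data+json"
).replace('"ietf-nmda-compare:input" {', '"ietf-nmda-compare:input" : {')


def lint_restconf_message(raw: str) -> list:
    """Return problems found in a RESTCONF example: missing header/body
    separator, unregistered YANG media type, or a JSON body that does not parse."""
    problems = []
    if "\n\n" not in raw:
        problems.append("no empty line between the header block and the body")
        return problems  # headers and body cannot be told apart; stop here
    head, body = raw.split("\n\n", 1)
    for line in head.splitlines()[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() in ("content-type", "accept") and value not in YANG_DATA_TYPES:
            problems.append(f"{name}: {value!r} is not a registered YANG data media type")
    if body.strip():
        try:
            json.loads(body)
        except json.JSONDecodeError as exc:
            problems.append(f"body is not valid JSON: {exc.msg} (line {exc.lineno})")
    return problems
```

The same function applies unchanged to the response example, since the status line is skipped just like the request line.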