Re: [secdir] Review of draft-ietf-netmod-schema-mount-10
joel jaeggli <joelja@gmail.com> Sat, 11 August 2018 15:47 UTC
To: Shawn Emery <shawn.emery@gmail.com>, Martin Bjorklund <mbj@tail-f.com>
Cc: lhotka@nic.cz, secdir@ietf.org, draft-ietf-netmod-schema-mount.all@tools.ietf.org
References: <CAChzXmanxy0cn9i-E6FvnNmC2_gpir1qNd4jgPLAmDL7L8j-6A@mail.gmail.com> <87po0fgf4f.fsf@nic.cz> <20180807.105640.1680662026219965166.mbj@tail-f.com> <CAChzXmadH1j8V7qcU7rebZoeqkAUPOPzCExMJ=Vz-tDVvP=ycA@mail.gmail.com>
From: joel jaeggli <joelja@gmail.com>
Message-ID: <271413a7-d204-ad36-985b-5fbb7271dfed@gmail.com>
Date: Sat, 11 Aug 2018 08:47:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/637KGpHmo_OYiWhTmf3JMHTkKQs>

thanks
joel

On 8/10/18 10:48 PM, Shawn Emery wrote:
> Hi Martin,
>
> Ah, that would explain the disjointed text. Thanks for the followup
> and the reference. I'm fine with the original text in this case,
> given the scope of work otherwise.
>
> Regards,
>
> Shawn.
> --
> On Tue, Aug 7, 2018 at 2:56 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
>
>     Hi Shawn,
>
>     As mentioned, this text comes from the YANG security template
>     (https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines) that
>     has been approved by the security ADs.
>
>     [This doesn't mean that the text can't be changed, but if it needs to
>     be changed, the template should be changed (after being approved by
>     the ADs).]
>
>     But I brought this up in the WG, and a comment was made that *if* this
>     change is made, we also need to change not just this sentence, but
>     also the rest of the template; these are written as a list of data
>     nodes/subtrees and their corresponding sensitivity/vulnerability. So,
>     if the change is accepted, new drafts would need to be written as a
>     list of sensitivities/vulnerabilities with the data nodes and subtrees
>     to which they apply.
>
>     So I suggest we keep the current text in this document.
>
>
>     /martin
>
>
>
>     Ladislav Lhotka <lhotka@nic.cz> wrote:
>     > Hi Shawn,
>     >
>     > thank you for the review, please see my comment below.
>     >
>     > Shawn Emery <shawn.emery@gmail.com> writes:
>     >
>     > > Reviewer: Shawn M. Emery
>     > > Review result: Ready with nits
>     > >
>     > > I have reviewed this document as part of the security directorate's
>     > > ongoing effort to review all IETF documents being processed by the IESG.
>     > > These comments were written primarily for the benefit of the security
>     > > area directors. Document editors and WG chairs should treat these
>     > > comments just like any other last call comments.
>     > >
>     > > This draft specifies a schema for YANG module mount points for yet another
>     > > specified schema location.
>     > >
>     > > The security considerations section does exist and refers to transport
>     > > security
>     > > through SSH and HTTPS for NETCONF and RESTCONF, respectively. For
>     > > authorization, the spec refers to RFC 8341 for controlling NETCONF and
>     > > RESTCONF user access. Data that would be considered sensitive or subject
>     > > to attack is briefly described and prescribes read access controls for said
>     > > data.
>     > > I agree with the authors' assertions.
>     > >
>     > > General comments:
>     > >
>     > > None.
>     > >
>     > > Editorial comments:
>     > >
>     > > OLD:
>     > >
>     > > These are the subtrees and data nodes and their sensitivity/vulnerability:
>     > >
>     > > NEW:
>     > >
>     > > The following should be considered for subtrees/data nodes and their
>     > > corresponding
>     > >
>     > > sensitivity/vulnerability:
>     > >
>     >
>     > The OLD formulation actually comes from RFC 6087, section 6.1 (Security
>     > Considerations Section Template). Your NEW formulation indeed looks
>     > better, so we will use it in the present draft, and I will also send it
>     > to the netmod mailing list in order to apply this change in
>     > draft-ietf-netmod-rfc6087bis.
>     >
>     > Thanks, Lada
>     >
>     > >
>     > > Shawn.
>     > > --
>     >
>     > --
>     > Ladislav Lhotka
>     > Head, CZ.NIC Labs
>     > PGP Key ID: 0xB8F92B08A9F76C67