Re: [secdir] Review of draft-ietf-netmod-schema-mount-10

joel jaeggli <joelja@gmail.com> Sat, 11 August 2018 15:47 UTC

To: Shawn Emery <shawn.emery@gmail.com>, Martin Bjorklund <mbj@tail-f.com>
Cc: lhotka@nic.cz, secdir@ietf.org, draft-ietf-netmod-schema-mount.all@tools.ietf.org
References: <CAChzXmanxy0cn9i-E6FvnNmC2_gpir1qNd4jgPLAmDL7L8j-6A@mail.gmail.com> <87po0fgf4f.fsf@nic.cz> <20180807.105640.1680662026219965166.mbj@tail-f.com> <CAChzXmadH1j8V7qcU7rebZoeqkAUPOPzCExMJ=Vz-tDVvP=ycA@mail.gmail.com>
From: joel jaeggli <joelja@gmail.com>
Message-ID: <271413a7-d204-ad36-985b-5fbb7271dfed@gmail.com>
Date: Sat, 11 Aug 2018 08:47:00 -0700
In-Reply-To: <CAChzXmadH1j8V7qcU7rebZoeqkAUPOPzCExMJ=Vz-tDVvP=ycA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/637KGpHmo_OYiWhTmf3JMHTkKQs>
Subject: Re: [secdir] Review of draft-ietf-netmod-schema-mount-10
List-Id: Security Area Directorate <secdir.ietf.org>

thanks

joel


On 8/10/18 10:48 PM, Shawn Emery wrote:
> Hi Martin,
>
> Ah, that would explain the disjointed text.  Thanks for the followup
> and the reference.  I'm fine with the original text in this case,
> given the scope of work otherwise.
>
> Regards,
>
> Shawn.
> --
> On Tue, Aug 7, 2018 at 2:56 AM, Martin Bjorklund <mbj@tail-f.com
> <mailto:mbj@tail-f.com>> wrote:
>
>     Hi Shawn,
>
>     As mentioned, this text comes from the YANG security template
>     (https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
>     <https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines>) that
>     has been approved by the security ADs.
>
>     [This doesn't mean that the text can't be changed, but if it needs to
>     be changed, the template should be changed (after being approved by
>     the ADs).]
>
>     But I brought this up in the WG, and a comment was made that *if* this
>     change is made, we also need to change not just this sentence, but
>     also the rest of the template; these are written as a list of data
>     nodes/subtrees and their corresponding sensitivity/vulnerability. So,
>     if the change is accepted, new drafts would need to be written as a
>     list of sensitivities/vulnerabilities with the data nodes and subtrees
>     to which they apply.
>
>     So I suggest we keep the current text in this document.
>
>
>     /martin
>
>
>
>     Ladislav Lhotka <lhotka@nic.cz <mailto:lhotka@nic.cz>> wrote:
>     > Hi Shawn,
>     >
>     > thank you for the review, please see my comment below.
>     >
>     > Shawn Emery <shawn.emery@gmail.com <mailto:shawn.emery@gmail.com>> writes:
>     >
>     > > Reviewer: Shawn M. Emery
>     > > Review result: Ready with nits
>     > >
>     > > I have reviewed this document as part of the security directorate's
>     > > ongoing effort to review all IETF documents being processed by the IESG.
>     > > These comments were written primarily for the benefit of the security
>     > > area directors. Document editors and WG chairs should treat these
>     > > comments just like any other last call comments.
>     > >
>     > > This draft specifies a schema for YANG module mount points for yet another
>     > > specified schema location.
>     > >
>     > > The security considerations section does exist and refers to transport
>     > > security through SSH and HTTPS for NETCONF and RESTCONF, respectively.  For
>     > > authorization, the spec refers to RFC 8341 for controlling NETCONF and
>     > > RESTCONF user access.  Data that would be considered sensitive or subject
>     > > to attack is briefly described and prescribes read access controls for said
>     > > data.
>     > > I agree with the authors' assertions.
>     > >
>     > > General comments:
>     > >
>     > > None.
>     > >
>     > > Editorial comments:
>     > >
>     > > OLD:
>     > >
>     > > These are the subtrees and data nodes and their sensitivity/vulnerability:
>     > >
>     > > NEW:
>     > >
>     > > The following should be considered for subtrees/data nodes and their
>     > > corresponding sensitivity/vulnerability:
>     > >
>     >
>     > The OLD formulation actually comes from RFC 6087, section 6.1 (Security
>     > Considerations Section Template). Your NEW formulation indeed looks
>     > better, so we will use it in the present draft, and I will also send it
>     > to the netmod mailing list in order to apply this change in
>     > draft-ietf-netmod-rfc6087bis.
>     >
>     > Thanks, Lada
>     >
>     > >
>     > > Shawn.
>     > > --
>     >
>     > --
>     > Ladislav Lhotka
>     > Head, CZ.NIC Labs
>     > PGP Key ID: 0xB8F92B08A9F76C67
>     >
>
>