Re: [secdir] Review of draft-ietf-netmod-schema-mount-10
Shawn Emery <shawn.emery@gmail.com> Sat, 11 August 2018 05:48 UTC
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C78130FB2 for <secdir@ietfa.amsl.com>; Fri, 10 Aug 2018 22:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TO4LNz6VmDvI for <secdir@ietfa.amsl.com>; Fri, 10 Aug 2018 22:48:20 -0700 (PDT)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37ADF127332 for <secdir@ietf.org>; Fri, 10 Aug 2018 22:48:20 -0700 (PDT)
Received: by mail-lj1-x244.google.com with SMTP id v9-v6so8720360ljk.4 for <secdir@ietf.org>; Fri, 10 Aug 2018 22:48:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=sBff6m+4K10f4zhjxVfzyIMBOLqi396qGDdAgAPGXL8=; b=ILMmlbTG1RMxJvhYfdtp5t43Fmt/fKroZMpoJ2w1yfMIof71lP3e26Y6oiYsiaV4di 96Dpi47x81a4XtUF+XsKuv8kiqn11Gn4S7BkY8GPbG0hfvvq407wTtNol/ibKYk5oKhq CsdgRUf7ONEzr4O6R/n5/JFagor/WRBpgmK1IiwNI7P1CgC7HokLr50sw35f4X2OkWKQ lzCGL/VsmhTBlusfP1oaLTRX9gD3FYaLtXo5Y0XAG9j1TjqtjraQOCGIg8icp++cYvxg Op8nPu6oJ50RTSba4A5ag7HpCzyuSXHmXa5Fa3TXZAFOD7sjqcKUoShsfrnYO6n/MX+c YFKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=sBff6m+4K10f4zhjxVfzyIMBOLqi396qGDdAgAPGXL8=; b=U5K8av7n55c+X6MV1JFkQghilOXJRIn4MoSE4ScbneKjEZLdvlAoZnzn0ty2KXqe/F R3T+kDcPqBWjOskgH1KgpDCdDgIcDwGGyhAAVWpDvBGDJUIAyGvwFsoHDbrTyzK8qLR7 Y5c4I4NRPj5TpvJcDGb6n5Rem3v1vOnSEWg6zOAWlLZ3A+e09OpV4Ni1tDHmP2UZ8mWM uxINTLtCmKXmnwK3zRrZyhI0IYBq1cTOJp7GLcD0Auzt+2yHOI5BH9jSoSVVTpG8gStg u7CFPZorjPUXyNiXiGZ1nDd26OS9Qk0CfbCfYg4W1wG20rm7beF6g/vmLGcpjc2BRyH4 zrRQ==
X-Gm-Message-State: AOUpUlFlomrHyOeS+t36M/Sb9BOTW9Tu9BoeS/wmyTQRTpsGLcWOsi77 F8TFvWeIcSldqmyDUIX584OiNebfZfDOoB4l2MQ=
X-Google-Smtp-Source: AA+uWPx4m1O5Pp84iKJpSmJigke0n5KpBq/qxLmMfm3s2zK/pLGMQ+nY5fZfYuDpGBJYu5y2rZHiBCF4I0rfzFaaIW0=
X-Received: by 2002:a2e:498:: with SMTP id a24-v6mr6757235ljf.27.1533966498227; Fri, 10 Aug 2018 22:48:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:5012:0:0:0:0:0 with HTTP; Fri, 10 Aug 2018 22:48:17 -0700 (PDT)
In-Reply-To: <20180807.105640.1680662026219965166.mbj@tail-f.com>
References: <CAChzXmanxy0cn9i-E6FvnNmC2_gpir1qNd4jgPLAmDL7L8j-6A@mail.gmail.com> <87po0fgf4f.fsf@nic.cz> <20180807.105640.1680662026219965166.mbj@tail-f.com>
From: Shawn Emery <shawn.emery@gmail.com>
Date: Fri, 10 Aug 2018 23:48:17 -0600
Message-ID: <CAChzXmadH1j8V7qcU7rebZoeqkAUPOPzCExMJ=Vz-tDVvP=ycA@mail.gmail.com>
To: Martin Bjorklund <mbj@tail-f.com>
Cc: lhotka@nic.cz, secdir@ietf.org, draft-ietf-netmod-schema-mount.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="000000000000396b2b0573226845"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Lal0lAl7cfWGOgRi2m04a2YaSj8>
Subject: Re: [secdir] Review of draft-ietf-netmod-schema-mount-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Aug 2018 05:48:24 -0000
Hi Martin, Ah, that would explain the disjointed text. Thanks for the followup and the reference. I'm fine with the original text in this case, given the scope of work otherwise. Regards, Shawn. -- On Tue, Aug 7, 2018 at 2:56 AM, Martin Bjorklund <mbj@tail-f.com> wrote: > Hi Shawn, > > As mentioned, this text comes from the YANG security template > (https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines) that > has been approved by the security ADs. > > [This doesn't mean that the text can't be changed, but if it needs to > be changed, the template should be changed (after being approved by > the ADs).] > > But I brought this up in the WG, and a comment was made that *if* this > change is made, we also need to change not just this sentence, but > also the rest of the template; these are written as a list of data > nodes/subtrees and their corresponding sensitivity/vulnerability. So, > if the change is accepted, new drafts would need to be written as a > list of sensitivities/vulnerabilities with the data nodes and subtrees > to which they apply. > > So I suggest we keep the current text in this document. > > > /martin > > > > Ladislav Lhotka <lhotka@nic.cz> wrote: > > Hi Shawn, > > > > thank you for the review, please see my comment below. > > > > Shawn Emery <shawn.emery@gmail.com> writes: > > > > > Reviewer: Shawn M. Emery > > > Review result: Ready with nits > > > > > > I have reviewed this document as part of the security directorate's > > > ongoing effort to review all IETF documents being processed by the > IESG. > > > These comments were written primarily for the benefit of the security > > > area directors. Document editors and WG chairs should treat these > > > comments just like any other last call comments. > > > > > > This draft specifies a schema for YANG module mount points for yet > another > > > specified schema location. > > > > > > The security considerations section does exist and refers to transport > > > security > > > through SSH and HTTPS for NETCONF and RESTCONF, respectively. For > > > authorization, the spec refers to RFC 8341 for controlling NETCONF and > > > RESTCONF user access. Data that would be considered sensitive or > subject > > > to attack is briefly described and prescribes read access controls for > said > > > data. > > > I agree with the authors' assertions. > > > > > > General comments: > > > > > > None. > > > > > > Editorial comments: > > > > > > OLD: > > > > > > These are the subtrees and data nodes and their > sensitivity/vulnerability: > > > > > > NEW: > > > > > > The following should be considered for subtrees/data nodes and their > > > corresponding > > > > > > sensitivity/vulnerability: > > > > > > > The OLD formulation actually comes from RFC 6087, section 6.1 (Security > > Considerations Section Template). Your NEW formulation indeed looks > > better, so we will use it in the present draft, and I will also send it > > to the netmod mailing list in order to apply this change in > > draft-ietf-netmod-rfc6087bis. > > > > Thanks, Lada > > > > > > > > Shawn. > > > -- > > > > -- > > Ladislav Lhotka > > Head, CZ.NIC Labs > > PGP Key ID: 0xB8F92B08A9F76C67 > > >
- Re: [secdir] Review of draft-ietf-netmod-schema-m… Ladislav Lhotka
- [secdir] Review of draft-ietf-netmod-schema-mount… Shawn Emery
- Re: [secdir] Review of draft-ietf-netmod-schema-m… joel jaeggli
- Re: [secdir] Review of draft-ietf-netmod-schema-m… Martin Bjorklund
- Re: [secdir] Review of draft-ietf-netmod-schema-m… Shawn Emery
- Re: [secdir] Review of draft-ietf-netmod-schema-m… joel jaeggli