Re: [secdir] Secdir last call review of draft-ietf-opsawg-tacacs-yang-03

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 11 May 2020 11:12 UTC

Date: Mon, 11 May 2020 14:12:36 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "Wubo (lana)" <lana.wubo@huawei.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs-yang.all@ietf.org" <draft-ietf-opsawg-tacacs-yang.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Message-ID: <C7104CC1-DB88-47D2-9EAC-EF4BF5D0D3CE@gmail.com>
Thread-Topic: Secdir last call review of draft-ietf-opsawg-tacacs-yang-03
References: <b4d8a3edbdf14560996c9395880bffc3@huawei.com>
In-Reply-To: <b4d8a3edbdf14560996c9395880bffc3@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MUuhpLzRJ-XGj8yYB50d1EawJdQ>

Hi Bo,

Thank you for your quick response. I am OK with the clarifications and the additional text.

Best,
	Yaron

On 5/11/20, 06:01, "Wubo (lana)" <lana.wubo@huawei.com> wrote:

    Hi Yaron,

    Thanks for the review. Please see inline.

    Regards,
    Bo

    -----Original Message-----
    From: Yaron Sheffer via Datatracker [mailto:noreply@ietf.org]
    Sent: 9 May 2020 1:08
    To: secdir@ietf.org
    Cc: opsawg@ietf.org; draft-ietf-opsawg-tacacs-yang.all@ietf.org; last-call@ietf.org
    Subject: Secdir last call review of draft-ietf-opsawg-tacacs-yang-03

    Reviewer: Yaron Sheffer
    Review result: Has Nits

    This document defines a YANG module for the configuration of TACACS+ clients.

    The document is short and straightforward, and I only have one significant comment.

    * I am not familiar with common security practices for the devices covered by this protocol. But I am wondering, should the "shared-secret" field be made optional, so that it can be entered "out of band" in applications that prefer not to keep it stored in the YANG configuration store and available to network management tools?
    [Bo] The "shared-secret" node is indeed sensitive. But there are two main reasons for defining it as mandatory. 1) The TACACS+ protocol requires that the secret be configured.
    2) A YANG model can use NACM (RFC 8341) to ensure node security. The "shared-secret" node carries the security tag "nacm:default-deny-all", which restricts access to only initial device access and some recovery sessions.

    Additionally, the definition follows the current System model (RFC 7317), as the TACACS+ model is an augmentation of the System model. The definition of the "shared-secret" in the RADIUS authentication part of the System model is mandatory, and the YANG extension "nacm:default-deny-all" is used to protect it.

    Perhaps some additional text could help:
    /system/tacacsplus/server/shared-secret:  Access to this node is considered sensitive and therefore has been restricted using the "default-deny-all" access control defined in [RFC8341].


    * Not a security comment: the YANG module includes a reference to draft-ietf-opsawg-tacacs-18, but I assume that you'll want to replace it with the RFC number for that draft once it is published. Yet I don't see an RFC Editor note mentioning that.
    [Bo] OK, will add in the next revision.

    * It is confusing that "messages-received" is for messages received by the server, and "errors-received" is for errors received *from* the server.
    [Bo] Thanks, will correct it to "from" the server for consistency.
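
The NACM behaviour Bo relies on above, as an added, runnable illustration that is not part of the draft, the thread, or any implementation: RFC 8341 section 3.4 says a data node tagged "nacm:default-deny-all" is denied to everyone except a recovery session unless an explicit rule permits it, while an untagged node falls back to the global read-default (permit) or write-default (deny). The node paths (/system/tacacsplus/server/shared-secret from the text proposed for the draft, /system/radius/server/udp/shared-secret from RFC 7317), the group names, and the rule-lists are constructed for the example. Rule matching is simplified to path-prefix matching; a real server evaluates the rule's module-name and XPath/instance-identifier, so this is a model of the decision order, not a reusable NACM engine.

```python
"""Simplified NACM (RFC 8341) data-node access decision.

Added example, not from the draft or the mailing-list thread. Node paths,
groups and rule-lists below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: which data nodes carry which NACM extension statements.
NODE_TAGS = {
    "/system/tacacsplus/server/shared-secret": {"default-deny-all"},   # as proposed in the thread
    "/system/radius/server/udp/shared-secret": {"default-deny-all"},   # RFC 7317 precedent cited by Bo
}

# Global defaults of ietf-netconf-acm (read-default, write-default, exec-default).
GLOBAL_DEFAULTS = {"read": "permit", "create": "deny", "update": "deny",
                   "delete": "deny", "exec": "permit"}
WRITE_OPS = {"create", "update", "delete"}


@dataclass
class Rule:
    path: str           # data node the rule covers, including its descendants (simplified)
    access_ops: set     # subset of {"read","create","update","delete","exec"}, or {"*"}
    action: str         # "permit" or "deny"


@dataclass
class RuleList:
    groups: set                              # user groups the rule-list applies to; "*" = all
    rules: list = field(default_factory=list)


def _path_matches(rule_path, node_path):
    """True if node_path is rule_path or a descendant of it (segment-wise prefix)."""
    rp = rule_path.rstrip("/").split("/")
    np = node_path.rstrip("/").split("/")
    return np[:len(rp)] == rp


def _effective_tags(node_path):
    """Union of tags on the node and all of its ancestors (RFC 8341 checks ancestors too)."""
    tags = set()
    for path, t in NODE_TAGS.items():
        if _path_matches(path, node_path):
            tags |= t
    return tags


def check_access(user_groups, operation, node_path, rule_lists,
                 *, enable_nacm=True, recovery_session=False):
    """Return "permit" or "deny" following the order of RFC 8341 section 3.4.4."""
    # Recovery sessions and a disabled NACM bypass all enforcement.
    if recovery_session or not enable_nacm:
        return "permit"
    # First matching rule in the first applicable rule-list decides.
    for rl in rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:
            if ("*" in rule.access_ops or operation in rule.access_ops) \
                    and _path_matches(rule.path, node_path):
                return rule.action
    # No rule matched: the node's extension tags are consulted before the global defaults.
    tags = _effective_tags(node_path)
    if "default-deny-all" in tags:
        return "deny"
    if "default-deny-write" in tags and operation in WRITE_OPS:
        return "deny"
    return GLOBAL_DEFAULTS[operation]


# Constructed policy: "admin" may read the TACACS+ client config; "operator" has no rules.
RULE_LISTS = [
    RuleList(groups={"admin"}, rules=[Rule("/system/tacacsplus", {"read"}, "permit")]),
]


def demo():
    secret = "/system/tacacsplus/server/shared-secret"
    name = "/system/tacacsplus/server/name"
    return {
        "operator_read_secret": check_access({"operator"}, "read", secret, RULE_LISTS),
        "operator_read_name": check_access({"operator"}, "read", name, RULE_LISTS),
        "operator_update_name": check_access({"operator"}, "update", name, RULE_LISTS),
        "admin_read_secret": check_access({"admin"}, "read", secret, RULE_LISTS),
        "recovery_read_secret": check_access({"operator"}, "read", secret, RULE_LISTS,
                                             recovery_session=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the thread makes shows up in the first two cases: the operator can read the server's name leaf through the global read-default, but the tagged shared-secret leaf is denied even though no rule mentions it. Making the leaf mandatory therefore does not by itself expose the secret to management tools; what exposes it is a rule-list that grants read access to the containing subtree, as the "admin" rule does here, which is the thing to audit on a real device.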