Re: [secdir] secdir review of draft-ietf-netmod-rfc8022bis

"Acee Lindem (acee)" <acee@cisco.com> Mon, 22 January 2018 20:06 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "draft-ietf-netmod-rfc8022bis.all@ietf.org" <draft-ietf-netmod-rfc8022bis.all@ietf.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: secdir review of draft-ietf-netmod-rfc8022bis
Thread-Index: AQHTk7NiLwnCM3+r8067/UkErtLxMKOAUGMAgAABM4A=
Date: Mon, 22 Jan 2018 20:06:29 +0000
Message-ID: <419C7C18-650C-4280-BE36-E2D5CC24A33B@cisco.com>
References: <D68B9F11.ADD98%carl@redhoundsoftware.com> <E3BEEA47-9D31-4D90-9458-606DE565A9FA@cisco.com>
In-Reply-To: <E3BEEA47-9D31-4D90-9458-606DE565A9FA@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OCdVOu9cOYv4A9_Oyo78UGBU09w>

Hi Carl,

Correction: /routing/ribs/rib is, in fact, the YANG list. /routing/ribs is a container for the list of RIBs. So, this is the proper terminology.

Thanks,
Acee

On 1/22/18, 3:02 PM, "Acee Lindem (acee)" <acee@cisco.com> wrote:

    Hi Carl, 
    
    Thanks for the review. 
    
    On 1/22/18, 2:01 PM, "Carl Wallace" <carl@redhoundsoftware.com> wrote:
    
        I have reviewed this document as part of the security directorate's
        ongoing effort to review all IETF documents being processed by the IESG.
        These comments were written primarily for the benefit of the security area
        directors. Document editors and WG chairs should treat these comments just
        like any other last call comments.
        
        I found no issues with the draft. The security considerations section
        references NETCONF and RESTCONF for network security, with SSH and TLS
        used. This seems fine but I wonder if some guidance on using these a la
        RFC6125 would be helpful for some. 
    
    The information on transport layer security is boilerplate: https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
    If this were to be added, it should be added here first. However, I’m not sure that text in this draft on how to use TLS with PKI is really necessary. This is more a consideration for TLS itself than its usage with NETCONF/RESTCONF.
    
    
        One question in the security
        considerations section. Twice "/routing/ribs/rib" is referred to as a list.
        Should this be "/routing/ribs"?
    
    Yes – this probably should be changed since the current node refers to a list element and not the list itself. I’ll update it. 
    
    Thanks,
    Acee