IETF Logo Mail Archive

Re: [secdir] Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]

"Kamran Raza (skraza)" <skraza@cisco.com> Tue, 10 March 2020 13:48 UTC

Return-Path: <skraza@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB5EE3A0F58; Tue, 10 Mar 2020 06:48:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=a4uabIQp; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=0KCYh1/v
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Acztv2yilbMF; Tue, 10 Mar 2020 06:48:09 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB17C3A0F53; Tue, 10 Mar 2020 06:48:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=32289; q=dns/txt; s=iport; t=1583848088; x=1585057688; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=lu7pCkvlTXx5f6IHtEGWGjWf7Yv963yu/ulMDwsmd24=; b=a4uabIQp/EyJeL2Q3ZlZa/Z2CVX53bt0DA9ZNQHaRZX94RKkge2LzY0x itNm1sf3u6rYt/nyH14SHdshOrhof286H6fcMeF1MhpebozDPzEZb6OR1 CDnNv3xVVVsby9CH9lUdT3f/A+zkg3U0pPKnHe9S9mfkvrEOeEBurpx3p I=;
IronPort-PHdr: 9a23:jDEAlx9FCyYrcP9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+/bR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVdWGE0TpJdbhbjcxG4JJU1o2t3w=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DFAACLmWde/5NdJa1lDgwBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBe4ElL1AFbFggBAsqCoQLg0UDim+CX4ljjjKCUgNUCQEBAQwBAS0CBAEBhEMCF4FvJDgTAgMBAQsBAQUBAQECAQUEbYVWDIVjAQEBAQMSER0BATcBDwIBCBEDAQIhBwMCAgIfERQJCAIEDgUigwQBgX1NAy4BniUCgTmIYnWBMoJ/AQEFhQwNC4IMCYE4jCwaggCBEScggk0+ghuCUBaCWzKCLJBshXKKD45RLEQKgjySMoQ4HYJKiCSETot+kEeJYIwog3wCBAIEBQIOAQEFgWkigVhwFWUBgkFQGA2BGo0DDQQSg1CEWYU/PXQCgSeMRwGBDwEB
X-IronPort-AV: E=Sophos;i="5.70,537,1574121600"; d="scan'208,217";a="445125474"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Mar 2020 13:48:07 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id 02ADm3Yh005808 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 10 Mar 2020 13:48:06 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 10 Mar 2020 08:48:04 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 10 Mar 2020 09:48:02 -0400
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 10 Mar 2020 08:48:02 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BqzgbkR0Lq0fMu8KWM2S92YxMGAhzdMhEdv+Bz8evR8/HKftIJvVq3yd0OswUtu4AQbsOaZB8rJ8qRAKMGCJ/8DWu4nlldxQkxQNyGHcBdieqOIGxRSIj0NwDZORPPKuE+PU+OXUIHJ5ab2x/mIAFjFVIItnqPSHhbhx82VQ8bsCJbyQdR3/wX4b3lANvXen1V6z9oYwebrzfs2jzxdFtCWmcE40C6/aah3r8yVbEesb0Y8dQy8rJ5rdPAAqtbyWWbZv9x6hSaniy3N+SYhKAhkeZpPA0QjNc2MvOQ8Lq2nuOk0+lxkWKi2afuBOpUi1OU3M57JcVvRwPvjOOJhV/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=lu7pCkvlTXx5f6IHtEGWGjWf7Yv963yu/ulMDwsmd24=; b=n1vgGQ7IXivr5tobC+OUkPxx5ksnzgf4eDwQ3X9D2V/tzwYsyssa8kNHMiOgurGhYc0H/jL3oTr1fhvYUX7LKirLFnxJHIVLsUQJCQxNtd2fpW429F8Dwn/5FKcP8c/jUpJ6ud1D8U+BLa4w5yVAN9dF7YzdLxPvGk1cW/FNkdmLK+dV6+mnIvuluG6jipNfSOcAlnzAjadl8+7BEehDNnQdluKTURnZgutq+wPtCL67tEK0D14YMnXHQUhl4BJ8eZGNic5OcjFyurYCiFQe8IOQbrizoOUiwF1LGqjPj85Fd6VfzVr4/Mh75iVZKNsmXE2ZUegtHT+SbIqmPHvPbA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lu7pCkvlTXx5f6IHtEGWGjWf7Yv963yu/ulMDwsmd24=; b=0KCYh1/vwasj4Cnvn9u0pvH7A8mGd6549cVgc0H8rOMokspZ7qyrbRnTftIz0CB9Cbg0+jy/Hr6Zsc8U0uSNWhG3hOGEcOmZEm2kimxDjz5Bs1d0bnhLZtiLxkhpLrG3imDlGzLNFbLykgtd7cJEnkXoGnUo6Jr3XhxQ0nGVm3U=
Received: from BL0PR11MB3412.namprd11.prod.outlook.com (2603:10b6:208:7c::32) by BL0PR11MB3410.namprd11.prod.outlook.com (2603:10b6:208:33::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.17; Tue, 10 Mar 2020 13:48:01 +0000
Received: from BL0PR11MB3412.namprd11.prod.outlook.com ([fe80::b955:b5f0:af03:ee30]) by BL0PR11MB3412.namprd11.prod.outlook.com ([fe80::b955:b5f0:af03:ee30%3]) with mapi id 15.20.2793.018; Tue, 10 Mar 2020 13:48:01 +0000
From: "Kamran Raza (skraza)" <skraza@cisco.com>
To: "Shawn M. Emery" <semery@uccs.edu>
CC: secdir <secdir@ietf.org>, "draft-ietf-mpls-ldp-yang.all@ietf.org" <draft-ietf-mpls-ldp-yang.all@ietf.org>
Thread-Topic: Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]
Thread-Index: AQHV7e9JI5sjC6LP2EGHwHk11d+oLqgyyzYAgA7a4wA=
Date: Tue, 10 Mar 2020 13:48:01 +0000
Message-ID: <3791FB89-740C-44AA-A7B2-8DF07155E19C@cisco.com>
References: <F628A40F-73B3-40C5-A50B-CBC1E8D612F8@cisco.com> <CAChzXmZO+tV9tD43Ku32GYT6JRzq3Q11onsT3c43bK0o9v6nvQ@mail.gmail.com>
In-Reply-To: <CAChzXmZO+tV9tD43Ku32GYT6JRzq3Q11onsT3c43bK0o9v6nvQ@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=skraza@cisco.com;
x-originating-ip: [173.38.117.91]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dfc47c99-614c-45ae-5bc4-08d7c4f9a69a
x-ms-traffictypediagnostic: BL0PR11MB3410:
x-microsoft-antispam-prvs: <BL0PR11MB341039B0692CDD1D6BA7F5EED0FF0@BL0PR11MB3410.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 033857D0BD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(396003)(376002)(346002)(39860400002)(136003)(199004)(189003)(6916009)(8936002)(64756008)(316002)(66446008)(296002)(54906003)(186003)(2906002)(2616005)(6486002)(26005)(66476007)(66556008)(76116006)(81166006)(81156014)(8676002)(71200400001)(66946007)(86362001)(478600001)(5660300002)(33656002)(6512007)(53546011)(4326008)(15650500001)(36756003)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR11MB3410; H:BL0PR11MB3412.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Fsb0pvQ8X27GGN1eu481XEeNvyOrHShxp+5DPDnTNWUhnCzN4Vi+NfH9gDfTugO5rL1M24wSYUCR7lBHFeROCxK+YVwIkUrBWQZ8ctVgWwAGCBbGQhUu1ZCjVN6PIhTivxT+Sfkvohq+wVhUpUQejBYFtPKD1v9ED60X4ryXgfo8eK2tq/psD4VEzaPIv8z7Wh2VgfpToNrX9Hkv7VKaH1eKwMGy7IpCDRErGKJMB3sxSgjQcYrsaJELPB7fOfvqzYk1tsLflwPnohoWdaip7O8aszdGovW/NMiJlujz/i1h5/Dqv68V4MNqYw3URoLjInk+mgxBjhKMpw3Rg6GMXYpkq2TzKGrtdt+ChDB211xEzLGbSRhdcbjZAfIpgjqak2CXJNsIvNL0A6L92igeT6XTt7BbLQK2KcitMx1QDIPtkwsf1JHfGq5hPFo11MhE
x-ms-exchange-antispam-messagedata: 2TOT7o59Q2Ik/SjA6pyg4ed0EpXyLqP0VnBbMYr95KVB7yVtO0LnjLhiAyRbbiXZvvuJumsIaw1Pc7AIwvElRQDe83SsqdZK7A++0n/5g87a9RYos9MZZTJn62zBw5jPPGMGGr4JNrzgBoTZ5mcOow==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_3791FB89740C44AAA7B28DF07155E19Cciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: dfc47c99-614c-45ae-5bc4-08d7c4f9a69a
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2020 13:48:01.5290 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: K1NmYvnz9txkazAz8Mdi/cvF2rQTEfZvewsOtKQfC4Ri8FawidJzpdkfBXRszmw/Fq3pWt56fb157/ZcQLlRyw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3410
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Ps-a-PbkUiBqL9L7t3PEhmxGkK8>
Subject: Re: [secdir] Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 13:48:12 -0000

Hi Shawn,

Thanks for your comments. Please see inline [skraza2]

From: "Shawn M. Emery" <semery@uccs.edu>
Date: Saturday, February 29, 2020 at 5:57 PM
To: "Kamran Raza (skraza)" <skraza@cisco.com>
Cc: secdir <secdir@ietf.org>, "draft-ietf-mpls-ldp-yang.all@ietf.org" <draft-ietf-mpls-ldp-yang.all@ietf.org>
Subject: Re: Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]

Thank you for the major update, the Security Consideration section looks much better.  Here are my comments with rev 08:

1. In section 10.1.2, it states that LDP peer authentication can be augmented via a key generated with an algorithm such as MD5.  I know it may be out of scope from this document, but why is MD5 given as an example rather than scrypt or is the assumption that the keys are based on high entropy?
[skraza2]: MD5 is specified as the authentication mechanism in base LDP spec RFC 5036 and hence special mention here. Infact, in prev revision, we were only covering md5 and changed the model to make it more generic to cover other types, including MD5.

2. In section 10.1.3, it states:
These are the operations and their sensitivity/vulnerability:
...

but the vulnerabilities were listed before this statement.  Should reorder.

[skraza2]: Rephrased. Will be part of rev -09 update.

Regards,

Shawn.
--

On Thu, Feb 27, 2020 at 11:26 PM Kamran Raza (skraza) <skraza@cisco.com<mailto:skraza@cisco.com>> wrote:
Thanks for your review and comments.

We have just posted a new rev -08 that takes care of your comments and comments from other IESG reviewers.
On behalf of authors, please see inline [skraza]:

From: "Shawn M. Emery" <semery@uccs.edu<mailto:semery@uccs.edu>>
Date: Monday, November 25, 2019 at 5:34 PM
To: secdir <secdir@ietf.org<mailto:secdir@ietf.org>>, "draft-ietf-mpls-ldp-yang.all@ietf.org<mailto:draft-ietf-mpls-ldp-yang.all@ietf.org>" <draft-ietf-mpls-ldp-yang.all@ietf.org<mailto:draft-ietf-mpls-ldp-yang.all@ietf.org>>
Cc: Shawn Emery <shawn.emery@gmail.com<mailto:shawn.emery@gmail.com>>
Subject: Review of draft-ietf-mpls-ldp-yang-07
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: <skraza@cisco.com<mailto:skraza@cisco.com>>, <rajiva@cisco.com<mailto:rajiva@cisco.com>>, <xufeng.liu.ietf@gmail.com<mailto:xufeng.liu.ietf@gmail.com>>, <sesale@juniper.net<mailto:sesale@juniper.net>>, <jescia.chenxia@huawei.com<mailto:jescia.chenxia@huawei.com>>, <hshah@ciena.com<mailto:hshah@ciena.com>>, <mach.chen@huawei.com<mailto:mach.chen@huawei.com>>, <tsaad.net@gmail.com<mailto:tsaad.net@gmail.com>>, <n.leymann@telekom.de<mailto:n.leymann@telekom.de>>, <loa@pi.nu<mailto:loa@pi.nu>>, <martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>>, <db3546@att.com<mailto:db3546@att.com>>, <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>, Nicolai Leymann <n.leymann@telekom.de<mailto:n.leymann@telekom.de>>, Tarek Saad <tsaad.net@gmail.com<mailto:tsaad.net@gmail.com>>
Resent-Date: Monday, November 25, 2019 at 5:33 PM

Reviewer: Shawn M. Emery
Review result: Ready with nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies a YANG model for the Multi-Protocol Label
Switching (MPLS) Label Distribution Protocol (LDP).  Network
Configuration Protocol (NETCONF) and RESTCONF is used
to mange network devices based on this model.

The security considerations section does exist and for security
and privacy concerns, discusses that the MTI for NETCONF is
SSH and TLS for RESTCONF.  For authorization, NETCONF
and RESTCONF uses the Network Configuration Access Control
Model (NACM).

The section goes on to state that some data nodes
and RPC operations in the YANG module are considered sensitive
to various operations, but does not give guidance on which nodes
or subtrees that would be affected.  In the past, module specifications
that I've reviewed have outlined each of these relevant items.

[skraza]: Enhanced this section significantly and have added the relevant items to this section. See draft rev -08.

The section finishes with the statement that the security
properties of the base specifications, LDP, LDP IPv6, etc., also applies
to this draft.  I agree with the above assertions.

General comments:

None.

Editorial comments:
[skraza]: Fixed all the listed.

s/into following/into the following/
s/means and be read/should be read/
s/family"/family"./
s/VPN Forwarding and Routing/VPN Routing and Forwarding/
s/provides a mean/provides a means/
s/Neibgbor/Neighbor/
s/pereference/preference/
s/creatable\/ deletable/creatable\/deletable/

RESTCONF should be expanded on first ocurence.
[skraza]: I could not find the expansion – even in the RESTCONF RFC 8040 .

Shawn.
--

v2.23.0 | Report a Bug | By Email