Re: [secdir] secdir review of draft-ietf-netmod-rfc8022bis

"Acee Lindem (acee)" <acee@cisco.com> Mon, 22 January 2018 20:02 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "draft-ietf-netmod-rfc8022bis.all@ietf.org" <draft-ietf-netmod-rfc8022bis.all@ietf.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Mon, 22 Jan 2018 20:02:11 +0000
Message-ID: <E3BEEA47-9D31-4D90-9458-606DE565A9FA@cisco.com>
References: <D68B9F11.ADD98%carl@redhoundsoftware.com>
In-Reply-To: <D68B9F11.ADD98%carl@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Rxaqv9jKEvcRoDgI1-vVkTxZbOI>

Hi Carl, 

Thanks for the review. 

On 1/22/18, 2:01 PM, "Carl Wallace" <carl@redhoundsoftware.com> wrote:

    I have reviewed this document as part of the security directorate's
    ongoing effort to review all IETF documents being processed by the IESG.
    These comments were written primarily for the benefit of the security area
    directors. Document editors and WG chairs should treat these comments just
    like any other last call comments.
    
    I found no issues with the draft. The security considerations section
    references NETCONF and RESTCONF for network security, with SSH and TLS
    used. This seems fine but I wonder if some guidance on using these a la
    RFC6125 would be helpful for some. 

The information on transport layer security is boilerplate: https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
If this were to be added, it should be added there first. However, I'm not sure guidance in this draft on how to use TLS with PKI is really necessary. This is more a consideration for TLS itself than for its usage with NETCONF/RESTCONF.


    One question in the security
    consideration section. Twice "/routing/ribs/rib" is referred to a list.
    Should this be "/routing/ribs"?

Yes – this probably should be changed since the current node refers to a list element and not the list itself. I’ll update it. 

Thanks,
Acee
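The RFC 6125 guidance Carl raises concerns how a TLS client (here a NETCONF or RESTCONF client) decides whether the server certificate it received actually belongs to the router it meant to reach. The following is an added example, not part of the thread or of any IETF draft: it implements the DNS-ID matching rules of RFC 6125 section 6.4.3 (case-insensitive label comparison, wildcard permitted only as the complete left-most label, never matching across a dot or a bare top-level domain) and applies them to a constructed list of dNSName SubjectAltName entries. The function names and the sample SAN list are assumptions made for the example.

```python
"""RFC 6125 DNS-ID reference-identifier matching (added example, not from the thread).

Assumed scenario: a NETCONF/RESTCONF client has completed the TLS handshake to a
router and extracted the dNSName SubjectAltName values from the server
certificate. It must now check whether any presented identifier matches the
reference identifier (the hostname the operator configured for the device).
"""
import ipaddress
from typing import Iterable, Optional


def _valid_label(label: str) -> bool:
    # DNS labels are 1..63 octets; an empty label means a malformed name ("a..b").
    return 0 < len(label) <= 63


def match_dns_id(reference: str, presented: str) -> bool:
    """Return True if one presented DNS-ID matches the reference identifier.

    Rules applied (RFC 6125 section 6.4.3):
      * comparison is case-insensitive and label by label (trailing dot ignored);
      * a literal IP address is never a valid DNS-ID reference identifier;
      * a wildcard '*' is accepted only as the entire left-most label;
      * the wildcard matches exactly one label, never a dot;
      * a wildcard needs at least two further labels, so '*.com' is rejected.
    """
    ref = reference.rstrip(".").lower()
    pres = presented.rstrip(".").lower()
    if not ref or not pres:
        return False
    try:
        ipaddress.ip_address(ref)
        return False  # IP addresses are matched as iPAddress SANs, not DNS-IDs
    except ValueError:
        pass
    ref_labels = ref.split(".")
    pres_labels = pres.split(".")
    if not all(_valid_label(l) for l in ref_labels + pres_labels):
        return False
    if "*" not in pres:
        return ref_labels == pres_labels
    # Wildcard case: '*' must be the whole first label and appear nowhere else.
    if pres_labels[0] != "*" or any("*" in l for l in pres_labels[1:]):
        return False
    if len(pres_labels) < 3 or len(ref_labels) != len(pres_labels):
        return False
    return ref_labels[1:] == pres_labels[1:]


def select_matching_san(reference: str, san_dns_ids: Iterable[str]) -> Optional[str]:
    """Return the first presented DNS-ID that matches, or None (connection should fail)."""
    for name in san_dns_ids:
        if match_dns_id(reference, name):
            return name
    return None


# Constructed SAN list standing in for what a router certificate might carry.
SAMPLE_SAN_DNS_IDS = ["*.example.net", "mgmt.example.net"]

if __name__ == "__main__":
    for host in ["rtr1.example.net", "RTR1.Example.Net.", "a.b.example.net", "rtr1.example.org"]:
        print(host, "->", select_matching_san(host, SAMPLE_SAN_DNS_IDS))
```

A client that skips this step (or only performs a substring comparison against the certificate's Common Name) accepts any certificate issued by a trusted CA regardless of which device it names, which is exactly the gap the RFC 6125 rules close.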