Re: [secdir] secdir review of draft-ietf-netconf-monitoring

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 11 June 2010 08:55 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 921EE3A69D6; Fri, 11 Jun 2010 01:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.381
X-Spam-Level:
X-Spam-Status: No, score=0.381 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbOBkzfv7SZz; Fri, 11 Jun 2010 01:55:08 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 4B74C3A68F8; Fri, 11 Jun 2010 01:55:08 -0700 (PDT)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 672A7C001E; Fri, 11 Jun 2010 10:55:10 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 5TjdbO0TUae6; Fri, 11 Jun 2010 10:55:09 +0200 (CEST)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 33F62C0016; Fri, 11 Jun 2010 10:55:09 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 7E0F612F9B4B; Fri, 11 Jun 2010 10:55:06 +0200 (CEST)
Date: Fri, 11 Jun 2010 10:55:06 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Martin Bjorklund <mbj@tail-f.com>
Message-ID: <20100611085506.GE5257@elstar.local>
Mail-Followup-To: Martin Bjorklund <mbj@tail-f.com>, "aland@deployingradius.com" <aland@deployingradius.com>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-netconf-monitoring@tools.ietf.org" <draft-ietf-netconf-monitoring@tools.ietf.org>, Bert Wijnen <bertietf@bwijnen.net>
References: <4C11ED2B.1070707@deployingradius.com> <20100611080956.GA5257@elstar.local> <20100611.101949.192441308.mbj@tail-f.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100611.101949.192441308.mbj@tail-f.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "draft-ietf-netconf-monitoring@tools.ietf.org" <draft-ietf-netconf-monitoring@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Bert Wijnen <bertietf@bwijnen.net>
Subject: Re: [secdir] secdir review of draft-ietf-netconf-monitoring
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 08:55:10 -0000

On Fri, Jun 11, 2010 at 10:19:49AM +0200, Martin Bjorklund wrote:
 
> Actually, this document follows the latest security considerations
> template.

I guess I have to dig out the latest guidelines now... OK, I stand
corrected - the template is indeed pretty short for a read-only
module.
 
> However, the template does not mention that NETCONF runs over a secure
> transport.  Maybe the template (and this document) should be updated
> to make this clear?

Yes, it seems some introductionary text in the security considerations
about NETCONF might be useful, especially since not all people are
familiar with NETCONF yet. Here is a first draft:

   The YANG module defined in this memo is designed to be accessed 
   via the NETCONF protocol [RFC4741]. The lowest NETCONF layer is
   the secure transport layer and the mandatory to implement secure
   transport is SSH [RFC4742].

I am CCing Bert Wijnen since he drove the development of the security
considerations template.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>