Re: [secdir] YANG Reviews

Russ Housley <housley@vigilsec.com> Thu, 11 January 2018 16:52 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAHbuEH5e2f0UdZOTLJ_E_rARUcpjh10fPM9WZ=DCcEusXsuzxA@mail.gmail.com>
Date: Thu, 11 Jan 2018 11:52:44 -0500
Cc: IETF SecDir <secdir@ietf.org>
Message-Id: <EC4AB885-9B5E-4CA6-9017-A5DE92D266EE@vigilsec.com>
References: <CAHbuEH5hfwe0OVT74vNPgxF_HEPG2iCmQbr-bx7XB1vVSeekHw@mail.gmail.com> <E4143639-B607-458D-8319-45DCECEBB78F@vigilsec.com> <FD6C1F69-E382-42E1-971C-286193F498ED@gmail.com> <CAHbuEH5e2f0UdZOTLJ_E_rARUcpjh10fPM9WZ=DCcEusXsuzxA@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hgl5JHTH3DtvynlsbA39l5U1Yhg>

https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines

This is exactly what a SecDir reviewer will need.  Awesome.

Russ


> On Jan 11, 2018, at 11:21 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Hello,
> 
> As it turns out, there is a page:
> 
> https://www.ietf.org/iesg/directorate/yang-doctors.html
> 
> If anyone has comments on the bis draft with current security
> considerations template, please provide them to the WG.  Here is the
> link again for your convenience:
> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-10#page-52
> 
> Thank you!
> 
> On Tue, Jan 9, 2018 at 2:15 PM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>> Hi Russ,
>> 
>> Sent from my mobile device
>> 
>>> On Jan 9, 2018, at 1:46 PM, Russ Housley <housley@vigilsec.com> wrote:
>>> 
>>> For MIB modules, we came up with a short list of things for the SecDir Reviewer to do.  This is a quote from an email message in 2007:
>>> 
>>>> The job of the security reviewers, then, is three-fold: first, to
>>>> verify the existence of the boilerplate; second, to verify the adequacy
>>>> of the explanations given for particular items; third -- and this is
>>>> the hardest -- to scan the document to see if other items should have
>>>> been identified as sensitive but aren't.
>> 
>> The guidance is very similar.
>>> 
>>> The real guidance appears here: http://www.ops.ietf.org/mib-security.html
>>> 
>>> It would be very helpful if we can come up with an equivalent yang-security.html document.
>>> 
>> We can work with Benoit & Warren as it’s better for those writing the drafts to see it first, so I think the home should be the same.
>> 
>> Best,
>> Kathleen
>> 
>>> Russ
>>> 
>>> 
>>>> On Jan 8, 2018, at 4:43 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> We will be seeing many YANG module reviews come through; please don't
>>>> let page counts scare you on these.  One of the main things to look
>>>> for is that they used the Security Considerations template and filled
>>>> it out, catching any data nodes that need to be enumerated in the
>>>> considerations.
>>>> 
>>>> Templates like this tend to get updated every time there's a new
>>>> SecAD :-). As such, it'll likely be updated again in a few months.
>>>> Here's the draft with the current template.  Have a look so you know
>>>> key things to look for (transport security is called out and
>>>> subtrees/data nodes of concern should be listed out).  Sometimes more
>>>> is needed specific to the draft, but oftentimes this covers it.
>>>> 
>>>> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-10#page-52
>>>> 
>>>> Thanks again for all your reviews; it is a tremendous help to us!
>>>> 
>>>> --
>>>> 
>>>> Best regards,
>>>> Kathleen
>>> 
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen
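As an added example (not from this thread, the draft, or any IETF tooling), a small Python triage script for the three reviewer tasks quoted above: it pulls the top-level writable subtrees and RPCs out of a constructed YANG module and reports those that the (also constructed) Security Considerations text never names, plus whether a secure transport is called out at all. The YANG handling is a brace-depth scan, assumed good enough for review triage and nothing more.

```python
import re

# Constructed sample YANG module (not from the thread): a writable subtree,
# a read-only (config false) subtree and one RPC.
SAMPLE_YANG = """
module example-acl {
  container acl {
    list rule { key name; leaf name { type string; } leaf action { type string; } }
  }
  container stats { config false; leaf hits { type uint64; } }
  rpc reset-counters { }
}
"""

# Constructed Security Considerations text: names the transport and the
# writable subtree, but forgets the RPC.
SAMPLE_SECCONS = """
The lowest NETCONF layer is the secure transport layer; the mandatory-to-implement secure transport is SSH.
Subtrees and data nodes that are sensitive when written: /acl
"""

TOKEN_RE = re.compile(r'\{|\}|\b(container|list|rpc)\s+([\w.-]+)|\bconfig\s+false\b')

def top_level_items(yang):
    """Crude brace-depth scan (not a YANG compiler): returns
    ({subtree: writable?}, [rpc names]) for the module's top-level statements."""
    depth, current, subtrees, rpcs = 0, None, {}, []
    for m in TOKEN_RE.finditer(yang):
        tok, kw, name = m.group(0), m.group(1), m.group(2)
        if tok == '{':
            depth += 1
        elif tok == '}':
            depth -= 1
            if depth == 1:              # closed a top-level statement
                current = None
        elif depth == 1 and kw in ('container', 'list'):
            current, subtrees[name] = name, True   # writable unless shown otherwise
        elif depth == 1 and kw == 'rpc':
            rpcs.append(name)
        elif depth == 2 and current and tok.startswith('config'):
            subtrees[current] = False   # 'config false' directly inside the subtree
    return subtrees, rpcs

def review_seccons(yang, seccons):
    """The reviewer's third task: sensitive-looking items (writable subtrees,
    RPCs) not named in the considerations, and whether SSH/TLS is called out."""
    subtrees, rpcs = top_level_items(yang)
    missing = [f'/{n}' for n, w in subtrees.items() if w and f'/{n}' not in seccons]
    missing += [r for r in rpcs if r not in seccons]
    return missing, re.search(r'\b(SSH|TLS)\b', seccons) is not None
```

Running `review_seccons(SAMPLE_YANG, SAMPLE_SECCONS)` flags the unmentioned `reset-counters` RPC while confirming the transport is named; a real review still has to judge whether the listed items' explanations are adequate.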