[secdir] Security review of draft-ietf-i2rs-yang-l3-topology-08.txt

"Hilarie Orman" <hilarie@purplestreak.com> Sun, 15 January 2017 21:08 UTC

Date: Sun, 15 Jan 2017 14:08:03 -0700
From: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/llLlKuN52aDfqFRBMQdhoMpQe5A>
Cc: draft-ietf-i2rs-yang-l3-topology-all@tools.ietf.org
Subject: [secdir] Security review of draft-ietf-i2rs-yang-l3-topology-08.txt

			  Security review of
	       A YANG Data Model for Layer 3 Topologies
	       draft-ietf-i2rs-yang-l3-topology-08.txt

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The document provides "illustrative examples" of extensions to the
YANG data model for IP unicast networks.  The specific cases covered
in the draft are OSPF and IS-IS.

The security considerations state:

"It is therefore important that the NETCONF access control model is
vigorously applied to prevent topology configuration by unauthorized
clients."

NETCONF (RFC6536) states:

  3.7.3.  Data Model Design Considerations

    Designers need to clearly identify any sensitive data, notifications,
    or protocol operations defined within a YANG module.  For such
    definitions, a "nacm:default-deny-write" or "nacm:default-deny-all"
    statement ought to be present, in addition to a clear description of
    the security risks.

I don't see any guidance or examples of this in the draft under
discussion.  Shouldn't there be some?  Or at least a statement of why
they aren't included?

NITS:

Page 27 typo "The moodel defines a protocol independent YANG ... ".
"moodel" should be "model".

The use of "holistic" and "conceptual" in the opening paragraph caused
me to pause in puzzlement:
"The model allows an application to have a holistic view of the
topology of a Layer 3 network, all contained in a single conceptual
YANG datastore."

I think that "holistic" means "stated in a single data language", and
"conceptual" means "it is not a single datastore but it could be,
conceptually."  Or something like that.  Less new-agey phrasing might
convey the idea more directly.

Hilarie
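
Added example, not part of the review or of the draft: a simplified Python scan of YANG text that lists the writable data nodes carrying neither "nacm:default-deny-write" nor "nacm:default-deny-all", which is the gap the review points at. The sample module, its node names and the "nacm" prefix are constructed assumptions, and a deny statement is assumed to cover the node's descendants.

```python
import re

# Constructed sample module: all names are hypothetical, none come from the draft.
SAMPLE_YANG = '''
module example-l3-topo {
  namespace "urn:example:l3-topo"; prefix ex;
  import ietf-netconf-acm { prefix nacm; }
  container topology {
    leaf name { type string; }
    container router-keys { nacm:default-deny-all; leaf secret { type string; } }
    list link { key "id"; nacm:default-deny-write; leaf metric { type uint32; } }
    leaf oper-state { config false; type string; }
  }
}
'''
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|\'[^\']*\'|[{};]|[^\s{};]+', re.S)
DATA_NODES = {"container", "list", "leaf", "leaf-list"}
DENY = {"nacm:default-deny-write", "nacm:default-deny-all"}  # assumes the usual "nacm" prefix

def parse(tokens, i=0):
    """Parse 'keyword [argument] (";" | "{" substatements "}")' into (kw, arg, children)."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        kw, arg, children, i = tokens[i], None, [], i + 1
        if tokens[i] not in ("{", ";"):
            arg, i = tokens[i].strip("\"'"), i + 1
        if tokens[i] == "{":
            children, i = parse(tokens, i + 1)
        stmts.append((kw, arg, children))
        i += 1  # step over the ';' or the closing '}'
    return stmts, i

def unprotected(stmts, path="", covered=False, writable=True):
    """Paths of config-true data nodes with no deny statement on them or on an ancestor."""
    found = []
    for kw, arg, children in stmts:
        if kw not in DATA_NODES:  # module, choice, case, ...: same path, keep descending
            found += unprotected(children, path, covered, writable)
            continue
        sub = {c[0]: c[1] for c in children}
        here, cov = f"{path}/{arg}", covered or bool(DENY & sub.keys())
        wr = writable and sub.get("config") != "false"
        found += ([here] if wr and not cov else []) + unprotected(children, here, cov, wr)
    return found

def check(text):
    tokens = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    return unprotected(parse(tokens)[0])
```

The scan does not resolve groupings, augments or concatenated strings, so a clean result on a real module still needs a manual read.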