[secdir] Security review of draft-ietf-i2rs-yang-l3-topology-08.txt
"Hilarie Orman" <hilarie@purplestreak.com> Sun, 15 January 2017 21:08 UTC
Date: Sun, 15 Jan 2017 14:08:03 -0700
Message-Id: <201701152108.v0FL83GA020237@rumpleteazer.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/llLlKuN52aDfqFRBMQdhoMpQe5A>
Cc: draft-ietf-i2rs-yang-l3-topology-all@tools.ietf.org
Subject: [secdir] Security review of draft-ietf-i2rs-yang-l3-topology-08.txt
List-Id: Security Area Directorate <secdir.ietf.org>

Security review of A YANG Data Model for Layer 3 Topologies
draft-ietf-i2rs-yang-l3-topology-08.txt

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document provides "illustrative examples" of extensions to the YANG data model for IP unicast networks. The specific cases covered in the draft are OSPF and IS-IS.

The security considerations state:

   "It is therefore important that the NETCONF access control model is vigorously applied to prevent topology configuration by unauthorized clients."

NETCONF (RFC6536) states:

   3.7.3. Data Model Design Considerations

   Designers need to clearly identify any sensitive data, notifications, or protocol operations defined within a YANG module. For such definitions, a "nacm:default-deny-write" or "nacm:default-deny-all" statement ought to be present, in addition to a clear description of the security risks.

I don't see any guidance or examples of this in the draft under discussion. Shouldn't there be some? Or at least a statement of why they aren't included?

NITS:

Page 27 typo "The moodel defines a protocol independent YANG ... ". "moodel" should be "model".

The use of "holistic" and "conceptual" in the opening paragraph caused me to pause in puzzlement:

   "The model allows an application to have a holistic view of the topology of a Layer 3 network, all contained in a single conceptual YANG datastore."

I think that "holistic" means "stated in a single data language", and "conceptual" means "it is not a single datastore but it could be, conceptually." Or something like that. Less new-agey phrasing might convey the idea more directly.

Hilarie
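
Added example, not part of the review message or of the draft: one way a module reviewer could check the RFC 6536 section 3.7.3 point quoted above, by listing the writable (config true) data nodes of a YANG module that carry no "default-deny-write" or "default-deny-all" statement. The sample module and its node names are constructed and hypothetical. The sketch assumes a marker on an enclosing node covers its children and accepts any prefix on the marker without resolving it to ietf-netconf-acm.

```python
import re

# Constructed sample module; names are hypothetical, not taken from the draft.
SAMPLE = """
module example-l3-topo {
  namespace "urn:example:l3-topo"; prefix ex;
  import ietf-netconf-acm { prefix nacm; }
  container topology {
    leaf name { type string; }
    container router-attributes { nacm:default-deny-write; leaf router-id { type string; } }
    container state { config false; leaf up { type boolean; } }
  }
}
"""

DATA = {"container", "list", "leaf", "leaf-list"}   # data definition statements tracked
MARKERS = {"default-deny-write", "default-deny-all"}  # any prefix accepted (assumption)
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+', re.S)

def chain(frame):  # the statement itself, then each enclosing statement
    while frame:
        yield frame
        frame = frame["parent"]

def unmarked_writable_nodes(text):
    """Paths of config-true data nodes not covered by a default-deny marker."""
    root = {"parent": None, "config": True, "marked": False, "path": ""}
    stack, words, nodes = [root], [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(("//", "/*")):
            continue                                  # YANG comment
        if tok not in ("{", "}", ";"):
            words.append(tok.strip('"'))              # keyword or argument
            continue
        if tok == "{":                                # statement with a body opens
            kw, arg = (words + ["", ""])[:2]
            frame = {"parent": stack[-1], "config": True, "marked": False,
                     "path": stack[-1]["path"] + ("/" + arg if kw in DATA else "")}
            if kw in DATA:
                nodes.append(frame)
            stack.append(frame)
        elif tok == "}":
            stack.pop()
        elif words[:2] == ["config", "false"]:
            stack[-1]["config"] = False               # read-only subtree
        elif words and ":" in words[0] and words[0].rpartition(":")[2] in MARKERS:
            stack[-1]["marked"] = True
        words = []
    return [n["path"] for n in nodes if not any(not f["config"] or f["marked"] for f in chain(n))]
```

On the constructed sample this reports `/topology` and `/topology/name`, the two writable nodes whose protection depends entirely on operator-configured NACM rules.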