[secdir] Secdir last call review of draft-ietf-teas-yang-te-topo-20

Melinda Shore via Datatracker <noreply@ietf.org> Tue, 14 May 2019 18:25 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Melinda Shore via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: ietf@ietf.org, teas@ietf.org, draft-ietf-teas-yang-te-topo.all@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <155785831655.30214.3189662700783001303@ietfa.amsl.com>
Date: Tue, 14 May 2019 11:25:16 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/m0PnRzUzRZW9RR2qYxE4YL069HM>
Subject: [secdir] Secdir last call review of draft-ietf-teas-yang-te-topo-20

Reviewer: Melinda Shore
Review result: Not Ready

This review updates my previous review of the -15 draft (see
https://datatracker.ietf.org/doc/review-ietf-teas-yang-te-topo-15-secdir-lc-shore-2018-06-07/).
 I'm pleased to see the update to the security considerations sections,
although it's still fairly generic and doesn't describe the threat environment
(this may seem like a nit but it's not: describing how changes to individual
subtrees may impact the system does not really detail how a malicious actor may
subvert or disable the system).  I think this section arguably does conform to
the yang-security-guidelines template despite the missing detail and modulo the
missing mandatory references to 5246 and 6536.  I'm torn between marking this
has "Has Issues" (because of the lack of threat description in the Security
Considerations) and "Not Ready" (because of the missing mandatory references)
but am going with the latter, and it's up to the IESG how heavily they'd like
to weight the generic descriptions of modified subtree impacts.

[secdir] Secdir last call review of draft-ietf-te… Melinda Shore via Datatracker
Re: [secdir] Secdir last call review of draft-iet… Xufeng Liu