Re: [secdir] secdir review of draft-ietf-netconf-access-control-06
Martin Bjorklund <mbj@tail-f.com> Wed, 30 November 2011 20:48 UTC
Date: Wed, 30 Nov 2011 21:47:59 +0100
To: carl@redhoundsoftware.com
From: Martin Bjorklund <mbj@tail-f.com>
Cc: secdir@ietf.org, iesg@ietf.org, draft-ietf-netconf-access-control.all@tools.ietf.org
Hi,

Thank you for your review. Comments inline.

Carl Wallace <carl@redhoundsoftware.com> wrote:
> I found the frequent references to "recovery sessions" and "non-recovery
> sessions" unnecessary and somewhat confusing. Couldn't this concept be
> described once and omitted from the various lists of steps?

We did think about this, but although it is currently a bit redundant, we
felt spelling it out explicitly made the "elements of procedure"
descriptions more clear.

> There are probably some inconsistencies in the RFC 2119 language around
> the "recovery session" concept. For example, section 3.4.4 provides a
> bulleted list of steps that MUST be followed. Included in this list is an
> exception for recovery sessions. Section 3.3.1 says a "server MAY support
> a "recovery session" mechanism". Should 3.3.1 be a MUST?

No, "MAY" is correct. The server MUST follow the procedure in 3.4.4, which
says that if the session is a recovery session then <something>. If the
server doesn't support recovery sessions, then the current session is
clearly not a recovery session, and <something> won't happen.

> Section 3.1.1 references both "recovery session" and the ability to
> disable the entire access control model "during operation, in order to
> debug operational problems". What does the latter bullet that mentions
> debugging refer to in the model? Is this bullet just a second reference
> to recovery session?

The access control model can be disabled by setting the leaf
/nacm/enable-nacm to false (see the leaf enable-nacm in the YANG module).

> In section 3.2.4, copy operations may be partially performed while "nodes
> to which the client does not have read access are silently omitted". Why
> is this OK? It seems inconsistent with section 3.1.3, which says "If the
> user is authorized to perform the requested access operation on the
> requested data, then processing continues", implying that processing does
> not continue otherwise. The same silent skipping of items appears
> elsewhere as well, including edit config. At a minimum, some rationale
> describing why these silent omissions are acceptable should be
> provided.

There are two reasons for this. One is consistency with <get-config>, and
the other is if you just have access to a single leaf, you should still be
allowed to perform "copy-config running to startup", making your change
persistent.

/martin
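The three behaviours discussed in this exchange (a recovery session bypassing the checks, the /nacm/enable-nacm leaf switching the model off, and <copy-config> silently omitting nodes the client cannot read, exactly as <get-config> does), as an added and deliberately simplified Python model that is neither the draft's normative procedure nor code from this thread. The rule format, the defaults, the sample datastore and the group/user names are constructed assumptions, and write checks on the target datastore are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    groups: set
    recovery: bool = False  # a "recovery session" is exempt from access control

@dataclass
class Nacm:
    enable_nacm: bool = True        # the /nacm/enable-nacm leaf
    read_default: str = "permit"    # assumed defaults: read permitted, write denied
    write_default: str = "deny"
    # (group, path prefix, operation, permitted); first matching rule wins (assumption)
    rules: list = field(default_factory=list)

def check_access(nacm, session, path, operation):
    """True if `operation` ('read' or 'write') on `path` is permitted."""
    if not nacm.enable_nacm or session.recovery:
        return True                 # model disabled or recovery session: no checks at all
    for group, prefix, op, permitted in nacm.rules:
        if group in session.groups and op == operation and path.startswith(prefix):
            return permitted
    default = nacm.read_default if operation == "read" else nacm.write_default
    return default == "permit"

def filter_readable(nacm, session, datastore):
    """Shared by <get-config> and <copy-config>: nodes the client may not read
    are silently omitted instead of producing an error."""
    return {p: v for p, v in datastore.items() if check_access(nacm, session, p, "read")}

def copy_config(nacm, session, source):
    """Copy the readable subset of `source` (e.g. running to startup), so a
    client with access to a single leaf can still persist its change."""
    return filter_readable(nacm, session, source)

# Constructed sample datastore and policy.
RUNNING = {"/system/hostname": "r1",
           "/system/ntp/server": "10.0.0.1",
           "/nacm/rule-list/ops": "..."}
POLICY = Nacm(rules=[("ops", "/nacm", "read", False)])  # hide the /nacm subtree from ops
OPERATOR = Session("alice", {"ops"})
RECOVERY = Session("root", set(), recovery=True)

if __name__ == "__main__":
    print(copy_config(POLICY, OPERATOR, RUNNING))   # /nacm/... silently omitted
    print(copy_config(POLICY, RECOVERY, RUNNING))   # recovery session: everything copied
    POLICY.enable_nacm = False
    print(copy_config(POLICY, OPERATOR, RUNNING))   # model disabled: everything copied
```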