Re: [secdir] Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]
"Shawn M. Emery" <semery@uccs.edu> Sat, 29 February 2020 22:57 UTC
Return-Path: <semery@uccs.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCC293A153E; Sat, 29 Feb 2020 14:57:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.612
X-Spam-Level:
X-Spam-Status: No, score=-1.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvEzWFSz5rMF; Sat, 29 Feb 2020 14:57:15 -0800 (PST)
Received: from exchange.uccs.edu (uccs-ex1.uccs.edu [128.198.1.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8447B3A153D; Sat, 29 Feb 2020 14:57:12 -0800 (PST)
Received: from mail-ed1-f46.google.com (209.85.208.46) by UCCS-EX1.uccs.edu (128.198.1.101) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 29 Feb 2020 15:57:10 -0700
Received: by mail-ed1-f46.google.com with SMTP id y3so1624145edj.13; Sat, 29 Feb 2020 14:57:10 -0800 (PST)
X-Gm-Message-State: APjAAAVnr0ZrUZYRCYC0G5GmYfJHIwuv1lylYril4MExuSvcBYzhuiqc vYUrmYK3j44FX2j+jPVbkyZCOPi0hFaPJ/kEyLo=
X-Google-Smtp-Source: APXvYqyGyIIeHYuC/if5PP85UYU0bssR1RyFysdn0ZNAqzy2XDKUIvOgEyi1Ps5Sb/2sztIqxyx/JDInLVfgnS6Wnrs=
X-Received: by 2002:a17:906:7c9:: with SMTP id m9mr9527376ejc.243.1583017028791; Sat, 29 Feb 2020 14:57:08 -0800 (PST)
MIME-Version: 1.0
References: <F628A40F-73B3-40C5-A50B-CBC1E8D612F8@cisco.com>
In-Reply-To: <F628A40F-73B3-40C5-A50B-CBC1E8D612F8@cisco.com>
From: "Shawn M. Emery" <semery@uccs.edu>
Date: Sat, 29 Feb 2020 17:56:56 -0500
X-Gmail-Original-Message-ID: <CAChzXmZO+tV9tD43Ku32GYT6JRzq3Q11onsT3c43bK0o9v6nvQ@mail.gmail.com>
Message-ID: <CAChzXmZO+tV9tD43Ku32GYT6JRzq3Q11onsT3c43bK0o9v6nvQ@mail.gmail.com>
To: "Kamran Raza (skraza)" <skraza@cisco.com>
CC: secdir <secdir@ietf.org>, "draft-ietf-mpls-ldp-yang.all@ietf.org" <draft-ietf-mpls-ldp-yang.all@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000acb56e059fbedf45"
X-Originating-IP: [209.85.208.46]
X-ClientProxiedBy: UCCS-EX4.uccs.edu (128.198.1.104) To UCCS-EX1.uccs.edu (128.198.1.101)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qMEMuGC6SrQ9_YG1Dsol6rSp5Dc>
Subject: Re: [secdir] Updated rev posted [Re: Review of draft-ietf-mpls-ldp-yang-07]
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Feb 2020 22:57:20 -0000
Thank you for the major update, the Security Consideration section looks much better. Here are my comments with rev 08: 1. In section 10.1.2, it states that LDP peer authentication can be augmented via a key generated with an algorithm such as MD5. I know it may be out of scope from this document, but why is MD5 given as an example rather than scrypt or is the assumption that the keys are based on high entropy? 2. In section 10.1.3, it states: These are the operations and their sensitivity/vulnerability: ... but the vulnerabilities were listed before this statement. Should reorder. Regards, Shawn. -- On Thu, Feb 27, 2020 at 11:26 PM Kamran Raza (skraza) <skraza@cisco.com> wrote: > Thanks for your review and comments. > > We have just posted a new rev -08 that takes care of your comments and > comments from other IESG reviewers. > > On behalf of authors, please see inline [skraza]: > > > > *From: *"Shawn M. Emery" <semery@uccs.edu> > *Date: *Monday, November 25, 2019 at 5:34 PM > *To: *secdir <secdir@ietf.org>, "draft-ietf-mpls-ldp-yang.all@ietf.org" < > draft-ietf-mpls-ldp-yang.all@ietf.org> > *Cc: *Shawn Emery <shawn.emery@gmail.com> > *Subject: *Review of draft-ietf-mpls-ldp-yang-07 > *Resent-From: *<alias-bounces@ietf.org> > *Resent-To: *<skraza@cisco.com>, <rajiva@cisco.com>, < > xufeng.liu.ietf@gmail.com>, <sesale@juniper.net>, < > jescia.chenxia@huawei.com>, <hshah@ciena.com>, <mach.chen@huawei.com>, < > tsaad.net@gmail.com>, <n.leymann@telekom.de>, <loa@pi.nu>, < > martin.vigoureux@nokia.com>, <db3546@att.com>, <aretana.ietf@gmail.com>, > Nicolai Leymann <n.leymann@telekom.de>, Tarek Saad <tsaad.net@gmail.com> > *Resent-Date: *Monday, November 25, 2019 at 5:33 PM > > > > Reviewer: Shawn M. Emery > Review result: Ready with nits > > > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security > area directors. Document editors and WG chairs should treat these > comments just like any other last call comments. > > > > This draft specifies a YANG model for the Multi-Protocol Label > > Switching (MPLS) Label Distribution Protocol (LDP). Network > > Configuration Protocol (NETCONF) and RESTCONF is used > > to mange network devices based on this model. > > > > The security considerations section does exist and for security > > and privacy concerns, discusses that the MTI for NETCONF is > > SSH and TLS for RESTCONF. For authorization, NETCONF > > and RESTCONF uses the Network Configuration Access Control > > Model (NACM). > > > > The section goes on to state that some data nodes > > and RPC operations in the YANG module are considered sensitive > > to various operations, but does not give guidance on which nodes > > or subtrees that would be affected. In the past, module specifications > > that I've reviewed have outlined each of these relevant items. > > > > [skraza]: Enhanced this section significantly and have added the relevant > items to this section. See draft rev -08. > > > > The section finishes with the statement that the security > > properties of the base specifications, LDP, LDP IPv6, etc., also applies > > to this draft. I agree with the above assertions. > > > > General comments: > > > > None. > > > > Editorial comments: > > [skraza]: Fixed all the listed. > > > > s/into following/into the following/ > > s/means and be read/should be read/ > > s/family"/family"./ > > s/VPN Forwarding and Routing/VPN Routing and Forwarding/ > > s/provides a mean/provides a means/ > > s/Neibgbor/Neighbor/ > > s/pereference/preference/ > > s/creatable\/ deletable/creatable\/deletable/ > > > > RESTCONF should be expanded on first ocurence. > > [skraza]: I could not find the expansion – even in the RESTCONF RFC 8040 . > > > > Shawn. > > -- >
- [secdir] Updated rev posted [Re: Review of draft-… Kamran Raza (skraza)
- Re: [secdir] Updated rev posted [Re: Review of dr… Shawn M. Emery
- Re: [secdir] Updated rev posted [Re: Review of dr… Kamran Raza (skraza)