Re: [secdir] Review of draft-ietf-netmod-schema-mount-10

Ladislav Lhotka <lhotka@nic.cz> Mon, 25 June 2018 13:38 UTC

From: Ladislav Lhotka <lhotka@nic.cz>
To: Shawn Emery <shawn.emery@gmail.com>, secdir@ietf.org, draft-ietf-netmod-schema-mount.all@tools.ietf.org
Date: Mon, 25 Jun 2018 15:38:56 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qihYxn2b8R8GGCwng5ueZ6K62A4>

Hi Shawn,

thank you for the review, please see my comment below.

Shawn Emery <shawn.emery@gmail.com> writes:

> Reviewer: Shawn M. Emery
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This draft specifies a schema for YANG module mount points for yet another
> specified schema location.
>
> The security considerations section does exist and refers to transport
> security through SSH and HTTPS for NETCONF and RESTCONF, respectively.  For
> authorization, the spec refers to RFC 8341 for controlling NETCONF and
> RESTCONF user access.  Data that would be considered sensitive or subject
> to attack is briefly described and prescribes read access controls for said
> data.
> I agree with the authors' assertions.
>
> General comments:
>
> None.
>
> Editorial comments:
>
> OLD:
>
> These are the subtrees and data nodes and their sensitivity/vulnerability:
>
> NEW:
>
> The following should be considered for subtrees/data nodes and their
> corresponding sensitivity/vulnerability:
>

The OLD formulation actually comes from RFC 6087, section 6.1 (Security
Considerations Section Template). Your NEW formulation indeed looks
better, so we will use it in the present draft, and I will also send it
to the netmod mailing list in order to apply this change in
draft-ietf-netmod-rfc6087bis.

Thanks, Lada

>
> Shawn.
> --

-- 
Ladislav Lhotka
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67