Re: [secdir] YANG Reviews

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 09 January 2018 19:15 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF SecDir <secdir@ietf.org>
Date: Tue, 09 Jan 2018 14:15:22 -0500
Subject: Re: [secdir] YANG Reviews
In-Reply-To: <E4143639-B607-458D-8319-45DCECEBB78F@vigilsec.com>
References: <CAHbuEH5hfwe0OVT74vNPgxF_HEPG2iCmQbr-bx7XB1vVSeekHw@mail.gmail.com> <E4143639-B607-458D-8319-45DCECEBB78F@vigilsec.com>
Message-Id: <FD6C1F69-E382-42E1-971C-286193F498ED@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tlPj7B_UjPcmrzT3yhYRKNKY9rg>
List-Id: Security Area Directorate <secdir.ietf.org>

Hi Russ,

Sent from my mobile device

> On Jan 9, 2018, at 1:46 PM, Russ Housley <housley@vigilsec.com> wrote:
> 
> For MIB modules, we came up with a short list of things for the SecDir reviewer to do.  This is a quote from an email message in 2007:
> 
>> The job of the security reviewers, then, is three-fold: first, to
>> verify the existence of the boilerplate; second, to verify the adequacy
>> of the explanations given for particular items; third -- and this is
>> the hardest -- to scan the document to see if other items should have
>> been identified as sensitive but aren't.

The guidance is very similar.
> 
> The real guidance appears here: http://www.ops.ietf.org/mib-security.html
> 
> It would be very helpful if we can come up with an equivalent yang-security.html document.
> 
We can work with Benoit & Warren as it’s better for those writing the drafts to see it first, so I think the home should be the same.

Best,
Kathleen 

> Russ
> 
> 
>> On Jan 8, 2018, at 4:43 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> 
>> Hello,
>> 
>> We will be seeing many YANG module reviews come through; please don't
>> let page counts scare you on these.  One of the main things to look
>> for is that they used the Security Considerations template and filled
>> it out, catching any data nodes that need to be enumerated in the
>> considerations.
>> 
>> Templates like this tend to get updated every time there's a new
>> SecAD :-). As such, it'll likely be updated again in a few months.
>> Here's the draft with the current template.  Have a look so you know
>> key things to look for (transport security is called out and
>> subtrees/data nodes of concern should be listed out).  Sometimes more
>> is needed specific to the draft, but oftentimes this covers it.
>> 
>> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-10#page-52
>> 
>> Thanks again for all your reviews, it is a tremendous help to us!
>> 
>> -- 
>> 
>> Best regards,
>> Kathleen
>
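As an added example (not code from this thread, from the SecDir, or from any IETF tool), the following Python script does the mechanical part of the review described above: it checks that the transport-security boilerplate is present, inventories the data nodes, RPCs and notifications a YANG module defines, and reports which of them the Security Considerations text never enumerates. The "third, hardest" step, judging which readable nodes are sensitive, is only approximated by a name heuristic. The YANG module and the considerations text are constructed for this example; the credential-name regex and the list of transport terms are the example's own assumptions, not part of the rfc6087bis template; and the toy parser does not resolve `grouping`/`uses` or `augment`.

```python
"""Mechanical pre-check of a YANG module's Security Considerations text.

Added example, not part of the SecDir thread. Parses a constructed YANG
module, inventories its nodes, RPCs and notifications, and reports the ones
the Security Considerations text does not mention.
"""
import re

# Tokens: quoted strings, the three structural characters, or any other
# run of non-blank characters (keywords, identifiers, numbers).
TOKEN_RE = re.compile(r'''"(?:[^"\\]|\\.)*"|'[^']*'|[{};]|[^\s{};"']+''')
DATA_KW = {"container", "list", "leaf", "leaf-list"}
# Assumption: names containing these words deserve a look as sensitive nodes.
SENSITIVE_RE = re.compile(r"password|secret|key|credential|token", re.I)
# Assumption: terms the transport paragraph of the template is expected to name.
TRANSPORT_TERMS = ["NETCONF", "SSH", "RESTCONF", "TLS"]


def tokenize(text):
    """Split YANG text into tokens after dropping // and /* */ comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    return TOKEN_RE.findall(text)


def parse(tokens):
    """Build nested (keyword, argument, substatements) tuples."""
    pos = 0

    def statements():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos] != "}":
            keyword, pos = tokens[pos], pos + 1
            arg = None
            if tokens[pos] not in ("{", ";"):
                arg, pos = tokens[pos].strip("\"'"), pos + 1
            if tokens[pos] == ";":
                pos += 1
                out.append((keyword, arg, []))
            else:  # "{" substatements "}"
                pos += 1
                subs = statements()
                pos += 1
                out.append((keyword, arg, subs))
        return out

    return statements()


def inventory(module_text):
    """Return ([(path, config_true)], [rpc names], [notification names]).

    Only data-node keywords are descended into, so grouping/uses and augment
    are not resolved (the constructed module below uses none).
    """
    nodes, rpcs, notifs = [], [], []

    def walk(stmts, path, config):
        for keyword, arg, subs in stmts:
            if keyword in DATA_KW:
                # "config false" is inherited by the whole subtree
                here = config and not any(
                    k == "config" and a == "false" for k, a, _ in subs)
                node_path = f"{path}/{arg}"
                nodes.append((node_path, here))
                walk(subs, node_path, here)
            elif keyword == "rpc":
                rpcs.append(arg)
            elif keyword == "notification":
                notifs.append(arg)

    (_, _, body), = [s for s in parse(tokenize(module_text)) if s[0] == "module"]
    walk(body, "", True)
    return nodes, rpcs, notifs


def review(module_text, sec_cons_text):
    """Report inventory items the Security Considerations text never mentions."""
    nodes, rpcs, notifs = inventory(module_text)

    def covered(path):
        # A node is covered if its own path or any ancestor path is named.
        parts = path.split("/")[1:]
        return any("/" + "/".join(parts[:i]) in sec_cons_text
                   for i in range(1, len(parts) + 1))

    uncovered, unlisted = set(), []
    for path, config in nodes:
        if covered(path):
            continue
        parent = path.rsplit("/", 1)[0]
        if parent not in uncovered:  # first uncovered node on this branch
            unlisted.append((path, "writable" if config else "readable"))
        uncovered.add(path)
    return {
        "unlisted_subtrees": unlisted,
        "sensitive_names": [p for p, _ in nodes
                            if SENSITIVE_RE.search(p.rsplit("/", 1)[1])
                            and not covered(p)],
        "missing_rpcs": [r for r in rpcs if r not in sec_cons_text],
        "missing_notifications": [n for n in notifs if n not in sec_cons_text],
        "missing_transport_terms": [t for t in TRANSPORT_TERMS
                                    if t not in sec_cons_text],
    }


# Constructed, hypothetical module; not a real IETF module.
SAMPLE_MODULE = """
module example-acl-mgmt {
  namespace "urn:example:acl-mgmt";
  prefix am;
  container acls {
    list acl {
      key name;
      leaf name { type string; }
      leaf action { type enumeration { enum permit; enum deny; } }
    }
  }
  container users {
    list user {
      key name;
      leaf name { type string; }
      leaf password-hash { type string; config false; }  // readable, sensitive
    }
  }
  container statistics {
    config false;
    leaf matched-packets { type uint64; }
  }
  rpc clear-statistics { }
  rpc reset-admin-password { input { leaf new-password { type string; } } }
  notification acl-changed { leaf name { type string; } }
}
"""

# Constructed considerations text, deliberately incomplete.
SAMPLE_SEC_CONS = """
The YANG module in this document defines a schema for data that is designed
to be accessed via network management protocols such as NETCONF. The lowest
NETCONF layer is the secure transport layer, and the mandatory-to-implement
secure transport is Secure Shell (SSH).

Some of the data nodes in this module are writable/creatable/deletable.
Write operations to the /acls/acl subtree can permit or deny traffic without
authorization and may be considered sensitive in some network environments.

Some of the RPC operations may be considered sensitive: clear-statistics
discards evidence an operator may need.
"""

if __name__ == "__main__":
    for key, value in review(SAMPLE_MODULE, SAMPLE_SEC_CONS).items():
        print(f"{key}: {value}")
```

Run against the constructed inputs, the checker flags the unlisted `/users` and `/statistics` subtrees, the readable `password-hash` leaf, the `reset-admin-password` RPC, the `acl-changed` notification, and the absence of any RESTCONF/TLS statement; everything it cannot decide (whether `/statistics` is actually sensitive) is left for the reviewer.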