Re: [secdir] Review of draft-ietf-netmod-schema-mount-10
Martin Bjorklund <mbj@tail-f.com> Tue, 07 August 2018 08:56 UTC
Date: Tue, 07 Aug 2018 10:56:40 +0200
Message-Id: <20180807.105640.1680662026219965166.mbj@tail-f.com>
To: shawn.emery@gmail.com
Cc: lhotka@nic.cz, secdir@ietf.org, draft-ietf-netmod-schema-mount.all@tools.ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <87po0fgf4f.fsf@nic.cz>
References: <CAChzXmanxy0cn9i-E6FvnNmC2_gpir1qNd4jgPLAmDL7L8j-6A@mail.gmail.com> <87po0fgf4f.fsf@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/veOi6L-zbTAnv5FioBRco_hUmSg>
Hi Shawn,

As mentioned, this text comes from the YANG security template
(https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines) that has
been approved by the security ADs. [This doesn't mean that the text
can't be changed, but if it needs to be changed, the template should be
changed (after being approved by the ADs).]

But I brought this up in the WG, and a comment was made that *if* this
change is made, we also need to change not just this sentence, but also
the rest of the template; these are written as a list of data
nodes/subtrees and their corresponding sensitivity/vulnerability. So,
if the change is accepted, new drafts would need to be written as a
list of sensitivities/vulnerabilities with the data nodes and subtrees
to which they apply.

So I suggest we keep the current text in this document.

/martin

Ladislav Lhotka <lhotka@nic.cz> wrote:
> Hi Shawn,
>
> thank you for the review, please see my comment below.
>
> Shawn Emery <shawn.emery@gmail.com> writes:
>
> > Reviewer: Shawn M. Emery
> > Review result: Ready with nits
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security
> > area directors. Document editors and WG chairs should treat these
> > comments just like any other last call comments.
> >
> > This draft specifies a schema for YANG module mount points for yet another
> > specified schema location.
> >
> > The security considerations section does exist and refers to transport
> > security through SSH and HTTPS for NETCONF and RESTCONF, respectively. For
> > authorization, the spec refers to RFC 8341 for controlling NETCONF and
> > RESTCONF user access. Data that would be considered sensitive or subject
> > to attack is briefly described and prescribes read access controls for said
> > data. I agree with the authors' assertions.
> >
> > General comments:
> >
> > None.
> >
> > Editorial comments:
> >
> > OLD:
> >
> > These are the subtrees and data nodes and their sensitivity/vulnerability:
> >
> > NEW:
> >
> > The following should be considered for subtrees/data nodes and their
> > corresponding sensitivity/vulnerability:
>
> The OLD formulation actually comes from RFC 6087, section 6.1 (Security
> Considerations Section Template). Your NEW formulation indeed looks
> better, so we will use it in the present draft, and I will also send it
> to the netmod mailing list in order to apply this change in
> draft-ietf-netmod-rfc6087bis.
>
> Thanks, Lada
>
> >
> > Shawn.
> > --
>
> --
> Ladislav Lhotka
> Head, CZ.NIC Labs
> PGP Key ID: 0xB8F92B08A9F76C67