[secdir] Secdir last call review of draft-ietf-netconf-nmda-netconf-06

Christian Huitema <huitema@huitema.net> Mon, 06 August 2018 00:28 UTC

From: Christian Huitema <huitema@huitema.net>
To: <secdir@ietf.org>
Cc: ietf@ietf.org, draft-ietf-netconf-nmda-netconf.all@ietf.org, netconf@ietf.org
Message-ID: <153351528236.13444.6191328032557284868@ietfa.amsl.com>
Date: Sun, 05 Aug 2018 17:28:02 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vw-ibdrtuK3qsTwgVvY5gW6bnnw>

Reviewer: Christian Huitema
Review result: Ready

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of the review is Ready

The document (draft-ietf-netconf-nmda-netconf-06) presents extensions to the original
NETCONF protocol (RFC 6241). RFC 6241 defined operations to "get-config" and
"edit-config". The proposed revision defines "get-data" and "edit-data" that
have more parameters than "get-config" and "edit-config", allowing for
more precise filtering of the data being retrieved or edited.

The security consideration section essentially points to the security
considerations of the original NETCONF protocol, enhanced by the access
control procedures defined in RFC 8341. The security of NETCONF depends on
operation over a secure transport, the default being SSH, with NETCONF
over SSH defined in RFC 6242.

In my mind, the newly defined operations are similar to the
previously defined operations, with an option for more narrow targeting to a
subset of the configuration data. If the security of NETCONF is adequate,
it will still be adequate after these extensions.
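The following is an added illustration, not code from the draft, the NETCONF working group or the reviewer. It shows the two points the review makes: a "get-data" request carries an explicit datastore plus a filter (more precise targeting than "get-config"), and the server still relies on RFC 8341-style access rules to decide what the reply may contain. Element and namespace names follow the NMDA NETCONF extension as published (RFC 8526) and are an assumption relative to the -06 draft; the module namespaces "urn:example:toy-ifaces" and "urn:example:toy-secrets", the datastore contents and the access rules are constructed for the example.

```python
"""Toy NETCONF NMDA <get-data> exchange with RFC 8341-style read pruning.

Added example, not code from draft-ietf-netconf-nmda-netconf or any
implementation. Namespaces follow RFC 8526 (an assumption relative to the
-06 draft); module names, data and rules below are constructed.
"""
import io
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NMDA_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
DS_NS = "urn:ietf:params:xml:ns:yang:ietf-datastores"

# Datastores this toy server advertises (constructed choice).
SUPPORTED_DATASTORES = {"running", "operational"}

# Constructed datastore contents: datastore -> {top-level node tag: XML}.
IFACES = "{urn:example:toy-ifaces}interfaces"
KEYS = "{urn:example:toy-secrets}keys"
DATASTORES = {
    "running": {
        IFACES: '<interfaces xmlns="urn:example:toy-ifaces">'
                "<interface><name>eth0</name></interface></interfaces>",
        KEYS: '<keys xmlns="urn:example:toy-secrets">'
              "<key><name>k1</name></key></keys>",
    },
    "operational": {
        IFACES: '<interfaces xmlns="urn:example:toy-ifaces"><interface>'
                "<name>eth0</name><oper-status>up</oper-status>"
                "</interface></interfaces>",
    },
}

# Constructed, simplified read rules in the spirit of RFC 8341 NACM:
# (datastore or "*", node tag or "*", action). First match wins; reads
# that match no rule fall back to NACM's read-default of "permit".
READ_RULES = [("*", KEYS, "deny"), ("operational", IFACES, "permit")]
READ_DEFAULT = "permit"


def build_get_data(datastore: str, filter_xml: str = "", message_id: str = "101") -> str:
    """Client side: <get-data> naming a datastore and an optional subtree filter."""
    filt = f"<subtree-filter>{filter_xml}</subtree-filter>" if filter_xml else ""
    return (
        f'<rpc message-id="{message_id}" xmlns="{NC_NS}">'
        f'<get-data xmlns="{NMDA_NS}" xmlns:ds="{DS_NS}">'
        f"<datastore>ds:{datastore}</datastore>{filt}</get-data></rpc>"
    )


def parse_get_data(rpc_xml: str) -> dict:
    """Server side: resolve the datastore identityref and list filter targets.

    The datastore value is a prefixed identity (e.g. "ds:operational"), so
    the prefix must be resolved against the namespaces declared in the
    message; a flat prefix map is enough for this toy.
    """
    nsmap = {}
    for _ev, (prefix, uri) in ET.iterparse(io.BytesIO(rpc_xml.encode()), events=("start-ns",)):
        nsmap[prefix] = uri
    root = ET.fromstring(rpc_xml)
    gd = root.find(f"{{{NMDA_NS}}}get-data")
    if gd is None:
        raise ValueError("not a <get-data> rpc")
    ds_text = (gd.findtext(f"{{{NMDA_NS}}}datastore") or "").strip()
    prefix, _, local = ds_text.rpartition(":")
    if nsmap.get(prefix) != DS_NS:
        raise ValueError(f"datastore {ds_text!r} is not an ietf-datastores identity")
    if local not in SUPPORTED_DATASTORES:
        raise ValueError(f"unsupported datastore {local!r}")
    sf = gd.find(f"{{{NMDA_NS}}}subtree-filter")
    # No filter means "everything in the datastore", represented as ["*"].
    targets = [child.tag for child in sf] if sf is not None else ["*"]
    return {"datastore": local, "targets": targets}


def denied_nodes(datastore: str, tags, rules=READ_RULES) -> list:
    """Tags the requester may not read; NACM prunes them from the reply."""
    denied = []
    for tag in tags:
        verdict = READ_DEFAULT
        for rule_ds, rule_tag, action in rules:
            if rule_ds in ("*", datastore) and rule_tag in ("*", tag):
                verdict = action
                break
        if verdict == "deny":
            denied.append(tag)
    return denied


def serve_get_data(rpc_xml: str) -> str:
    """Server side: apply the filter, prune denied nodes, build <rpc-reply>."""
    req = parse_get_data(rpc_xml)
    store = DATASTORES[req["datastore"]]
    wanted = list(store) if req["targets"] == ["*"] else req["targets"]
    denied = set(denied_nodes(req["datastore"], wanted))
    body = "".join(store[t] for t in wanted if t in store and t not in denied)
    mid = ET.fromstring(rpc_xml).get("message-id", "")
    return (f'<rpc-reply message-id="{mid}" xmlns="{NC_NS}">'
            f'<data xmlns="{NMDA_NS}">{body}</data></rpc-reply>')


if __name__ == "__main__":
    print(serve_get_data(build_get_data("operational", '<interfaces xmlns="urn:example:toy-ifaces"/>')))
    print(serve_get_data(build_get_data("running")))  # keys pruned by the deny rule
```

The finer targeting of "get-data" changes what the client asks for, not what it is allowed to see: the datastore is validated against what the server supports, and the reply is pruned by the same read rules regardless of whether the client filtered on the sensitive subtree or asked for the whole datastore.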