Re: [secdir] Security review of draft-ietf-l3sm-l3vpn-service-model-16 YANG Data Model for L3VPN service delivery

<> Thu, 20 October 2016 13:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9050F1295BA; Thu, 20 Oct 2016 06:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.05
X-Spam-Status: No, score=-3.05 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wvc1kAeX2Lof; Thu, 20 Oct 2016 06:28:04 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 38D1D1295BC; Thu, 20 Oct 2016 06:28:04 -0700 (PDT)
Received: from (unknown [xx.xx.xx.67]) by (ESMTP service) with ESMTP id A407240708; Thu, 20 Oct 2016 15:28:02 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.60]) by (ESMTP service) with ESMTP id 68E0E1A01BB; Thu, 20 Oct 2016 15:28:02 +0200 (CEST)
Received: from OPEXCLILMA4.corporate.adroot.infra.ftgroup ([fe80::65de:2f08:41e6:ebbe]) by OPEXCLILM7F.corporate.adroot.infra.ftgroup ([fe80::c1d7:e278:e357:11ad%19]) with mapi id 14.03.0319.002; Thu, 20 Oct 2016 15:28:02 +0200
From: <>
To: Hilarie Orman <>, "" <>, "" <>
Thread-Topic: Security review of draft-ietf-l3sm-l3vpn-service-model-16 YANG Data Model for L3VPN service delivery
Thread-Index: AQHSIylt3pEAtJd4K0qTTHQdGmYrLaCxYu8Q
Date: Thu, 20 Oct 2016 13:28:01 +0000
Message-ID: <15009_1476970082_5808C662_15009_624_1_9E32478DFA9976438E7A22F69B08FF921DB26F21@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
References: <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [secdir] Security review of draft-ietf-l3sm-l3vpn-service-model-16 YANG Data Model for L3VPN service delivery
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Oct 2016 13:28:06 -0000


Please find some comments inline


-----Original Message-----
From: Hilarie Orman [] 
Sent: Monday, October 10, 2016 21:05
Subject: Security review of draft-ietf-l3sm-l3vpn-service-model-16 YANG Data Model for L3VPN service delivery

[Including subject line on resend]

Security review of YANG Data Model for L3VPN service delivery

Do not be alarmed.  I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The document uses the YANG data model to describe an abstracted view of Layer 3 Provider Provisioned VPN services.

The model has specific support for describing authentication and encryption requirements.  Perhaps I'm not imaginative enough to understand how they would be used, but my impression is that the models are incomplete.

    grouping site-security-authentication {
     container authentication {
       "Authentication parameters";
      "This grouping defines authentication
      for a site";

In the data model shown above for "authentication", I'm not sure who the parties in the authentication are and where enforcement takes place.  This may be evident to those who are more familiar with VPN provisioning.  If so, some additional description would be helpful.

[SLI] We are not defining any authentication mechanism in the model. The container is just there to allow easy augmentation. This is stated in section 5.9.1.

    grouping site-security-encryption {
     container encryption {
      if-feature encryption;
      leaf enabled {
       type boolean;
        "If true, access encryption is required.";
      leaf layer {
       type enumeration {
        enum layer2 {
          "Encryption will occur at layer2.";
        enum layer3 {
          "IPSec is requested.";

Is IPSec the only layer 3 encryption method that is supported?
[SLI] I think the description is bad, it can be any layer 3 encryption mechanism, IPSec is one.

        "Layer on which encryption is applied.";
      container encryption-profile {
       choice profile {
        case provider-profile {
         leaf profile-name {
          type string;
           "Name of the SP profile
           to be applied.";

The "SP profile" is something defined by the service provider.  All the parameters and their interpretations are defined in some out-of-band way by the service provider.  This seems to impose a great deal of difficulty for the customer. 
[SLI] Yes there is a need of out of band discussion. Operator is allowing customer to use a set of profiles. It's not really difficult as today, most of the SPs works this way with customers.

 Should the provider arbitrarily change the definition, the customer's configuration parameters might be dangerously misinterpreted.  
[SLI] We usually do not change the definition of the profile because it is linked to a particular service selled to a customer. We can change parameters that does not affect the service.

Or, a customer trying to move to a different service provider might see a similar profile and try to use the same parameters.  Subtle differences in interpretation could lead to a security vulnerability.

        case customer-profile {
         leaf algorithm {
          type string;
           "Encryption algorithm to
           be used.";
         choice key-type {
          case psk {
           leaf preshared-key {
            type string;
             "Key coming from

How does the customer submit the key?  Should there be a key identifier?  Perhaps the customer and the provider have a public key communication channel and the customer encrypts the keys and sends them to the provider, identifying them through the key identifiers?
Is there a key update procedure?
[SLI] The only supported method here is to submit the key through the RESTCONF or NETCONF over a secured channel.

          case pki {

           "Type of keys to be used.";

Is "type of keys" supposed to imply the algorithm for key derivation?
[SLI] The model does not support PKI, container is there just for augmentation. This is not highlighted , I can add it.

         "Choice of profile.";
        "Profile of encryption to be applied.";

I assume the profiles are the opaque "external identifiers"?
[SLI] Right.

"5.14.  External ID references

   The service model sometimes refers to external information through
   identifiers.  As an example, to order a cloud-access to a particular
   Cloud Service Provider (CSP), the model uses an identifier to refer
   to the targeted CSP.  In case, a customer is using directly this
   service model as an API (through REST or NETCONF for example) to
   order a particular service, the service provider should provide a
   list of authorized identifiers.  In case of cloud-access, the service
   provider will provide the identifiers associated of each available
   CSP.  The same applies to other identifiers like std-qos-profile, oam
   profile-name, provider-profile for encryption ...

   How SP provides those identifiers meaning to the customer is out of
   scope of this document."

If the request is spoofed or misunderstood in some way, then the encryption may be downgraded.  How is the configuration protected?

[SLI] I'm not sure it does really deal with this service model itself, it's more a global issue that the SP need to address.

I think there should be a way to sign a model.  There is an implied contract between the customer and the network owner, and the authenticity of the request seems paramount.

An example of the very confusing typos that are sprinkled throughout the document:
  "I want my current site-network-access to be not be connected on the
   same PoP ..."

Another confusing statement:
"1.  Introduction

   This document defines a YANG data model for communication between
   customers and network operators, and to provide input to automated
   control and configuration applications.

The introduction does not conform to the rules of English grammar.
I'm not entirely sure what it means.  Perhaps

" This document defines a YANG data model.  The model defines elements
   that can be used in communication protocols between customers and
   network operators.  Those elements can be used also as input to
   automated control and configuration applications.  "  ??

The document is marred by running afoul of the two notoriously difficult aspects of English grammar: subject/verb agreement and articles.  The errors are too numerous to mention.  For the most part, the meaning of the afflicted sentences is clear, but not always.  The document should not be published until the errors are corrected.


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.