Re: [yang-doctors] Review of draft-ietf-rtgwg-yang-key-chain-13
"Acee Lindem (acee)" <acee@cisco.com> Mon, 20 February 2017 12:53 UTC
Return-Path: <acee@cisco.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1946012947D; Mon, 20 Feb 2017 04:53:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LYlj9QTuBxNn; Mon, 20 Feb 2017 04:53:28 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E6A5129434; Mon, 20 Feb 2017 04:53:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2526; q=dns/txt; s=iport; t=1487595208; x=1488804808; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Oq0hHheM5PUHmVCUR4tfnud0Ti+JEvgE2uWPbGioGLs=; b=PpZCnobijN9McvK3VGFngCsy30iDK3E/w0DBpgTwj+c65jsN5XOnegcf pvo9HMQ1lMp27F6Nuxp86E1a51lDUX9ADaFNg+cZaCs1hMiyHmjXd+/Ni LDTiKs85/8tfnTrSW6ikRCuOZP2CZoxdBdBhVfIfEq5vCzVzwMOcgO6VA k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BwAQCU5qpY/4UNJK1eGgEBAQECAQEBAQgBAQEBg1FhgQkHjVynSIIMKoV4AoI4PxgBAgEBAQEBAQFiKIRxBnkQAgEIRjIlAgQBDQWJbw6vaotOAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWLO4o5BZAIi3wBkhyRCpMhAR84gQBTFT6ESR6BYXUBigOBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.35,186,1484006400"; d="scan'208";a="210648156"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 20 Feb 2017 12:53:05 +0000
Received: from XCH-RTP-015.cisco.com (xch-rtp-015.cisco.com [64.101.220.155]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id v1KCr5ct015004 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 20 Feb 2017 12:53:05 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-015.cisco.com (64.101.220.155) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 20 Feb 2017 07:53:05 -0500
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Mon, 20 Feb 2017 07:53:05 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Ladislav Lhotka <lhotka@nic.cz>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Thread-Topic: Review of draft-ietf-rtgwg-yang-key-chain-13
Thread-Index: AQHSi293pFk9o9mEqEaW7SaUvTwXFqFx2aOA
Date: Mon, 20 Feb 2017 12:53:04 +0000
Message-ID: <D4D04FCC.9CD7D%acee@cisco.com>
References: <148759139687.25976.6374643432126541498.idtracker@ietfa.amsl.com>
In-Reply-To: <148759139687.25976.6374643432126541498.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.196]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <DA05100CE288CB45A75960E847CE98A7@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/EhuP12tzfr_F05HbC7vx2isYL5M>
Cc: "draft-ietf-rtgwg-yang-key-chain.all@ietf.org" <draft-ietf-rtgwg-yang-key-chain.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Subject: Re: [yang-doctors] Review of draft-ietf-rtgwg-yang-key-chain-13
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2017 12:53:30 -0000
Hi Lada, I believe we¹ve addressed all of these other than adding an explicit leaf for key direction (which was discussed on the RTGWG list). The current version is https://www.ietf.org/id/draft-ietf-rtgwg-yang-key-chain-15.txt Thanks, Acee On 2/20/17, 6:49 AM, "Ladislav Lhotka" <lhotka@nic.cz> wrote: >Reviewer: Ladislav Lhotka >Review result: Almost Ready > ># General Comments > >## Cryptographic algorithm types > >What is the reason for representing these as a YANG choice with empty >leaves? I think it would be more natural to use a single leaf, either >an enumeration or (if extensibility is important) identityref. > >## Reusability > >The module defines key-chain as a grouping with the aim of making it >reusable in other modules. However, this approach has known problems >that are discussed in draft-ietf-netmod-schema-mount. I am not sure >how relevant they are in this case but, for one, the "key-chain-ref" >type is not applicable if the "key-chain" grouping is used in another >module. An alternative is not to use the grouping and rely on schema >mount. > >## Key string style > >The difference between ASCII and hexadecimal formats of key strings >should be explained. I understand that the latter is a hash of the key >and, if so, I'd suggest to include "hexadecimal-string" also in state >data. > >Also, I believe that storing clear-text key in configuration is >insecure and Security Considerations should warn against it. > >## Example > >It might be useful to include an appendix with example instance data. > ># Specific comments > >## Sec. 2 > >- paragraph 2: s/where ever/wherever/ > >## Sec. 3 > >- paragraph 1: replace both Key-Id a Key-ID with Key ID (the latter >is used in other places of the > text). >- paragraph 2: the suggested way of supporting asymmetric keys looks >like a hack, I would suggest > a more explicit representation, e.g. using a choice. > >## Sec. 4 > >- The module has inconsistent indentation: up to "grouping >crypto-algorithm-types", top-level > statements are indented with four spaces, the subsequent ones with >five spaces. > >## Sec. 6 > >- The statement "Given that the key chains themselves are sensitive >data, it is RECOMMENDED > that the NETCONF communication channel be encrypted." is >misleading because RFC 6241 > requires that transport protocols for NETCONF guarantee >confidentiality (and RFC 8040 does the > same for RESTCONF). > >
- [yang-doctors] Review of draft-ietf-rtgwg-yang-ke… Ladislav Lhotka
- Re: [yang-doctors] Review of draft-ietf-rtgwg-yan… Ladislav Lhotka
- Re: [yang-doctors] Review of draft-ietf-rtgwg-yan… Acee Lindem (acee)
- Re: [yang-doctors] Review of draft-ietf-rtgwg-yan… Ladislav Lhotka