Hi Roman, Discussion on discuss.
From: Alvaro Retana <[email protected]> Date: Wednesday, August 21, 2019 at 11:11 AM To: "[email protected]" <[email protected]> Cc: Roman Danyliw <[email protected]>, Stephane Litkowski <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, The IESG <[email protected]> Subject: Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26 Resent-From: <[email protected]> Resent-To: Yingzhen Qu <[email protected]>, Christian Hopps <[email protected]>, Acee Lindem <[email protected]> Resent-Date: Wednesday, August 21, 2019 at 11:08 AM [It looks like the datatracker didn’t send out the text to Roman’s DISCUSS. I didn’t receive it, nor do I see it in the mail archive. So I’m pasting it here. — Alvaro.] - - - - - - - - - - - DISCUSS - - - - - - - - - - - A “discuss to discuss”. Per the convention outlined in https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, thank you for clearly noting the implication of not securing these nodes properly. Furthermore, following the convention, I would have expected Section 4 to have enumerated the sensitive writeable/creatable/deletable data nodes; and the sensitive readable nodes individually. For a model this large, I can imagine that individual enumeration would be a long list. It doesn’t make sense to talk about every configurable leaf so the section describes the general problems that can ensue if OSPF protocol configuration is compromised. We could go into classes of writeable nodes but I question what benefit that would actually have. In the case of read operations, the text opens with saying that “some of the readable data nodes ...” and later says “The exposure of the ... LSDB will expose the detailed topology ...”. Can you help me understand which part of ietf-ospf.yang is the LSDB and which parts refer to “some of the readable nodes”? Is there are a difference, or is this text asserting that all parts of the modules are sensitive and need access control? The LSDB refers to the instance, area, virtual link, sham-link, and interface Link State DataBases (LSDB). /ospf/database /ospf/areas/area[area-id]/database /ospf/virtual-links/virtual-link[transit-area-id router-id]/database /ospf/areas/area[area-id]/interfaces/interface[name]/database /ospf/area/area[area-id]/sham-links/sham-link[local-id remote-id]/database All parts are sensitive. The LSDB is more so since it gives visibility beyond the network device itself. A related line of questioning for the write operation. The text opens with saying that “There are a number of data nodes defined in ietf-ospf.yang ... [and that] [w]rite operations ... to these nodes without proper protection can have a negative effect on the network operations ... [and] ... the ability to modify OSPF configuration ...” is problematic. Can you help me understand which parts of the text is the “OSPF configuration” vs. “there are number of data nodes ...”? If there isn’t a different, is the text asserting that all parts of the modules are sensitive and need access control? This is alludes to the “config true” nodes which comprise OSPF configuration. I guess this is a repeat of your first comment. Thanks, Acee - - - - - - - - - - - COMMENT - - - - - - - - - - - (1) Idnits returned a seemingly valid few reference issues: ** Downref: Normative reference to an Experimental RFC: RFC 1765 ** Downref: Normative reference to an Experimental RFC: RFC 4973 (2) Editorial -- Section 4. Isn’t RFC8341, “the Network Configuration Access Control Model” rather than the “NETCONF access control model”? -- Section 4. Typo. s/specificationn/specification/ -- Section 4. Remove the duplicate instance of the phrase “for legacy implementations that do not support key-chains”. -- Section 4. Typo. s/The OSPF YANG module support/the OSPF YANG module supports/ Alvaro Retana
_______________________________________________ Lsr mailing list [email protected] https://www.ietf.org/mailman/listinfo/lsr
