On Fri, Jan 12, 2018 at 11:00 AM, Juergen Schoenwaelder <[email protected]> wrote:
> On Fri, Jan 12, 2018 at 09:23:28AM -0500, Kathleen Moriarty wrote:
>> Hi Juergen,
>>
>> On Fri, Jan 12, 2018 at 4:45 AM, Juergen Schoenwaelder
>> <[email protected]> wrote:
>> > On Thu, Jan 11, 2018 at 11:03:30AM -0500, Kathleen Moriarty wrote:
>> >> Hi Juergen,
>> >>
>> >> Thank you very much for the additional information. This was very
>> >> helpful. Benoit and I discussed it a bit further on the telechat and
>> >> some text changes in the introduction and security considerations
>> >> section to provide some of this information for the reader will be
>> >> helpful. I got the explanations and appreciate them and from the
>> >> explanations, my discuss questions have been answered and I'll switch
>> >> this to a no objection leaving you and Benoit to add the text as
>> >> helpful for other readers.
>> >>
>> >
>> > Kathleen,
>> >
>> > we propose to add this text to the security considerations:
>> >
>> >   The origin metadata annotation exposes the origin of values in the
>> >   applied configuration. Origin information may provide hints that
>> >   certain control plane protocols are active on a device. Since origin
>> >   information is tied to applied configuration values, it is only
>> >   accessible to clients that have the permissions to read the applied
>> >   configuration values. Security administrators should consider the
>> >   sensitivity of origin information while defining access control
>> >   rules.
>>
>> Thank you, that is very helpful. Would it also be possible to add
>> text in the introduction on where the data for these values comes from
>> (the device itself)?
>
> The Introduction does not really talk about the origin annotation
> details and hence it seems such text would be misplaced or at least
> confusing to read. The definition of origin is in section 5.3.4. This
> section starts with:
>
>   As configuration flows into <operational>, it is conceptually marked
>   with a metadata annotation ([RFC7952]) that indicates its origin.
>
> Since the whole data flow between datastores resides on a 'device', it
> seems clear that the origin values are added by the device itself. And
> if any clarification is needed, I think it belongs into 5.3.4 and not
> into the Introduction.

That sounds good, thank you.

Kathleen

>
> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

--
Best regards,
Kathleen
_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
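The proposed security-considerations text above makes two claims a reader may want to see concretely: that origin metadata rides along with the applied-configuration value it annotates, so a client sees an origin only if it may read that value, and that the origin values themselves (for instance "learned") hint at which control plane protocols are active. The following Python script is an added example written for this archive page; it is not code from the draft, from the netmod working group, or from any NETCONF/RESTCONF implementation. It applies a simplified NACM-style ordered rule list (first matching path prefix wins, read access permitted by default) to an RFC 7952 JSON-encoded `<operational>` document. The sample document, the interface and the OSPF-learned route in it are constructed for the example; only the encoding ("@" for a container or list entry's metadata, "@leaf" beside a leaf) and the `ietf-origin` identity names follow the cited documents.

```python
"""Filter an NMDA <operational> reply by a client's read permissions and
report which origin identities the client can still see.

In the RFC 7952 JSON encoding, "@" inside an object carries metadata for
that container or list entry, and "@name" next to a leaf "name" carries
metadata for that leaf.  The filter drops each annotation together with
its data node, so an origin is never visible without its value.
"""
import json

ORIGIN_LEAF = "ietf-origin:origin"

# Origins that say a protocol learned or negotiated the value, and hence
# hint at running control plane protocols (ietf-origin identity names).
CONTROL_PLANE_ORIGINS = {"ietf-origin:learned", "ietf-origin:dynamic"}

# Constructed sample <operational> content; the interface and the route
# are invented for this example, only the encoding is RFC 7952.
SAMPLE_OPERATIONAL = json.loads("""
{
  "ietf-interfaces:interfaces": {
    "interface": [
      {
        "name": "eth0",
        "@name": {"ietf-origin:origin": "ietf-origin:intended"},
        "enabled": true,
        "@enabled": {"ietf-origin:origin": "ietf-origin:intended"},
        "mtu": 1500,
        "@mtu": {"ietf-origin:origin": "ietf-origin:default"}
      }
    ]
  },
  "ietf-routing:routing": {
    "@": {"ietf-origin:origin": "ietf-origin:system"},
    "ribs": {
      "rib": [
        {
          "name": "ipv4-default",
          "routes": {
            "route": [
              {
                "destination-prefix": "10.0.0.0/8",
                "@destination-prefix": {"ietf-origin:origin": "ietf-origin:learned"},
                "source-protocol": "ietf-ospf:ospfv2"
              }
            ]
          }
        }
      ]
    }
  }
}
""")


def readable(path, rules, read_default="permit"):
    """True if the client may read the node at `path`.

    `rules` is an ordered list of (path_prefix, "permit"|"deny"); the first
    rule whose prefix covers the node wins, as in NACM.  Paths are
    slash-joined node names without list keys (a simplification)."""
    for prefix, action in rules:
        if path == prefix or path.startswith(prefix + "/"):
            return action == "permit"
    return read_default == "permit"


def filter_visible(node, rules, path="", read_default="permit"):
    """Return the subset of `node` the client may read, keeping each origin
    annotation only when its annotated data node is kept."""
    if isinstance(node, list):
        return [filter_visible(e, rules, path, read_default) for e in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key.startswith("@"):
            continue  # metadata is emitted with its data node below
        child = f"{path}/{key}"
        if not readable(child, rules, read_default):
            continue  # node and its "@key" annotation are both dropped
        out[key] = filter_visible(value, rules, child, read_default)
        if "@" + key in node:
            out["@" + key] = node["@" + key]
    if "@" in node:  # metadata of this container/entry, which is readable
        out["@"] = node["@"]
    return out


def visible_origins(node):
    """Set of origin identities present in an (already filtered) document."""
    found = set()
    if isinstance(node, list):
        for entry in node:
            found |= visible_origins(entry)
    elif isinstance(node, dict):
        for key, value in node.items():
            if not key.startswith("@"):
                found |= visible_origins(value)
                continue
            annotations = value if isinstance(value, list) else [value]
            for ann in annotations:  # leaf-list metadata is an array
                if isinstance(ann, dict) and ORIGIN_LEAF in ann:
                    found.add(ann[ORIGIN_LEAF])
    return found


def leaks_control_plane_hint(rules, document=SAMPLE_OPERATIONAL):
    """True if the client can infer active control plane protocols."""
    return bool(visible_origins(filter_visible(document, rules)) & CONTROL_PLANE_ORIGINS)


if __name__ == "__main__":
    ops_rules = [("/ietf-routing:routing", "deny")]  # hypothetical role
    for label, rules in (("interface-only client", ops_rules), ("full-read client", [])):
        view = filter_visible(SAMPLE_OPERATIONAL, rules)
        print(label, sorted(visible_origins(view)), leaks_control_plane_hint(rules))
```

The point the filter makes is the one in the proposed text: an access control rule that hides the routing subtree also hides the "learned" origin on the route, so the client denied read access to the applied values cannot use the annotation to infer that OSPF is running; a client with full read access sees it. The rule matcher ignores list keys and NACM's module-level and group features, which is fine for the demonstration but not a substitute for a real NACM implementation.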
