Hi -

On 1/12/2018 8:00 AM, Juergen Schoenwaelder wrote:
> On Fri, Jan 12, 2018 at 09:23:28AM -0500, Kathleen Moriarty wrote:
>> Hi Juergen,
>>
>> On Fri, Jan 12, 2018 at 4:45 AM, Juergen Schoenwaelder
>> <[email protected]> wrote:
>>> On Thu, Jan 11, 2018 at 11:03:30AM -0500, Kathleen Moriarty wrote:
>>>> Hi Juergen,
>>>>
>>>> Thank you very much for the additional information.  This was very
>>>> helpful.  Benoit and I discussed it a bit further on the telechat and
>>>> some text changes in the introduction and security considerations
>>>> section to provide some of this information for the reader will be
>>>> helpful.  I got the explanations and appreciate them and from the
>>>> explanations, my discuss questions have been answered and I'll switch
>>>> this to a no objection leaving you and Benoit to add the text as
>>>> helpful for other readers.
>>>
>>> Kathleen,
>>>
>>> we propose to add this text to the security considerations:
>>>
>>>    The origin metadata annotation exposes the origin of values in the
>>>    applied configuration. Origin information may provide hints that
>>>    certain control plane protocols are active on a device. Since origin
>>>    information is tied to applied configuration values, it is only
>>>    accessible to clients that have the permissions to read the applied
>>>    configuration values. Security administrators should consider the
>>>    sensitivity of origin information while defining access control
>>>    rules.
>>
>> Thank you, that is very helpful.  Would it also be possible to add
>> text in the introduction on where the data for these values comes from
>> (the device itself)?
>
> The Introduction does not really talk about the origin annotation
> details and hence it seems such text would be misplaced or at least
> confusing to read.  The definition of origin is in section 5.3.4. This
> section starts with:
>
>     As configuration flows into <operational>, it is conceptually marked
>     with a metadata annotation ([RFC7952]) that indicates its origin.
>
> Since the whole data flow between datastores resides on a 'device', it
> seems clear that the origin values are added by the device itself. And
> if any clarification is needed, I think it belongs into 5.3.4 and not
> into the Introduction.

Except when the netmod server is acting as a "front" for other devices.

Randy
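The point in the proposed security considerations text, that origin annotations travel with the applied configuration values and therefore fall under the same read access control, illustrated with an added example (not part of this thread or of any netmod implementation). The datastore excerpt and the whole-subtree permission model are constructed for the illustration; the ietf-origin namespace URI is assumed and the logic does not depend on it.

```python
import xml.etree.ElementTree as ET

# Namespace of the ietf-origin module (RFC 8342); assumed here, the
# filtering logic does not depend on the exact URI.
ORIGIN_NS = "urn:ietf:params:xml:ns:yang:ietf-origin"
ORIGIN_ATTR = "{%s}origin" % ORIGIN_NS

# Constructed <operational> excerpt. The or:learned annotation on the
# OSPF subtree is exactly the kind of hint that a control plane protocol
# is active, which the proposed text says administrators should weigh.
OPERATIONAL = """<data xmlns:or="%s">
  <interfaces>
    <interface or:origin="or:intended">
      <name>eth0</name>
      <mtu or:origin="or:system">1500</mtu>
    </interface>
  </interfaces>
  <routing>
    <ospf or:origin="or:learned">
      <area>0.0.0.0</area>
    </ospf>
  </routing>
</data>""" % ORIGIN_NS

def filter_for_client(xml_text, readable_subtrees):
    """Return a copy of the datastore holding only the top-level subtrees
    the client may read (a deliberately simplified access-control rule).
    Dropping a subtree drops its values and the origin annotations on
    them together, so no origin hint leaks for unreadable data."""
    root = ET.fromstring(xml_text)
    for child in list(root):
        if child.tag not in readable_subtrees:
            root.remove(child)
    return root

def visible_origins(xml_text, readable_subtrees):
    """Map element path -> origin for each annotated node the client can
    still see after filtering; this is what the client could infer."""
    root = filter_for_client(xml_text, readable_subtrees)
    found = {}
    def walk(elem, path):
        here = path + "/" + elem.tag
        if ORIGIN_ATTR in elem.attrib:
            found[here] = elem.attrib[ORIGIN_ATTR]
        for child in elem:
            walk(child, here)
    for child in root:
        walk(child, "")
    return found

if __name__ == "__main__":
    print(visible_origins(OPERATIONAL, {"interfaces", "routing"}))
    print(visible_origins(OPERATIONAL, {"interfaces"}))
```

A client allowed to read only the interfaces subtree never sees the or:learned annotation, so the access rule on the values also governs the origin hint.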

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod