Thanks Balazs for heads up. I think the security guideline we are currently 
following is one defined in the following link:
https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
If it is an issue, I believe it applies to all YANG related documents.

-Qin
-----Original Message-----
From: netmod [mailto:[email protected]] On Behalf Of Balázs Lengyel
Sent: 10 March 2020 19:59
To: '[email protected]' <[email protected]>
Subject: [netmod] FW: Secdir last call review of draft-ietf-netmod-factory-default-14

As an author of netmod drafts I would like to see some general guidance on this 
issue. Can someone help please.
Balazs

-----Original Message-----
From: Stephen Kent via Datatracker <[email protected]> 
Sent: Monday, 9 March 2020 20:15
To: [email protected]
Cc: [email protected]; [email protected]; 
[email protected]
Subject: Secdir last call review of draft-ietf-netmod-factory-default-14

Reviewer: Stephen Kent
Review result: Has Issues

SECDIR review of draft-ietf-netmod-factory-default-14

Section 6, Security Considerations, calls for use of SSH (RFC 6242) with 
NETCONF and HTTPS (RFC 8446) with RESTCONF. The TLS reference is current, 
citing TLS v1.3. However, RFC 6242 is a document that describes how to use SSH 
with NETCONF. That document, in turn, cites RFC 4254, and that RFC cites RFC
4253 for a description of SSH. 4253 is a very much out of date document; the 
integrity and key management algorithms in the original RFC have been updated 3 
times (6668, 8268, and 8332). The encryption algorithms cited in 4253 are all 
outdated. This discussion of SSH security for use with NETCONF, based on the 
one citation, seems to be inconsistent with current IETF crypto guidelines.
This is a problem that the net management area should address before this 
document is approved.

The discussion of how a factory-reset RPC may isolate a device is good, as is 
the warning about not relying on this RPC to prevent recovery of 
security-sensitive data from NV storage.
