Re: [netmod] Eric Rescorla's No Objection on draft-ietf-netmod-syslog-model-23: (with COMMENT)

2018-03-08 Thread Benoit Claise

On 3/8/2018 2:15 PM, Eric Rescorla wrote:

On Thu, Mar 8, 2018 at 12:41 AM, Benoit Claise wrote:

Eric,

Eric Rescorla has entered the following ballot position for
draft-ietf-netmod-syslog-model-23: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/




--
COMMENT:
--

https://mozphab-ietf.devsvcdev.mozaws.net/D4614


It's not a problem with this document, but I took a quick look at
draft-ietf-netconf-tls-client-server and I've got some concerns. Here are a few
examples:

- You can set the cipher suite but not key sizes and groups
- You can say sort of incoherent things in TLS like "I support TLS 1.0 and TLS
  1.2 but not TLS 1.1" (there is no way to negotiate this in TLS 1.2)

I'll try to get a chance to give this a real review, but I wanted to mention it
before I forgot.

   We are using definitions of syslog protocol from [RFC5424] in this
   RFC.
Not a big deal, but this introduction feels like it ought to say what the
document is about, not just about syslog.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter.  When
   filtering severity, the default comparison is that messages of the
This seems to be the first use of the term filter to mean this entity

I'm not sure I understand the call for action here.
In the YANG module, we called this facility-filter:


The introductory text here says:

   "Within each action, a selector is used to filter syslog messages.  A
   selector consists of a list of one or more facility-severity matches,
   and, if supported via the select-match feature, an optional regular
   expression pattern match that is performed on the [RFC5424] field."

Perhaps:

"A selector consists of a list of one or more filters specified by
facility-severity pairs and, if supported..."

Got it. That makes sense.




   container facility-filter {
     description
       "This container describes the syslog filter parameters.";
     list facility-list {
       ...


   subtree, implementations MUST NOT specify a private key that is
   used for any other purpose.
It seems like the data that syslog writes is sensitive, so the ability to write
a destination reflects a high degree of risk.

Again, what is the call for action here?


That the text say that writing those fields is dangerous. This is
related to the secdir review comment that Kathleen amplifies in her
comment.

Ack.


Regards, Benoit

-Ekr

Regards, B.

___
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
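The selector semantics settled in the exchange above (a list of facility-severity filters, the "all" and "none" special cases, and the optional regular-expression match), worked through as an added example; this is not code from the thread or from the draft's YANG module. The draft text quoted in the thread is cut off before it states the default comparison, so the code assumes the common syslog convention that a filter for severity S also selects more severe messages (lower RFC 5424 codes), with an "equals" alternative; it also assumes the regex is applied to the MSG part, since the thread elides which RFC 5424 field the draft names. The sample lines are constructed (the first two reproduce the examples in RFC 5424 section 6.5), and the facility short names follow common syslog usage for RFC 5424's numeric table rather than any identifier the thread shows.

```python
"""Facility/severity selector over RFC 5424 syslog messages (added example).
Assumed, because the draft text quoted in the thread is cut off: a filter
for severity S selects S and anything more severe (lower code) unless its
compare is 'equals'; 'all' matches every severity, 'none' disables the
filter; the optional regex is applied to the MSG part of the message.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity, 0 <= PRI <= 191.
# Facility short names follow common syslog usage for the numeric table.
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug")
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "console", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7")

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>\d{1,2} (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int
    app: str
    structured_data: str
    msg: str


def _split_sd(rest: str) -> Tuple[str, str]:
    """Split 'SD SP MSG'; SD is '-' or [...] elements, with backslash escapes."""
    if rest.startswith("-"):
        return "-", rest[2:]
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1      # '\]' does not close the element
        if j >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        i = j + 1
    if i == 0:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    return rest[:i], rest[i + 1:]


def parse_rfc5424(line: str) -> SyslogMessage:
    """Parse the header, derive facility/severity from PRI, split SD from MSG."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("header does not match RFC 5424 syntax")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    sd, msg = _split_sd(m["rest"])
    return SyslogMessage(FACILITIES[fac], SEVERITIES[sev], sev, m["app"], sd, msg)


@dataclass(frozen=True)
class FacilityFilter:
    facility: str                        # facility name or "all"
    severity: str                        # severity name, "all" or "none"
    compare: str = "equals-or-higher"    # or "equals"

    def matches(self, m: SyslogMessage) -> bool:
        if self.severity == "none" or self.facility not in ("all", m.facility):
            return False                 # 'none' disables the filter outright
        if self.severity == "all":
            return True
        wanted = SEVERITIES.index(self.severity)
        if self.compare == "equals":
            return m.severity_code == wanted
        return m.severity_code <= wanted  # lower code = more severe


@dataclass(frozen=True)
class Selector:
    filters: Tuple[FacilityFilter, ...]
    pattern: Optional[str] = None        # regex over MSG (select-match feature)

    def matches(self, m: SyslogMessage) -> bool:
        if not any(f.matches(m) for f in self.filters):
            return False
        return self.pattern is None or re.search(self.pattern, m.msg) is not None


# Constructed sample input: lines 1-2 reproduce RFC 5424 section 6.5 examples.
SAMPLE_LINES = (
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
    "'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - "
    "%% It's time to make the do-nuts.",
    '<13>1 2018-03-08T10:00:00Z host1 sshd 42 - '
    '[exampleSDID@32473 iut="3"] Accepted publickey for alice',
)


def select(selector: Selector, lines: Tuple[str, ...] = SAMPLE_LINES) -> Tuple[str, ...]:
    """Return the APP-NAME of every message the selector passes, in order."""
    return tuple(m.app for m in map(parse_rfc5424, lines) if selector.matches(m))
```

A call such as `select(Selector((FacilityFilter("auth", "error"),)))` returns `("su",)`: the su message has PRI 34, i.e. facility 4 (auth) and severity 2 (critical), and critical is more severe than error, so the default comparison passes it while `compare="equals"` would not. A filter with severity "none" never matches anything, which is the disabled-filter case the draft text describes.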


Re: [netmod] Eric Rescorla's No Objection on draft-ietf-netmod-syslog-model-23: (with COMMENT)

2018-03-08 Thread Eric Rescorla
On Thu, Mar 8, 2018 at 12:41 AM, Benoit Claise wrote:

> Eric,
>
> Eric Rescorla has entered the following ballot position for
> draft-ietf-netmod-syslog-model-23: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/
>
>
>
> --
> COMMENT:
> --
> https://mozphab-ietf.devsvcdev.mozaws.net/D4614
>
> It's not a problem with this document, but I took a quick look at
> draft-ietf-netconf-tls-client-server and I've got some concerns. Here are a few
> examples:
>
> - You can set the cipher suite but not key sizes and groups
> - You can say sort of incoherent things in TLS like "I support TLS 1.0 and TLS
>   1.2 but not TLS 1.1" (there is no way to negotiate this in TLS 1.2)
>
> I'll try to get a chance to give this a real review, but I wanted to mention it
> before I forgot.
>
>    We are using definitions of syslog protocol from [RFC5424] in this
>    RFC.
> Not a big deal, but this introduction feels like it ought to say what the
> document is about, not just about syslog.
>
>    The severity is one of type syslog-severity, all severities, or none.
>    None is a special case that can be used to disable a filter.  When
>    filtering severity, the default comparison is that messages of the
> This seems to be the first use of the term filter to mean this entity
>
> I'm not sure I understand the call for action here.
> In the YANG module, we called this facility-filter:
>

The introductory text here says:

   "Within each action, a selector is used to filter syslog messages.  A
   selector consists of a list of one or more facility-severity matches,
   and, if supported via the select-match feature, an optional regular
   expression pattern match that is performed on the [RFC5424] field."

Perhaps:

"A selector consists of a list of one or more filters specified by
facility-severity pairs and, if supported..."


>    container facility-filter {
>      description
>        "This container describes the syslog filter parameters.";
>      list facility-list {
>        ...
>
>    subtree, implementations MUST NOT specify a private key that is
>    used for any other purpose.
> It seems like the data that syslog writes is sensitive, so the ability to write
> a destination reflects a high degree of risk.
>
> Again, what is the call for action here?
>

That the text say that writing those fields is dangerous. This is related
to the secdir review comment that Kathleen amplifies in her comment.

-Ekr


> Regards, B.
>


Re: [netmod] Eric Rescorla's No Objection on draft-ietf-netmod-syslog-model-23: (with COMMENT)

2018-03-08 Thread Benoit Claise

Eric,

Eric Rescorla has entered the following ballot position for
draft-ietf-netmod-syslog-model-23: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/



--
COMMENT:
--

https://mozphab-ietf.devsvcdev.mozaws.net/D4614

It's not a problem with this document, but I took a quick look at
draft-ietf-netconf-tls-client-server and I've got some concerns. Here are a few
examples:

- You can set the cipher suite but not key sizes and groups
- You can say sort of incoherent things in TLS like "I support TLS 1.0 and TLS
  1.2 but not TLS 1.1" (there is no way to negotiate this in TLS 1.2)

I'll try to get a chance to give this a real review, but I wanted to mention it
before I forgot.

   We are using definitions of syslog protocol from [RFC5424] in this
   RFC.
Not a big deal, but this introduction feels like it ought to say what the
document is about, not just about syslog.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter.  When
   filtering severity, the default comparison is that messages of the
This seems to be the first use of the term filter to mean this entity

I'm not sure I understand the call for action here.
In the YANG module, we called this facility-filter:

   container facility-filter {
     description
       "This container describes the syslog filter parameters.";
     list facility-list {
       ...



   subtree, implementations MUST NOT specify a private key that is
   used for any other purpose.
It seems like the data that syslog writes is sensitive, so the ability to write
a destination reflects a high degree of risk.

Again, what is the call for action here?

Regards, B.



[netmod] Eric Rescorla's No Objection on draft-ietf-netmod-syslog-model-23: (with COMMENT)

2018-03-07 Thread Eric Rescorla
Eric Rescorla has entered the following ballot position for
draft-ietf-netmod-syslog-model-23: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/



--
COMMENT:
--

https://mozphab-ietf.devsvcdev.mozaws.net/D4614

It's not a problem with this document, but I took a quick look at
draft-ietf-netconf-tls-client-server and I've got some concerns. Here are a few
examples:

- You can set the cipher suite but not key sizes and groups
- You can say sort of incoherent things in TLS like "I support TLS 1.0 and TLS
  1.2 but not TLS 1.1" (there is no way to negotiate this in TLS 1.2)

I'll try to get a chance to give this a real review, but I wanted to mention it
before I forgot.

   We are using definitions of syslog protocol from [RFC5424] in this
   RFC.
Not a big deal, but this introduction feels like it ought to say what the
document is about, not just about syslog.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter.  When
   filtering severity, the default comparison is that messages of the
This seems to be the first use of the term filter to mean this entity

   subtree, implementations MUST NOT specify a private key that is
   used for any other purpose.
It seems like the data that syslog writes is sensitive, so the ability to write
a destination reflects a high degree of risk.


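Eric's TLS point above, worked through as an added example that is not code from the thread or from draft-ietf-netconf-tls-client-server: a validator that flags a configured version set with a gap such as {TLS 1.0, TLS 1.2}, alongside a small model of pre-1.3 version negotiation that shows why such a gap cannot be expressed on the wire. In TLS 1.0 through 1.2 the ClientHello carries a single client_version (the highest the client supports) and the server selects the highest version it supports that does not exceed it, so a client can only describe a contiguous range; TLS 1.3's supported_versions extension lists versions explicitly, but a pre-1.3 server ignores it. The version names, the (level, message) finding tuples and the error/warning split are this example's own conventions.

```python
"""Coherence check for a configured set of TLS protocol versions (added example).

Before TLS 1.3 the ClientHello carries only client_version, the highest
version the client supports, and the server answers with the highest version
it supports that is <= that value.  A client therefore cannot say "1.0 and
1.2 but not 1.1": a server whose maximum is 1.1 will select 1.1 and the
client must abort with protocol_version.  TLS 1.3 adds supported_versions,
which lists versions explicitly, but a pre-1.3 server ignores it.
"""
from typing import FrozenSet, List, Optional, Tuple

TLS_VERSIONS: Tuple[str, ...] = ("tls1.0", "tls1.1", "tls1.2", "tls1.3")
ORD = {name: i for i, name in enumerate(TLS_VERSIONS)}  # ordinal follows wire order


def validate_version_set(enabled: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Return (level, message) findings for a configured version set.

    A gap inside the enabled range is an 'error' when tls1.3 is not enabled
    (nothing on the wire can signal the gap) and a 'warning' when it is
    (supported_versions tells 1.3 peers, but legacy peers still miss it).
    """
    findings: List[Tuple[str, str]] = []
    unknown = sorted(enabled - set(TLS_VERSIONS))
    if unknown:
        findings.append(("error", f"unknown version(s): {unknown}"))
    codes = sorted(ORD[v] for v in enabled if v in ORD)
    if not codes:
        findings.append(("error", "no TLS version enabled"))
        return findings
    gaps = [TLS_VERSIONS[i] for i in range(codes[0], codes[-1] + 1) if i not in codes]
    if gaps:
        level = "warning" if "tls1.3" in enabled else "error"
        findings.append((level, f"non-contiguous version set, missing {gaps}"))
    return findings


def legacy_negotiate(client: FrozenSet[str], server: FrozenSet[str]) -> Optional[str]:
    """Model pre-TLS-1.3 version negotiation between two version sets.

    The client advertises only its maximum; the server picks the highest
    version it supports that does not exceed it.  Returns the negotiated
    version, or None when the handshake fails: the server has nothing at or
    below the client maximum, or it picked a version that the client's
    maximum implied but the client does not actually support.
    """
    if "tls1.3" in client or "tls1.3" in server:
        raise ValueError("legacy model only covers versions up to tls1.2")
    client_max = max(ORD[v] for v in client)
    acceptable = [ORD[v] for v in server if ORD[v] <= client_max]
    if not acceptable:
        return None
    chosen = TLS_VERSIONS[max(acceptable)]
    return chosen if chosen in client else None


def demo() -> dict:
    """Run the thread's {1.0, 1.2} example against a server whose maximum is 1.1."""
    incoherent = frozenset({"tls1.0", "tls1.2"})
    contiguous = frozenset({"tls1.0", "tls1.1", "tls1.2"})
    old_server = frozenset({"tls1.0", "tls1.1"})
    return {
        "findings": validate_version_set(incoherent),
        "incoherent_vs_old_server": legacy_negotiate(incoherent, old_server),
        "contiguous_vs_old_server": legacy_negotiate(contiguous, old_server),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows the failure mode concretely: with {1.0, 1.2} enabled the client advertises 1.2, a 1.1-maximum server selects 1.1, and the client has to abort even though the two sides share 1.0. With the contiguous set the same exchange negotiates 1.1. A YANG module that lets an operator enable versions as an arbitrary list should therefore either constrain the list to a range or reject such configurations, which is the gap Eric points at.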