Early Review of draft-ietf-netconf-restconf-09
review-ietf-netconf-restconf-09-secdir-early-xia-2016-01-14-00

Request Review of draft-ietf-netconf-restconf
Requested rev. no specific revision (document currently at 18)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2016-10-11
Requested 2015-12-22
Other Reviews Genart Early review of -09 by Robert Sparks (diff)
Genart Last Call review of -15 by Robert Sparks (diff)
Genart Last Call review of -15 by Dale Worley (diff)
Genart Telechat review of -17 by Dale Worley (diff)
Secdir Last Call review of -15 by Liang Xia (diff)
Opsdir Early review of -13 by Lionel Morand (diff)
Review State Completed
Reviewer Liang Xia
Review review-ietf-netconf-restconf-09-secdir-early-xia-2016-01-14
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg06326.html
Reviewed rev. 09 (document currently at 18)
Review result Has Issues
Draft last updated 2016-01-14
Review completed: 2016-01-14

Review
review-ietf-netconf-restconf-09-secdir-early-xia-2016-01-14






Hello,




 




I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area
 directors.  Document editors and WG chairs should treat these comments just like any other last call comments.




 




 




This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastores defined in NETCONF.




 




 




The document appears in reasonably good shape.




 




In general, the RESTCONF is an application protocol layered on the HTTP protocol. As mentioned in the document, just using the HTTPS (with TLS) can address most of the security issues such as confidentiality, integrity,
 etc. In other words, RESTCONF is designed inherently based on a good security foundation.





 




But there are still several security issues (TBDs) missing in the document that need to be addressed before publication.




 




 




Below is a series of my comments, questions for your consideration.




 




 




Discussion: Section 2




Since this section is all about the security requirements to the RESTCONF transport protocol, is it appropriate to combine it into the security consideration section directly?




 




 




Questions: 




Section 4.3




What is the error handling if GET method is used to retrieve the operational resources?




 




Section 4.5




What is the error handing if PUT method does not include the message body?




 




Generally, the similar problems like the above two appear several times in the document, please double check them.




 




 




Comments: Section 12




In the security considerations section, there are still some serious security issues not mentioned:




1. DDoS attack: One RESTCONF client is possible to communicate with a lot of RESTCONF servers, which potentially leads to the situation of DDoS attack to itself or its link. How to avoid or mitigate it?




2. Replay attack: the attacker records a sequence of messages off the wire and plays them back to the RESTCONF server/client. To protect against it, the common methods include using timestamp or sequence id.




 




 




Questions: Section 12




1. "Security considerations for the content manipulated by RESTCONF can be found in the documents defining data models.": which documents are mentioned in this sentence for defining data models?




2. nits: "Implementors SHOULD provide a comprehensive authorization scheme with...". Here, should "authorization" be "authentication"?




 




 




Thank you.




 




B.R.




Frank