
Last Call Review of draft-ietf-netmod-nmda-diff-09
review-ietf-netmod-nmda-diff-09-secdir-lc-melnikov-2021-07-01-00

Request Review of draft-ietf-netmod-nmda-diff
Requested revision No specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-07-02
Requested 2021-06-18
Authors Alexander Clemm , Yingzhen Qu , Jeff Tantsura , Andy Bierman
Draft last updated 2021-07-01
Completed reviews Yangdoctors Last Call review of -06 by Reshad Rahman (diff)
Opsdir Last Call review of -09 by Shwetha Bhandari (diff)
Genart Last Call review of -10 by Matt Joras (diff)
Secdir Last Call review of -09 by Alexey Melnikov (diff)
Assignment Reviewer Alexey Melnikov
State Completed
Review review-ietf-netmod-nmda-diff-09-secdir-lc-melnikov-2021-07-01
Posted at https://mailarchive.ietf.org/arch/msg/secdir/3qXpdpifYuDlt4_JWCiJeq7-zAQ
Reviewed revision 09 (document currently at 12)
Result Has Nits
Completed 2021-07-01
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document defines an RPC operation to compare management
datastores that comply with the NMDA architecture.
The Security Considerations section talks about a couple of issues specific to
the new operation:
1) sensitivity of the new "compare" operation and how access control rights
to access it should be restricted.
2) performance considerations of running "compare" and
how it can lead to Denial-of-Service, if the number of requests allowed
in any given time interval is not restricted.
I can't think of other security issues raised by this document that are
missing from it.

Nits:

In Section 6:

>   The same request in RESTCONF (using JSON format):
>
>   POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
>   Host: example.com
>   Content-Type: application/yang-data+json
>   Accept: application/yang-d

Please insert an empty line after the HTTP request header and before the
following payload, or your example is not syntactically valid.

Also, I don't see "application/yang-d" in the list of registered media types on
<https://www.iana.org/assignments/media-types/media-types.xhtml>. Did I miss it?

>   { "ietf-nmda-compare:input" {
>      "source" : "ietf-datastores:operational",
>      "target" : "ietf-datastores:intended",
>      "report-origin" : null,
>      "xpath-filter" : "/ietf-interfaces:interfaces"
>      }
>   }
>
>   The same response in RESTCONF (using JSON format):
>
>  HTTP/1.1 200 OK
>  Date: Thu, 26 Jan 2019 20:56:30 GMT
>  Server: example-server
>  Content-Type: application/yang-d

Similar to the above, you need an empty line inserted here.

>  { "ietf-nmda-compare:output" : {
>      "differences" : {
>        "ietf-yang-patch:yang-patch" : {
>          "patch-id" : "interface status",
>          "comment" : "diff between intended (source) and operational",
>          "edit" : [
>            {
>              "edit-id" : "1",
>              "operation" : "replace",
>              "target" : "/ietf-interfaces:interface=eth0/enabled",
>              "value" : {
>                 "ietf-interfaces:interface/enabled" : "false"
>              },
>              "source-value" : {
>                 "ietf-interfaces:interface/enabled" : "true",
>                 "@ietf-interfaces:interface/enabled" : {
>                   "ietf-origin:origin" : "ietf-origin:learned"
>                 }
>               }
>            },
>            {
>              "edit-id" : "2",
>              "operation" : "create",
>              "target" : "/ietf-interfaces:interface=eth0/description",
>              "value" : {
>                 "ietf-interface:interface/description" : "ip interface"
>              }
>            }
>          ]
>        }
>      }
>    }
>  }

Best Regards,
Alexey
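As an added example (not part of the review or of the draft), a Python sketch that frames the RESTCONF compare request the way the nit asks for, with the registered media type and the empty line between headers and payload, and that flattens the yang-patch differences in a compare response; the host, the sample response body and the helper names are constructed for illustration:

```python
import json

# Registered RESTCONF media type for JSON YANG data (RFC 8040); the quoted draft text truncates it to "application/yang-d".
YANG_JSON = "application/yang-data+json"

def build_compare_request(host, source, target, xpath_filter):
    # Serialize a RESTCONF POST invoking ietf-nmda-compare:compare. The header
    # block ends with an empty line (CRLF CRLF) before the JSON payload, which
    # is the HTTP framing the review asks the draft's example to show.
    body = json.dumps({"ietf-nmda-compare:input": {
        "source": source, "target": target,
        "report-origin": None,            # encoded as null, as in the draft's example
        "xpath-filter": xpath_filter}}).encode()
    headers = ["POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1",
               f"Host: {host}", f"Content-Type: {YANG_JSON}",
               f"Accept: {YANG_JSON}", f"Content-Length: {len(body)}"]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body

def split_http_message(raw):
    # Return (header lines, body); a message with no blank-line separator is rejected.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed HTTP message: no empty line after headers")
    return head.decode().split("\r\n"), body

def summarize_differences(response_body):
    # Flatten the yang-patch edits into (edit-id, operation, target, source, value, origin).
    out = json.loads(response_body)["ietf-nmda-compare:output"]
    rows = []
    for edit in out["differences"]["ietf-yang-patch:yang-patch"]["edit"]:
        src = edit.get("source-value", {})
        val = edit.get("value", {})
        src_val = next((v for k, v in src.items() if not k.startswith("@")), None)
        # "@<leaf>" carries the origin metadata annotation when report-origin was requested
        origin = next((m.get("ietf-origin:origin") for k, m in src.items() if k.startswith("@")), None)
        rows.append((edit["edit-id"], edit["operation"], edit["target"],
                     src_val, next(iter(val.values()), None), origin))
    return rows

# Constructed sample response body, modelled on the draft example quoted in the review.
SAMPLE_RESPONSE = json.dumps({"ietf-nmda-compare:output": {"differences": {
    "ietf-yang-patch:yang-patch": {"patch-id": "interface status", "edit": [
        {"edit-id": "1", "operation": "replace",
         "target": "/ietf-interfaces:interface=eth0/enabled",
         "value": {"ietf-interfaces:interface/enabled": "false"},
         "source-value": {"ietf-interfaces:interface/enabled": "true",
                          "@ietf-interfaces:interface/enabled": {"ietf-origin:origin": "ietf-origin:learned"}}},
        {"edit-id": "2", "operation": "create",
         "target": "/ietf-interfaces:interface=eth0/description",
         "value": {"ietf-interfaces:interface/description": "ip interface"}}]}}}}).encode()
```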