Telechat Review of draft-ietf-netmod-rfc8407bis-25
review-ietf-netmod-rfc8407bis-25-secdir-telechat-nir-2025-05-25-00

Request: Review of draft-ietf-netmod-rfc8407bis
Requested revision: No specific revision (document currently at 28)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2025-06-03
Requested: 2025-05-13
Requested by: Deb Cooley
Authors: Andy Bierman, Mohamed Boucadair, Qin Wu
I-D last updated: 2026-01-09 (Latest revision 2025-06-05)
Completed reviews:
- Yangdoctors IETF Last Call review of -11 by Xufeng Liu
- Yangdoctors Early review of -24 by Xufeng Liu
- Opsdir Early review of -24 by Giuseppe Fioccola
- Dnsdir IETF Last Call review of -24 by Ralf Weber
- Genart IETF Last Call review of -24 by Christer Holmberg
- Tsvart IETF Last Call review of -25 by Dr. Joseph D. Touch
- Dnsdir Telechat review of -25 by Ralf Weber
- Secdir Telechat review of -25 by Yoav Nir
Assignment: Reviewer Yoav Nir
State: Completed
Request: Telechat review on draft-ietf-netmod-rfc8407bis by Security Area Directorate, Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/uK1TpB3oY5Fo2N7OEkBsSaNOtic
Reviewed revision: 25 (document currently at 28)
Result: Ready
Completed: 2025-05-25
Well, this is very meta. I'm reviewing a document about guidelines for (authors
and) reviewers of documents. In particular, documents containing YANG models.
My review is specifically a security (directorate) review, and the document has
a section (3.7) about (writing and) reviewing Security Considerations sections.
The document, among other things, defines (in section 3.7.1) a template for the
Security Considerations section of documents containing YANG modules.

The document has an obligatory Security Considerations section of its own, that
sadly does not follow the template in section 3.7.1, even though section 5.1
does seem to register the "ietf-template" and the "iana-template" YANG modules.
However, those only exist as examples, so that is fine. Instead, the section
has the usual (and true) statement that the document does not introduce any new
risks.

Section 3.7 has guidelines for the Security Considerations, specifically that
documents following RFC 8791 (data structure extensions) are exempt from
following the template in 3.7.1, while others are not. I'm no expert on YANG,
but the content of the template seems fine, discussing the need for
authentication and authorization when writing to writable nodes, and the
protection of sensitive data in the readable nodes. The template does not go
into details about what sensitive data is, but that varies by domain and cannot
be generalized to all uses of YANG. To me, the template looks fine, and I have
seen it or earlier versions of it in previous documents.

There is one oddity that I'd like to point out. Section 3.7 gives a URL for the
"official template". The webpage for that URL has the exact same text as the
template in section 3.7.1. That is fine now, but the text is explicit that the
text of the template on the web page may change: "Authors MUST check the web
page at the URL listed above in case there is a more recent version available".
The template itself does not contain RFC 2119 terminology, and anyway, the
Security Considerations section in any document is subject to review whether it
is based on a template or not. Still, it is strange for a document to
reference like that (and it is not mentioned in the References section) a web
page that is subject to change.