Last Call Review of draft-ietf-netmod-smi-yang-
review-ietf-netmod-smi-yang-secdir-lc-johansson-2012-04-26-00
Request | Review of | draft-ietf-netmod-smi-yang |
---|---|---|
Requested revision | No specific revision (document currently at 05) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2012-04-24 | |
Requested | 2012-04-03 | |
Authors | Jürgen Schönwälder | |
I-D last updated | 2012-04-26 | |
Completed reviews | Genart Last Call review of -?? by Miguel Angel García; Secdir Last Call review of -?? by Leif Johansson | |
Assignment | Reviewer | Leif Johansson |
State | Completed | |
Request | Last Call review on draft-ietf-netmod-smi-yang by Security Area Directorate Assigned | |
Completed | 2012-04-26 |
Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document specifies a translation between SMIv2 (and by reference to RFC 3584, SMIv1) and YANG. YANG is the information model language used in NETCONF.

This draft is outside my subject-matter expertise, but the core security issue seems to be around translation of the SMIv2 MAX-ACCESS macro to YANG. Since YANG doesn't define any corresponding element, an extension to YANG is defined. However, there doesn't seem to be any requirement to implement that extension.

The security considerations section refers the reader to the security considerations sections for YANG, NETCONF, SMI, etc., but claims that "The translation itself has no security impact on the Internet."

I would have liked to see a clear normative statement to the effect that if you relied on MAX-ACCESS in the SMIv2 version of a MIB then you MUST implement the YANG extension for SMI and that the NETCONF implementation used MUST respect the resulting smiv2:max-access statements.

Cheers

Leif