Last Call Review of draft-ietf-netmod-snmp-cfg-06
review-ietf-netmod-snmp-cfg-06-secdir-lc-hallam-baker-2014-08-15-00

Request
Review of: draft-ietf-netmod-snmp-cfg
Requested rev.: no specific revision (document currently at 08)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2014-08-11
Requested: 2014-08-01
Draft last updated: 2014-08-15
Completed reviews: Genart Last Call review of -06 by Roni Even; Secdir Last Call review of -06 by Phillip Hallam-Baker

Assignment
Reviewer: Phillip Hallam-Baker
State: Completed
Review: review-ietf-netmod-snmp-cfg-06-secdir-lc-hallam-baker-2014-08-15
Reviewed rev.: 06 (document currently at 08)
Review result: Ready
Review completed: 2014-08-15

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the use of an alternate schema format, YANG,
for describing SNMP configuration. As such the schema presented
defines modules that are equivalent to traditionally described ASN.1
MIBs but without the insertion of sharp sticks in the eyes or
underneath the fingernails.

Since SNMP (wisely) forked ASN.1 some time ago and is not tracking
developments in that spec, this is arguably a more principled
approach. This does not in itself raise security concerns but the new
model takes advantage of the modularity and block structure of YANG to
separate areas of the configuration with similar concerns, for example
similar access control requirements.

It might be worth having a look at the specific access control
requirements specified in the security considerations section.