Last Call Review of draft-ietf-netmod-system-mgmt-10
review-ietf-netmod-system-mgmt-10-secdir-lc-eastlake-2014-01-30-00

Request
Review of: draft-ietf-netmod-system-mgmt
Requested rev.: no specific revision (document currently at 16)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2014-01-21
Requested: 2014-01-09
Authors: Andy Bierman, Martin Björklund
Draft last updated: 2014-01-30
Completed reviews:
  Genart Last Call review of -11 by Brian Carpenter
  Genart Telechat review of -11 by Brian Carpenter
  Genart Telechat review of -13 by Brian Carpenter
  Genart Telechat review of -16 by Brian Carpenter
  Secdir Last Call review of -10 by Donald Eastlake
  Opsdir Early review of -09 by Susan Hares

Assignment
Reviewer: Donald Eastlake
State: Completed
Review: review-ietf-netmod-system-mgmt-10-secdir-lc-eastlake-2014-01-30
Reviewed rev.: 10 (document currently at 16)
Review result: Has Issues
Review completed: 2014-01-30

Review

Hi,

Sorry this review is late.

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.

I believe this draft is ready with issues.

This draft specifies a YANG data model for configuration and
identification of NETCONF server device information. You might think
there would not be much in the way of Security Considerations for a
"data model" but the model includes User Authentication, sensitive
writable data objects, and the like.

For user password authentication, there are provisions for storing a
plain text of the password or a salted hash. Hash functions available
are MD5, SHA-256, and SHA-512.

Security Considerations:

The Security Considerations section seems pretty thorough in covering
NETCONF security features such as SSH transport and access controls.
However, I believe the Security Considerations should recommend not
storing passwords as plaintext but rather as a salted hash. While the
Security Considerations section refers to RFC 6151 for MD5 Security
Considerations and having that reference is good, I believe this
document should also recommend that MD5 not be used as the password
salted hash function.

For the list of sensitive readable data and sensitive remote procedure
call operations, the draft is careful to say "It is thus important to
control access to these operations." However, while it is pretty
obvious, these words or equivalent seem to be missing in reference to
the sensitive writable data.

Trivial:

Section 2.3, first line: "need" -> "needs"
Section 2.3, 2nd paragraph, second line: "need" -> "needs"
I believe RPC should be expanded to "remote procedure call" at its one
use in the text of the draft, unless I've expanded the acronym wrong,
which would be proof that whatever it stands for it should be spelled
out.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com
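
Added example, not part of the review or of the draft: a Python audit that applies the review's two password recommendations to stored values, flagging plaintext and MD5 entries. It assumes the crypt(3)-style "$id$salt$hash" encoding with ids 0 (cleartext), 1 (MD5), 5 (SHA-256) and 6 (SHA-512) used by the crypt-hash type in RFC 7317, which this page does not spell out; the function names and sample values are constructed for illustration.

```python
import re

B64 = r"[a-zA-Z0-9./]"
# Assumed encoding (not stated on this page): "$<id>$<salt>$<hash>", with
# "$0$<cleartext>" for a plaintext value, as in RFC 7317's crypt-hash type.
SCHEMES = {
    "0": ("cleartext", None),
    "1": ("MD5", re.compile(rf"{B64}{{1,8}}\${B64}{{22}}")),
    "5": ("SHA-256", re.compile(rf"(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}")),
    "6": ("SHA-512", re.compile(rf"(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}")),
}

def classify(value):
    """Return (scheme, verdict) for one stored password value."""
    m = re.match(r"\$([0-9a-z]+)\$(.*)", value, re.S)
    if not m or m.group(1) not in SCHEMES:
        return ("unknown", "reject: not a recognised crypt-hash value")
    name, body_re = SCHEMES[m.group(1)]
    if name == "cleartext":
        return (name, "fail: password stored as plaintext")
    if not body_re.fullmatch(m.group(2)):
        return (name, "reject: malformed salt or hash field")
    if name == "MD5":
        return (name, "fail: MD5 salted hash (see RFC 6151)")
    return (name, "ok")

def audit(users):
    """Map each user whose stored value is not acceptable to its finding."""
    findings = {}
    for user, value in users.items():
        result = classify(value)
        if result[1] != "ok":
            findings[user] = result
    return findings

# Constructed sample values: the hash fields are filler of the right length,
# not real digests.
SAMPLE_USERS = {
    "alice": "$6$saltsalt$" + "A" * 86,
    "bob": "$1$saltsalt$" + "B" * 22,
    "carol": "$0$hunter2",
    "dave": "$5$rounds=5000$saltsalt$" + "C" * 43,
    "erin": "$6$saltsalt$tooshort",
}

if __name__ == "__main__":
    for user, (scheme, verdict) in sorted(audit(SAMPLE_USERS).items()):
        print(f"{user}: {scheme}: {verdict}")
```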