Last Call Review of draft-ietf-opsawg-sap-13
review-ietf-opsawg-sap-13-secdir-lc-petrov-2023-01-11-00

Reviewer: Ivaylo Petrov
Review result: Has Nits

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

For me the Security considerations section contains enough
information, but what seems to be the recommendations can be made more
explicit. The sentences

> Write operations (e.g., edit-config) to these data nodes without proper
protection can have a negative effect on network operations.

and

>  It is thus important to control read access (e.g., via get, get-config, or
notification) to these data nodes.

don't mention how those goals can be achieved. At the same time the paragraph

> The Network Configuration Access Control Model (NACM) [RFC8341] provides the
means to restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol operations
and content.

is not directly connected to the other ones in the section. My
understanding is that the authors considered the usage of NACM a good
solution for those two, but if so please make that more explicit.

Best regards,
Ivaylo