Last Call Review of draft-ietf-rtgwg-lne-model-05
review-ietf-rtgwg-lne-model-05-secdir-lc-yu-2018-02-06-00

Request Review of draft-ietf-rtgwg-lne-model
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-01-31
Requested 2018-01-17
Draft last updated 2018-02-06
Completed reviews Yangdoctors Early review of -02 by Martin Björklund (diff)
Rtgdir Early review of -02 by Ravi Singh (diff)
Genart Last Call review of -05 by Russ Housley (diff)
Secdir Last Call review of -05 by Taylor Yu (diff)
Opsdir Last Call review of -05 by Dan Romascanu (diff)
Assignment Reviewer Taylor Yu
State Completed
Review review-ietf-rtgwg-lne-model-05-secdir-lc-yu-2018-02-06
Reviewed rev. 05 (document currently at 10)
Review result Has Issues
Review completed: 2018-02-06

Review
review-ietf-rtgwg-lne-model-05-secdir-lc-yu-2018-02-06

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready With Issues.

I agree somewhat with the Major Concerns in Russ Housley's Gen-ART
review
https://datatracker.ietf.org/doc/review-ietf-rtgwg-lne-model-05-genart-lc-housley-2018-01-20/
although I disagree that it makes the document Not Ready.

> Major Concerns:
>
> Section 4 listed three data nodes that are sensitive or vulnerable:
>    -  /logical-network-elements/logical-network-element
>    -  /logical-network-elements/logical-network-element/managed
>    -  /if:interfaces/if:interface/bind-lne-name
>
> All three of them deserve a bit more discussion, although the middle
> one is covered in much more detail than the other two.  If a bad actor
> gets "unauthorized access" is there something more specific about each
> of these that can be said?  The characterization of "network
> malfunctions, delivery of packets to inappropriate destinations, and
> other problems" seems very broad.  Consequences that are specific to
> these data nodes would be more helpful to the reader.

My limited understanding is that there is a lot of variation in the
security impact among specific equipment models and deployment
scenarios.  Therefore, they would likely need to be analyzed on a
case-by-case basis.  Perhaps there should be Security Considerations
text to this effect, maybe with some broad guidance about how to do such
an analysis?

For example, does changing the "bind-lne-name" of an interface have the
effect of making it unavailable to the LNE it was previously associated
with, while providing the new LNE with an unconfigured new interface?
Or does it also carry some configuration or routing state from the
former LNE with it to the new LNE?  The latter might have a greater
security impact.

This final paragraph in the Security Considerations of this document
seems copied almost verbatim from that of RFC 8022:

>    Unauthorized access to any of these lists can adversely affect the
>    security of both the local device and the network.  This may lead to
>    network malfunctions, delivery of packets to inappropriate
>    destinations, and other problems.

That seems to have been acceptable for RFC 8022, but perhaps we should
do better here?  Or do we follow the precedent that this level of
detail in the Security Considerations of YANG specifications is
acceptable?

Best regards,
-Taylor