Hi Rifaat, Thank you for the review.
Please see inline.

Cheers,
Med

> -----Original Message-----
> From: Rifaat Shekh-Yusef via Datatracker [mailto:nore...@ietf.org]
> Sent: Sunday, 25 July 2021 22:55
> To: sec...@ietf.org
> Cc: draft-ietf-opsawg-l3sm-l3nm....@ietf.org; last-c...@ietf.org; opsawg@ietf.org
> Subject: Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
>
> Reviewer: Rifaat Shekh-Yusef
> Review result: Has Issues
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should
> treat these comments just like any other last call comments.
>
> This document defines an L3VPN Network YANG Model (L3NM) that can be
> used for the provisioning of Layer 3 Virtual Private Network (VPN)
> services within a service provider network. The model provides a
> network-centric view of L3VPN services.
>
>
> Issues:
>
> 1. The following is a quote from the Security Considerations section:
> "Several data nodes defined in the L3NM rely upon [RFC8177] for
> authentication purposes."
>
> I think it would be helpful to elaborate on which nodes need the
> mechanism defined in RFC8177 and why?

[Med] 8177 is used here to ease the mapping with underlying device modules, particularly routing protocols. Updated the text to cite the nodes.

NEW: "Several data nodes ('bgp', 'ospf', 'isis', 'rip', and 'bfd') rely upon ..."

> 2. The summary bullets:
>
> o Malicious clients attempting to delete or modify VPN services.
>
> Why 'create' and 'read' are not part of the risks in this case?

[Med] because 'create' is covered in the next bullet:

o Unauthorized clients attempting to create/modify/delete a VPN service.

And 'read' in the third one:

o Unauthorized clients attempting to read VPN service related information.
After re-reading the text to check your comment, I figured out that we don't actually need this list as it is redundant with the risks cited for both write and read nodes. The bullet list will be removed.

Your review will be ACKed in the next iteration of the document.

Thank you.

Cheers,
Med
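The unauthorized create/modify/delete and read risks discussed in the thread are the ones a NETCONF/RESTCONF server enforces through NACM (RFC 8341) rules. The fragment below is an added example, not text from the draft or from either reviewer, and it assumes the module name ietf-l3vpn-ntw (namespace urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw, top-level container l3vpn-ntw) and the RFC 8177 module ietf-key-chain; the group and user names are constructed for illustration. It grants the VPN operator group full access to the L3NM tree while leaving every other client on the default-deny path, and it withholds the key-chain key material even from readers who are otherwise allowed to read the service.

```xml
<!-- Added example: NACM policy for an L3NM-capable server (constructed;
     module/namespace names assumed from ietf-l3vpn-ntw and ietf-key-chain). -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Fail closed: anything not explicitly permitted below is denied. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <groups>
    <group>
      <name>vpn-operators</name>      <!-- constructed group -->
      <user-name>alice</user-name>    <!-- constructed user -->
    </group>
    <group>
      <name>vpn-auditors</name>       <!-- constructed group -->
      <user-name>bob</user-name>      <!-- constructed user -->
    </group>
  </groups>

  <rule-list>
    <name>l3nm-operators</name>
    <group>vpn-operators</group>
    <rule>
      <!-- Operators may create/read/update/delete L3VPN services. -->
      <name>manage-l3vpn-services</name>
      <module-name>ietf-l3vpn-ntw</module-name>
      <path xmlns:l3nm="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">/l3nm:l3vpn-ntw</path>
      <access-operations>create read update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <!-- Operators may manage the key chains referenced by bgp/ospf/isis/rip/bfd,
           but the secret itself stays write-only: read is deliberately absent. -->
      <name>manage-key-chains</name>
      <module-name>ietf-key-chain</module-name>
      <path xmlns:kc="urn:ietf:params:xml:ns:yang:ietf-key-chain">/kc:key-chains</path>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <rule-list>
    <name>l3nm-auditors</name>
    <group>vpn-auditors</group>
    <rule>
      <!-- Auditors get read-only visibility of VPN services. -->
      <name>read-l3vpn-services</name>
      <module-name>ietf-l3vpn-ntw</module-name>
      <path xmlns:l3nm="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">/l3nm:l3vpn-ntw</path>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <!-- Explicit deny on key strings, so that no later permit rule can expose them. -->
      <name>deny-key-strings</name>
      <module-name>ietf-key-chain</module-name>
      <path xmlns:kc="urn:ietf:params:xml:ns:yang:ietf-key-chain">/kc:key-chains/kc:key-chain/kc:key/kc:key-string</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

The check to run after installing such a policy is the one the thread's bullets describe: an <edit-config> on /l3vpn-ntw from a user outside vpn-operators must come back with an "access-denied" rpc-error, and a <get-config> from an auditor must return the service but no key-string content. NACM evaluates rule-lists in order and stops at the first match, so the deny on key-string is placed in the auditors' list where it cannot be shadowed by the broader read permit on the L3NM tree.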