Hi Med!

The changes described below are even clearer text than I proposed.  Thanks for 
merging it into -16.

Roman

> -----Original Message-----
> From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
> Sent: Thursday, September 30, 2021 12:36 AM
> To: Roman Danyliw <r...@cert.org>; The IESG <i...@ietf.org>
> Cc: draft-ietf-opsawg-l3sm-l...@ietf.org; opsawg@ietf.org; opsawg-cha...@ietf.org; adr...@olddog.co.uk
> Subject: RE: Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)
> 
> Hi Roman,
> 
> Thank you.
> 
> Please see one comment inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Roman Danyliw <r...@cert.org>
> > Sent: Wednesday, September 29, 2021 22:16
> > To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>; The IESG <i...@ietf.org>
> > Cc: draft-ietf-opsawg-l3sm-l...@ietf.org; opsawg@ietf.org; opsawg-cha...@ietf.org; adr...@olddog.co.uk
> > Subject: RE: Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)
> >
> > Hi Med!
> >
> > Thanks for the revised draft.  Your explanations and those updates
> > addressed all of my feedback but the one noted in line below.  I've
> > updated my ballot to reflect that.
> >
> > > -----Original Message-----
> > > From: iesg <iesg-boun...@ietf.org> On Behalf Of mohamed.boucad...@orange.com
> > > Sent: Wednesday, September 22, 2021 8:12 AM
> > > To: Roman Danyliw <r...@cert.org>; The IESG <i...@ietf.org>
> > > Cc: draft-ietf-opsawg-l3sm-l...@ietf.org; opsawg@ietf.org; opsawg-cha...@ietf.org; adr...@olddog.co.uk
> > > Subject: RE: Roman Danyliw's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS and COMMENT)
> >
> > [snip]
> >
> > > > ** Section 9.  The text enumerating sensitive read operations
> > > > provides no caution about protecting the various key material.
> > > > RFC8177 is cited later, but as noted in the DISCUSS, the suggested
> > > > key wrap primitive is not usable with instances of “key” as the
> > > > hex-key-string feature is not supported.
> > >
> > > [[Med]] Do you have in mind a specific text we can add? Thanks.
> >
> > I was looking for something to align with the YANG security template.
> >
> > OLD:
> > These are the subtrees and data
> >    nodes and their sensitivity/vulnerability:
> >
> >    *  'customer-name' and 'ip-connection': An attacker can retrieve
> >       privacy-related information which can be used to track a customer.
> >       Disclosing such information may be considered as a violation of
> >       the customer-provider trust relationship.
> >
> > NEW:
> >
> > These are the subtrees and data
> >    nodes and their sensitivity/vulnerability:
> >
> >    *  'customer-name' and 'ip-connection': An attacker can retrieve
> >       privacy-related information which can be used to track a customer.
> >       Disclosing such information may be considered as a violation of
> >       the customer-provider trust relationship.
> >
> > * 'keying-material': An attacker can retrieve the cryptographic keys
> > protecting the underlying VPN service.  These keys could be used to
> > disrupt or alter the configuration of the service.
> 
> [Med] As this is about considerations related to readable data nodes, I went
> with this wording:
> 
> NEW:
>    o  'keying-material': An attacker can retrieve the cryptographic keys
>       protecting the underlying VPN service (CE-PE routing, in
>       particular).  These keys could be used to inject spoofed routing
>       advertisements.
> 
> I also made this change to cover the writeable case:
> 
> OLD:
>    o  'vpn-services': An attacker who is able to access network nodes
>       can undertake various attacks, such as deleting a running L3VPN
>       service, interrupting all the traffic of a client.  In addition,
>       an attacker may modify the attributes of a running service (e.g.,
>       QoS, bandwidth, routing protocols),
> NEW:
>    o  'vpn-services': An attacker who is able to access network nodes
>       can undertake various attacks, such as deleting a running L3VPN
>       service, interrupting all the traffic of a client.  In addition,
>       an attacker may modify the attributes of a running service (e.g.,
>       QoS, bandwidth, routing protocols, keying material),
>                                          ^^^^^^^^^^^^^^^^
> 
> These two changes will be in -16.
> 
> Thank you again for the review. Much appreciated.
> 

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg