Hi Paul,
Thanks for the comment. I fully agree with what you said:
> All security parameters are sensitive - if modified to weaker or
> broken algorithms that are still supported, this could be used to
> downgrade connections to a lesser security level.
Especially when we have text in the draft that echoes that :-)
There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., "config true", which is the
default). All writable data nodes are likely to be sensitive or
vulnerable in some network environments. Write operations (e.g.,
edit-config) and delete operations to these data nodes without proper
protection or authentication can have a negative effect on network
operations. The following subtrees and data nodes have particular
sensitivities/vulnerabilities:
...
'client-identity' and 'server-authentication': Any modification to a
key or reference to a key may dramatically alter the implemented
security policy. For this reason, the NACM extension
"default-deny-write" has been set.
Cheers,
Med
> -----Original Message-----
> From: Paul Wouters via Datatracker <[email protected]>
> Sent: Wednesday, July 9, 2025 21:51
> To: The IESG <[email protected]>
> Cc: [email protected]; opsawg-
> [email protected]; [email protected]; [email protected];
> [email protected]
> Subject: Paul Wouters' No Objection on
> draft-ietf-opsawg-secure-tacacs-yang-13: (with COMMENT)
>
> Paul Wouters has entered the following ballot position for
> draft-ietf-opsawg-secure-tacacs-yang-13: No Objection
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I support Deb's discuss. All security parameters are sensitive - if
> modified to weaker or broken algorithms that are still supported,
> this could be used to downgrade connections to a lesser security
> level.
>
>
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
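
A lint for the protection the quoted Security Considerations text describes, added here as an example and not taken from the draft or from this thread: it parses a YANG module and reports any 'client-identity' or 'server-authentication' data node that lacks the NACM "default-deny-write" extension. The sample module and the helper names `parse` and `unprotected` are constructed for illustration.

```python
import re

TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'[^']*'|//[^\n]*|/\*.*?\*/|[{};]|[^\s{};]+''', re.S)
DATA_NODES = {"container", "list", "leaf", "leaf-list", "choice", "case", "anydata", "anyxml"}
SENSITIVE = {"client-identity", "server-authentication"}  # names from the quoted draft text

def parse(text):  # -> nested (keyword, argument, substatements) tuples
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    pos = 0
    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            kw, args, kids, pos = toks[pos], [], [], pos + 1
            while toks[pos] not in ("{", ";"):
                args.append(toks[pos].strip("\"'"))
                pos += 1
            if toks[pos] == "{":
                pos += 1
                kids = block()
            pos += 1  # step over the closing ';' or '}'
            stmts.append((kw, " ".join(args), kids))
        return stmts
    return block()

def unprotected(text, sensitive=SENSITIVE):
    """Return paths of sensitive data nodes that lack NACM default-deny-write."""
    tree = parse(text)
    # Use whatever prefix the module bound to ietf-netconf-acm (RFC 8341).
    prefix = next((a for _, _, body in tree for kw, mod, sub in body
                   if kw == "import" and mod == "ietf-netconf-acm"
                   for k, a, _ in sub if k == "prefix"), None)
    ext = f"{prefix}:default-deny-write" if prefix else None
    found = []
    def walk(stmts, path):
        for kw, arg, kids in stmts:
            here = f"{path}/{arg}"
            if kw in DATA_NODES and arg in sensitive and not any(k == ext for k, _, _ in kids):
                found.append(here)
            walk(kids, here)
    walk(tree, "")
    return found

SAMPLE = """module example-tacacs-tls {   // constructed sample, not the draft's module
  namespace "urn:example:tacacs-tls"; prefix ex; import ietf-netconf-acm { prefix nacm; }
  container server {
    container client-identity { nacm:default-deny-write; leaf key-ref { type string; } }
    container server-authentication { leaf ca-ref { type string; } }
  } }"""
```

The check looks only at the named node itself; it does not model how a NACM implementation treats descendants or explicit access rules.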