Re: [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard

Hi Tom,

Thanks for your detailed review. Let's discuss the security first -

On Mon, Feb 8, 2021 at 6:07 PM tom petch <daedulus@xxxxxxxxxxxxx> wrote:
>
> This is my second response to this Last Call, about a possible security
> issue.
>
> RFC8573 seems clear that MD5 must not be used to effect security for NTP
> but this I-D imports iana-crypt-hash which allows MD5 without any
> restriction, so is MD5 allowed or not?
>

Good question. While it is easy to restrict the use of MD5 by adding a
must statement, I want to check if it is a good idea. The YANG model
is written in such a way that it supports older versions of NTP as
well. Would barring MD5 configuration be an issue if there are older
implementations in the network still? I think perhaps adding a warning
in the description is a good idea. I did a quick search and don't see
other YANG models doing a check either. It would be good to get some
guidance on this.

> There are features defined which allow the hash in iana-crypt-hash to be
> restricted but this I-D does not use them.
>

I didn't see any reason to use them in the NTP YANG. Can you?

> Probably iana-crypt-hash should be updated - I will raise that on the
> NETMOD WG list.
>
> The I-D also uses MD5 in a way that would appear not to be security
> related, to hash an IPv6 address.
>

This is as per RFC 5905 -

   If using the IPv4 address family, the identifier is the four-
   octet IPv4 address.  If using the IPv6 address family, it is the
   first four octets of the MD5 hash of the IPv6 address.


> In passing, this I-D has three references to RFC7317.  This is wrong -
> the module is IANA-maintained and so the references should be to the
> IANA website.
>

But even the iana-crypt-hash YANG model put RFC 7317 as a reference -

     revision 2014-08-06 {
       description
         "Initial revision.";
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }

I will start working on your other comments and prepare a new version.

Thanks!
Dhruv

> The secdir reviewer might be interested in my thoughts.
>
> Tom Petch
>
> On 29/01/2021 22:39, The IESG wrote:
> >
> > The IESG has received a request from the Network Time Protocol WG (ntp) to
> > consider the following document: - 'A YANG Data Model for NTP'
> >    <draft-ietf-ntp-yang-data-model-10.txt> as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits final
> > comments on this action. Please send substantive comments to the
> > last-call@xxxxxxxx mailing lists by 2021-02-12. Exceptionally, comments may
> > be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
> > of the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >     This document defines a YANG data model for Network Time Protocol
> >     (NTP) implementations.  The data model includes configuration data
> >     and state data.
> >
> >

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
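Added example, not part of this thread or of the draft, illustrating the two MD5 uses discussed above: the RFC 5905 reference-ID derivation (IPv4 address as-is, first four octets of MD5 over the 16-byte IPv6 address), and the check that a `must` statement on an iana-crypt-hash leaf would enforce if the working group decides to bar MD5-crypt. The leaf name and the exact `must` expression are assumptions of mine, not text from the draft; the crypt-hash prefixes ($0$ cleartext, $1$ MD5, $5$ SHA-256, $6$ SHA-512) are those of the IANA-maintained iana-crypt-hash module.

```python
"""Added example (not from the draft or this thread).

refid():                 RFC 5905 reference identifier for a unicast peer.
                         MD5 here is an identifier hash, not a security
                         mechanism, and it is truncated to 4 octets.
crypt_hash_algorithm():  algorithm encoded in an iana-crypt-hash string.
crypt_hash_allowed():    what a hypothetical YANG constraint
                            must 'not(starts-with(., "$1$"))'
                         on a crypt-hash leaf would accept or reject.
"""
import hashlib
import ipaddress


def _md5(data: bytes) -> bytes:
    # usedforsecurity=False (Python 3.9+) keeps MD5 callable on FIPS builds,
    # which is accurate: this is an identifier hash, not a MAC.
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # pre-3.9 hashlib has no such keyword
        return hashlib.md5(data).digest()


def refid(address: str) -> bytes:
    """4-octet NTP reference identifier per RFC 5905 section 7.3."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ip.packed            # the IPv4 address itself
    return _md5(ip.packed)[:4]      # first 4 octets of MD5(16-byte IPv6)


def refid_to_str(rid: bytes) -> str:
    """Render a refid dotted-quad, as ntpq does.  For an IPv6 peer the
    result merely looks like an IPv4 address; this is the known ambiguity
    of the RFC 5905 scheme and why the refid is only a loop-detection hint."""
    return str(ipaddress.IPv4Address(rid))


# iana-crypt-hash prefixes: $0$ cleartext, $1$ MD5-crypt,
# $5$ SHA-256-crypt, $6$ SHA-512-crypt.
_CRYPT_HASH_ALGS = {"0": "cleartext", "1": "md5", "5": "sha-256", "6": "sha-512"}


def crypt_hash_algorithm(value: str) -> str:
    """Identify the algorithm a crypt-hash string encodes, or raise.
    Only the prefix is inspected; full pattern validation is left to the
    typedef's own 'pattern' statements."""
    parts = value.split("$")
    if len(parts) < 3 or parts[0] != "" or parts[1] not in _CRYPT_HASH_ALGS:
        raise ValueError("not a crypt-hash string: %r" % value)
    return _CRYPT_HASH_ALGS[parts[1]]


def crypt_hash_allowed(value: str) -> bool:
    """True if the value would pass a (hypothetical) MD5-barring 'must'.
    Cleartext ($0$) still passes: the server then hashes it with whatever
    algorithm it supports, which is where a deployment must also avoid MD5."""
    return crypt_hash_algorithm(value) != "md5"


if __name__ == "__main__":
    # Constructed sample peers and key strings (documentation prefixes).
    for peer in ("192.0.2.10", "2001:db8::1"):
        print("%-14s refid %s" % (peer, refid_to_str(refid(peer))))
    samples = (
        "$0$secret",
        "$1$abcdefgh$" + "x" * 22,
        "$6$rounds=5000$saltsalt$" + "y" * 86,
    )
    for key in samples:
        verdict = "allowed" if crypt_hash_allowed(key) else "rejected"
        print("%-12s %-9s %s" % (key[:12], crypt_hash_algorithm(key), verdict))
```

Two things the script makes concrete: the IPv6 refid is a four-octet MD5 prefix that prints like an IPv4 address and can collide with a real one, so it carries no security meaning; and barring `$1$` at the data-model level does not by itself stop MD5, since a `$0$` cleartext key is hashed by the server with whatever it supports.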