Hi Tom, Thanks for your detailed review. Lets discuss the security first - On Mon, Feb 8, 2021 at 6:07 PM tom petch <daedulus@xxxxxxxxxxxxx> wrote: > > This is my second response to this Last Call, about a possible security > issue. > > RFC8573 seems clear that MD5 must not be used to effect security for NTP > but this I-D imports iana-crypt-hash which allows MD5 without any > restriction, so is MD5 allowed or not? > Good question. While it is easy to restrict the use of MD5 by adding a must statement, I want to check if it is a good idea. The YANG model is written in such a way that it supports older versions of NTP as well. Would barring MD5 configuration be an issue if there are older implementations in the network still? I think perhaps adding a warning in the description is a good idea. I did a quick search and dont see other YANG models doing a check either. Would be good to get some guidance on this. > There are features defined which allow the hash in iana-crypt-hash to be > restricted but this I-D does not use them. > I didn't see any reason to use them in the NTP Yang. Can you? > Probably iana-crypt-hash should be updated - I will raise that on the > NETMOD WG list. > > The I-D also uses MD5 in a way that would appear not to be security > related, to hash an IPv6 address. > This is as per RFC 5905 - If using the IPv4 address family, the identifier is the four- octet IPv4 address. If using the IPv6 address family, it is the first four octets of the MD5 hash of the IPv6 address. > In passing, this I-D has three references to RFC7317. This is wrong - > the module is IANA-maintained and so the references should be to the > IANA website. > But even the iana-crypt-hash YANG model put RFC 7317 as a reference - revision 2014-08-06 { description "Initial revision."; reference "RFC 7317: A YANG Data Model for System Management"; } I will start working on your other comments and prepare a new version. Thanks! Dhruv > The secdir reviewer might be interested in my thoughts. > > Tom Petch > > On 29/01/2021 22:39, The IESG wrote: > > > > The IESG has received a request from the Network Time Protocol WG (ntp) to > > consider the following document: - 'A YANG Data Model for NTP' > > <draft-ietf-ntp-yang-data-model-10.txt> as Proposed Standard > > > > The IESG plans to make a decision in the next few weeks, and solicits final > > comments on this action. Please send substantive comments to the > > last-call@xxxxxxxx mailing lists by 2021-02-12. Exceptionally, comments may > > be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning > > of the Subject line to allow automated sorting. > > > > Abstract > > > > > > This document defines a YANG data model for Network Time Protocol > > (NTP) implementations. The data model includes configuration data > > and state data. > > > > -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call