Hi Alexey,

thank you for your review and pointing out the nits (empty lines after HTTP headers), which are addressed in -12.

Kind regards
--- Alex

On 7/1/2021 5:58 AM, Alexey Melnikov via Datatracker wrote:
> Reviewer: Alexey Melnikov
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This document defines an RPC operation to compare management
> datastores that comply with the NMDA architecture.
> The Security Considerations talks about a couple of issues specific to
> the new operation:
> 1) sensitivity of the new "compare" operation and how access control rights
> to access it should be restricted.
> 2) performance considerations of running "compare" and
> how it can lead to Denial-of-Service, if the number of requests allowed
> in any given time interval is not restricted.
> I can't think of other security issues raised by this document that are
> missing from it.
>
> Nits:
>
> In Section 6:
>
>> The same request in RESTCONF (using JSON format):
>>
>> POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
>> Host: example.com
>> Content-Type: application/yang-data+json
>> Accept: application/yang-d
> Please insert an empty line after the HTTP request header and before the
> following payload, or your example is not syntactically valid.
>
> Also, I don't "application/yang-d" in the list of registered media types on
> <https://www.iana.org/assignments/media-types/media-types.xhtml>. Did I miss it?
>
>> { "ietf-nmda-compare:input" {
>> "source" : "ietf-datastores:operational",
>> "target" : "ietf-datastores:intended",
>> "report-origin" : null,
>> "xpath-filter" : "/ietf-interfaces:interfaces"
>> }
>> }
>>
>> The same response in RESTCONF (using JSON format):
>>
>> HTTP/1.1 200 OK
>> Date: Thu, 26 Jan 2019 20:56:30 GMT
>> Server: example-server
>> Content-Type: application/yang-d
> Similar to the above, you need an empty line inserted here.
>
>> { "ietf-nmda-compare:output" : {
>> "differences" : {
>> "ietf-yang-patch:yang-patch" : {
>> "patch-id" : "interface status",
>> "comment" : "diff between intended (source) and operational",
>> "edit" : [
>> {
>> "edit-id" : "1",
>> "operation" : "replace",
>> "target" : "/ietf-interfaces:interface=eth0/enabled",
>> "value" : {
>> "ietf-interfaces:interface/enabled" : "false"
>> },
>> "source-value" : {
>> "ietf-interfaces:interface/enabled" : "true",
>> "@ietf-interfaces:interface/enabled" : {
>> "ietf-origin:origin" : "ietf-origin:learned"
>> }
>> }
>> },
>> {
>> "edit-id" : "2",
>> "operation" : "create",
>> "target" : "/ietf-interfaces:interface=eth0/description",
>> "value" : {
>> "ietf-interface:interface/description" : "ip interface"
>> }
>> }
>> ]
>> }
>> }
>> }
>> }
> Best Regards,
> Alexey
>
>
> _______________________________________________
> netmod mailing list
> netmod@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/netmod

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
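The nit raised in the review above (no empty line between the HTTP header block and the payload), as an added example that is not part of the original thread or of the draft: a small Python lint that finds the missing separator in an HTTP example and inserts it. The function names and the abbreviated sample request are constructed for illustration.

```python
import re

# Header field: field-name ":" OWS field-value, where field-name is an HTTP token.
HEADER_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*.*$")
# Request-line ("POST /path HTTP/1.1") or status-line ("HTTP/1.1 200 OK").
START_RE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}(?: .*)?)$")

def lint_http_example(text):
    """Return a list of (line_number, message) problems; an empty list means OK."""
    lines = text.splitlines()
    if not lines or not START_RE.match(lines[0].strip()):
        return [(1, "first line is not an HTTP request-line or status-line")]
    for n, line in enumerate(lines[1:], start=2):
        if line.strip() == "":
            return []  # separator found; everything after it is the body
        if not HEADER_RE.match(line.strip()):
            return [(n, "body starts without an empty line after the headers")]
    return []  # headers only, no body

def add_separator(text):
    """Insert the missing empty line at the position the lint reports."""
    problems = lint_http_example(text)
    if not problems or problems[0][0] == 1:
        return text  # nothing to fix, or not an HTTP message at all
    lines = text.splitlines()
    lines.insert(problems[0][0] - 1, "")
    return "\n".join(lines)

# Constructed sample: an abbreviated form of the request quoted in the review,
# with the payload following the headers directly (the reported nit).
BROKEN_REQUEST = """\
POST /restconf/operations/ietf-nmda-compare:compare HTTP/1.1
Host: example.com
Content-Type: application/yang-data+json
{ "ietf-nmda-compare:input" : {
    "source" : "ietf-datastores:operational",
    "target" : "ietf-datastores:intended"
  }
}"""

if __name__ == "__main__":
    print(lint_http_example(BROKEN_REQUEST))
    print(add_separator(BROKEN_REQUEST))
```

Folded (continuation) header lines are not handled and would be reported as the start of the body.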