RE: Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10


 



Thanks Jouni for valuable review, please see my reply inline.

-Qin
-----Original Message-----
From: Jouni Korhonen [mailto:jouni.nospam@xxxxxxxxx] 
Sent: 24 October 2017 5:03
To: ops-dir@xxxxxxxx
Cc: draft-ietf-lime-yang-connectionless-oam-methods.all@xxxxxxxx; lime@xxxxxxxx; ietf@xxxxxxxx
Subject: Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10

Reviewer: Jouni Korhonen
Review result: Ready

I did a quite shallow review on the document. Apart from some trivial editorials (that the RFC editor will catch better than I do anyway), and one comment in Section 5, the document is ready to go.

In Section 5 on lines:
1006       Some of the RPC operations in this YANG module may be considered
1007       sensitive or vulnerable in some network environments.  It is thus
1008       important to control access to these operations.  These are the
1009       operations and their sensitivity/vulnerability:
1011       o  continuity-check: Generates continuity check.
1013       o  path-discovery: Generates path discovery.
1015       which may lead to Denial-of-Service attack on both the local device
1016       and the network or unauthorized source access to some sensitive
1017       information.

Some basic questions. What are the mentioned "some network environments" and why are they vulnerable? How/why is the DoS the identified vulnerability here?
And in general, lines 1015-1017 are hard (at least to me) to understand in the light of the earlier text.

[Qin]: Based on AD review comments, we updated Section 5 following the YANG security guidelines:
https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
To answer your question: when an authorized source or attacker gets access to sensitive information, they may use such information to launch a DoS attack.
Here is the proposed change to address your comments:
"
   Some of the RPC operations in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations. These are the operations 
   and their sensitivity/vulnerability:

   o  continuity-check: Generates continuity check.

   o  path-discovery: Generates path discovery.

These operations are used to retrieve the data from the device that needs to execute the OAM command. Unauthorized source access to some sensitive information in the above data may lead to a Denial-of-Service attack on both the local device and the network.
"
Thanks.

The IDnits comments are not relevant (the reported error is just editorial).

[Qin]: Will get this cleaned up.
The YANG module also passed the validation (I used yangvalidator) with date related warnings.

[Qin]: Fixed in v-(10); it doesn't come from this draft but from the referenced interface model draft.




