Thanks Jouni for your review. Qin, your new text is an improvement IMO. Regards, B.
Thanks Jouni for valuable review, please see my reply inline. -Qin -----邮件原件----- 发件人: Jouni Korhonen [mailto:jouni.nospam@xxxxxxxxx] 发送时间: 2017年10月24日 5:03 收件人: ops-dir@xxxxxxxx 抄送: draft-ietf-lime-yang-connectionless-oam-methods.all@xxxxxxxx; lime@xxxxxxxx; ietf@xxxxxxxx 主题: Opsdir telechat review of draft-ietf-lime-yang-connectionless-oam-methods-10 Reviewer: Jouni Korhonen Review result: Ready I did a quite shallow review on the document. Apart from some trivial editorials (that the RFC editor will catch better than I do anyway), and one comment in Section 5, the document is ready to go. In Section 5 on lines: 1006 Some of the RPC operations in this YANG module may be considered 1007 sensitive or vulnerable in some network environments. It is thus 1008 important to control access to these operations. These are the 1009 operations and their sensitivity/vulnerability: 1011 o continuity-check: Generates continuity check. 1013 o path-discovery: Generates path discovery. 1015 which may lead to Denial-of-Service attack on both the local device 1016 and the network or unauthorized source access to some sensitive 1017 information. Some basic questions. What are the mentioned "some networks environment" and why they are vulnerable? How/why the DoS is the identified vulnerability here? And in general lines 1015-1017 are hard (at least to me) to understand in the light of earlier text. [Qin]: Based on AD review comments, we update section 5 based on YANG security guideline https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines Answer your question, when authorized source or attacker get access to sensitive information and may use such information to launch DoS attack. Here is the proposed change to address your comments: " Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. These are the operations and their sensitivity/vulnerability: o continuity-check: Generates continuity check. o path-discovery: Generates path discovery. These operations are used to retrieve the data from the device that need to execute the OAM command. Unauthorized source access to some sensitive information in the above data may lead to Denial-of-Service attack on both the local device and the network. " Thanks. The IDnits comments are not relevant (the reported error is just editorial). [Qin]: Will get this clean up. The YANG module also passed the validation (I used yangvalidator) with date related warnings. [Qin]: Fixed in v-(10), it doesn't come from this draft but from referenced interface model draft.