Re: Secdir last call review of draft-ietf-teas-yang-te-topo-20

Hi Melinda,

Thanks for the review. We have posted the updated revision https://tools.ietf.org/html/draft-ietf-teas-yang-te-topo-21 to address these issues. We have updated the text in the Security Considerations section to describe the possible actions by a malicious attacker. As for the mandatory references to RFC5246 and RFC6536, they were obsoleted by newer RFCs so we replaced them with the newer ones.
RFC5246 has been obsoleted by RFC8446, so we now use RFC8446 instead. Do we still need to reference RFC5246?
RFC6536 has been obsoleted by RFC8341, so we now use RFC8341 instead. Do we still need to reference RFC6536?

Thanks,
- Xufeng

On Tue, May 14, 2019 at 2:25 PM Melinda Shore via Datatracker <noreply@xxxxxxxx> wrote:
Reviewer: Melinda Shore
Review result: Not Ready

This review updates my previous review of the -15 draft (see
https://datatracker.ietf.org/doc/review-ietf-teas-yang-te-topo-15-secdir-lc-shore-2018-06-07/).
I'm pleased to see the update to the security considerations sections,
although it's still fairly generic and doesn't describe the threat environment
(this may seem like a nit but it's not: describing how changes to individual
subtrees may impact the system does not really detail how a malicious actor may
subvert or disable the system).  I think this section arguably does conform to
the yang-security-guidelines template despite the missing detail and modulo the
missing mandatory references to 5246 and 6536.  I'm torn between marking this
as "Has Issues" (because of the lack of threat description in the Security
Considerations) and "Not Ready" (because of the missing mandatory references)
but am going with the latter, and it's up to the IESG how heavily they'd like
to weight the generic descriptions of modified subtree impacts.

