A YANG Data Model for System Management
draft-ietf-netmod-system-mgmt-16
Document history
Date | Rev. | By | Action |
---|---|---|---|
2014-07-23 | 16 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2014-07-14 | 16 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2014-07-11 | 16 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2014-06-05 | 16 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2014-06-04 | 16 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2014-06-03 | 16 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2014-06-03 | 16 | Amy Vezza | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2014-06-03 | 16 | (System) | RFC Editor state changed to EDIT |
2014-06-03 | 16 | (System) | Announcement was received by RFC Editor |
2014-06-02 | 16 | (System) | IANA Action state changed to In Progress |
2014-06-02 | 16 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2014-06-02 | 16 | Amy Vezza | IESG has approved the document |
2014-06-02 | 16 | Amy Vezza | Closed "Approve" ballot |
2014-06-02 | 16 | Amy Vezza | Ballot approval text was generated |
2014-06-02 | 16 | Amy Vezza | Ballot writeup was changed |
2014-05-29 | 16 | Cindy Morgan | IESG state changed to Approved-announcement to be sent from Waiting for AD Go-Ahead |
2014-05-29 | 16 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2014-05-29 | 16 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed |
2014-05-24 | 16 | Brian Carpenter | Request for Telechat review by GENART Completed: Ready. Reviewer: Brian Carpenter. |
2014-05-22 | 16 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-05-22 | 16 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-05-14 | 16 | Benoît Claise | Telechat date has been changed to 2014-05-29 from 2014-03-27 |
2014-05-14 | 16 | Kathleen Moriarty | [Ballot comment] Thank you for adding a reference to Section 4 of RFC3579 for the threats to radius. This will close out my discuss as the other references describe the protocol without going deep enough into the threats for both privacy and security (the other references are from 2000, so that makes sense). The references for RADIUS and other authentication methods are good and help to clear one of my discuss points, but should also include RFCs that have the threats included. The current references in the draft discuss the protocol, not really the threats and don't have security consideration sections. The best reference I could find is a discussion of RADIUS with IPsec in RFC3579. Then there is an experimental RFC that discusses the threats in detail, advocating for TLS is RFC6614, but that would require a downref. So adding in a reference to the security considerations in RFC3579 would help. The DISCUSS that was previously listed did not result in a change to the boilerplate or RFC6241 and I think there is an issue with the wording still. Since the only available transport options include session encryption, the concern is addressed, but the requirement for transport encryption should be more explicit in the language. Text included below. 2. Although SSH is Mandatory to Implement, it may not be mandatory to use and the risks should be called out or point to a discussion on the risks explicitly in this section. In the draft under review and the referenced RFC6241, there is no explicit requirement for session encryption to provide protection against passive or active attacks (Man in the Middle). Although the referenced RFC calls for integrity and confidentiality, it only says this "could" be provided through SSH or TLS. It does rely on transport to provide these features, but falls short of covering the current threat landscape where we have to worry about passive and active monitoring. In other words, you could provide confidentiality and integrity in other ways (not likely, but possible). Stronger language to require session encryption explicitly would help either in this draft or section 2.2 of RFC6241. Even better would be to explicitly call out the threat of passive and active monitoring as the only one listed is replay protection right now. Then say protections are provided through a requirement for session encryption. Proposals of where this should be and what wording is preferred are welcome (this draft, the template, or the base RFC6241). |
2014-05-14 | 16 | Kathleen Moriarty | [Ballot Position Update] Position for Kathleen Moriarty has been changed to No Objection from Discuss |
2014-05-14 | 16 | Martin Björklund | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2014-05-14 | 16 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-16.txt |
2014-05-13 | 15 | Kathleen Moriarty | [Ballot discuss] Please add a reference to Section 4 of RFC3579 for the threats to radius. This will close out my discuss. The current references describe the protocol and this reference discusses the threats for both privacy and security. |
2014-05-13 | 15 | Kathleen Moriarty | [Ballot comment] The references for RADIUS and other authentication methods are good and help to clear one of my discuss points, but should also include RFCs that have the threats included. The current references in the draft discuss the protocol, not really the threats and don't have security consideration sections. The best reference I could find is a discussion of RADIUS with IPsec in RFC3579. Then there is an experimental RFC that discusses the threats in detail, advocating for TLS is RFC6614, but that would require a downref. So adding in a reference to the security considerations in RFC3579 would help. The DISCUSS that was previously listed did not result in a change to the boilerplate or RFC6241 and I think there is an issue with the wording still. Since the only available transport options include session encryption, the concern is addressed, but the requirement for transport encryption should be more explicit in the language. Text included below. 2. Although SSH is Mandatory to Implement, it may not be mandatory to use and the risks should be called out or point to a discussion on the risks explicitly in this section. In the draft under review and the referenced RFC6241, there is no explicit requirement for session encryption to provide protection against passive or active attacks (Man in the Middle). Although the referenced RFC calls for integrity and confidentiality, it only says this "could" be provided through SSH or TLS. It does rely on transport to provide these features, but falls short of covering the current threat landscape where we have to worry about passive and active monitoring. In other words, you could provide confidentiality and integrity in other ways (not likely, but possible). Stronger language to require session encryption explicitly would help either in this draft or section 2.2 of RFC6241. Even better would be to explicitly call out the threat of passive and active monitoring as the only one listed is replay protection right now. Then say protections are provided through a requirement for session encryption. Proposals of where this should be and what wording is preferred are welcome (this draft, the template, or the base RFC6241). |
2014-05-13 | 15 | Kathleen Moriarty | Ballot comment and discuss text updated for Kathleen Moriarty |
2014-05-13 | 15 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2014-05-12 | 15 | (System) | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2014-05-12 | 15 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-netmod-system-mgmt-15. Authors should review the comments and/or questions below. Please report any inaccuracies and respond to any questions as soon as possible. IANA's reviewer has the following comments/questions: QUESTION: Is this document asking us to change the registration procedures for the YANG Module Names registry from "RFC Required" to "RFC Required; RFC and Expert Review required for assignments under or modifications to the 'iana-crypt-hash' module"? (In this case, we'll also make this document as a reference for the registry itself.) IANA understands that, upon approval of this document, there are two other actions which IANA must complete. First, in the namespace subregistry of the IETF XML Registry located at: http://www.iana.org/assignments/xml-registry/ two new namespaces will be registered as follows: ID: yang:iana-crypt-hash URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash Filename: ns/yang/iana-crypt-hash.txt Reference: [ RFC-to-be ] ID: yang:ietf-system URI: urn:ietf:params:xml:ns:yang:ietf-system Filename: ns/yang/ietf-system.txt Reference: [ RFC-to-be ] Second, in the YANG Module Names subregistry of the YANG parameters registry located at: http://www.iana.org/assignments/yang-parameters/ two new YANG modules will be registered as follows: Name: ietf-system Namespace: urn:ietf:params:xml:ns:yang:ietf-system Prefix: sys Module: Reference: [ RFC-to-be ] Name: iana-crypt-hash Namespace: urn:ietf:params:xml:ns:yang:iana-crypt-hash Prefix: ianach Module: Reference: [ RFC-to-be ] IANA understands that these are the only actions that are required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. |
2014-05-04 | 15 | Barry Leiba | [Ballot comment] An updated last call went out on 29 April, which calls out the two downrefs. Thanks! |
2014-05-04 | 15 | Barry Leiba | [Ballot Position Update] Position for Barry Leiba has been changed to No Objection from Discuss |
2014-04-29 | 15 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (A YANG Data Model for System Management) to Proposed Standard The IESG has received a request from the NETCONF Data Modeling Language WG (netmod) to consider the following document: - 'A YANG Data Model for System Management' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2014-05-13. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-netmod-system-mgmt/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-netmod-system-mgmt/ballot/ No IPR declarations have been submitted directly on this I-D. Note that RFC 1321 and RFC 6151 are normative references to Informational documents. |
2014-04-29 | 15 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2014-04-29 | 15 | Amy Vezza | Last call was requested |
2014-04-29 | 15 | Amy Vezza | IESG state changed to Last Call Requested from IESG Evaluation::AD Followup |
2014-04-29 | 15 | Amy Vezza | Last call announcement was changed |
2014-04-29 | 15 | Amy Vezza | Last call announcement was generated |
2014-04-29 | 15 | Benoît Claise | Last call announcement was changed |
2014-04-29 | 15 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-15.txt |
2014-04-28 | 14 | Stephen Farrell | [Ballot comment] My discuss ended up being basically "what about secure NTP and more fully featured SSH admin and DNSSEC and other trust anchors?" to which the responses were that those could be done as extensions, but had not yet been done because there was a desire to start with a simple model. And they might also be a lot of work to get done. On that basis, I've cleared my discuss and hope someone does get back around to thinking about those issues sometime. --- OLD Comments below here - 2.3: why not also Diameter? I can buy doing that later if you say that is less important for enterprise use-cases I guess. - 3.1: where is inet:domain-name defined? Is it ok that all hostnames (managed this way) must be valid DNS names? - 3.5.3: I agree with Kathleen's discuss point #1 that more details of which RADIUS schemes would be good to add. - The crypt-hash typedef seems very specific to Linux. Is that linux specific or glibc? And a wikipedia article might not make the RFC editor happy. - I agree with Kathleen's discuss point #2 that it might be reasonable to go beyond the boilerplate security considerations for this data model since it is transporting cleartext passwords and public keys used to authenticate and device settings (e.g. DNS) that could easily subvert almost any security function on the device. |
2014-04-28 | 14 | Stephen Farrell | [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss |
2014-04-16 | 14 | Brian Haberman | [Ballot comment] Thanks for addressing my discuss points. |
2014-04-16 | 14 | Brian Haberman | [Ballot Position Update] Position for Brian Haberman has been changed to Yes from Discuss |
2014-04-15 | 14 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2014-04-15 | 14 | Martin Björklund | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2014-04-15 | 14 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-14.txt |
2014-04-14 | 13 | Kathleen Moriarty | [Ballot discuss] I have a few items to DISCUSS based on the framework options supported to ensure there is enough information (or pointers on information) to the options provided through the framework and the associated risks: 1. The Security Considerations section should include a pointer or a discussion on auth choices covered including CHAP, radius, & passwords for implementers to understand the risks associated with each choice. Update: Text (that looks fine) has been provided to enumerate the risks of RADIUS, but I have not seen text for the other authentication options provided in this framework yet. |
2014-04-14 | 13 | Kathleen Moriarty | [Ballot comment] This DISCUSS did not result in a change to the boilerplate or RFC6241 and I think there is an issue with the wording still. Since the only available transport options include session encryption, the concern is addressed, but the requirement for transport encryption should be more explicit in the language. Text included below. 2. Although SSH is Mandatory to Implement, it may not be mandatory to use and the risks should be called out or point to a discussion on the risks explicitly in this section. In the draft under review and the referenced RFC6241, there is no explicit requirement for session encryption to provide protection against passive or active attacks (Man in the Middle). Although the referenced RFC calls for integrity and confidentiality, it only says this "could" be provided through SSH or TLS. It does rely on transport to provide these features, but falls short of covering the current threat landscape where we have to worry about passive and active monitoring. In other words, you could provide confidentiality and integrity in other ways (not likely, but possible). Stronger language to require session encryption explicitly would help either in this draft or section 2.2 of RFC6241. Even better would be to explicitly call out the threat of passive and active monitoring as the only one listed is replay protection right now. Then say protections are provided through a requirement for session encryption. Proposals of where this should be and what wording is preferred are welcome (this draft, the template, or the base RFC6241). |
2014-04-14 | 13 | Kathleen Moriarty | Ballot comment and discuss text updated for Kathleen Moriarty |
2014-04-14 | 13 | Stephen Farrell | [Ballot discuss] (1) cleared (2) 2.2: Is nothing else needed to support secure NTP? If more is needed, why not support that? (3) cleared (4) 2.3: Similar question about SSH, ssh_config [1] has many more settings, why aren't any of those needed? [1] http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5 (5) 2.4: Wouldn't DNSSEC trust anchor support be needed here? Assuming that the public DNSSEC root is used everywhere within enterprises where this might be used seems odd, since such enterprises would probably have to operate a private root for at least internal DNS names. Even if trust anchor public key information is not needed here, wouldn't some DNSSEC settings be needed to configure DNSSEC validation on or off? (6) cleared |
2014-04-14 | 13 | Stephen Farrell | Ballot discuss text updated for Stephen Farrell |
2014-04-14 | 13 | Stephen Farrell | [Ballot discuss] (1) cleared (2) 2.2: Is nothing else needed to support secure NTP? If more is needed, why not support that? (3) cleared (4) 2.3: Similar question about SSH, ssh_config [1] has many more settings, why aren't any of those needed? [1] http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5 (5) 2.4: Wouldn't DNSSEC trust anchor support be needed here? Assuming that the public DNSSEC root is used everywhere within enterprises where this might be used seems odd, since such enterprises would probably have to operate a private root for at least internal DNS names. Even if trust anchor public key information is not needed here, wouldn't some DNSSEC settings be needed to configure DNSSEC validation on or off? (6) 3.5.1: What's the semantics of setting SSH public keys here - are those added to the existing set or do they replace the current set (associated with an account)? The former is problematic as getting rid of old SSH keys is an ongoing problem. The latter creates the potential to brick a machine. Either would seem to call for more text and not saying seems worse than saying ;-) Maybe this is determined by some more basic part of yang though, not sure? |
2014-04-14 | 13 | Stephen Farrell | Ballot discuss text updated for Stephen Farrell |
2014-03-27 | 13 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation |
2014-03-27 | 13 | Brian Haberman | [Ballot discuss] I support the publication of this document, but there were two points I wanted to DISCUSS to make sure they have been considered... 1. [RESOLVED (Thanks for the quick feedback)] The time elements of this module support NTP. Was there any consideration to also support alternative methods of setting the system clock like IEEE 1588? 2. The crypt-hash typedef has a small table in the description clause that lists three hash algorithms and there are corresponding feature statements for each of those algorithms. Was there any thought given to how a new algorithm could be added without having to update this module? The feature statements for these algorithms only contain a description clause, so there doesn't appear to be any algorithm-specific things needed in this module. The reason I noticed this is that I have several Linux distros that support Blowfish in their crypt() functionality. Is it possible to maintain the set of supported algorithms in a registry? |
2014-03-27 | 13 | Brian Haberman | Ballot discuss text updated for Brian Haberman |
2014-03-27 | 13 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2014-03-27 | 13 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2014-03-26 | 13 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2014-03-26 | 13 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2014-03-26 | 13 | Richard Barnes | [Ballot Position Update] New position, No Objection, has been recorded for Richard Barnes |
2014-03-25 | 13 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2014-03-25 | 13 | Kathleen Moriarty | [Ballot discuss] I have a few items to DISCUSS based on the framework options supported to ensure there is enough information (or pointers on information) to the options provided through the framework and the associated risks: 1. The Security Considerations section should include a pointer or a discussion on auth choices covered including CHAP, radius, & passwords for implementers to understand the risks associated with each choice. Update: Text (that looks fine) has been provided to enumerate the risks of RADIUS, but not the other authentication choices yet. 2. Although SSH is Mandatory to Implement, it may not be mandatory to use and the risks should be called out or point to a discussion on the risks explicitly in this section. In the draft under review and the referenced RFC6241, there is no explicit requirement for session encryption to provide protection against passive or active attacks (Man in the Middle). Although the referenced RFC calls for integrity and confidentiality, it only says this "could" be provided through SSH or TLS. It does rely on transport to provide these features, but falls short of covering the current threat landscape where we have to worry about passive and active monitoring. In other words, you could provide confidentiality and integrity in other ways (not likely, but possible). Stronger language to require session encryption explicitly would help either in this draft or section 2.2 of RFC6241. Even better would be to explicitly call out the threat of passive and active monitoring as the only one listed is replay protection right now. Then say protections are provided through a requirement for session encryption. Proposals of where this should be and what wording is preferred are welcome (this draft, the template, or the base RFC6241). 3. Is there a version or minimum version of CHAP that is supported to avoid security problems? Or a pointer on this that can be listed? - #3 has been addressed, no more discussion is needed here. |
2014-03-25 | 13 | Kathleen Moriarty | Ballot discuss text updated for Kathleen Moriarty |
2014-03-25 | 13 | Alia Atlas | [Ballot comment] 1) I agree with Brian's DISCUSS point (2) about some flexibility for new and different types of encryption algorithms. I'm particularly concerned that the algorithm-id appears to be tucked into the string. How can one extend that? The approach taken in authentication/user/ssh-key/algorithm with IANA allocated algorithms looks much better. 2) Not that I'm a security expert, but are these really the best encryption method for securing the configuration to routers via RADIUS? This is more minor, since it can obviously be extended as needed. 3) Is it possible to do any nesting of features? What does it mean to not support ntp but support ntp-udp-port? Comments below thanks to Wes George's quick review; I agree with them. 4) 3.5 – since SSH is mandatory, “over any transport” doesn’t make sense. Should be something like MUST support SSH, MAY support others, not “password over any transport” as currently. Plaintext transport should be explicitly prohibited, or if not prohibited, at least strongly recommended against, and it should be in the body of the document, not buried in the security considerations. 5) 5 – MD5 is deprecated and a new YANG module should not support it and should instead support TCP-AO. I don’t see the point in having it here, and then burying a “not recommended” in the end of the security considerations. General: Odd that TACACS is not discussed at all as an alternative to RADIUS or DIAMETER. You rightly raise the concern about the level of access to the system this model proposes (ability to reload/shutdown, etc). I think this doc is making the implicit assumption that the AAA method being used will also include some level of role definition that controls which commands are usable and which are prohibited by user/client, including the potential for different roles for different systematic uses of this interface — different IDs with different authentication. This is obliquely discussed in the security considerations, but it would be very useful to make this assumption more explicit in the body of the document so that people are thinking in that way when implementing support for the different AAA models. It may even be worth explicitly defining a set of commands which must be separately authenticated before they are executed so that there’s a method for “are you sure?” before triggering reloads and the like. As to which Hashes and algorithms, I agree that SHA256 seems sort of puny but aren’t there much better documents discussing which algorithms and key lengths are appropriate that this document could refer to? For something like an RFC, it makes sense to define the most secure algorithm as mandatory to implement, while allowing enough extensibility to support others, whether they are newer/better or lesser due to hardware/scale limitations. This probably means SHA-512 with salt, but I defer to folks with a better background in security. |
2014-03-25 | 13 | Alia Atlas | Ballot comment text updated for Alia Atlas |
2014-03-24 | 13 | Alia Atlas | [Ballot comment] 1) I agree with Brian's DISCUSS point (2) about some flexibility for new and different types of encryption algorithms. I'm particularly concerned that the algorithm-id appears to be tucked into the string. How can one extend that? The approach taken in authentication/user/ssh-key/algorithm with IANA allocated algorithms looks much better. 2) Not that I'm a security expert, but is SHA-512 really the strongest encryption method for securing the configuration to routers via RADIUS? This is more minor, since it can obviously be extended as needed. 3) Is it possible to do any nesting of features? What does it mean to not support ntp but support ntp-udp-port? |
2014-03-24 | 13 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2014-03-24 | 13 | Stephen Farrell | [Ballot discuss] (1) I have some concerns about how widely this has been reviewed given that it touches on so many security sensitive aspects of hosts in such a way as to potentially enable taking over the host being managed. (I.e. the impact of a problem here is high.) Wouldn't it be wise to get some review from say DIME, RADEXT and DNSOPS and to check with the openssh mailing list before calling this done? Or maybe that's been done already? My concern is that this data model appears to only support minimal or almost-no security variants of various protocols, which seems a shame for hosts that are going to be managed. If that's all been considered by all the right folks, that's fine, but I'm worried that it has not. (The LC went out quite early in the new year and didn't generate any comment that I can see, so maybe we should get a bit more review?) (2) 2.2: Is nothing else needed to support secure NTP? If more is needed, why not support that? (3) 2.3: Why not support RADIUS/TLS or radext-dtls? That would be needed in order to not send RADIUS usernames and passwords in clear out the other side of the box? That'd require a flag to say to use such a mechanism and some trust anchor information. (4) 2.3: Similar question about SSH, ssh_config [1] has many more settings, why aren't any of those needed? [1] http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5 (5) 2.4: Wouldn't DNSSEC trust anchor support be needed here? Assuming that the public DNSSEC root is used everywhere within enterprises where this might be used seems odd, since such enterprises would probably have to operate a private root for at least internal DNS names. Even if trust anchor public key information is not needed here, wouldn't some DNSSEC settings be needed to configure DNSSEC validation on or off? (6) 3.5.1: What's the semantics of setting SSH public keys here - are those added to the existing set or do they replace the current set (associated with an account)? The former is problematic as getting rid of old SSH keys is an ongoing problem. The latter creates the potential to brick a machine. Either would seem to call for more text and not saying seems worse than saying ;-) Maybe this is determined by some more basic part of yang though, not sure? |
2014-03-24 | 13 | Stephen Farrell | Ballot discuss text updated for Stephen Farrell |
2014-03-24 | 13 | Stephen Farrell | [Ballot discuss] (1) I have some concerns about how widely this has been reviewed given that it touches on so many security sensitive aspects of hosts in such a way as to potentially enable taking over the host being managed. (I.e. the impact of a problem here is high.) Wouldn't it be wise to get some review from say DIME, RADEXT and DNSOPS and to check with the openssh mailing list before calling this done? Or maybe that's been done already? My concern is that this data model appears to only support minimal or almost-no security variants of various protocols, which seems a shame for hosts that are going to be managed. If that's all been considered by all the right folks, that's fine, but I'm worried that it has not. (The LC went out quite early in the new year and didn't generate any comment that I can see, so maybe we should get a bit more review?) (2) 2.2: Is nothing else needed to support secure NTP? If more is needed, why not support that? (3) 2.3: Why not support RADIUS/TLS or radext-dtls? That would be needed in order to not send RADIUS usernames and passwords in clear out the other side of the box? That'd require a flag to say to use such a mechanism and some trust anchor information. (4) 2.3: Similar question about SSH, ssh_config [1] has many more settings, why aren't any of those needed? [1] http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5 (5) 2.4: Wouldn't DNSSEC trust anchor support be needed here? Assuming that the public DNSSEC root is used everywhere within enterprises where this might be used seems odd, since such enterprises would probably have to operate a private root for at least internal DNS names. Even if trust anchor public key information is not needed here, wouldn't some DNSSEC settings be needed to configure DNSSEC validation on or off? (6) 3.5.1: What's the semantics of setting SSH public keys here - are those added to the existing set or do they replace the current set (associated with an account)? The former is problematic as getting rid of old SSH keys is an ongoing problem. The latter creates the potential to brick a machine. Either would seem to call for more text and not saying seems worse than saying ;-) Maybe this is determined by some more basic part of yang though, not sure? |
2014-03-24 | 13 | Stephen Farrell | [Ballot comment] - 2.3: why not also Diameter? I can buy doing that later if you say that is less important for enterprise use-cases I guess. - 3.1: where is inet:domain-name defined? Is it ok that all hostnames (managed this way) must be valid DNS names? - 3.5.3: I agree with Kathleen's discuss point#1 that more details of which RADIUS schemes would be good to add. - The crypt-hash typedef seems very specific to Linux. Is that linux specific of glibc? And a wikipedia article might not make the RFC editor happy. - I agree with Kathleen's discuss point #2 that it might be reasonable to go beyond the boilerplate security considerations for this data model since it is transporting cleartext passwords and public keys used to authenticate and device settings (e.g. DNS) that could easily subvert almost any security function on the device. |
2014-03-24 | 13 | Stephen Farrell | [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell |
2014-03-21 | 13 | Barry Leiba | [Ballot discuss] I have no objection to the content of this document, and this is purely a procedural issue for the responsible AD: There are two downrefs: RFC 1321 and RFC 6151 are normative references to Informational documents. Both are called out in the shepherd writeup (thanks, Jürgen), and 1321 is in the downref registry. But 6151 is not, and needed specific mention in the last call notice, which it did not have. I think we need to re-issue last call to point that out (and then put 6151 in the downref registry). |
2014-03-21 | 13 | Barry Leiba | [Ballot Position Update] New position, Discuss, has been recorded for Barry Leiba |
2014-03-21 | 13 | Kathleen Moriarty | [Ballot discuss] I have a few items to DISCUSS based on the framework options supported to ensure there is enough information (or pointers on information) to the options provided through the framework and the associated risks: 1. The Security Considerations section should include a pointer or a discussion on auth choices covered including CHAP, radius, & passwords for implementers to understand the risks associated with each choice. 2. Although SSH is Mandatory to Implement, it may not be mandatory to use and the risks should be called out or point to a discussion on the risks explicitly in this section. 3. Is there a version or minimum version of CHAP that is supported to avoid security problems? Or a pointer on this that can be listed? |
2014-03-21 | 13 | Kathleen Moriarty | [Ballot Position Update] New position, Discuss, has been recorded for Kathleen Moriarty |
2014-03-21 | 13 | Brian Carpenter | Request for Telechat review by GENART Completed: Ready. Reviewer: Brian Carpenter. |
2014-03-21 | 13 | Brian Haberman | [Ballot discuss] I support the publication of this document, but there are two points I would like to DISCUSS to make sure they have been considered... 1. The time elements of this module support NTP. Was there any consideration to also support alternative methods of setting the system clock like IEEE 1588? 2. The crypt-hash typedef has a small table in the description clause that lists three hash algorithms and there are corresponding feature statements for each of those algorithms. Was there any thought given to how a new algorithm could be added without having to update this module? The feature statements for these algorithms only contain a description clause, so there doesn't appear to be any algorithm-specific things needed in this module. The reason I noticed this is that I have several Linux distros that support Blowfish in their crypt() functionality. Is it possible to maintain the set of supported algorithms in a registry? |
2014-03-21 | 13 | Brian Haberman | [Ballot Position Update] New position, Discuss, has been recorded for Brian Haberman |
2014-03-20 | 13 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-03-20 | 13 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-03-05 | 13 | Cindy Morgan | Telechat date has been changed to 2014-03-27 from 2014-03-20 |
2014-02-18 | 13 | Benoît Claise | Placed on agenda for telechat - 2014-03-20 |
2014-02-18 | 13 | Benoît Claise | IESG state changed to IESG Evaluation from IESG Evaluation::AD Followup |
2014-02-18 | 13 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2014-02-18 | 13 | Cindy Morgan | New revision available |
2014-02-18 | 12 | Benoît Claise | IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for AD Go-Ahead |
2014-02-13 | 12 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-12.txt |
2014-02-03 | 11 | Brian Carpenter | Request for Telechat review by GENART Completed: Ready. Reviewer: Brian Carpenter. |
2014-01-30 | 11 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Donald Eastlake. |
2014-01-22 | 11 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call (ends 2014-01-22) |
2014-01-20 | 11 | Benoît Claise | Removed from agenda for telechat |
2014-01-20 | 11 | Martin Björklund | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2014-01-20 | 11 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-11.txt |
2014-01-20 | 10 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2014-01-20 | 10 | Adrian Farrel | [Ballot comment] It might be nice at some stage to write a short RFC on data model tree diagrams to avoid repeating the terminology in each YANG document, and to provide a general home for discussion of the format of those diagrams. Such a document could also include some worked examples with explanations. |
2014-01-20 | 10 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2014-01-16 | 10 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-01-16 | 10 | Jean Mahoney | Request for Telechat review by GENART is assigned to Brian Carpenter |
2014-01-14 | 10 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2014-01-14 | 10 | Benoît Claise | Ballot has been issued |
2014-01-14 | 10 | Benoît Claise | [Ballot Position Update] New position, Yes, has been recorded for Benoit Claise |
2014-01-14 | 10 | Benoît Claise | Created "Approve" ballot |
2014-01-14 | 10 | Benoît Claise | Placed on agenda for telechat - 2014-01-23 |
2014-01-14 | 10 | Benoît Claise | Ballot writeup was changed |
2014-01-12 | 10 | Brian Carpenter | Request for Last Call review by GENART Completed: Ready. Reviewer: Brian Carpenter. |
2014-01-09 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2014-01-09 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2014-01-09 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2014-01-09 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2014-01-08 | 10 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2014-01-08 | 10 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (A YANG Data Model for System Management) to Proposed Standard The IESG has received a request from the NETCONF Data Modeling Language WG (netmod) to consider the following document: - 'A YANG Data Model for System Management' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2014-01-22. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-netmod-system-mgmt/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-netmod-system-mgmt/ballot/ No IPR declarations have been submitted directly on this I-D. |
2014-01-08 | 10 | Amy Vezza | State changed to In Last Call from Last Call Requested |
2014-01-08 | 10 | Benoît Claise | Last call was requested |
2014-01-08 | 10 | Benoît Claise | Last call announcement was generated |
2014-01-08 | 10 | Benoît Claise | Ballot approval text was generated |
2014-01-08 | 10 | Benoît Claise | Ballot writeup was generated |
2014-01-08 | 10 | Benoît Claise | State changed to Last Call Requested from AD Evaluation |
2013-12-23 | 10 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-10.txt |
2013-12-19 | 09 | Gunter Van de Velde | Request for Early review by OPSDIR Completed: Ready. Reviewer: Susan Hares. |
2013-12-03 | 09 | Benoît Claise | State changed to AD Evaluation from Publication Requested |
2013-12-03 | 09 | Jürgen Schönwälder | IETF WG state changed to Submitted to IESG for Publication |
2013-12-03 | 09 | Jürgen Schönwälder | IESG state changed to Publication Requested |
2013-12-03 | 09 | Jürgen Schönwälder | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Publication of draft-ietf-netmod-system-mgmt-09 as Proposed Standard is requested. This is indicated in the title page header. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. Working Group Summary: The normal WG process was followed and the documents reflect WG consensus with nothing special worth mentioning. Document Quality: This document received extensive review within the working group and ample time was spent to review and reconsider all design choices. Some working group members have indicated that they plan to implement this data model once approved by the IESG. Personnel: Juergen Schoenwaelder is the Document Shepherd. Benoit Claise is the responsible Area Director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd reviewed the document for correctness after earlier reviews done when the document was Last Called. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. The netmod working group has a healthy cooperative spirit and many reviews were contributed from all the major contributors to this work. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Input from RADIUS experts was requested on the RADIUS part of the data model and Alan DeKok provided some valuable input. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. None. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? We have not received any IPR disclosures. We believe that the authors/editors understand the IETF rules regarding IPR. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? This document has strong consensus. This is not a large working group but it is an active and diverse working group with many contributing individuals. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. None. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. This document has been reviewed by people who are also YANG doctors. As such, further YANG doctor reviews do not seem to be needed. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There is a downward reference to RFC 1321 which however seems to be unavoidable. The downward reference to RFC 6151 may be resolved by making this reference informational but since RFC 6151 updates RFC 1321, it also may make sense to keep it as a normative downward reference. Reference to draft-ietf-netmod-iana-timezones-00 needs to be updated (this I-D is being shipped to IESG together with this document). (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). Done. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. The YANG module has been checked using pyang v1.3. |
2013-12-03 | 09 | Jürgen Schönwälder | State Change Notice email list changed to netmod-chairs@tools.ietf.org, draft-ietf-netmod-system-mgmt@tools.ietf.org |
2013-12-03 | 09 | Jürgen Schönwälder | Responsible AD changed to Benoit Claise |
2013-12-03 | 09 | Jürgen Schönwälder | Working group state set to Submitted to IESG for Publication |
2013-12-03 | 09 | Jürgen Schönwälder | IESG state set to Publication Requested |
2013-12-03 | 09 | Jürgen Schönwälder | IESG process started in state Publication Requested |
2013-12-03 | 09 | Jürgen Schönwälder | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Publication of draft-ietf-netmod-system-mgmt-09 as Proposed Standard is requested. This is indicated in the title page header. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. Working Group Summary: The normal WG process was followed and the documents reflect WG consensus with nothing special worth mentioning. Document Quality: This document received extensive review within the working group and ample time was spent to review and reconsider all design choices. Some working group members have indicated that they plan to implement this data model once approved by the IESG. Personnel: Juergen Schoenwaelder is the Document Shepherd. Benoit Claise is the responsible Area Director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd reviewed the document for correctness after earlier reviews done when the document was Last Called. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. The netmod working group has a healthy cooperative spirit and many reviews were contributed from all the major contributors to this work. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Input from RADIUS experts was requested on the RADIUS part of the data model and Alan DeKok provided some valuable input. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. None. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? We have not received any IPR disclosures. We believe that the authors/editors understand the IETF rules regarding IPR. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? This document has strong consensus. This is not a large working group but it is an active and diverse working group with many contributing individuals. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. None. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. This document has been reviewed by people who are also YANG doctors. As such, further YANG doctor reviews do not seem to be needed. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There is a downward reference to RFC 1321 which however seems to be unavoidable. The downward reference to RFC 6151 may be resolved by making this reference informational but since RFC 6151 updates RFC 1321, it also may make sense to keep it as a normative downward reference. Reference to draft-ietf-netmod-iana-timezones-00 needs to be updated (this I-D is being shipped to IESG together with this document). (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). Done. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. The YANG module has been checked using pyang v1.3. |
2013-12-03 | 09 | Jürgen Schönwälder | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Publication of draft-ietf-netmod-system-mgmt-09 as Proposed Standard is requested. This is indicated in the title page header. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. Working Group Summary: The normal WG process was followed and the documents reflect WG consensus with nothing special worth mentioning. Document Quality: This document received extensive review within the working group and ample time was spent to review and reconsider all design choices. Some working group members have indicated that they plan to implement this data model once approved by the IESG. Personnel: Juergen Schoenwaelder is the Document Shepherd. Benoit Claise is the responsible Area Director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd reviewed the document for correctness after earlier reviews done when the document was Last Called. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. The netmod working group has a healthy cooperative spirit and many reviews were contributed from all the major contributors to this work. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Input from RADIUS experts was requested on the RADIUS part of the data model and Alan DeKok provided some valuable input. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. None. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? We have not received any IPR disclosures. We believe that the author/editor understands the IETF rules regarding IPR. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? This document has strong consensus. This is not a large working group but it is an active and diverse working group with many contributing individuals. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. None. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. This document has been reviewed by people who are also YANG doctors. As such, further YANG doctor reviews do not seem to be needed. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There is a downward reference to RFC 1321 which however seems to be unavoidable. The downward reference to RFC 6151 may be resolved by making this reference informational but since RFC 6151 updates RFC 1321, it also may make sense to keep it as a normative downward reference. Reference to draft-ietf-netmod-iana-timezones-00 needs to be updated (this I-D is being shipped to IESG together with this document). (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). Done. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. The YANG module has been checked using pyang v1.3. |
2013-12-03 | 09 | Jürgen Schönwälder | Changed consensus to Yes from Unknown |
2013-12-03 | 09 | Jürgen Schönwälder | IETF WG state changed to Submitted to IESG for Publication from In WG Last Call |
2013-11-28 | 09 | Gunter Van de Velde | Request for Early review by OPSDIR is assigned to Susan Hares |
2013-11-28 | 09 | Gunter Van de Velde | Request for Early review by OPSDIR is assigned to Susan Hares |
2013-11-07 | 09 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-09.txt |
2013-07-05 | 08 | Jürgen Schönwälder | IETF WG state changed to In WG Last Call from WG Document |
2013-07-05 | 08 | Jürgen Schönwälder | Intended Status changed to Proposed Standard from None |
2013-07-05 | 08 | Jürgen Schönwälder | Document shepherd changed to Jürgen Schönwälder |
2013-07-04 | 08 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-08.txt |
2013-06-17 | 07 | Martin Björklund | New version available: draft-ietf-netmod-system-mgmt-07.txt |
2013-04-21 | 06 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-06.txt |
2013-02-25 | 05 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-05.txt |
2012-12-26 | 04 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-04.txt |
2012-09-07 | 03 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-03.txt |
2012-07-11 | 02 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-02.txt |
2012-06-30 | 01 | Andy Bierman | New version available: draft-ietf-netmod-system-mgmt-01.txt |
2012-01-31 | 00 | (System) | New version available: draft-ietf-netmod-system-mgmt-00.txt |