Last Call Review of draft-ietf-netconf-rfc4742bis-
review-ietf-netconf-rfc4742bis-secdir-lc-austein-2011-03-03-00

Request Review of draft-ietf-netconf-rfc4742bis
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-03-01
Requested 2011-02-06
Draft last updated 2011-03-03
Completed reviews Secdir Last Call review of -?? by Rob Austein
Assignment Reviewer Rob Austein
State Completed
Review review-ietf-netconf-rfc4742bis-secdir-lc-austein-2011-03-03
Review completed: 2011-03-03

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft is an updated specification for transport of NETCONF
message streams over SSH connections using the SSHv2 "subsystem"
protocol.  These message streams are bi-directional channels conveying
multiple complete XML documents in each direction.  The main change
from RFC 4742 to this draft is a revision to the framing protocol.

The original framing protocol in RFC 4742 used a magic delimiter
string "]]>]]>" in the mistaken belief that such a string could never
appear in a well-formed XML document.  The current document defines a
new counted-length framing protocol, but preserves vestiges of the old
framing protocol for backwards compatibility and requires use of the
old protocol during the initial capability exchange.

I have no serious security concerns regarding this document, but I do
have two comments:

1) If it's worth changing the framing protocol at all, which I'm
   willing to accept as a given, it is far from obvious to me that the
   current negotiated upgrade is the right way to do it, as this will
   require implementation of the old bad mechanism forever.  Switching
   to a new SSH subsystem name seems like a much simpler solution.

2) As a matter of stylistic consistency with the last several decades
   of Internet protocols, the delimiter sequence in the new framing
   protocol should have been <CRLF>, not <LF>.  Sigh.
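The two framings the review contrasts, as an added example that is not part of the review, RFC 4742, or this draft: the old "]]>]]>" end-of-message delimiter beside the draft's counted-length chunked framing (`\n#<len>\n<data>` ... `\n##\n`). Function names are mine, and the sample message is constructed; it is well-formed XML because "]]>" is legal inside an attribute value, which is exactly why the magic delimiter was never safe.

```python
"""NETCONF-over-SSH framing, old and new (added example, not from the review or the draft)."""
import re

EOM = b"]]>]]>"                                        # RFC 4742 end-of-message delimiter
_CHUNK_HDR = re.compile(rb"\n#([1-9][0-9]{0,9})\n")   # chunk-size: decimal, no leading zero


def eom_split(stream: bytes) -> list:
    """Old framing: split on the magic delimiter and trust that it never appears in a message."""
    parts = stream.split(EOM)
    return parts[:-1]                                  # last element is the trailing remainder


def chunk_encode(msg: bytes, chunk_size: int = 4096) -> bytes:
    """New framing: every chunk carries its own byte length; "\\n##\\n" ends the message."""
    out = bytearray()
    for i in range(0, len(msg), chunk_size):
        piece = msg[i:i + chunk_size]
        out += b"\n#%d\n" % len(piece) + piece
    out += b"\n##\n"
    return bytes(out)


def chunk_decode(stream: bytes) -> list:
    """Decode zero or more chunk-framed messages; any framing violation raises instead of desyncing."""
    msgs, pos, cur = [], 0, bytearray()
    while pos < len(stream):
        if stream.startswith(b"\n##\n", pos):          # end-of-chunks: one complete message
            msgs.append(bytes(cur))
            cur, pos = bytearray(), pos + 4
            continue
        m = _CHUNK_HDR.match(stream, pos)
        if not m:
            raise ValueError("malformed chunk header at offset %d" % pos)
        size = int(m.group(1))
        start, end = m.end(), m.end() + size
        if end > len(stream):
            raise ValueError("truncated chunk: header promised %d bytes" % size)
        cur += stream[start:end]                       # payload is taken by length, never by scanning
        pos = end
    if cur:
        raise ValueError("stream ended inside a message (missing end-of-chunks)")
    return msgs


# Constructed sample: well-formed XML whose attribute value contains the old delimiter.
SAMPLE = b'<rpc message-id="1"><edit-config><note text="]]>]]>"/></edit-config></rpc>'


def demo():
    """Old framing cuts the single message in two; chunked framing returns it intact."""
    eom_msgs = eom_split(SAMPLE + EOM)
    chunk_msgs = chunk_decode(chunk_encode(SAMPLE, chunk_size=16))
    return len(eom_msgs), chunk_msgs
```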