Hello,




I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area
 directors.  Document editors and WG chairs should treat these comments just like any other last call comments.




 




This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in NETCONF.




 




I have reviewed draft-ietf-netconf-restconf-09 as the Secdir before. My general thoughts about it is:




 




Firstly, the document appears in reasonably good shape.




 




Secondly, in general, the RESTCONF is an application protocol layered on the HTTP protocol. As mentioned in the document, just using the HTTPS (with TLS) can address most of the security issues such as confidentiality,
 integrity, authentication, etc. In other words, RESTCONF is designed inherently based on a good security base.




 




 




Now, after several rounds of update, this draft has became better in the aspect of security considerations. I don’t see further security issues in addition to the description in the sections of “Transport Protocol Requirements”
 and “Security Considerations”. 




 




In summary, I think this draft is Ready!




 




Thanks!




 




B.R.




Frank