I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready With Issues. I agree somewhat with the Major Concerns in Russ Housley's Gen-ART review https://datatracker.ietf.org/doc/review-ietf-rtgwg-lne-model-05-genart-lc-housley-2018-01-20/ although I disagree that it makes the document Not Ready. > Major Concerns: > > Section 4 listed three data nodes that are sensitive or vulnerable: > - /logical-network-elements/logical-network-element > - /logical-network-elements/logical-network-element/managed > - /if:interfaces/if:interface/bind-lne-name > > All three of them deserve a bit more discussion, although the middle > one is covered in much more detail than the other two. If a bad actor > gets "unauthorized access" is there something more specific about each > of these that can be said? The characterization of "network > malfunctions, delivery of packets to inappropriate destinations, and > other problems" seems very broad. Consequences that are specific to > these data nodes would be more helpful to the reader. My limited understanding is that there is a lot of variation in the security impact among specific equipment models and deployment scenarios. Therefore, they would likely need to be analyzed on a case-by-case basis. Perhaps there should be Security Considerations text to this effect, maybe with some broad guidance about how to do such an analysis? For example, does changing the "bind-lne-name" of an interface have the effect of making it unavailable to the LNE it was previously associated with, while providing the new LNE with an unconfigured new interface? Or does it also carry some configuration or routing state from the former LNE with it to the new LNE? The latter might have a greater security impact. This final paragraph in the Security Considerations of this document seems copied almost verbatim from that of RFC 8022: > Unauthorized access to any of these lists can adversely affect the > security of both the local device and the network. This may lead to > network malfunctions, delivery of packets to inappropriate > destinations, and other problems. That seems to have been acceptable for RFC 8022, but perhaps we should do better here? Or do we follow the precedent that this level of detail in the Security Considerations of YANG specifications is acceptable? Best regards, -Taylor