Each specification that defines one or more YANG modules MUST contain a section that discusses security considerations relevant to those modules. This section MUST be patterned after the latest approved template (available at https://wiki.ietf.org/group/ops/yang-security-guidelines).
In particular, writable data nodes that could be especially disruptive if abused MUST be explicitly listed by name and the associated security risks MUST be spelled out.
Similarly, readable data nodes that contain especially sensitive information or that raise significant privacy concerns MUST be explicitly listed by name and the reasons for the sensitivity/privacy concerns MUST be explained.
Further, if new RPC operations have been defined, then the security considerations of each new RPC operation MUST be explained.
This section is modeled after the template described in Section 3.7 of [RFCAAAA].
The "[module-name]" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have to use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and have to use mutual authentication.
The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.
If the data model contains any writable data nodes (those are all the "config true" nodes), then include the following text:
There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be reasonably sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:
If the data model contains any particularly sensitive data nodes, e.g., ones that might be protected by a "nacm:default-deny-write" or a "nacm:default-deny-all" extensions statement, then those subtrees and data nodes must be listed, with an explanation of the associated security risks with a focus on how they can be disruptive if abused. Otherwise, state:
"There are no particularly sensitive writable data nodes."
If the data model contains any readable data nodes (i.e., those that are "config false" nodes, but also all other nodes, because they can also be read via operations like get or get-config), then include the following text:
Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:
You must evaluate whether the data model contains any readable data nodes (those are all the "config false" nodes, but also all other nodes, because they can also be read via operations like get or get-config) are particularly sensitive or vulnerable (e.g., if they might reveal customer information or violate personal privacy laws). Typically, particularly sensitive readable data nodes are ones that might be protected by a "nacm:default-deny-read" or a "nacm:default-deny-all" extensions statement. Otherwise, state:
"There are no particularly sensitive readable data nodes."
If the data model contains any RPC or action operations, then include the following text:
Some of the RPC or action operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. Specifically, the following operations have particular sensitivities/ vulnerabilities:
If the data model contains any particularly sensitive RPC or action operations, then those operations must be listed here, along with an explanation of the associated specific sensitivity or vulnerability concerns. Otherwise, state:
"There are no particularly sensitive RPC or action operations."
If the data model reuses groupings from other modules and the document that specifies these groupings also includes those as data nodes, then add this text to remind the specific sensitivity or vulnerability of reused nodes.
This YANG module uses groupings from other YANG modules that define nodes that may be considered sensitive or vulnerable in network environments. Refer to the Security Considerations of [RFC-insert-numbers] for information as to which nodes may be considered sensitive or vulnerable in network environments.
If the data model does not define any data nodes (i.e., none of the above sections or readable/writable data nodes or RPCs have been included), then add the following text:
The YANG module defines a set of identities, types, and groupings. These nodes are intended to be reused by other YANG modules. The module by itself does not expose any data nodes that are writable, data nodes that contain read-only state, or RPCs. As such, there are no additional security issues related to the YANG module that need to be considered.
Modules that use the groupings that are defined in this document should identify the corresponding security considerations. For example, reusing some of these groupings will expose privacy-related information (e.g., 'node-example').