IETF Logo Mail Archive

[Anima] Review draft-ietf-anima-reference-model-04

Artur Hecker <Artur.Hecker@huawei.com> Wed, 26 July 2017 17:55 UTC

Return-Path: <Artur.Hecker@huawei.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5082C131DB6 for <anima@ietfa.amsl.com>; Wed, 26 Jul 2017 10:55:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuH4QpoOLfNb for <anima@ietfa.amsl.com>; Wed, 26 Jul 2017 10:55:21 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CBE5131E05 for <anima@ietf.org>; Wed, 26 Jul 2017 10:55:20 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml707-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DLI96981; Wed, 26 Jul 2017 17:55:18 +0000 (GMT)
Received: from LHREML501-MBX.china.huawei.com ([10.201.109.49]) by lhreml707-cah.china.huawei.com ([10.201.108.48]) with mapi id 14.03.0301.000; Wed, 26 Jul 2017 18:55:14 +0100
From: Artur Hecker <Artur.Hecker@huawei.com>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: Review draft-ietf-anima-reference-model-04
Thread-Index: AdL8rftkcbJTFE6DSF+ugNLuguLV7A==
Date: Wed, 26 Jul 2017 17:55:13 +0000
Message-ID: <8DA547FB1280754AAC43A3E56DCB7AD20AEC33E8@lhreml501-mbx>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.204.65.211]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090206.5978D786.0175, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 75d95c7978b42fb94ef890893a43ce71
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/HYeCU1EtnZlOkFVSqzP3H6-Ek6A>
Subject: [Anima] Review draft-ietf-anima-reference-model-04
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 17:55:23 -0000

Dear community, dear Authors,


I reread the draft-ietf-anima-reference-model-04. I hope it's not arriving at an inappropriate moment, but please find some notes and remarks below:


1. Page 6: s/potentiall/potential

2. Page 8: Section 4. The text mentions "must implement" and "other" functions, but fails to correctly guide the reader as to the MUST or not MUST of the functions in the following subsections. It is partly not even clear from the semantics of the subsections.

Suggestion: clearly group MUST, SHOULD and MAY IMPLEMENT functions in the subsections.

3. Page 12: Information Distribution - consider rewriting parts of this section entirely. Several problems:

a) Remove repetitive text in the beginning:
"Certain forms of information, such as Intent, must be distributed across an autonomic domain. The distribution of information is also a function of the Autonomic Control Plane.  One form of such information is Intent."

Suggestion: Either remove the first inclusion, or the entire last sentence. I would rewrite these three, see next point:

b) There seems to be a problem with the statement above, as the "must" is somehow misleading in a potentially normative text. What is meant here is that some information requires dissemination, while other might not require that. 

Suggestion - please REWRITE e.g. as follows:
"Certain forms of information require per its nature distribution across a (part of) autonomic domain. Such information distribution is a function of the Autonomic Control Plane. As an example, Intents require distribution across the whole autonomic domain as per definitions from RFC7575."

c) Later, the text in this section somehow confuses the high level requirements (=information distribution) with a specific implementation, notably flooding. Note that there is a subtle difference between the requirement to reach all recipients (indeed, the current text seems to equal flooding to that) and flooding, which technically usually means "unconstrained broadcast". [E.g. Wikipedia: "Flooding is a simple computer network routing algorithm in which every incoming packet is sent through every outgoing link except the one it arrived on"]. This will lead to explosive message number growth, as the ACP uses routing - which does not guarantee a tree structure - while the scale of an autonomic domain is, by definitions of RFC7575, only constrained by the Intent as such ("the autonomic domain is the set of nodes, to which the intent needs to be sent"). At the same time, there are better known algorithms for routing, which achieve "distribution to all recipients" without "sending on all links except the one it arrived on" (e.g. structured broadcast, etc).

Suggestion: stay at the requirements level in the Reference text, which this draft represents. In other words, remove suggestions of implementations, or reword if the requirement to reach all nodes is meant.

4. Page 17, Section 6.3.3.  The Information Distribution ASA (*).
While the text above (on page 12: Information Distribution) says that Information Distribution is function of ACP, somehow there is a distinct section in this draft, talking about an Information Distribution ASA, which is NOT ACP ASA, and which is not obligatory.

How to read this correctly?

5. Page 17, Section 7.1: "How an AN Network Is Managed"
a) Please consider changing the title. AN is "autonomic network" network network :-)
b) The first paragraph says that the co-existence is twofold. However, I can think of at least one other way: the ACP could be used as a transport channel for "traditional" management. E.g. ACP could be used to transport NETCONF messages, instead of SSH or BEEP in NETCONF. Not clear, what twofold means here (just an example, limitation, strong statement, etc).

6. Page 18, Section 7.2: "Intent"
Please reread and correct this phrase: "It is expected Intent definitions from autonomic function(s) and even from traditional network management elements". (missing verb)

Later in the text, the section references I-D.liu-anima-grasp-distribution, which is odd, given that the actual Information Distribution section (see above) does not. Yet, information distribution in I-D.liu-anima-grasp-distribution is not limited to intents.

7. Page 19, Section 7.5: "Control loops"
The section talks about an "Autonomic System". Unless I am mistaken, an autonomic system is not defined (e.g. in RFC7575). This is a minor issue, as we all can imagine what a "system" is.

8. Page 20, Section 7.6: "APIs"
There is a strong "MUST" requirement in this section (express and preserve semantics across different domains), which is not as clear as a MUST should be. First, it's not clear what "express and preserve semantics" means (semantics of what? Of objects? Of object methods? Of the results delivered by object methods? Of all of them?). Second, the "domain" is not defined: is an autonomic domain meant? Note that this notion is dynamic, as per intent scope, so probably not a very good reference. Third, the requirement is not corroborated clearly. Instead, an example is given, which we might discuss in its relevance to the ANIMA WG and work scope. Is ANIMA implementing software contracts? Is it a MUST requirement? Probably not. Note that web-based systems today have no such formal specifications, as mentioned in this section. Example: invariants; these are nice to have, but hard to determine for any complex piece of software (like a web service, etc).

9. Page 20, Section 7.7: "Data Model"
Question: why do we need this section? This looks like some text book. Do we have a specification of data model in ANIMA? Information model? Anything like that? If not, I guess this can be shortened, as it is "for reference" only. (What is MRACL? Used without explanation in text).

10. Page 22, Section 8.1:
s/mechanisms exists/mechanisms exist.

11.  Page 23, Section 9: "Security Considerations"
Please rephrase "run inside the encrypted ACP". I hope that it's not simply "encrypted" but actually features the full range of cryptographic data protection methods.

Rationale: I would argue that integrity is more important than confidentiality in the ANIMA scope. As encryption alone does not provide any protection against modification, and since hopefully the used mechanisms (see Section 9.2) go beyond encryption, I would recommend to use a more correct wording, something like "protected" or "cryptographically protected ACP".

Generally, the section does not sufficiently presents the threat of message modification and replay, including the discovery messages. Also, authentication is not sufficiently covered, even though a reference to I-D.ietf-anima-bootstrapping-keyinfra is made. Not sure it's the best approach, as bootstrapping refers to how to enroll the node, and the authentication is probably using standard mechanisms? Normally, the threats should be described independently of the specific mechanisms.



Regards
artur

v2.23.0 | Report a Bug | By Email