Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
"ietfdbh" <ietfdbh@comcast.net> Fri, 31 May 2013 13:48 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7814221F96E1 for <behave@ietfa.amsl.com>; Fri, 31 May 2013 06:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level:
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DY1IYIvxx32q for <behave@ietfa.amsl.com>; Fri, 31 May 2013 06:47:59 -0700 (PDT)
Received: from qmta02.westchester.pa.mail.comcast.net (qmta02.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:24]) by ietfa.amsl.com (Postfix) with ESMTP id 64CB121F969C for <behave@ietf.org>; Fri, 31 May 2013 06:47:59 -0700 (PDT)
Received: from omta18.westchester.pa.mail.comcast.net ([76.96.62.90]) by qmta02.westchester.pa.mail.comcast.net with comcast id iban1l0031wpRvQ51dnyw3; Fri, 31 May 2013 13:47:58 +0000
Received: from JV6RVH1 ([67.189.237.137]) by omta18.westchester.pa.mail.comcast.net with comcast id idnx1l00S2yZEBF3ednxej; Fri, 31 May 2013 13:47:58 +0000
From: ietfdbh <ietfdbh@comcast.net>
To: 'Simon Perreault' <simon.perreault@viagenie.ca>, 'Dave Thaler' <dthaler@microsoft.com>
References: <7bc37af6cf764c2e965778b6b265a2d4@BY2PR03MB269.namprd03.prod.outlook.com> <ba99d2de63904656992c45255161910a@BY2PR03MB269.namprd03.prod.outlook.com> <51A72041.6060208@viagenie.ca> <2d6b12df967d4faf8fcfd6d6891b2ca2@BN1PR03MB267.namprd03.prod.outlook.com> <51A8565B.5070700@viagenie.ca>
In-Reply-To: <51A8565B.5070700@viagenie.ca>
Date: Fri, 31 May 2013 09:47:41 -0400
Message-ID: <004a01ce5e05$6bf10c90$43d325b0$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJBxKJNP60xDQ0hdWTuJWe6MT5M0gKTgyxEAo3yDToCQZO96AGHXu79l/EandA=
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1370008078; bh=B2IpskxIYdgMQEAMlybG8dAGz9zhGawck42yokzCoF0=; h=Received:Received:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type; b=bytcFEMmrxDYXTBVCvnyPszhCCq57UekmVJdzkM5vcSQy7aeTKlQUe2XEWJW3gqCZ j9WqUFoECYmTlbsETjpgKILfZ+Dy2mOPek1GTS7bK109C62Aa8owZzXxo0Pud2Rpp7 nPAkVyLN3j8w0+EgT/0gl7x1rtro3/COyb/NSF87nAzl8K5A3GTAP9y3rWZxEuGPWC Y4LuN72sM0xzebNQPTxPeAGhFwGfdVMtBL6L9D1Grc4tWeCUdJyr1TKacbPWjkAxTs sL1xi1he3UXXTyV77S/5WH6eVbjbDbHbUbVpup8JINqaRA1G7Vj+1Hr77gWsCepGek /hQVjlYxuQEkw==
Cc: draft-ietf-behave-nat-mib@tools.ietf.org, behave@ietf.org
Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 13:48:06 -0000
Hi, Three things. 1) A while back, I suggested that, if you are deprecating all of the NAT-MIB in rfc4008, that it would be better to do this as a separate document from the NEW-NAT-MIB (or whatever the new module gets called). Simon asked me to get consensus from the MIB Doctors. I checked with the MIB Doctor list, and only got one reply - from Juergen, who apparently recommended a single document. His response: " I have probably been pushing them into this because at the beginning it was not really clear why the existing NAT-MIB is fatally flawed such that it needs a complete replacement. If the behave WG has meanwhile reached consensus that indeed the existing NAT-MIB is fatally flawed and needs a complete replacement, then indeed what you suggest makes sense. I assume the WG has checked with those who have implementations of the existing NAT-MIB (if any) that they agree on a need for a complete new MIB." 2) Since deprecated objects are not obsoleted, I think new security considerations might be called for relating to the deprecated objects - especially if there are security implications of implementing BOTH the current and deprecated objects. Some NMS applications will support only the old MIB module; others may support only the new MIB module. Some agents will want to implement both, to make their devices manageable from either type of NMS application. Some NMS applications will want to support both, to deal with both legacy and new agents. MIB modules often make information available that could potentially be used by attackers. Are there particular risks involved in exposing the information of these two NAT-MIBs in combination? Are there potential risks associated with the potential confusion of looking at a NAT from the different perspectives used by these two NAT MIB approaches? 3) I notice there is no "Operational Considerations" section. I wonder if one is called for here, because operators may be faced with NMS applications and/or agents that support both the deprecated and the new MIB module. What should operators (and NMS applications) do with this potentially conflicting information? What should they explicitly NOT do? E.g., What assumptions should they NOT make about the relationships between specific objects in the old and new versions? My impression is that the old and the new MIB modules might be appropriate depending on the environment in which they exist, and the old MIB is implemented (to whatever degree of compliance) in existing legacy devices, so simply saying "never use the old MIB" is not going to be an acceptable approach. David Harrington ietfdbh@comcast.net +1-603-828-1401 -----Original Message----- From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf Of Simon Perreault Sent: Friday, May 31, 2013 3:51 AM To: Dave Thaler Cc: behave@ietf.org; draft-ietf-behave-nat-mib@tools.ietf.org Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Le 2013-05-30 21:38, Dave Thaler a écrit : >>> 4) The MIB compiler I used complained about this: >>>> natMappingPool OBJECT-TYPE >>>> SYNTAX NatPoolId (0|1..4294967295) >>> Because of >>>> NatPoolId ::= TEXTUAL-CONVENTION >>>> SYNTAX Unsigned32 (1..4294967295) >>> >>> That is, NatPoolId does not allow 0, and so natMappingPool cannot >>> add it and still use the NatPoolId syntax. >> >> Hmmmm... Would it be OK if I changed natMappingPool to an Unsigned32? >> >> natMappingPool OBJECT-TYPE >> SYNTAX Unsigned32 (0|1..4294967295) > > Yes, but you should remove the range restriction since that's the full range. > So just > SYNTAX Unsigned32 Right. Removed. > I see you added in the security considerations section: >> Note: This section only applies to objects with current status. >> For deprecated objects, please refer to the Security >> Considerations section from [RFC4008]. > > However that doesn't make sense in my opinion unless we make RFC4008 a > Normative (not informative) reference. But I would prefer keeping it as > an informative reference so it can be obsoleted. So I disagree with the > quoted limitation. Hmmm... So what should we do instead? Keeping in mind that the security considerations in 4008 aren't up to today's standards. a) Copy the security section verbatim from 4008. Add a preamble saying something like "These considerations apply to the deprecated elements. Others may apply, use at your own risk." b) Create brand new security considerations for deprecated elements. c) ??? Simon _______________________________________________ Behave mailing list Behave@ietf.org https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib ietfdbh
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Juergen Schoenwaelder