IETF Logo Mail Archive

Re: [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04

Andy Bierman <andy@yumaworks.com> Tue, 06 October 2020 03:31 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D1D83A0FD7 for <i2nsf@ietfa.amsl.com>; Mon, 5 Oct 2020 20:31:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URI_DOTEDU=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HtwkRV7n3x9 for <i2nsf@ietfa.amsl.com>; Mon, 5 Oct 2020 20:30:58 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18FEA3A0FF1 for <i2nsf@ietf.org>; Mon, 5 Oct 2020 20:30:57 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id h20so2557401lji.9 for <i2nsf@ietf.org>; Mon, 05 Oct 2020 20:30:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/A3Wo8h+9Wh87JktRUD9BejhfbTdOux0INpFHwmneSs=; b=qmaMerDCnB+Rd/EJr6GB4wLYyO/RXvzqHFGf7qdEmCPoIStstRP/UUr4FCWCn2M/Rb gHWeeOmvO5ZjlXGoM9EJ3kku91RwgSLasbczMpspK345opa2LaN6mKykOQ+9AqKzpCBY H9B/NX3fcHgSVeFp3ZDlwV7h4gZAtoqhdsOAwphhFr6Q5R3PhnPHXZtDEXhHUiGMpRHt 40hk8Puo7vqTvcppti30NtjNDiJ8HaatltEDaifotC+TmaCObtVOsg7Y8/a6S+KgFOO9 wkhKiTtH8sWkUKwbLzKNtMzQCK9wI03sdkgzNR2F85Ydvw/Q7QtminlFxa6PAhqXUEFF t7SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/A3Wo8h+9Wh87JktRUD9BejhfbTdOux0INpFHwmneSs=; b=fsDoUILHSwFtnx3VQrlcen/yhcUIGEDe9FGyBNNODu3ZTSp/IwrIFFvS2wbySElM/D rR42poI8EDg67bCqNXae3/iaM946Oe+ZFsi4IudxkfRTXLX78RqU9FOKinyz0DudXGCK KFWAn8QzuwU0q2V95W6/3CSypiNGMSIQpFiMSNA5+U3FpkfYSaBvOwLB5VP1DehuTNZg DUuC79FceXsLZmz/4TX+f7vBPRbhYY5MtYOLyhUHbWCbmOTBSdYagFMZEMr5+JnyTamg IRuGmc63ymWeTpELBha0x6gH301bbDErYgCbuW2OM6zGv19WcMUSGPJ06vHeJvm+fXd0 vs+g==
X-Gm-Message-State: AOAM532BHdJOeNgILGrtd5PI4xXAuVXyBYRcqyudGT32A+2jv8UhyYg2 hD+VwfwG5fetqFcTbbAzouqDKuFY2IHqeKGu60r5Kw==
X-Google-Smtp-Source: ABdhPJzB3kFKWhWrRvcTZN+UUR5AQUoWeSA64RZe32A12pzW69y3Jo3G/kBcOvWJlqvfaFQspiRSj5U/AkKE5ue1cOg=
X-Received: by 2002:a2e:4e01:: with SMTP id c1mr874727ljb.144.1601955055951; Mon, 05 Oct 2020 20:30:55 -0700 (PDT)
MIME-Version: 1.0
References: <160192102291.6633.15935674903085952087@ietfa.amsl.com> <CAPK2DewOF7QcTD8UdFYdoGUvnJz_fxb53OOn-KmYQgNA38xLoA@mail.gmail.com>
In-Reply-To: <CAPK2DewOF7QcTD8UdFYdoGUvnJz_fxb53OOn-KmYQgNA38xLoA@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 05 Oct 2020 20:30:45 -0700
Message-ID: <CABCOCHQsxFVNdBgL9fyZHV+Bevs1D8d5B=+KJAgoVBVekz+VtQ@mail.gmail.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Cc: YANG Doctors <yang-doctors@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, draft-ietf-i2nsf-nsf-monitoring-data-model.all@ietf.org, Patrick Lingga <patricklink888@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000000e7b0205b0f83a6e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/42-g0oCdgPZpACOBmeQ5o2cfnwU>
Subject: Re: [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2020 03:31:00 -0000

On Mon, Oct 5, 2020 at 7:30 PM Mr. Jaehoon Paul Jeong <
jaehoon.paul@gmail.com> wrote:

> Hi Andy,
> Thanks for your valuable comments on our NSF Monitoring YANG Data Model
> Draft.
> We authors will reflect your comments on the revision and come back to you
> with
> the revised draft and revision letter.
>
>
I forgot 1 comment:

 - the draft is not that explicit about the event stream to use for these
notifications
   Perhaps a new standard event stream (I2NSF) would be better than the
standard (NETCONF)
   The draft should be more clear wrt/ the NETCONF stream.


Andy



> Thanks.
>
> Best Regards,
> Paul
>
>
> On Tue, Oct 6, 2020 at 3:03 AM Andy Bierman via Datatracker <
> noreply@ietf.org> wrote:
>
>> Reviewer: Andy Bierman
>> Review result: Almost Ready
>>
>>
>>
>> Major Issues:
>>
>>  - None
>>
>> Moderate Issues:
>>
>>  - top-level 'counters' container does not follow naming conventions.
>>    Should start with 'i2nsf', probably 'i2nsf-state'
>>
>>  - There do not seem to be any writable objects in the /counters
>>    subtree so this container should have a 'config false' statement
>>
>>  - top-level typedef and grouping description-stmts are self-referential
>>    and not useful. Need to rewrite description-stmts and/or add
>>    reference-stmts as needed.
>>
>>  - grouping common-monitoring-data/time-stamp
>>    Is this a different time stamp than the one in the NETCONF
>> notification?
>>    The 'message generation time' sounds like the standard timestamp.
>>    Does this object represent the event detection time?
>>
>>  - grouping i2nsf-system-alarm-type-content/usage
>>  - grouping i2nsf-system-alarm-type-content/threshold
>>    These are uint8 leafs with unclear descriptions.
>>    Not sure why uint8 is the appropriate type.
>>    Needs 1 or more of (reference, units, better description)
>>
>>  - grouping traffic-rates
>>    Add a units statement to each leaf. Not sure what units to use
>>    but it should be consistent. (e.g, pps, bps used in descriptions
>>    should also be in a units-stmt)
>>
>>  - grouping i2nsf-system-counter-type-content
>>    These counters should use the yang:counter32 type instead of uint32
>>
>>  - container counters/system-interface
>>  - container counters/nsf-firewall
>>  - container counters/nsf-policy-hits
>>   The descriptions are too terse and confusing, and need a rewrite.
>>
>>  -  container counters/nsf-firewall
>>  -  container counters/nsf-policy-hits
>>     - uses i2nsf-nsf-counters-type-content;
>>     Many of the fields expanded from this grouping all say
>>     they refer to 'the packet'. Why are they in this global
>>     container of counters? E.g. (src-ip, dst-ip, src-port, dst-port)
>>     Not clear at all how the server is supposed to apply this
>>     grouping to these containers.
>>
>>  - many leafs use "uint32" type for a rate.
>>    Should add a units-stmt
>>
>>  - leaf counters/nsf-policy-hits/hit-times
>>    The purpose and type are confusing and generic.
>>    If this is a counter then use counter32
>>
>>  - cut-and-paste for notification-stmt content should be replaced
>>    with grouping/uses instead. Applies to the nsf-detection-*
>>    and the various logging notifications. Even a grouping that
>>    has 1 object in it is better than cut-and-paste 5+ times
>>
>> Minor Issues:
>>
>>  - top-level identifiers are too generic
>>    should have 'i2nsf-' prefix to be more reusable outside this module
>>
>>  - quite a lot of identities that an implementation is required to
>> support.
>>    If this set of identities might change a lot faster than the
>>    notifications and counter objects, then consider putting them
>>    in a separate module
>>
>>  - leaf with same type named differently; both intrusion-attack-type
>>    - nsf-detection-intrusion/sub-attack-type
>>    - nsf-log-intrusion/attack-type
>>
>>  - quite a lot of notification event types for a server to implement
>>    and a user to manage. All are mandatory (no if-feature statements).
>>    Some such as nsf-detection-* subset are very similar.
>>    A section or table would be useful that showed the YANG notification
>>    names and their purpose -- maybe a reference to another RFC
>>    with more details
>>
>>  - there seems to be notifications for intrusion events and then
>>    again for the logging of those events.  This seems excessive
>>    but
>>
>>
>>  - grouping common-monitoring-data/time-stamp
>>    Is this a different time stamp than the one in the NETCONF
>> notification?
>>    The 'message generation time' sounds like the standard timestamp.
>>    Is this event detection time?
>>
>>  - grouping common-monitoring-data/module-name
>>    Is this a YANG module or some other type of module?
>>
>>  - there is no way to configure which notifications should be generated
>>    or maybe how often.  YANG Push has its own dampening-period.
>>    Since these are event stream subscriptions, not datastore
>> subscriptions,
>>    YANG-Push does not apply to this document at all.
>>
>>    If there are a lot of notifications then a server implementation
>>    might drop some
>>
>>  - grouping i2nsf-nsf-event-type-content-extend/src-zone
>>  - grouping i2nsf-nsf-event-type-content-extend/src-zone
>>    These use type 'string'. Consider using a typedef that constrains
>>    the string.  General comment where unconstrained string is used:
>>    The corner-case values such as empty string are often not allowed
>>    in implementations.
>>
>>
>>  - grouping i2nsf-nsf-event-type-content-extend/rule-id
>>  - grouping i2nsf-nsf-event-type-content-extend/rule-name
>>  - grouping i2nsf-nsf-event-type-content-extend/profile
>>    These objects seem to reference objects in another YANG module.
>>    If so, then leafref types might be more appropriate.
>>
>>  - grouping i2nsf-nsf-event-type-content/rule-id
>>  - grouping i2nsf-nsf-event-type-content/rule-name
>>  - grouping i2nsf-nsf-event-type-content/profile
>>  - grouping i2nsf-nsf-event-type-content/raw-info
>>    These objects are cut-and-paste duplicates from
>>    grouping i2nsf-nsf-event-type-content. They should
>>    be in a separate grouping used by both. Also applies
>>    to some other sets of objects
>>
>>  - limits issues (e.g. current-session, maximum-session
>>    The type is uint8. This is only OK it is impossible for any
>>    implementation to ever have or want more than 255 of them.
>>    If some other RFC really does limit the values where uint8
>>    is used, then that is OK. If so, a reference-stmt would help.
>>
>>
>>
>> _______________________________________________
>> I2nsf mailing list
>> I2nsf@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2nsf
>>
>
>
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Computer Science and Engineering
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>

v2.23.0 | Report a Bug | By Email