IETF Logo Mail Archive

Re: [I2nsf] Robert Wilton's Discuss on draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT)

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Tue, 18 April 2023 03:42 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037E6C16952D; Mon, 17 Apr 2023 20:42:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.074
X-Spam-Level:
X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ksY6KWG945nn; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F822C169523; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-51b5490c6f0so1039084a12.0; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681789317; x=1684381317; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tBGDcEw8PPy1s9Q7vQxsaaIsU+Vc99CifIf1eI1+4U0=; b=JaAlJVN3CzpjPzLzAKCJygS812rYuMSLG3Qg9c1A9fAd0fu2f46SNqbGA/ClaUCtxd kuEWzl4u+D7Py0t3Yhk9A/CZqgegj8VuPXc62qAe05XvgckdpAsqy06xV8308vhGFs2J 3GeX0F+3wh+GC146JdGW0lMySz07gNrymJrnQeWYD6p/Vd3GZhm1EvGtZmX9eF4YCtdI 9Ts9rheRc5LC6h5u2Ftf2oAqUZDq/FDfE5yp//q0q4VfBfYnl/ZjpokzqL58Ly2PQO75 BXy+BmITD2LVpyp+GFw+AXpz37evvk2ody1rPQOSgPLCIDAd3VKpGYhLFEEgAfRMg/oV YAEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681789317; x=1684381317; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tBGDcEw8PPy1s9Q7vQxsaaIsU+Vc99CifIf1eI1+4U0=; b=Go5Yy3uhao50E5z9lGj+P1w1oh/hzBs5WEC2fjw1hlUuxo5orKOEhY8sZB+L7tYclk IcXbAPySSbMcpZ12KxUknIvWrRI7kgK8utK4+3vG2C6bcaGX+Rqvyp2FWaId6IkGZutD Z9P2mQgF/GJPQxcThnphkcRvsBRAwlu2a+NUP0s174CSjl9mMlMrg0/wq2Q0dSubvax4 8gZz2XDrjhsy7ZS9wq+FKgkVJZEjhIdz7wPoAbAhU1H2vuXy7F97xSxUJ515zWv4kzgs /ZNpo4DppnWCyG2kGCdcuRfxS8tk1lIF61+gRK3vf27Oq/lrjBky+BY4ttFlGV14p0II P/yA==
X-Gm-Message-State: AAQBX9dUOcfTlOZt8968N62TlXKl7CyScI+YMgAai1yfpCdyFDqLeZQc WEosERqZ/+CQyTiKzxRDt9kyuUTmCVd+gjOPB7c=
X-Google-Smtp-Source: AKy350ZkM3DGYw7LRIAzsD+JZ/e8OM0BikZNK1nPf/C3mgK5L0Q+i9o9qMDGlfmW1v9ZWckzmqNruvmVkj6mRnUzslU=
X-Received: by 2002:a63:443:0:b0:51b:49ef:4721 with SMTP id 64-20020a630443000000b0051b49ef4721mr226889pge.3.1681789317091; Mon, 17 Apr 2023 20:41:57 -0700 (PDT)
MIME-Version: 1.0
References: <168138781150.47856.5757621655716682658@ietfa.amsl.com> <CAPK2DeyVg0GHtGKZnJ2SUAJ=f3+PFO-ga6Sh87SV--DNPRzL_w@mail.gmail.com> <BY5PR11MB4196AA3106A5A6B4DB2151B8B59C9@BY5PR11MB4196.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB4196AA3106A5A6B4DB2151B8B59C9@BY5PR11MB4196.namprd11.prod.outlook.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Tue, 18 Apr 2023 12:41:20 +0900
Message-ID: <CAPK2DeywPXDHmG_cw2j4V=8eSMEyG5cD_=XyNFMtA3pD+x8CPA@mail.gmail.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: Erik Kline <ek.ietf@gmail.com>, Dirk Hugo <dirkvhugo@gmail.com>, Andrew Alston <andrew-ietf@liquid.tech>, Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, Patrick Lingga <patricklink888@gmail.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/mixed; boundary="000000000000d562cd05f99416de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/6FGMSXcvE37StrV4j1_h0Dnfc3k>
Subject: Re: [I2nsf] Robert Wilton's Discuss on draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 03:42:02 -0000

Hi Rob,
I will reflect your comments on the revision:
https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-30

I attach the revision letter for your reference.

If you have further comments, please let me know.

Thanks.

Best Regards,
Paul


On Mon, Apr 17, 2023 at 11:07 PM Rob Wilton (rwilton) <rwilton@cisco.com>
wrote:

> Hi Paul,
>
>
>
> I’ll clear my discuss.
>
>
>
> One further comment:
>
>
>
> Did you consider using an "order-by-user" list to define the priority
> instead? I.e., process the rules in the order that they are specified in
> the list.
>
> => [PAUL] Yes, it is possible to use “order-by-user”. As far as I know,
> most implementation does not actually define the order to match the rule
> for similar priority values, since the priority values are supposed to be
> the ones that define the order. The implementation itself can be chosen
> based on the order of the user’s specified list or based on the
> alphabetical order of the rule’s key (i.e., rule name). According to your
> comment, we updated the description text to be clearer as follows:
>
>
>
> I meant marking the containing list “rule” as “ordered-by user” rather
> than having a priority leaf that defines a partial order.  I don’t think
> that it would be helpful to have an “ordered-by user” list alongside a
> priority leaf.  I think that it should be one or the other.
>
>
>
> Regards,
>
> Rob
>
>
>
>
>
> *From:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> *Sent:* 15 April 2023 07:48
> *To:* Rob Wilton (rwilton) <rwilton@cisco.com>; Erik Kline <
> ek.ietf@gmail.com>; Dirk Hugo <dirkvhugo@gmail.com>; Andrew Alston
> <andrew-ietf@liquid.tech>; Paul Wouters <paul.wouters@aiven.io>
> *Cc:* The IESG <iesg@ietf.org>; i2nsf@ietf.org; skku-iotlab-members <
> skku-iotlab-members@googlegroups.com>; Patrick Lingga <
> patricklink888@gmail.com>; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> *Subject:* Re: [I2nsf] Robert Wilton's Discuss on
> draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT)
>
>
>
> Dear Robert Wilton, Erik Kline, Dirk Von Hugo, Andrew Alston, and Paul
> Wouters,
>
> Here is the revised draft to address all your comments:
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-29
>
>
>
> I attach the revision letter.
>
>
>
> Thanks for your valuable comments.
>
>
>
> Best Regards,
>
> Paul
>
>
>
>
>
> On Thu, Apr 13, 2023 at 9:10 PM Robert Wilton via Datatracker <
> noreply@ietf.org> wrote:
>
> Robert Wilton has entered the following ballot position for
> draft-ietf-i2nsf-consumer-facing-interface-dm-28: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-facing-interface-dm/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Hi,
>
> Thanks for this document.  There is one issue that I think are worthy of
> discussion:
>
> (1) p 7, sec 3.2.  Condition Sub-model
>
>    Case (firewall):  This field represents the layer-2 header (e.g., MAC
>              addresses), layer-3 header (e.g., IPv4 or IPv6 addresses,
>              ICMPv4 or ICMPv6 parameters, and transport layer protocol)
>              and layer-4 header (e.g., port numbers) of the network
>              traffic.  Note that the YANG module only provides high-
>              level ICMP messages that are concretely specified by either
>              ICMPv4 or ICMPv6 messages (e.g., Destination Unreachable:
>              Port Unreachable which is ICMPv4's type 3 and code 3 or
>              ICMPv6's type 1 and code 4).  Also note that QUIC protocol
>              [RFC9000] is excluded in the data model as it is not
>              considered in the initial I2NSF documents [RFC8329].  The
>              QUIC traffic should not be treated as UDP traffic.  The
>              data model should be extended or augmented appropriately to
>              support the handling of QUIC traffic according to the needs
>              of the implementer.
>
> (2) p 8, sec 3.2.  Condition Sub-model
>
>    Note that due to the exclusion of QUIC protocol in the I2NSF
>    documents, HTTP/3 is also excluded in the document along with the
>    QUIC protocol.  HTTP/3 should neither be interpreted as HTTP/1.1 nor
>    HTTP/2.  The data model should be extended or augmented appropriately
>    to support the handling of HTTP/3 traffic according to the needs of
>    the implementer.
>
> Is there a concrete plan for adding support for QUIC and HTTP/3, given
> that it
> stated that these cannot be handled as UDP or HTTP/1.1 or HTTP/2?
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> (3) p 38, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>            leaf-list system-alarm {
>              type identityref {
>                base i2nsfmi:system-alarm;
>              }
>              description
>                "The security policy rule according to
>                 system alarms.";
>            }
>          }
>          container condition {
>            description
>            "Conditions for general security policies.";
>
> Please include documentation here for the condition container as to how the
> different fields are combined (i.e., that all configured conditions must
> match
> for a rule to trigger).
>
> (4) p 4, sec 3.  YANG Tree Diagram of Policy
>
>    Resolution-strategy:  This field represents how to resolve conflicts
>              that occur between actions of the same or different policy
>              rules that are matched and contained in this particular
>              NSF.  The resolution strategy is described in Section 3.2
>              of [I-D.ietf-i2nsf-capability-data-model] in detail.
>
> Given you document the default for language above, would it name sense to
> document the default matching rule here as well?
>
> (5) p 7, sec 3.2.  Condition Sub-model
>
>    The Condition object describes the network traffic pattern or fields
>    that must be matched against the observed network traffic for the
>    rule to trigger.  The fields used to express the required conditions
>    to trigger the rule are organized around the class of NSFs expected
>    to be able to observe or compute them.  Figure 5 shows the YANG tree
>    of the Condition object.  The Condition Sub-model SHALL have the
>    following information:
>
> I find the use of "Case" confusing in the descriptions below.  I mistakenly
> thought that you were referring to the YANG case statements under choice,
> and
> hence only one of these conditions can be expressed for a given rule.
>
> (6) p 20, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>      identity fmr {
>
> Using longer identity names for the resolution-strategies may make the
> module
> more readable.  E.g. 'first-matching-rule' might be clearer than fmr.  If
> you
> change this, then I would suggest changing it for the other
> resolution-strategies as well (and the any default values).
>
> (7) p 37, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>          leaf priority {
>            type uint8;
>            description
>              "The priority of the rule to indicate the order of the
>               rules to be matched. A higher value means a higher priority.
>               The packet or flow will be matched with the rule with
>               the highest priority value first and continues to a lower
>               priority value. Once a rule matches the packet or flow,
>               the NSF should execute the rule and terminate the matching
>               process. If multiple rules have an equal priority, the
>               actual order is undefined. The handling of the selection
>               of those rules depends on the implementer, e.g., non-rule
>               selection, first rule selection or random rule selection.";
>          }
>
> Did you consider using an "order-by-user" list to define the priority
> instead?
> I.e., process the rules in the order that they are specified in the list.
>
> (8) p 39, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>                    error-message
>                      "An end port number MUST be equal to or greater than
>                       a start port number.";
>
> I would suggest changing this to 'must', or otherwise you need to add the
> standard RFC 2119 boilerplate to the YANG module (pyang can help with
> this).
>
> (9) p 43, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>                  description
>                    "This represents the repetition time.  In the case
>                     where the frequency is weekly, the days can be
>                     set.";
>
> This comment is slightly misleading.  I would suggest deleting, or perhaps
> rewording "In the case where the frequency is weekly, the days can be
> set.";"
>
> (10) p 43, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>                  leaf-list date {
>
> 'date' is a somewhat confusing name for this.  Would 'day-of-month' be
> better?
>
> (11) p 44, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>                  leaf-list month {
>
> 'month' is a confusing name for this.  Would 'month-and-day' be better?
>
> (12) p 44, sec 6.1.  YANG Module of Consumer-Facing Interface
>
>                    description
>                      "This represents the repeated date and month of
>                       every year.  More than one can be specified.
>                       A pattern used here is Month and Date (MM-DD).";
>
> So, if you wanted the policy to apply for a particular 3 weeks per year,
> then I
> presume that it would be necessary to list each of those day separately?
> Did
> you consider allowing ranges here, or what that be too much complexity?
>
> Regards,
> Rob
>
>
>
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
>
>

v2.23.0 | Report a Bug | By Email