Re: [I2nsf] Robert Wilton's Discuss on draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT)
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Tue, 18 April 2023 03:42 UTC
Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037E6C16952D; Mon, 17 Apr 2023 20:42:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.074
X-Spam-Level:
X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ksY6KWG945nn; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F822C169523; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-51b5490c6f0so1039084a12.0; Mon, 17 Apr 2023 20:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681789317; x=1684381317; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tBGDcEw8PPy1s9Q7vQxsaaIsU+Vc99CifIf1eI1+4U0=; b=JaAlJVN3CzpjPzLzAKCJygS812rYuMSLG3Qg9c1A9fAd0fu2f46SNqbGA/ClaUCtxd kuEWzl4u+D7Py0t3Yhk9A/CZqgegj8VuPXc62qAe05XvgckdpAsqy06xV8308vhGFs2J 3GeX0F+3wh+GC146JdGW0lMySz07gNrymJrnQeWYD6p/Vd3GZhm1EvGtZmX9eF4YCtdI 9Ts9rheRc5LC6h5u2Ftf2oAqUZDq/FDfE5yp//q0q4VfBfYnl/ZjpokzqL58Ly2PQO75 BXy+BmITD2LVpyp+GFw+AXpz37evvk2ody1rPQOSgPLCIDAd3VKpGYhLFEEgAfRMg/oV YAEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681789317; x=1684381317; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tBGDcEw8PPy1s9Q7vQxsaaIsU+Vc99CifIf1eI1+4U0=; b=Go5Yy3uhao50E5z9lGj+P1w1oh/hzBs5WEC2fjw1hlUuxo5orKOEhY8sZB+L7tYclk IcXbAPySSbMcpZ12KxUknIvWrRI7kgK8utK4+3vG2C6bcaGX+Rqvyp2FWaId6IkGZutD Z9P2mQgF/GJPQxcThnphkcRvsBRAwlu2a+NUP0s174CSjl9mMlMrg0/wq2Q0dSubvax4 8gZz2XDrjhsy7ZS9wq+FKgkVJZEjhIdz7wPoAbAhU1H2vuXy7F97xSxUJ515zWv4kzgs /ZNpo4DppnWCyG2kGCdcuRfxS8tk1lIF61+gRK3vf27Oq/lrjBky+BY4ttFlGV14p0II P/yA==
X-Gm-Message-State: AAQBX9dUOcfTlOZt8968N62TlXKl7CyScI+YMgAai1yfpCdyFDqLeZQc WEosERqZ/+CQyTiKzxRDt9kyuUTmCVd+gjOPB7c=
X-Google-Smtp-Source: AKy350ZkM3DGYw7LRIAzsD+JZ/e8OM0BikZNK1nPf/C3mgK5L0Q+i9o9qMDGlfmW1v9ZWckzmqNruvmVkj6mRnUzslU=
X-Received: by 2002:a63:443:0:b0:51b:49ef:4721 with SMTP id 64-20020a630443000000b0051b49ef4721mr226889pge.3.1681789317091; Mon, 17 Apr 2023 20:41:57 -0700 (PDT)
MIME-Version: 1.0
References: <168138781150.47856.5757621655716682658@ietfa.amsl.com> <CAPK2DeyVg0GHtGKZnJ2SUAJ=f3+PFO-ga6Sh87SV--DNPRzL_w@mail.gmail.com> <BY5PR11MB4196AA3106A5A6B4DB2151B8B59C9@BY5PR11MB4196.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB4196AA3106A5A6B4DB2151B8B59C9@BY5PR11MB4196.namprd11.prod.outlook.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Tue, 18 Apr 2023 12:41:20 +0900
Message-ID: <CAPK2DeywPXDHmG_cw2j4V=8eSMEyG5cD_=XyNFMtA3pD+x8CPA@mail.gmail.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: Erik Kline <ek.ietf@gmail.com>, Dirk Hugo <dirkvhugo@gmail.com>, Andrew Alston <andrew-ietf@liquid.tech>, Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, Patrick Lingga <patricklink888@gmail.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/mixed; boundary="000000000000d562cd05f99416de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/6FGMSXcvE37StrV4j1_h0Dnfc3k>
Subject: Re: [I2nsf] Robert Wilton's Discuss on draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 03:42:02 -0000
Hi Rob, I will reflect your comments on the revision: https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-30 I attach the revision letter for your reference. If you have further comments, please let me know. Thanks. Best Regards, Paul On Mon, Apr 17, 2023 at 11:07 PM Rob Wilton (rwilton) <rwilton@cisco.com> wrote: > Hi Paul, > > > > I’ll clear my discuss. > > > > One further comment: > > > > Did you consider using an "order-by-user" list to define the priority > instead? I.e., process the rules in the order that they are specified in > the list. > > => [PAUL] Yes, it is possible to use “order-by-user”. As far as I know, > most implementation does not actually define the order to match the rule > for similar priority values, since the priority values are supposed to be > the ones that define the order. The implementation itself can be chosen > based on the order of the user’s specified list or based on the > alphabetical order of the rule’s key (i.e., rule name). According to your > comment, we updated the description text to be clearer as follows: > > > > I meant marking the containing list “rule” as “ordered-by user” rather > than having a priority leaf that defines a partial order. I don’t think > that it would be helpful to have an “ordered-by user” list alongside a > priority leaf. I think that it should be one or the other. > > > > Regards, > > Rob > > > > > > *From:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> > *Sent:* 15 April 2023 07:48 > *To:* Rob Wilton (rwilton) <rwilton@cisco.com>; Erik Kline < > ek.ietf@gmail.com>; Dirk Hugo <dirkvhugo@gmail.com>; Andrew Alston > <andrew-ietf@liquid.tech>; Paul Wouters <paul.wouters@aiven.io> > *Cc:* The IESG <iesg@ietf.org>; i2nsf@ietf.org; skku-iotlab-members < > skku-iotlab-members@googlegroups.com>; Patrick Lingga < > patricklink888@gmail.com>; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> > *Subject:* Re: [I2nsf] Robert Wilton's Discuss on > draft-ietf-i2nsf-consumer-facing-interface-dm-28: (with DISCUSS and COMMENT) > > > > Dear Robert Wilton, Erik Kline, Dirk Von Hugo, Andrew Alston, and Paul > Wouters, > > Here is the revised draft to address all your comments: > > > https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-29 > > > > I attach the revision letter. > > > > Thanks for your valuable comments. > > > > Best Regards, > > Paul > > > > > > On Thu, Apr 13, 2023 at 9:10 PM Robert Wilton via Datatracker < > noreply@ietf.org> wrote: > > Robert Wilton has entered the following ballot position for > draft-ietf-i2nsf-consumer-facing-interface-dm-28: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-facing-interface-dm/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Hi, > > Thanks for this document. There is one issue that I think are worthy of > discussion: > > (1) p 7, sec 3.2. Condition Sub-model > > Case (firewall): This field represents the layer-2 header (e.g., MAC > addresses), layer-3 header (e.g., IPv4 or IPv6 addresses, > ICMPv4 or ICMPv6 parameters, and transport layer protocol) > and layer-4 header (e.g., port numbers) of the network > traffic. Note that the YANG module only provides high- > level ICMP messages that are concretely specified by either > ICMPv4 or ICMPv6 messages (e.g., Destination Unreachable: > Port Unreachable which is ICMPv4's type 3 and code 3 or > ICMPv6's type 1 and code 4). Also note that QUIC protocol > [RFC9000] is excluded in the data model as it is not > considered in the initial I2NSF documents [RFC8329]. The > QUIC traffic should not be treated as UDP traffic. The > data model should be extended or augmented appropriately to > support the handling of QUIC traffic according to the needs > of the implementer. > > (2) p 8, sec 3.2. Condition Sub-model > > Note that due to the exclusion of QUIC protocol in the I2NSF > documents, HTTP/3 is also excluded in the document along with the > QUIC protocol. HTTP/3 should neither be interpreted as HTTP/1.1 nor > HTTP/2. The data model should be extended or augmented appropriately > to support the handling of HTTP/3 traffic according to the needs of > the implementer. > > Is there a concrete plan for adding support for QUIC and HTTP/3, given > that it > stated that these cannot be handled as UDP or HTTP/1.1 or HTTP/2? > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > (3) p 38, sec 6.1. YANG Module of Consumer-Facing Interface > > leaf-list system-alarm { > type identityref { > base i2nsfmi:system-alarm; > } > description > "The security policy rule according to > system alarms."; > } > } > container condition { > description > "Conditions for general security policies."; > > Please include documentation here for the condition container as to how the > different fields are combined (i.e., that all configured conditions must > match > for a rule to trigger). > > (4) p 4, sec 3. YANG Tree Diagram of Policy > > Resolution-strategy: This field represents how to resolve conflicts > that occur between actions of the same or different policy > rules that are matched and contained in this particular > NSF. The resolution strategy is described in Section 3.2 > of [I-D.ietf-i2nsf-capability-data-model] in detail. > > Given you document the default for language above, would it name sense to > document the default matching rule here as well? > > (5) p 7, sec 3.2. Condition Sub-model > > The Condition object describes the network traffic pattern or fields > that must be matched against the observed network traffic for the > rule to trigger. The fields used to express the required conditions > to trigger the rule are organized around the class of NSFs expected > to be able to observe or compute them. Figure 5 shows the YANG tree > of the Condition object. The Condition Sub-model SHALL have the > following information: > > I find the use of "Case" confusing in the descriptions below. I mistakenly > thought that you were referring to the YANG case statements under choice, > and > hence only one of these conditions can be expressed for a given rule. > > (6) p 20, sec 6.1. YANG Module of Consumer-Facing Interface > > identity fmr { > > Using longer identity names for the resolution-strategies may make the > module > more readable. E.g. 'first-matching-rule' might be clearer than fmr. If > you > change this, then I would suggest changing it for the other > resolution-strategies as well (and the any default values). > > (7) p 37, sec 6.1. YANG Module of Consumer-Facing Interface > > leaf priority { > type uint8; > description > "The priority of the rule to indicate the order of the > rules to be matched. A higher value means a higher priority. > The packet or flow will be matched with the rule with > the highest priority value first and continues to a lower > priority value. Once a rule matches the packet or flow, > the NSF should execute the rule and terminate the matching > process. If multiple rules have an equal priority, the > actual order is undefined. The handling of the selection > of those rules depends on the implementer, e.g., non-rule > selection, first rule selection or random rule selection."; > } > > Did you consider using an "order-by-user" list to define the priority > instead? > I.e., process the rules in the order that they are specified in the list. > > (8) p 39, sec 6.1. YANG Module of Consumer-Facing Interface > > error-message > "An end port number MUST be equal to or greater than > a start port number."; > > I would suggest changing this to 'must', or otherwise you need to add the > standard RFC 2119 boilerplate to the YANG module (pyang can help with > this). > > (9) p 43, sec 6.1. YANG Module of Consumer-Facing Interface > > description > "This represents the repetition time. In the case > where the frequency is weekly, the days can be > set."; > > This comment is slightly misleading. I would suggest deleting, or perhaps > rewording "In the case where the frequency is weekly, the days can be > set.";" > > (10) p 43, sec 6.1. YANG Module of Consumer-Facing Interface > > leaf-list date { > > 'date' is a somewhat confusing name for this. Would 'day-of-month' be > better? > > (11) p 44, sec 6.1. YANG Module of Consumer-Facing Interface > > leaf-list month { > > 'month' is a confusing name for this. Would 'month-and-day' be better? > > (12) p 44, sec 6.1. YANG Module of Consumer-Facing Interface > > description > "This represents the repeated date and month of > every year. More than one can be specified. > A pattern used here is Month and Date (MM-DD)."; > > So, if you wanted the policy to apply for a particular 3 weeks per year, > then I > presume that it would be necessary to list each of those day separately? > Did > you consider allowing ranges here, or what that be too much complexity? > > Regards, > Rob > > > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf > >
- [I2nsf] Robert Wilton's Discuss on draft-ietf-i2n… Robert Wilton via Datatracker
- Re: [I2nsf] Robert Wilton's Discuss on draft-ietf… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [I2nsf] Robert Wilton's Discuss on draft-ietf… Mr. Jaehoon Paul Jeong