IETF Logo Mail Archive

Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05

Roman Danyliw <rdd@cert.org> Mon, 24 August 2020 12:09 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3999C3A0D3B for <i2nsf@ietfa.amsl.com>; Mon, 24 Aug 2020 05:09:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ow4CpCdMN_x1 for <i2nsf@ietfa.amsl.com>; Mon, 24 Aug 2020 05:09:03 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250D63A0D39 for <i2nsf@ietf.org>; Mon, 24 Aug 2020 05:09:02 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 07OC8wev019214; Mon, 24 Aug 2020 08:08:58 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 07OC8wev019214
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1598270938; bh=T3uxY2CHOt4D9E6gB7Q24GVKQ8TAPruFyB+k5K37wqM=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=Lf6TSDBv6k2qZdQFccFaD2ymxxzbGMtN2ucCkgQ2EnJ/ib6BMgsQtm8zRiMz60C0x cWsvC/qHl6EM2zi4jrZV/rvc5UCZPIlalvnWPjVLPAVX3jWeTEihaEwEx9EJlryyzk /jRQlQKEzvLjysUN4jB+ipuxbquDWOlkzHe+Bjmw=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 07OC8vaM029737; Mon, 24 Aug 2020 08:08:57 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Mon, 24 Aug 2020 08:08:57 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Mon, 24 Aug 2020 08:08:57 -0400
From: Roman Danyliw <rdd@cert.org>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, Susan Hares <shares@ndzh.com>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>
Thread-Topic: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05
Thread-Index: AdYoqSlDnyl9jo3tQyGyet7LOXvgHwwjnBmAB7FPsaA=
Date: Mon, 24 Aug 2020 12:08:56 +0000
Message-ID: <81cf3d5e3708484aa157b37ad2431b63@cert.org>
References: <475d6c2be4a7447dba48a4529451b72f@cert.org> <CAPK2DezkJL3tVnT=3TVwWbjaqAbRDK_vs5SY3ueX=VKf3x0zFw@mail.gmail.com>
In-Reply-To: <CAPK2DezkJL3tVnT=3TVwWbjaqAbRDK_vs5SY3ueX=VKf3x0zFw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.1]
Content-Type: multipart/alternative; boundary="_000_81cf3d5e3708484aa157b37ad2431b63certorg_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/7YcRYldJ7mTJna5kSNDDUQfK_G0>
Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2020 12:09:06 -0000

Hi Paul!
(my apologies.  These email got stuck in my outbox and was intended to go out when I made the state change in the data tracker)

Thanks for the extensive changes you made in -06 and my apologizes in the delay in responding.  All feedback but the following has been addressed:

(1)         IDNits returned the following valid comment about references (many of the issue is noted were in the YANG module)
  == Missing Reference: 'RFC3688' is mentioned on line 1764, but not defined

[Paul]  => There is no reference to RFC3688 (The IETF XML Registry). Could you doublecheck your comment to let me follow it?

[Roman] See Section 7

--[ snip ]--
7.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:
…
--[ snip ]--

(10)       Section 4.  Per "Note that the NSF-Facing Interface ... and the NSF Monitoring Interface is used to ...", does this text need additional precision based on the definitions in RFC8329.  Per RFC8329, the "NSF-Facing Interfaces" consists of the "NSF Operational and Administrative Interface" and a "Monitoring Interface". If draft-dong-i2nsf-asf-config is on the "Monitoring Interface", on which "sub-interface" of the "NSF-Facing Interface" does draft-ietf-i2nsf-nsf-facing-interface-dm belong?

(28)       Section 6.1.  In the advanced-nsf-capability section, there are multiple normative references to draft-dong-i2nsf-asf-config-01, an expired, individual draft.  Additionally, Section 4 notes how it supports the advanced capabilities. This draft is a substantial portion of the YANG module added in -03.  What's the plan on resolving this dependency?

[Paul] => This draft will be developed by I2NSF WG later.

I still have the same question.  It doesn’t appear to me that the WG is currently positioned to do anything with draft-dong-i2nsf-asf-config .  Practically, it isn’t even a WG product, but an individual submission that wasn’t adopted.  It was last updated 22 months ago and expired almost 18 months ago.  Correct me where I have it wrong, but this draft provides a generic model for the capabilities and draft-dong-i2nsf-asf-config appears to be acting as an extension for more advancing NSF capabilities.  I think we have (at least) two options:

(a) Remove references to the capabilities derived from draft-dong-i2nsf-asf-config; if there is energy, consider adopting it in the WG at some point in the future, and it could update this document (draft-ietf-i2nsf-capability-data-model); in the meantime this document gets published

(b) Continue advancing this document and stall awaiting a missing reference (MISREF) in the RFC Editor queue (just like draft-ietf-i2nsf-applicability) for something to happen to draft-dong-i2nsf-asf-config

I have a preference for (a) because I don’t see value in blocking the publication of a named deliverable of the WG for an unadopted (individual), expired draft; and this approach doesn’t preclude future enhancements (as proposed by draft-dong-i2nsf-asf-config).  What does everyone else think?

Regards,
Roman



From: Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
Sent: Monday, July 13, 2020 9:04 AM
To: Roman Danyliw <rdd@cert.org>
Cc: i2nsf@ietf.org; Susan Hares <shares@ndzh.com>; skku-iotlab-members <skku-iotlab-members@googlegroups.com>; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05

Hi Roman,
I (as an editor) have revised the I2NSF Capability Data Model Draft and posted it into the IETF repository:
https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-06

Here is the revision letter to explain how to address your comments.
If you are satisfied with this revision, could you move this draft to the IESG evaluation?

Thanks for your valuable comments and help.

Best Regards,
Paul
  --
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Computer Science and Engineering
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com<mailto:jaehoon.paul@gmail.com>, pauljeong@skku.edu<mailto:pauljeong@skku.edu>
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php<http://cpslab.skku.edu/people-jaehoon-jeong.php>

On Wed, May 13, 2020 at 7:11 AM Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>> wrote:
Hi!

I conducted an AD review of draft-ietf-i2nsf-capability-data-model-05.  Thanks for the work in getting this document written.  My most significant items are around aligning of the text in Section 4 with RFC8329 and the dependency on draft-dong-i2nsf-asf-config-01.  My detailed feedback is below.

(1)     IDNits returned the following valid comment about references (many of the issue is noted were in the YANG module)
  == Missing Reference: 'RFC3688' is mentioned on line 1764, but not defined

(2)     Section 1.  Typo. s/[draft-ietf-i2nsf-capability]../ [draft-ietf-i2nsf-capability]./

(3)     Section 3.  Is there a reason to rely on two expired drafts for terminology -- [draft-ietf-i2nsf-terminology] and [draft-ietf-supa-generic-policy-info-model]?  In particular, couldn't RFC3444 provide the needed definitions of data and information models?

(4)     Section 4.  I would have expected somewhere in this overview section an explicit enumeration of which I2NSF interfaces use this YANG module.

(5)     Section 4.  Per "Figure 1 shows the capabilities of NSFs in I2NSF Framework."
-- Thanks for reusing the diagram from RFC8329 and annotating it with more detail.  It helps connect the documents
-- It wasn't clear to me where the "capabilities" are on the diagram
-- Is all of the detail under the NSFs (i.e., E, C and A) needed in the diagram?  Text doesn't explain it or reference it.  If kept, it should be explained and E, C and A should be defined (i.e., saying these correspond to Event, Condition and Action)

(6)     Global.  Editorial. Is there a reason to abbreviate "Mgmt" in "Developer's Mgmt System in the text?  Recommend s/Developer's Mgmt System/Developer's Management System/g

(7)     Section 4.  Per "To register NSFs in this way, the Developer's Mgmt System utilizes this standardized capabilities YANG data model through its registration interface.", this confused me a bit.  Doesn't the Developer Management System use the model described in draft-ietf-i2nsf-registration-interface-dm for registration?

(8)     Section 4.  Editorial. Per "... those security devices can be easily managed, ...", I might have used "more easily managed".

(9)     Section 4.  Per "The use cases are described below.", where are those use cases described?  Is this text a reference to the "Configuration Examples" in Appendix A?

(10)     Section 4.  Per "Note that the NSF-Facing Interface ... and the NSF Monitoring Interface is used to ...", does this text need additional precision based on the definitions in RFC8329.  Per RFC8329, the "NSF-Facing Interfaces" consists of the "NSF Operational and Administrative Interface" and a "Monitoring Interface". If draft-dong-i2nsf-asf-config is on the "Monitoring Interface", on which "sub-interface" of the "NSF-Facing Interface" does draft-ietf-i2nsf-nsf-facing-interface-dm belong?

(11)     Figure 1.  Editorial Nit.  Is there are reason that the Registration interface has a bidirectional arrow between the network operator management system and the developer management system, but the there is no directionality on the consumer or NSF facing interface?

(12)     Section 4.  The bulleted list under Figure 1 is helpful in describing Figure 1.  However, I'd recommend explicitly saying this is an example.  Explain the use case up front and then narrate the flow clearly delineating what is in and out of scope of I2NSF.  IMO, the text describes a number of internal processing functions which are in scope for standardization - please let me know if I'm reading it wrong.

(13)    Section 4.  Per "If network manager wants to block malicious users with IPv6, the network manager sends the security policy rules to block the users to the Network Operator Mgmt System using I2NSF user ....", can you please clarify "malicious users with IPv6"; is the intent that the network manager is concerned about malicious IPv6 traffic?

(14)    Section 4.  Bullet 1 under Figure 1.  Per "a web browser or a software", what's the difference between a browser and software?

(15)    Section 4.  Editorial.  Per the second bullet under Figure 1, "If NSFs encounter the malicious packets, it is a tremendous burden for the network manager to apply the rule to block the malicious packets to NSFs one-by-one.  This problem can be resolved by managing the capabilities of NSFs.", delete this text.  It is a duplicate of what was stated in the first bullet.

(16)    Section 4.  Per the paragraph, "If NSFs encounter the suspicious IPv4 packets, they can ask the Network Operator Mgmt System for information about the suspicious IPv4 packets in order to alter specific rules and/or configurations.  When the Network ...", how much of that signaling is in scope for I2NSF?

(17)    Section 4.  Typo. s/suspiciou/suspicious/

(18)    Section 5.1. Editorial.  s/The model includes NSF capabilities/The model describes NSF capabilities/

(19)    Section 5.1. Editorial. "specify" is used twice in the sentence.
OLD
Time capabilities are used to specify the capabilities to specify when to execute the I2NSF policy rule.
NEW
Time capabilities are used to specify the capabilities which describe when to execute the I2NSF policy rule.

(20)    Section 5.1. Editorial.  This sentence didn't parse for me.  The second contains duplicate text.
OLD
Event capabilities are used to specify capabilities how to trigger the evaluation of the condition clause of the I2NSF Policy Rule.  The defined event capabilities are defined as system event and system alarm.
NEW
Event capabilities are used to specify the capabilities that describe the event that would trigger the evaluation of the condition clause of the I2NSF Policy Rule.  The defined event capabilities are system event and system alarm.

(21)    Section 5.1.  A number of capabilities note that they can be extended which is a helpful feature.  For example, "The condition capability can be extended according to specific vendor condition features."  However, where is the guidance on doing that?  Likewise, it might not be necessary to repeat this statement five times if the extension mechanism is the same.

(22)    Section 5.1.  A number of the described capability types state that they are described in detail in draft-ietf-i2nsf-capability.  For example, "The condition capability is described in detail in [draft-ietf-i2nsf-capability]."  I had difficulty locating which specific section to review.  Also, for the default action capabilities, no described of "pass, drop .. mirror" was found in draft-ietf-i2nsf-capability.  Please provide a specific section number for the event, condition, action, resolution strategy and default action in draft-ietf-i2nsf-capability.

(23)    Section 5.1.  Editorial.  These sentences didn't parse for me.
OLD
Action capabilities are used to specify capabilities of how to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied.
NEW
Action capabilities are used to specify the capabilities that describe the control and monitoring aspects of flow-based NSFs when the event and condition clauses are satisfied.

OLD
Resolution strategy capabilities are used to specify capabilities of how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF.
NEW
Resolution strategy capabilities are used to specify the capabilities that describe conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF.

OLD
Default action capabilities are used to specify capabilities of how to execute I2NSF policy rules when no rule matches a packet.
NEW
Default action capabilities are used to specify the capabilities that describe how to execute I2NSF policy rules when no rule matches a packet.

(24)    Section 6.1.  Update the copyright date and revision date to be in 2020.

(25)    Section 6.1.  Given that draft-ietf-i2nf-monitoring-data-model is referenced in the YANG model for event and system alarm, please make it a normative reference.

(26)    Section 6.1. identity ingress/egress-action-capability.  I found draft-ietf-i2nsf-capability-04 to be an unexpected reference.  There is no mention of ingress or egress in that document.

(27)    Section 6.1. identity pass, drop, reject, alert, mirror.  I found draft-ietf-i2nsf-capability-04 to be an unexpected reference.  There is no mention of pass, drop, reject, alert or mirror in that document.

(28)    Section 6.1.  In the advanced-nsf-capability section, there are multiple normative references to draft-dong-i2nsf-asf-config-01, an expired, individual draft.  Additionally, Section 4 notes how it supports the advanced capabilities. This draft is a substantial portion of the YANG module added in -03.  What's the plan on resolving this dependency?

(29)    Section 6.1. Typo. s/Funtion/Function/

(30)    Section 6.1.  The list of references in generic-nsf-capabilities don't line up with those in the child leaflist(s).  For example, RFC 792 is mentioned in the top level reference list but not in any of the child leaflist (specifically not in leaf-list icmp-capability)

(31)    Section 6.1. Typo. s/smae/same/

(32)    Section 8.  A few clarifying updates to the template:
OLD
These data nodes may be considered sensitive or vulnerable in some network environments.  Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations.
ietf-i2nsf-capability: The attacker may provide incorrect information of the security capability of any target NSF by illegally modifying this.

NEW
These data nodes may be considered sensitive or vulnerable in some network environments.  Write operations to these data nodes could have a negative effect on network and security operations.
ietf-i2nsf-capability: An attacker could alter the security capabilities associated with an NSF whereby disabling or enabling the evasion of security mitigations.

OLD
ietf-i2nsf-capability: The attacker may gather the security capability information of any target NSF and misuse the information for subsequent attacks.
NEW
ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering.

Regards,
Roman

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org<mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf

v2.23.0 | Report a Bug | By Email