[I2nsf] AD review of draft-ietf-i2nsf-registration-interface-dm-21
Roman Danyliw <rdd@cert.org> Thu, 27 October 2022 03:34 UTC
Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2FF6C14F73B for <i2nsf@ietfa.amsl.com>; Wed, 26 Oct 2022 20:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Bo_lxajzl5S for <i2nsf@ietfa.amsl.com>; Wed, 26 Oct 2022 20:33:57 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0117.outbound.protection.office365.us [23.103.208.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A291EC14F6EC for <i2nsf@ietf.org>; Wed, 26 Oct 2022 20:33:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=mKxwxJXm1Q7v8Jm7OQD5rkK+vw9FOFhMFPCSEsjf1PhFtHM8OGDCDuMOKxlDvYi/TSYTsgLvVcbexF875Gj0I+hZgOBjLNzVvzbAfFlmYG3y0KmogSa3G3qQX0Gq8ST6XjGd/oIkP/Hly4h9cFa2OMTrfK5qUIiN8sp/9iCNcw+yyr6OEnZINnfAjKADY2LB4j3eLhTuCzvcW4llqeZTutXrI7G0AhfX0ySa8vPYOgnniAE1YklHCzpUi9II17qbbZEP4ksSsXHYthxz+IZzWr4LhiC3y1r/LEAe7qkCG62RVEblUQH1JPnpyQ+RU2l3hdXpj3A7AGVlcHGfeFAD2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ipNuaEuWu9TgirfbBJWbrDlIML+okFluXn9kbOQxm7A=; b=OCE783dDZ0Y2d611YjPpJOzEb6v74a2sv42goIZB+lMrQLLdPrerYBJ/oVEdDmL/F7TC9QSk+stLLgxVmt1JR9+ID5TX9c6OVA1KNgYQFiG7BUqe6Do/tH3K6HKF5h+wbUCj4gZ53m9eYzeayn6Ste4jJLTDbQyOFooC5ZVAFSSbCoDkhMVvB/B45Xkgn7NP5A5QzOAlKeH0RvZOgIDm0JreZTNgjLGpjgjFaksarJgHkuhrYeslVhfFTASDwLMSi0eWUCezTexs/aTGBRsPHn8+lPsULcEqGE9ANj3jMiWXjntehUJnng+pTUrtRf2NtoP5I7uQeAGxvGoHIJLs8g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ipNuaEuWu9TgirfbBJWbrDlIML+okFluXn9kbOQxm7A=; b=SCShSBnaU82ih9AupDL1hON2krX/pjJnoj0MAq0dsuA+o7PYy3/Qtv/7SzlCZugh9jyCJXPkwiQpST9ppO8WPvwsUDpR7cU++VWI10E2ixIQA3VvMu7pt1zPsWGoLUIJ1PZtO5KdQQyhw1NbQ2ProbVEHTgMFKzKH0W4s61Knng=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB0994.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:16a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.23; Thu, 27 Oct 2022 03:33:52 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429%6]) with mapi id 15.20.5746.028; Thu, 27 Oct 2022 03:33:52 +0000
From: Roman Danyliw <rdd@cert.org>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: AD review of draft-ietf-i2nsf-registration-interface-dm-21
Thread-Index: AdjptBxpPd/N2uODToqa02iO/FsYyQ==
Date: Thu, 27 Oct 2022 03:33:52 +0000
Message-ID: <BN2P110MB11077D28DBFCD00E00B42CCCDC339@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB0994:EE_
x-ms-office365-filtering-correlation-id: 4017a139-d660-4527-9e50-08dab7cc11c0
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: b4HEDJV+k35jiv/xjYOUliq+xit13CpBeDMvtgLeRUjIT3uSyTox9CBvDJxejtWfRgzTJ4CzuE2lWTOm5xd+Z3hyXejHoL3OTc2OjJO6cgt9svwagY/2JKCDTXu+DdDhCXaD+veKJBrOkdXr9SFJqs68TBze+B/mLb9tumY8JHl5AaRk4TI2z/ECptFBsp2Bdxs0/0RTJoNfHjPc5FOO93ru7dY0CBbdFVXAjVddYhW3A28wT3LdCf7k87z250oTflB+2ksZLVuvRsPIoN7/jbxjB6nBonV2Hif9+1zw/ljZM1GECnfJJq3yI1aAIoogywCT9t9DbT/JDMcOVn+fiWGK7WIcotaMcm1fL3c7pINAJEeICzMkjh2C/5lwVOTGQErLHUNlOWf6++/CwpsORphTLU/KfLzYLBrT7UjJfZbqnAee+zbj0d61nGJUjvZfy6P1OFdddCtKI7Q64PPeJ1GAPx28Pga6o/S1keDaM2wnIWVFptpd9TSFO0IGypkEN1N8nMf+1Pej3Iprsban1ZCsc6KEeA6Zu3uo1ImWbSa9WKylJ+IorVZd+OUeFng+e8OrJzt9MmNHK3v/7NPkV9+FrElvY1AkWtIrDj07eD2i2pBQiztZcGMhIJb9fEQipb/PF6Yqn6pxrKP+npuqsE2JGyMt9FGeScTOuy5MNEPRmNcF3qx683/zsvd9dnaa0YkFRZQQSH62el1H5QU3rWrQwrEK2nHrcqpI5WLE4cT178GxF87lPIaW1YimCzvZ
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(2906002)(66899015)(83380400001)(186003)(33656002)(86362001)(55016003)(9686003)(6506007)(66946007)(64756008)(7696005)(66556008)(8676002)(26005)(66476007)(38070700005)(66446008)(38100700002)(82960400001)(122000001)(8936002)(76116006)(498600001)(52536014)(5660300002)(30864003)(6916009)(71200400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: AlbAoUDH1Y424ioIW0rlFlyb0EezmBLOIxU7S/s9Lqc89cImsVdShhAtasA9OGCgGEhOLwSd6S5CA/d+caRgN+YtMWSwaO/gq7+yst3ZY96aWkZCjUCnLu4Eebt8cG1Yz6491myD6HWGecPvcUhuAXcMOFwldpx13vSTGsBA67bEOCTHWhDCWP1+O7a4vDk/HIPwePsxaJBMCPELDxsIF7XaLpStkaxB04gFSzRDwViqZkoS5097ZzvqHmHi0ammBZHabAK4u5eQK3ZVfGUJhoTuUMgqado18MUGTZHO+RY6UzZaYbs3oUv4izt+Q73zBZZQWjt+6aZoBbfcp6PkEQPtkC06NTUSeNcg2919FexrlvG5CDQ6mlGf3BteFG7BW2INloRzyUyFaESWXBTRIhW5z0AVA1TdJx178a2Zwrjz2yz9dh0vzkkduMEOqt0wfpgn5Ke/akXzYyfUFZiXE2Ce4VaESGQ+JxnuOlv4QSOjr7T9qotVt/hEZPkRiq0MEA2BDQfpZEgWvbrrqwIR7nuyxfoXazS17qjS7UiJ8IB5NArJSjj4VjBvUG2W7uKFWz7b9pP06Mo7KkHpxLbCMh075qAO5hAhmYSsSLt78h4xNqdiberCeVdvDNIPg8WlCP77z9MOuqsVVONfoPUfw443q9/qI4KsMHPAnLrg6ejehcjPxxPMhQWcKNmT4N3cjpMIV/INzNaV9DzoeHuDqte/IcxU2DHhcoePu5ba0k0VieyfieGxVKYQdc8sN8brSaTSmkBzkY10jv7nWTIkKgPSP6BabPlRQPvLXP7nKm1fztPJ+aEFQmuQPX8Ur8OEQwI8l2ocbIWoIkav06Z1bnmr4piMpRLuZnDsQCUIbQoSwx7MwdybfvBX6gqEPBPV658VTtMPJ/uBbGZoFYizxe1zvR5aGI5q8zUr5HBakLU0vIgFge59bE+Ue5bp/N9q3YZopffnp1xD63DOJBLAsc8Aj0duhWMWC6s/hbJSkGKmjT3jz94RnbM42NdYBNeSq/RgqLzhGggUdMmTshuDcKDdD0tfHY61yNCTUH+9Cq/SNkZIBXUGFDJUDAyOsCfGbVhYlLStpNafodA1Qm/Xsp2uOrcQemQ4up6qikWETplVuD6kBCeBrZlRdh1UkAa10ihOnjUl33oRrP8UgyepPfG1cqRWtwOH05tCH7t1DtekFRVIVcM5fPaZTOL/U6u180yVLtCQ4v43RbIjK+cvd+69tJeRshNutB4EIpA83VBNIvSV43D5xUsw0bJsS28DNhtwRVGVFPhOVn93JPBKfC03pdkaun9fzEV+nVZr4GpgY+2N6b8qgtoR98HhMY3zKQjpvGm0ZIV0xOezguIyFu0rWrpgtHZGWGk0qVdwG9pSW12fgIHL5l6lFn8EzwW4WHMvOlRK4xUpIw+ecrot+47Ixl0wFhuBZ+LTllKNCdKR7t+bRRui0nWRh120iW9LwA4xhKXi3tZn8/lf6sneZoniFNJuUk26SpCqIohweWY=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 4017a139-d660-4527-9e50-08dab7cc11c0
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Oct 2022 03:33:52.4925 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB0994
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/82QQzd1J6A8xqlyv5ZBRn4_xZCs>
Subject: [I2nsf] AD review of draft-ietf-i2nsf-registration-interface-dm-21
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 03:34:02 -0000
Hi!
I performed an AD review of draft-ietf-i2nsf-registration-interface-dm-21. More feedback is split into a two section: general comments on the document followed by specific section by section comments.
==[ General Comments
I appreciate that this document is intended to specify the registration interface of the I2NSF architecture. Typically, when the primary intent of a document is to specify a YANG module most operational and architectural considerations can be covered elsewhere. In my assessment, I2NSF is a special case. This is a niche YANG module for a specific architecture. To ensure that it can be implemented in a secure and interoperable way, additional details need to be specified beyond what is in RFC8329. Practically, there are no other documents in which to convey this information. Additionally, what makes this document different than the other four YANG module documents is that it appears to be specifying interactions across administrative domains. This suggests that even greater care needs to be taken with the Security, Operational, and Privacy Considerations. To that end, few high-level comments:
** Architectural considerations.
-- Who initiates the registration and update process? Is this Security Controller or DMS initiated, or is it expected to be possible for either to do it? My confusion originates from Section 3 saying the DMS “uses [the] Registration Interface to provide NSFs developed by the NSF vendor to Security Controller”, but Section 4 saying that “DMS registers NSFs and their capabilities with Security Controller via the registration interface” and Section 4.1 repeats “This submodel is used by DMS to register an NSF with Security Controller.” Please be consistent and explicit.
-- In NETCONF/RESTCONF parlance, who is expected to be the client and server?
-- I don’t see it in the YANG module definition, but the text phrases things as if the DMS is serving the NSF to the Security Controller. For example:
(a) Section 3. “Developer's Management System (DMS) in I2NSF framework is typically run by an NSF vendor, and uses Registration Interface to provide NSFs developed by the NSF vendor to Security Controller.”
(b) Section 3. “the I2NSF Registration Interface can be used as a standard interface for the DMSs to provide NSFs capability information to the Security Controller.”
(c) Section 3. “Security Controller needs to request DMS for additional NSF(s) that can provide the required security capabilities via Registration Interface.”
The text in (b) is clear in saying that the registration interface provide NSF capability information to the Security Controller. (a) and (c) seem to suggest that the NSF itself is being shared through the interface.
-- I was under the impression that the DMS was providing “NSF capability information” so I was surprised to see instances of what appeared to be local provisioning information. For example:
(a) Section 4.1.1.1 “The registration interface can control the usages and limitations of the created instance and make the appropriate request according to the status.)”
(b) Section 4.1.2. The “NSF Access Information” (or grouping nsf-access-info per the YANG module) appears to specify the IP address of an NSF
(c) YANG. rpc nsf-capability-query has the DMS returning nsf-access-info which is an IP address of an nsf.
Why would the DMS be privy to what appears to be local configuration information. Does the DMS have a role in provisioning the NSF? Is there any information about the Security Controller’s configuration stored on the DMS (beyond authorization or authentication information)?
** Operational considerations
-- What guides the cadence and workflow associated with the Security Controller getting updates on the NSFs?
-- How does the Security Controller discover the DMS?
** Security Considerations
-- Thanks for the YANG object level analysis. Please also provide high-level analysis about the supply-chain risk presented by this architecture which has the Security Controller relying on a DMS. What would be the impact to I2NSF if the DMS was not available? If the DMS was compromised? What does the DMS learn about the Security Controller’s configuration (and by proxy about the security architecture of the domain in which it is fielded) through this interface?
-- I recognize the boiler plate YANG security template on language on citing that TLS/SSH and that NETCONF/RESTCONF can restrict access, but this is generic. Given the described architecture (which entails exchanging information that could affect security configurations across administrative domains) there needs to be more specific guidance on the trust and authentication/authorization models between the Security Controller and DMS.
** What does the YANG module for an “update” operation look like? Registration is covered in Section 5.1.2.1 and Querying is in Section 5.1.2.2.
==[ Section-by-section feedback
The following are more detailed section specific feedback.
** Abstract. Typo. s/for Registration Interface/for the Registration Interface/
** Section 1. s/security controller/Security Controller/. Additionally, as noted for the draft-ietf-i2nsf-consumer-facing-interface-dm, since RFC8329 doesn’t mentioned Security Controller and uses Network Management Operator System instead. Please note their relationship.
** Section 3.
In this case, DMS
uses Registration Interface to update the capability of the NSF,
and this update SHOULD be reflected in the catalog of NSFs.
If an update is going to occur, shouldn’t it be mandatory that the catalog is modified?
** Section 3. Typo. s/from an I2NSF user, Security Controller/from an I2NSF user, the Security Controller/
** Section 4. The operations summarized in bullets (1) and (2), appear to repeat the objectives 1 and 2 in Section 3? Is there a reason to do that twice?
** Section 4.1.
The NSF Name contains a unique name of this NSF with the
specified set of capabilities.
-- Unique within the scope of all NSF’s published by the DMS?
-- I note that draft-ietf-i2nsf-capability-data-model provides no guidance beyond "The name of Network Security Function (NSF)", and on a registration operation is uses that definition. As an side, on the rpc query response, there is normative language in the YANG module.
** Section 4.1.1.1. Should this “NSF Specification” include other dimensions like memory or disk? These are exposed alarms in the monitoring-data-model.
** Section 4.1.1.1.
This information represents the processing capability of an NSF.
This sentence summarized the “NSF Specification” as “processing capability”. However the descriptive text notes that this sub-model element covers both “processing” and “bandwidth”.
** Section 4.1.1.1.
Assuming that the current workload status of each NSF is being
collected through NSF monitoring
[I-D.ietf-i2nsf-nsf-monitoring-data-model], this capability
information of the NSF can be used to determine whether the NSF is in
congestion by comparing it with the current workload of the NSF.
Is this guidance only intended to cover “bandwidth”? I ask because I don’t see a way to align the “% CPU load” metrics in the monitoring-data-model with the processing-average and processing-peak fields whose units are GHz.
** Section 4.1.1.1.
These two information can be
used for the NSF's instance request.
-- What is an instance request?
-- Editorial. "These two information" doesn't parse.
** Section 4.1.2. NSF Access Information. See earlier comments on not understanding why this information is in the model. Setting that aside, and just thinking of this container as what is necessary to connect to an NSF over NETCONF/RESTCONF.
-- Isn’t there also the possibility of various credentials being needed to make a connection? Are they not represented for a reason?
-- Why are domain names not supported?
** YANG. container processing
I believe this is intended to express the processing capability of the NSF.
-- Could the difference between “processing-average” and “processing-peak” be explained. Is the latter expressing a concept like “Intel Turbo Boost”?
-- Could the kind of decision support this is driving be better explained. I ask because I’m not sure that GHz is the right unit. Comparing clock speed absent a lot of other factors doesn’t seem meaningful. Off the top of my head (and I’m not proposing this), something like BogoMips or a benchmark seems more applicable.
-- How would some of these figures be relevant in a virtualized environment?
** YANG. container bandwidth. Outbound/inbound-average and -peak field.
“The network bandwidth available to the NSF”
-- Is this measuring the capacity of the NICs, throughput to inspect/groom/filter a particular network load or the bandwidth of the links provisioned to the NSF?
-- If this is the provisioned bandwidth, please see my comments inquiring about the role of the DMS with provisioning information.
-- If this is measuring capacity, then “bandwidth” doesn’t seem like the right metric (maybe throughput)? What would “peak” throughput mean?
** Section 7. Please do not specifying normative behavior for the attacker (i.e., “The attacker MAY …”, say “The attacker may”).
** Section 7.
nsf-registration: The attacker MAY try to gather some sensitive
information of a registered NSF by sniffing this.
Sniffing implies on-path inspection. Is the intent different here? Shouldn’t the use of TLS or SSH preclude that? The subtext here is a controlling read-access to the DMS server (I think). Can the threat please be clarified?
** Section 7. For the “readable node analysis”, the following assessment is used for the nsf-specification and nsf-capability-info:
The attacker MAY gather the {specification / capability information}
information of any target NSF and misuse the information for
subsequent attacks.
I would expect that knowing that a particular NSF is fielded by a controller is of interest to the attacker as described. Is this architecture, is the information tied to the specific and capability information generic across all instances of that NSF for that vendor’s deployment base?
** Section 7.
* nsf-capability-query: The attacker MAY exploit this RPC operation
to deteriorate the availability of the DMS and/or gather the
information of some interested NSFs from the DMS.
If the DMS is a vendor, wouldn’t the product capabilities be public in some cases? Would that be worth clarifying?
** Appendix A. Step 5.
5. The NSF can have processing power and bandwidth.
Could this please be made more descriptive.
Regards,
Roman
- [I2nsf] AD review of draft-ietf-i2nsf-registratio… Roman Danyliw
- Re: [I2nsf] AD review of draft-ietf-i2nsf-registr… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] AD review of draft-ietf-i2nsf-registr… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] AD review of draft-ietf-i2nsf-registr… Mr. Jaehoon Paul Jeong