Re: [I2nsf] [Int-dir] Intdir telechat review of draft-ietf-i2nsf-nsf-facing-interface-dm-21
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 06 April 2022 07:51 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 110AC3A16F2; Wed, 6 Apr 2022 00:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.606
X-Spam-Level:
X-Spam-Status: No, score=-9.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=NNmNAKgB; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=J8L78mt1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAaZZxlVvnmW; Wed, 6 Apr 2022 00:51:09 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64EDF3A16F0; Wed, 6 Apr 2022 00:51:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=40146; q=dns/txt; s=iport; t=1649231469; x=1650441069; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=t/KlKIDwIVCprn8RaSTG26asWBCiQP8tNrqSW0fhhY8=; b=NNmNAKgB856/Qi+CDbdg6fnm0mUTTzS0y7h9j51KDImT8f+v5zHb4DxR PWRSUFbRY2GHJUW58tzOkXDhtRAsfp6eRc12aTeYvYmd+rytlh9iVfwmD laH7EY9l/DZy31PUaj0aYpcKUurs3l1alDptUseu+uDlo9GHIqmuwDfCM M=;
IronPort-PHdr: A9a23:PlPWFRxzh3gGGz/XCzPZngc9DxPP8534PQ8Qv5wgjb8GMqGu5I/rM0GX4/JxxETIUoPW57Mh6aLWvqnsVHZG7cOHt3YPI5BJXgUO3MMRmQFoCcWZCEr9efjtaSFyHMlLWFJ/uX+hNk0AE8flbFqUqXq3vlYv
IronPort-Data: A9a23:Ui9laK2hzstMqhfN5fbD5Stzkn2cJEfYwER7XKvMYLTBsI5bpzAAyDMaUT+BOK2LMDbwfdsnYdyw8kxS75SDn4BhSAc63Hw8FHgiRegpqji6wuYcB84ZRyH6ZBoPA/42N5+RdKjYcleG/k33auS58yElvU21buOU5NDsa3gZqTBMEE/NuTo78wIIqtYAbeqRWmthivuqyyHrA2JJ7hYvWo4iBw1vnzs01Bj6kGtwUlXT/pmntneG/5UeJMp3ya1csxLFrodo8u6SH44vzZmj9W/fuhwqEN7gw/Dwc1YBRfjZOg3mZnh+Avf5xEMd4H1plP9naZLwam8P49mNt91v2dNGtpGYQgYyNaqKk+MYO/VdO3gmZP0aoeCbcCXXXcu7iheun2HX6/l0BU8qeIwV5ugyADtI7vJdLisDKx6KjOOwz/e6TPVhnMoqJ8SuMIZZs3Vk5TDUEfhgRorMK43Lv9lD0h8xi9xAW/HEaKIxaDxzKRjBeTVON0sZTpUkk4+AhHT2dThZo1KYoew85G3ZwRdZ373kMd6TcduPLfi5NG7wSnnu5W/1BFQRM8aSjGvD+XO3jeiJliT+ML/+3YaQrpZC6GB/DERKYPHOaWaGnA==
IronPort-HdrOrdr: A9a23:jG7NoKM4Hkl1UMBcT7P255DYdb4zR+YMi2TDiHoedfUFSKOlfp6V8MjzjSWE9Ar4WBkb6LS90DHpewKcyXcH2/hvAV7EZninhILIFvAt0WKG+Vzd8kLFh5ZgPMtbAspD4ZjLfCVHZKXBkUqF+rQbsaK6GcmT7I+0pRoMPGJXguNbnn1E422gYypLrXx9dOME/e2nl6x6TlSbCBEqR/X+IkNAc/nIptXNmp6jSwUBHQQb5A6Hii7twKLmEjCDty1uEQ9n8PMHyyzoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDPsqRkcIYQw+czzpAJb4RH4FqjgpF5t1H22xayeUkZC1QZ/ib3kmhOV1dZyGdgDUIngxesUMKgmXo/0cL6faJNQ7STfAx2L6wtnDimhUdVBYW6tMW44vRjeslMfuL9h6Nl+TgRlVkkFG5rmEllvNWh3tDUZEGYLsUtoAH+lhJea1wVh4SxbpXWNWGNvusr8q+sGnqGEzxry1q2pihT34zFhCJTgwLvdGUySFfmDR8w1EDzMISk38c/NZlIqM0q9jsI+BtjvVDX8UWZaVyCKMIRta2EHXERVbJPHiJKVrqGakbMzaUwqSHr4kd9aWvYtgF3ZEykJPOXBdRsnMzYVvnDYmL0IdQ+h7ATW2hVXDmy91Y5ZJ+prrgLYCbfBGrWRQriY+tsv8fCsrUV7K6P49XGebqKS/0FYNAz2TFKtBvwLklIbsoU/oAKiezS5jwW//XX8TgAYLuGIY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AJAAAdRU1i/5FdJa1QAQkaAQEBAQEBAQEBAQMBAQEBEgEBAQECAgEBAQFAgUYFAQEBAQsBgVEuKAd3WjdEhFWDSgOEWWCFEIMCA4sUkCaBLhSBEQNUCwEBAQ0BASwLDAQBAYFyAYMUAheESgIlNAkOAQIEAQEBEgEBBQEBAQIBBwSBCROFaA2GQgEBAQEDAQEQEREMAQEsCwELBAIBCBEDAQIDAiYCAgIfBgsVCAgCBAENBSKCBF4BgmUDLgEOoQgBgToCgQ6JEXqBMYEBgggBAQYEBIULDQuCOAMGgRAsAYMQgwCBKIRogSWBCCccgUlEgRUnHIFmgQE+giFCAQEDgSgBBwEKASgxAoJgN4IumTcKGjgZAgQBMSIQBBQUKgECEg4kFRgMBhMtCwoEJAYLDAgFDgwCAiUGkXIMEA0kgyeKJ4NEiX6RRERrCoNJixWObQSCXoMZBS6DdIw5ilONUZZeIIx4g1WQPC6FDQIEAgQFAg4BAQaBYTxpcHAVOyoBggoBM1EZD1aNSgwWFYM7hRSFSnU4AgYBCgEBAwmLXiyCHAEB
X-IronPort-AV: E=Sophos;i="5.90,239,1643673600"; d="scan'208";a="1018417495"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Apr 2022 07:51:07 +0000
Received: from mail.cisco.com (xfe-rcd-001.cisco.com [173.37.227.249]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 2367p7wL009788 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 6 Apr 2022 07:51:07 GMT
Received: from xfe-rcd-003.cisco.com (173.37.227.251) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Wed, 6 Apr 2022 02:51:06 -0500
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-003.cisco.com (173.37.227.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14 via Frontend Transport; Wed, 6 Apr 2022 02:51:06 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UFCtw81+cIIBSx1x1HLqzww3i2SL0KNmH8Ps4Fl8EXSdd124PfN+4qVnfY+YXPbwTKKpKJh38EVyhXzflCGWJA2Hov5M5GtEOB2gExu+1IW2y7JVIbV82SHkXXmuIp+APfZhVQ/pBKjJl+/6mvSE5e1lk000wzLyAVzjIvnU7GIQIhD5+G89TIPY/wzhajex05kWfcBclJAXvgpF6Pr8YGjWbnkuqERHex76Yj06ANCVMdCc+XLLWl1wklkkC6MUlqFWJM7zAYKttb3EM6qMUn5jbsqGawYBWxB7TRRRw2rSqupfty0/s/vbBi+222Dy9svN3Zv28emAlHm3+yn4kA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=t/KlKIDwIVCprn8RaSTG26asWBCiQP8tNrqSW0fhhY8=; b=ehDXjANIEbQ/bGNf/3k2x6ljJDZ0sT2HTorz3VtkcqgHdbRg580vpZDLQAHag4jdX79ux3Vw2+vk3WUCEUOpKkqAhlRrCbSp4EWI+wvZDrjD9Q7hYlJEL1X9VV3RUmsfIjRneZltCMONZnotdEhBgKh8Lp0WJ2jbLm9yyr6rSbo59VCLG9l6Pd2WpgaoAmPvOYkurYb4T1CHI/Y+06QmLhvIoCOSdFH8yw+raoZe0gbOkmgA+cmsizMidD3SjNrCrKBOnSUHkBOiOj2U0GDUrvl7JC6HPcnPgvFcq8mfZYv57Kffl9tIW7sHi3jB0i6Xky4cRoQnnhzpEZwzXi5z4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t/KlKIDwIVCprn8RaSTG26asWBCiQP8tNrqSW0fhhY8=; b=J8L78mt1NMbf1/54nRlSkoe1lXJ0+xXe6uT9ATK4m6QqU0a7vx/Yz9DRT4GkEZKs+/5JcedThprz7QANNqEiRUAIWcRM9FIRQMx7/rIuX7xb58YBqUk+EaQzOrGIBDNCk48MxNLONVEJOO6DXVbv9zyYXY21cna52Iq4Fzgmz1k=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by CO1PR11MB4916.namprd11.prod.outlook.com (2603:10b6:303:9c::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Wed, 6 Apr 2022 07:51:04 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::5168:5785:a564:2cf8]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::5168:5785:a564:2cf8%4]) with mapi id 15.20.5144.022; Wed, 6 Apr 2022 07:51:04 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>, "int-dir@ietf.org" <int-dir@ietf.org>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-ietf-i2nsf-nsf-facing-interface-dm.all@ietf.org" <draft-ietf-i2nsf-nsf-facing-interface-dm.all@ietf.org>
Thread-Topic: [Int-dir] Intdir telechat review of draft-ietf-i2nsf-nsf-facing-interface-dm-21
Thread-Index: AQHYIpysRjRjtBKPkUSVs4rsWb7g2azi8m6A
Date: Wed, 06 Apr 2022 07:51:04 +0000
Message-ID: <6FBFFB2F-D6A2-4B28-A94D-3D5BBC7777F9@cisco.com>
References: <164495089507.31875.16708214686019174571@ietfa.amsl.com>
In-Reply-To: <164495089507.31875.16708214686019174571@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.59.22031300
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a4235c88-32a4-498a-87f7-08da17a2338d
x-ms-traffictypediagnostic: CO1PR11MB4916:EE_
x-microsoft-antispam-prvs: <CO1PR11MB49162FA198F822E471E28DA1A9E79@CO1PR11MB4916.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Jw67J2G2mQp///ANvj5U+Ej9jjgVk/E/S/GjxyNsMa3hmex8J8R8eAj9Hls26Mq3JY66Q3QnuUdWRSTZ/jZnltpkq1BRWvKYedcrPedZL2FoBJ1WgOY2tTof0L+L0hlckKU/vtM63E2FCXZEoAgd2lyB1wP6NtKq4alrLzLNjia0Lu5gRrgfhue0cEVOf3oIrTLbeDI/plSIDohFXwUVMswohPCX8LzJrrvybFm56Bq5qUjF64+PU5sDSHRyUdP2Hocz+Vb+ICv8S7lPRXsZl4fyXseZHbw5aIdmKs8GLf+cyop2ZKY2Tqun2uueDmLtz9SbXTOjYpbPduODq3frZxK8rampl3d4yQNq/3p1y7yjaWqHCSXQDb4rDn7kkseQ/zmoplP4T8NaXYy2JscKN2vL4m/yLKymbvwOI01GofiSNxfZAQ93vcACRzYa7FUd2wpETU8sybsMb02v3CypK30InrrbdFdyWXPsQNLB/UsOMKsf3s2C1oSKc0n5PTMPswdQ5oeDJ6gqEhBuUzf9DblHdxoPhEDYzJWspKTuw/WLo+QyRPfey50aOalkL5+upkaUh47zqxb9CMzFXlJ5/XgE6hxl0ZGJyHAyd5CRkeYpl0WqBVCRdFlBTqEF/7G1e3xpDdH617q1oygvft7mKR0BvdFUBf4dCyrFfTVgqEJgzV65rDzejCUkMQQmYJpR4kA4GM/cTEfC0hQqwBwYm12FPNeDKBGpGrnfsd0OpPS1vpTpnqtsRdn/dMomwW7AMXdCmrlNYxGf915dhdY8GqR+MEPzC6TUb6AYOuIXytxdnkOkQPvJpISpuklXwhlNM1ekYwUCMY+P+7JQUgXb7SkpI5YFscRkfLUAGfBQhns=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(54906003)(110136005)(186003)(76116006)(91956017)(2906002)(66946007)(4326008)(64756008)(66446008)(66476007)(122000001)(66556008)(38100700002)(38070700005)(83380400001)(8676002)(6512007)(316002)(86362001)(33656002)(6506007)(30864003)(6486002)(71200400001)(66574015)(8936002)(966005)(5660300002)(36756003)(2616005)(508600001)(45980500001)(579004)(559001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: rRknjGWO2dB8mE2dQQOdjeDpsMdZUdmgSmxQCF0B82eQHnV3TrN8dI29GWe0w5JDdv6dgUkuOGvKk0yen4T++3uQDQDuD60/HZY36UMz+bFelbuRfXvEBqzkrVtJPbs4mXFM8dDp52nQ1X4Qk3cuFm8GTAlYhsBsbnjo34nlJUlrgu0DFSLTccOgtzEtf/bNG4sAJGdAMzzk3bC0Vr55VucMLBUAQ+sI3VASDUi8DCYW36IzuyRnqkpea4rRlspRaA3BxoDb56vFctRnq50CajD+Il/p5elXQ1TLRb2M2G6J+CVXgMFG7B9tnLa/Y+HLIsqoERGcbDYBFpBtsa6zLz/v9zXCbN0vJFqhjtJteqenQrWTQwEUDfEgKpZNhj24IdGsmlUopAtj1+Xhyr/WYvabodQInuMak832C/9c85lJTaM/UvBBGmM8+pLREN/S2PXRoWy4KRsGd8JH2nbBAyHqP974MpFVSXoLDGdUxgUlgQRFWb9997KHH+RE2pzXEbkdZ/JNEpkEVvT7A3usUAeYLzUm0WoEybLtkuvILVTcKpyUGwpAu6Xj3c5rwSKkd+iyYSR1JHgbQWJeLw3pMGcwGWhOM1Tfdk7+1lR0uYEwRwittU9ppsm/yyXFO2x/ctIhmRVavRzLgnsDhodKmOVh/SYcjyPyQAnBOB0tOSNoBLQEZU863aWdPD87KmihYSjP/5BnDQFMEsjWBougy/1dG17EBkHZO1RehEp9NCsTOUxGNXUKfg1oou0CGnOUhTcDXs9CncgXnVvHnsXj99fk/kPMeglkDnmqacxtwXx9iSnRdujiqO2KZ7OKbpxRMr/Vb0XbYYpvfkTua3xiCZVSaGkzlou/rMLMz5b8zpHVwgV4bGU6l53wUVb37D3C/09OV4hIXfYr81qRziGPjjZVJm6/rMOGS+7wmUOYnFwF0p/jLTeCQD4CZzHIiUtntNEVeZ4M/GPtC6VprD2r29cNI+6oFgWHLbeCis3lMiUkz3GbnvTaDkt50NsKgqhh3KS5a77Bj+QxUh1NM1wVw4R9HkTr4FNMBCh/J65JBGX15X5KTZhDDg9j2MyoKbp5ARC/WvFOpfHtrBuD60qymEFVuMinG+nnID97XFZk27Wh3OQyG6WaNGrZ8vPoUCtyoeWkhPYG9HW1JZcUSt3k5LRhDoIHbnJCcwPBeTDN/NauO2nVZP3EmV/80ZdNe1aVRA7fwTLOtDYF73UIFC/P/aDIbrvaVseVGPiuxP/mm2qmUvnZZGgJU0huPeXIxtBIJguipPHqvfox+u3+4lGzjKg8whbQJEOsNCvgtPoMKeidVpN8L61hO5iQzLpYRyYOMwXcncxKWipgJIYGN2ThNW3VBm5w/3PEXU7EADFn3EkAW7IdkOnYCIhoD99lcOKxR7rn7vZWytTqFDhQ5v/CiUcIvopdOiv7eW1xI0mPKO+rLqIWlHp29Oog6BAEePOZ9SiefwU3Tl6q/ml1wQW03nam9hsUoAtA5zxhRQ/FOa2MOrJ4CKSkm0eFOVH/lPtaJaS/AkVFJVxXEpQkSFV3JrmfXkj/3jkfMOgcXEm4dFLQbKFwC29MxR7GBKoENCSDpNQ+MWxzBIzutYgAR4Is9RLiUEkWXL+xmxKN2mWJCAWVCZOnn8TW0ahTzWpcmjPLvIFkAhkhZ6keyErFXu92rFIpLV8dhssMQ/RKH4pYjMuOOSkkWCIIdpTwQpdMvn0V4Kdl6B91JSwQ0IXSjtcl7Fn+N7m1aHS8fO7IA3GF8SNonpdeA9cjzbL5PYA7pvRYBdO+dGdl
x-ms-exchange-antispam-messagedata-1: b0oIRkEboz9fhPA5obmDlTc7lIKmMBI5Yfk=
Content-Type: text/plain; charset="utf-8"
Content-ID: <C2F7B75341862A42865BA98405B5DA6A@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a4235c88-32a4-498a-87f7-08da17a2338d
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Apr 2022 07:51:04.2139 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rhaVGpnUEyDp5S0/+eSCQ6rhloon1578TPXA/nn5ERQOzk0Pz8Zh0j+HiDQyyHW0qe5yQZaz3Wp7cMnPYN1WIw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB4916
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.227.249, xfe-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/B7IYj7w5FZZ12vZmPyeU-PMvVdA>
Subject: Re: [I2nsf] [Int-dir] Intdir telechat review of draft-ietf-i2nsf-nsf-facing-interface-dm-21
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2022 07:51:16 -0000
Thank you, Jean-Michel, for the review. I had also balloted DISCUSS before reading your own review. I will reply shortly to the authors based on their revision letter / email dated 25th of March. Regards, -éric -----Original Message----- From: Int-dir <int-dir-bounces@ietf.org> on behalf of Jean-Michel Combes via Datatracker <noreply@ietf.org> Reply to: Jean-Michel Combes <jeanmichel.combes@gmail.com> Date: Tuesday, 15 February 2022 at 19:48 To: "int-dir@ietf.org" <int-dir@ietf.org> Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-i2nsf-nsf-facing-interface-dm.all@ietf.org" <draft-ietf-i2nsf-nsf-facing-interface-dm.all@ietf.org> Subject: [Int-dir] Intdir telechat review of draft-ietf-i2nsf-nsf-facing-interface-dm-21 Reviewer: Jean-Michel Combes Review result: On the Right Track Hi, I am an assigned INT directorate reviewer for draft-ietf-i2nsf-nsf-facing-interface-dm-21. These comments were written primarily for the benefit of the Internet Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the INT Directorate, see https://datatracker.ietf.org/group/intdir/about/ <https://datatracker.ietf.org/group/intdir/about/>. Based on my review, if I was on the IESG I would ballot this document as DISCUSS. I have the following DISCUSS level issues: - IPv6 (section 3.3) The following are other issues I found with this document that SHOULD be corrected before publication: - Event clause definition (section 3.2) - Action clause definition (section 3.4) - identity session-log description (section 4.1) - identity transformation (section 4.1) - identity redirection (section 4.1) The following are minor issues (typos, misspelling, minor text improvements) with the document: - Figure 2 (section 3.2) - identity hardware-alarm description (section 4.1) - identity reject description (section 4.1) I have also a question, for my curiosity, about identity application-protocol (section 4.1). Please, find below, my deep review. I2NSF Network Security Function-Facing Interface YANG Data Model draft-ietf-i2nsf-nsf-facing-interface-dm-21 <snip> 3.2. Event Clause <snip> module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy* [name] ... +--rw rules* [name] | ... | +--rw event | | +--rw description? string | | +--rw time | | | +--rw start-date-time? yang:date-and-time | | | +--rw end-date-time? yang:date-and-time | | | +--rw period | | | | +--rw start-time? time | | | | +--rw end-time? time | | | | +--rw day* day | | | | +--rw date* int8 | | | | +--rw month* string | | | +--rw frequency? enumeration | | +--rw event-clauses | | +--rw system-event* identityref | | +--rw system-alarm* identityref | +--rw condition | ... | +--rw action | ... +--rw rule-group ... module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy* [name] ... +--rw rules* [name] | ... | +--rw event | | +--rw description? string | | +--rw time | | | +--rw start-date-time? yang:date-and-time | | | +--rw end-date-time? yang:date-and-time | | | +--rw period | | | | +--rw start-time? time | | | | +--rw end-time? time | | | | +--rw day* day | | | | +--rw date* int8 | | | | +--rw month* string | | | +--rw frequency? enumeration | | +--rw event-clauses | | +--rw system-event* identityref | | +--rw system-alarm* identityref | +--rw condition | | ... | +--rw action | ... +--rw rule-group ... Figure 2: YANG Tree Diagram for an Event Clause <JMC> Except if I missed something, there is 2 times the same figure. I assume this is a copy/paste error. </JMC> An event clause is any important occurrence at a specific time of a change in the system being managed, and/or in the environment of the system being managed. <JMC> I am not English native but, IMHO, your definition is maybe too restrictive. Indeed, for me (and my English :)) your definition doesn’t apply to your “Example Security Requirement 1: Block Social Networking Service” because there is no change in the system being managed, and/or in the environment of the system being managed. IMHO, your definition only fits with the use cases where there is either a system event (called also alert) or a system alarm. </JMC> <snip> 3.3. Condition Clause <snip> module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy* [name] ... +--rw rules* [name] | ... | +--rw event | | ... | +--rw condition | | +--rw description? string | | +--rw ethernet | | | +--rw description? string | | | +--rw destination-mac-address? yang:mac-address | | | +--rw destination-mac-address-mask? yang:mac-address | | | +--rw source-mac-address? yang:mac-address | | | +--rw source-mac-address-mask? yang:mac-address | | | +--rw ethertype? eth:ethertype | | +--rw ipv4 | | | +--rw description? string | | | +--rw dscp? inet:dscp | | | +--rw ecn? uint8 | | | +--rw length? uint16 | | | +--rw ttl? uint8 | | | +--rw protocol? uint8 | | | +--rw ihl? uint8 | | | +--rw flags? bits | | | +--rw offset? uint16 | | | +--rw identification? uint16 | | | +--rw (destination-network)? | | | | +--:(destination-ipv4-network) | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | | | | +--:(destination-ipv4-range) | | | | +--rw destination-ipv4-range* [start end] | | | | +--rw start inet:ipv4-address-no-zone | | | | +--rw end inet:ipv4-address-no-zone | | | +--rw (source-network)? | | | +--:(source-ipv4-network) | | | | +--rw source-ipv4-network? inet:ipv4-prefix | | | +--:(source-ipv4-range) | | | +--rw source-ipv4-range* [start end] | | | +--rw start inet:ipv4-address-no-zone | | | +--rw end inet:ipv4-address-no-zone | | +--rw ipv6 | | | +--rw description? string | | | +--rw dscp? inet:dscp | | | +--rw ecn? uint8 | | | +--rw length? uint16 | | | +--rw ttl? uint8 | | | +--rw protocol? uint8 | | | +--rw (destination-network)? | | | | +--:(destination-ipv6-network) | | | | | +--rw destination-ipv6-network? inet:ipv6-prefix | | | | +--:(destination-ipv6-range) | | | | +--rw destination-ipv6-range* [start end] | | | | +--rw start inet:ipv6-address-no-zone | | | | +--rw end inet:ipv6-address-no-zone | | | +--rw (source-network)? | | | | +--:(source-ipv6-network) | | | | | +--rw source-ipv6-network? inet:ipv6-prefix | | | | +--:(source-ipv6-range) | | | | +--rw source-ipv6-range* [start end] | | | | +--rw start inet:ipv6-address-no-zone | | | | +--rw end inet:ipv6-address-no-zone | | | +--rw flow-label? inet:ipv6-flow-label | | +--rw tcp | | | +--rw description? string | | | +--rw source-port-number | | | | +--rw (source-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw destination-port-number | | | | +--rw (destination-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw sequence-number? uint32 | | | +--rw acknowledgement-number? uint32 | | | +--rw data-offset? uint8 | | | +--rw reserved? uint8 | | | +--rw flags? bits | | | +--rw window-size? uint16 | | | +--rw urgent-pointer? uint16 | | | +--rw options? binary | | +--rw udp | | | +--rw description? string | | | +--rw source-port-number | | | | +--rw (source-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw destination-port-number | | | | +--rw (destination-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw length? uint16 | | +--rw sctp | | | +--rw description? string | | | +--rw source-port-number | | | | +--rw (source-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw destination-port-number | | | | +--rw (destination-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw chunk-type* uint8 | | | +--rw chunk-length? uint16 | | +--rw dccp | | | +--rw description? string | | | +--rw source-port-number | | | | +--rw (source-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw destination-port-number | | | | +--rw (destination-port)? | | | | +--:(range-or-operator) | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--:(port-list) | | | | +--rw port-numbers* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw service-code* uint32 | | | +--rw type* uint8 | | | +--rw data-offset? uint8 | | +--rw icmp* [version] | | | +--rw description? string | | | +--rw version enumeration | | | +--rw type? uint8 | | | +--rw code? uint8 | | | +--rw rest-of-header? binary | | +--rw url-category | | | +--rw description? string | | | +--rw pre-defined* string | | | +--rw user-defined* string | | +--rw voice | | | +--rw description? string | | | +--rw source-voice-id* string | | | +--rw destination-voice-id* string | | | +--rw user-agent* string | | +--rw ddos | | | +--rw description? string | | | +--rw alert-packet-rate? uint32 | | | +--rw alert-flow-rate? uint32 | | | +--rw alert-byte-rate? uint32 | | +--rw anti-virus | | | +--rw profile* string | | | +--rw exception-files* string | | +--rw payload | | | +--rw description? string | | | +--rw content* string | | +--rw context | | +--rw description? string | | +--rw application | | | +--rw description? string | | | +--rw protocol* identityref | | +--rw device-type | | | +--rw description? string | | | +--rw device* identityref | | +--rw users | | | +--rw description? string | | | +--rw user* [id] | | | | +--rw id uint32 | | | | +--rw name? string | | | +--rw group* [id] | | | | +--rw id uint32 | | | | +--rw name? string | | | +--rw security-group? string | | +--rw geographic-location | | +--rw description? string | | +--rw source* string | | +--rw destination* string | +--rw action | ... +--rw rule-group ... Figure 3: YANG Tree Diagram for a Condition Clause A condition clause is defined as a set of attributes, features, and/ or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether the set of actions in that (imperative) I2NSF policy rule can be executed or not. A condition clause is classified as a condition of generic network security functions, advanced network security functions, or context. A condition clause of generic network security functions is defined as IPv4 condition, IPv6 condition, TCP condition, UDP condition, SCTP condition, DCCP condition, or ICMP (ICMPv4 and ICMPv6) condition. Note that the data model in this document does not focus on only IP addresses, but focuses on all the fields of IPv4 and IPv6 headers. The IPv4 and IPv6 headers have similarity with some different fields. In this case, it is better to handle separately the IPv4 and IPv6 headers such that the different fields can be used to handle IPv4 and IPv6 packets. <JMC> What about IPv6 options headers? FWIW, even basic FWs provide the granularity to set-up a policy regarding them. Seems you missed something important (i.e., a large part of the IPv6 world), IMHO ... Currently, your data model would be unusable to set-up an IPv6 filtering policy inside my company. </JMC> <snip> 3.4. Action Clause <snip> module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy* [name] ... +--rw rules* [name] | ... | +--rw event | ... | +--rw condition | ... | +--rw action | +--rw description? string | +--rw packet-action | | +--rw ingress-action? identityref | | +--rw egress-action? identityref | | +--rw log-action? identityref | +--rw flow-action | | +--rw ingress-action? identityref | | +--rw egress-action? identityref | | +--rw log-action? identityref | +--rw advanced-action | +--rw content-security-control* identityref | +--rw attack-mitigation-control* identityref +--rw rule-group ... Figure 4: YANG Tree Diagram for an Action Clause An action is used to control and monitor aspects of flow-based NSFs when the policy rule event and condition clauses are satisfied. <JMC> What happens when there is either no event clause (e.g., Example Security Requirement 2: Block Malicious VoIP/VoCN Packets Coming to a Company) or no condition clause? What I mean is: is it mandatory to have the both to trigger an action? IMHO, a text clarification is needed here. </JMC> 4.1. YANG Module of NSF-Facing Interface <snip> identity memory-alarm { base system-alarm; description "Identity for memory alarm. Memory is the hardware to store information temporarily or for a short period, i.e., Random Access Memory (RAM). A memory-alarm is emitted when the memory usage is exceeding the threshold."; reference "draft-ietf-i2nsf-nsf-monitoring-data-model-14: I2NSF NSF Monitoring Interface YANG Data Model - System alarm for memory"; } identity cpu-alarm { base system-alarm; description "Identity for CPU alarm. CPU is the Central Processing Unit that executes basic operations of the system. A cpu-alarm is emitted when the CPU usage is exceeding a threshold."; reference "draft-ietf-i2nsf-nsf-monitoring-data-model-14: I2NSF NSF Monitoring Interface YANG Data Model - System alarm for CPU"; } identity disk-alarm { base system-alarm; description "Identity for disk alarm. Disk is the hardware to store information for a long period, i.e., Hard Disk and Solid-State Drive. A disk-alarm is emitted when the disk usage is exceeding a threshold."; reference "draft-ietf-i2nsf-nsf-monitoring-data-model-14: I2NSF NSF Monitoring Interface YANG Data Model - System alarm for disk"; } identity hardware-alarm { base system-alarm; description "Identity for hardware alarm. A hardware alarm is emitted when a problem of hardware (e.g., CPU, memory, disk, or interface) is detected."; reference "draft-ietf-i2nsf-nsf-monitoring-data-model-14: I2NSF NSF Monitoring Interface YANG Data Model - System alarm for hardware"; } <JMC> I don’t understand the last identity here. If I refer to the identities defined here (i.e., previous ones and the one after, I would say that the description should be: “Identity for hardware” alarm. A hardware alarm is emitted when a problem of hardware – other than CPU/memory/disk/interface, is detected.”; Indeed, identities already exist for CPU, memory, disk and interface alarms. Or did I misunderstand something? </JMC> identity interface-alarm { base system-alarm; description "Identity for interface alarm. Interface is the network interface for connecting a device with the network. The interface-alarm is emitted when the state of the interface is changed."; reference "draft-ietf-i2nsf-nsf-monitoring-data-model-14: I2NSF NSF Monitoring Interface YANG Data Model - System alarm for interface"; } <snip> identity reject { base ingress-action; base egress-action; base default-action; description "Identity for reject action capability. The reject action denies a packet to go through the NSF entering or exiting the internal network and sends a response back to the source. The response depends on the packet and implementation. For example, a TCP packet is rejected with TCP RST response or a UDP packet may be rejected with an ICMP response message with Type 3 Code 3, i.e., Destination Unreachable: Destination port unreachable."; } <JMC> You really don’t like IPv6 :) Why not a ICMPv6 response message with Type 1 Code 4 ;) </JMC> <snip> identity session-log { base log-action; description "Identity for session log. Log the tasks that is performed during a session."; <JMC> Clarification (e.g., text, reference(s)), please, about the terms: - session - tasks </JMC> identity tunnel-encapsulation { base egress-action; description "Identity for tunnel encapsulation. The tunnel encapsulation action is used to encapsulate the packet to be tunneled across the network to enable a secure connection."; } <snip> identity transformation { base egress-action; description "Identity for transformation. The transformation action is used to transform the packet by modifying its protocol header such as HTTP-to-CoAP translation."; reference "RFC 8075: Guidelines for Mapping Implementations: HTTP to the Constrained Application Protocol (CoAP) - Translation between HTTP and CoAP."; } <JMC> IMHO, I would do the following change: s/by modifying its protocol header/by modifying it That would permit a more global scope (e.g., SFC, SRHv6). </JMC> identity redirection { base egress-action; description "Identity for redirection. This action redirects the packet to another destination."; } <JMC> I only know two ways to redirect a packet: either tunneling it or modifying it – what you call “transformation”. May you describe any other way you have in mind to do the job, and so to have the need to specify the identity redirection, please? </JMC> <snip> identity application-protocol { description "Base identity for Application protocol"; } <JMC> This question is just for my curiosity: why not to define a generic application-protocol, including the associated well-known port to identify the protocol you need? </JMC> <snip> Thanks in advance for you reply. Best regards, JMC. _______________________________________________ Int-dir mailing list Int-dir@ietf.org https://www.ietf.org/mailman/listinfo/int-dir
- [I2nsf] Intdir telechat review of draft-ietf-i2ns… Jean-Michel Combes via Datatracker
- Re: [I2nsf] [Int-dir] Intdir telechat review of d… Eric Vyncke (evyncke)