[I2nsf] Review of draft-ietf i2nsf-nsf-facing-17 was Re: Secdir last call review of draft-ietf-i2nsf-nsf-facing-interface-dm-16
tom petch <daedulus@btconnect.com> Thu, 03 February 2022 12:53 UTC
Return-Path: <daedulus@btconnect.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9894A3A1617; Thu, 3 Feb 2022 04:53:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jjp8jZadyb-L; Thu, 3 Feb 2022 04:53:30 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2112.outbound.protection.outlook.com [40.107.20.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F407E3A1615; Thu, 3 Feb 2022 04:53:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UZXPVt/ojlXxUTKirKGLUQVG6Y1xO5LtowgDlwnArGOrllFMmmK+IlwYKNIeLx6Ixy+rCY6M5a4/0mtTZeZ6JaviDYGlq1C1qLUHW4qG0NbqjXufT9GFv2suH2w1MWmQGP0jForjvbSnqpipSr5UyyYgp1spDGw52rzGgpWoXKF8KPY2KqKtm9K8pmWPL+gDBBOh8lWR8KuTdiYdiVkUo7H1MU1i1BXlM8d0+Jr3OfT5xXA/lNCAkK/2kIhxLVuuWPLf040JCzL/1KFKFW+5uoUHNkjm2kF/+UxObUf+cK+BSJULUbUqREuFziXhxc9o4HW2UOVWoznLaDvWamWk1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9P290Ivrt8oGqvr7bfhKFfXbE2cNg2SRfislOUdDaS0=; b=fLrncLWGjo/FGvaRnzcqxTYd/JokGNb18651J3RUVP2BnsPvfwnz2Fj0oM6jUfV9DZbpmgXEr/iTraTkPvxTK4JvPqLkrhXcD5/OK3RKGnJ/0KmhmsciUgFufFAbJ5dZx0KhN8ZJylrkLdZGvlXaeBDmsfhVrWf7gu5LUqi5WpEaT4utYuMXWO3UOwv9E5XkyVQbuDi5kw/wJZ1aMaNeAGGlCy5pn2vqRcNFtB/kdC0pwjXNi7Ji2s+h83rUDtgOxPl5vMwOAj6vMOe4hgTn5UIGLb4PJDSFzprrwJiPdO6gBeQ2Bv9C+Nh7uujRA/MsH9BR0lqujwx/BEto+IzLiQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9P290Ivrt8oGqvr7bfhKFfXbE2cNg2SRfislOUdDaS0=; b=Pcmh4/jr6Rs233NdRafmATM8LowSxu7Agmj8NylQoF/wo511g5LgqUXr6/v3QR6TCsTr+mRgAfWbcW8ispAlAl7lnIR3CpVQCfxTk13dDbUlyeRGoDPKpx3ILk4WZkIg0mpawMz7wRXbpJ9lH6YKsns708GkmrfdKzqLtfGDvmI=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8) by DB6PR0701MB2839.eurprd07.prod.outlook.com (2603:10a6:4:6f::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.12; Thu, 3 Feb 2022 12:53:26 +0000
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::1040:a0b:e4e1:f512]) by VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::1040:a0b:e4e1:f512%5]) with mapi id 15.20.4951.014; Thu, 3 Feb 2022 12:53:26 +0000
From: tom petch <daedulus@btconnect.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Cc: i2nsf@ietf.org, JungSoo Park <pjs@etri.re.kr>, Last Call <last-call@ietf.org>, Yunchul Choi <cyc79@etri.re.kr>, Patrick Lingga <patricklink888@gmail.com>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Message-ID: <61FBD03E.6010006@btconnect.com>
Date: Thu, 03 Feb 2022 12:53:18 +0000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: LNXP265CA0060.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::24) To VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a321d776-cfcf-4340-502f-08d9e7142b66
X-MS-TrafficTypeDiagnostic: DB6PR0701MB2839:EE_
X-Microsoft-Antispam-PRVS: <DB6PR0701MB28391D005D5BD3BD8311AB7AC6289@DB6PR0701MB2839.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 2ouLutxjkktsxJQORIx66gmo0+DATusVDvF8lf8O0nCxX1HiXAqNO3yicIBUZzclZIYNgLgdCznWsceLzFBeR5B8zE/D20QGXWGrXtXBTKzT6heTM8Yog2EsNsL9lQno2YEiMyGwe/chYVeMmcVuWgv4wQ1rZnYAE71uHATWi5rMNgkQzFrv6XE7dSVzxG2JKI8Vt1mbgm6iLMfnvGSz63bHJ9oeTtZf4czT2Qh9Qm68H2GQPiRcX9QZkOBWfpGekecQeroD+hCL+nSMjF2dLNrTfq+Y63WBvpGMOTHvLpKouuSgsoMSIDTC1VsK7s1Yu0d5bjLEDHOQpK3nLOi9MNHUr9TlVT/8cjt3RQb86dU0grx6Talk4HXZZMJMVb3pdPD9u/W5GZdd4ieBnn/eVLMZ9dNIdGQeTNCo+/kYlJYbaOQbV9F/J0XY8Yrx1jdSUH13xuKXY3ym0gPjdNRmjzvhaWKTa5VaZu2lB3RXCSLy8FMJMC8HV4f4WKyGdv6faJ3j5TYIJehwzeW2NcWnwfHVWnGviPCaiSUqOr6DkmzvyRuGCtRmnuOEknD5s9YPbGFbT87DGI1Shtb1z0RQUEjjmewpyFNe2v2Mw36D3OGMmKyrNqg5kuBmEX6RT/4r9/tgHFnezr1ZEkpv352iOedJ+CzWmC2gLfbx+UKQtDXDlilF8qtNyzV+VQg121yM1DLl1PwoTb01rslsCRyhMlyTkfjsBIrWGP6pxN79P5I2sLPFYjbFRyaD+iWhUXQzQV0iiV6wDgMd6JiGwhNGH4T2PUP50WnnAbtcOPhqCgNWCzkhfgoEYZ5GV8I2buyd
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB6704.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(6916009)(33656002)(38350700002)(54906003)(2906002)(6512007)(36756003)(8936002)(5660300002)(87266011)(86362001)(52116002)(53546011)(6506007)(38100700002)(66946007)(66556008)(66476007)(82960400001)(8676002)(508600001)(6486002)(186003)(26005)(6666004)(316002)(4326008)(966005)(2616005)(83380400001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: Nm2yDHxRQstUUyHJyAHuAbUx4jwSnRT7guZiY9vkI+124PevSE3MDhth9y/SMjmmpQGtjsydaWeu/PGW7sLsiYybIhVbnqMXDVB5Daa5IZ2ZCobgho4/y68+ylHkqkHFlMpApIbkMwDu7HRhZD4fA1DKXR99kYtdPhWdDc6SFQOcF5ftKt0e5NG2xbDdFT4XFCqBQvX5hv67amLn8JUM7ChsbKEgUKuyhg9wyV43Zql0Hp5fCvSVr3eWu+ieFdLwQ6DOlbM1teAvrvPMCkDV5H2l9VWqDO6Qj5uSebe61BfNPE+5h8b6FjhqpgCSYz84ggaiY7r6HBr+E7xWj1jNmrmqwekwJV93deLfSpB/wf4u240QA1zv0OnNB18SWVOVSzFshV5cc3t5XWO1VoH1zhk/gzq8EZoc08mI/Y0rZPuN80/qCFtWV3pIZsOAhjbc7qQ9L4DC3QOhrSj3Lh4j+5pKR8VQlHyT/ss+ZZ+6wFUIamIzRdJUeqE/rEjom3r8MNL04Empa4T5IHeObl/99NFO/OyHOREi98kwhD09M4Ej0Xe6BRSaiNfP9+uwgYyMqU5jWVxy0yjH4BA4VCzMPDlqMJE589cUUT3EyDSGrvIfXpIUtJwxn5O1iMkWg0rcIHS3lH/J50/yHCZjbxxaxt/v3pqGlOYEy4fJo6X6epSXtfFtqWqVeCtP7AvQNEBpUEl45c8FsjyDfJ3lepbeFfN+TLM7TiT0QHmzmVNDuUcNrdK4C1VE5QUqO7LsWW0TpK7T+IXZ1J0O+em5GLQKDqBQ1YIT62p/wlCCQ59UTTOfJNcEfU6X4YGHVAxPB+UKe20MPjFKpvOLg6ib17vXIOF+JjF8yn7jbXB/RtkQ2dWy8V6mOr39IOoPqJmYGl2uufFtvLYbUS/E//a7TVBm1mK5J/hB2gVgkqCvbhfvosDWUrDMEZRdNY3zfEboVfvKvGzgjRSFIDBKPqYJURk4F7c3ftpfh8oFhGWkvsbN2mld9zBTpuk65iYOCCzgg3M+65ipr4pmzsyd0KNnSqrDtDWV+4v1nLWKwXq9nOSohHOTCsKSoF6OekN3PxykO2dgUVi0cURq3FV032Q0HcGmTH+Wc/YfJ01nlgOBKV2y4U3VFWOeOcUweQP04Cd04i6A6sicYtHeiQEq6pgeL5bj7JfOzqUWFI6+hgmN9NlBr63VWnl56wzC7GWSEulJ9oj64+UvseK3nrJZxxfl7BFSju5AvTXm49YTlEfrIdDR3940+PNs1IPz8mFpWUMYFTAANeEi4CIvsU39Xy0d1rtMW2Ye/230uHuLuqLB3mkDg9aJNRTpGijMw2s/w1X+eGwoyRfV3fxrPbVr0A9HxYI0ZO0aqNZ5D5oWlHfrExiVBBYg86KEdV2rMIY+ng1K8ZsMvh+jJIVE6N2+bjD1KigsvoaALkjRIDUCWgQEP9gUbC9vzH+t7wHkB79y0TrC7mr3KYQpAeaWNYOV7JoCZw6kGzNzG0W+YLoArmZtPLXHMckMtfyTwIdqP7CrAjW4AmAXpJ/FTdwFLhReq0YfYDvJBW2ybgh3r+h7tMvM2+rl3YkOS+f+TodFs09kAM9mLrVgKrOSuDHkkWtdO3kzDg43uPYSjtzsuCdceeTlY9R7yjI=
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a321d776-cfcf-4340-502f-08d9e7142b66
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB6704.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Feb 2022 12:53:26.5310 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: G9nE9pjBWLBA3rjQXHFIMKGB4DxS+XY+vTGVHMA4UG0eRLWmhuGE2KVixnDB7z6LxULqO8eB5WLR21NXpf2u+w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0701MB2839
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/COr1U72WBpgjkfNpqnQgUoVvOzk>
Subject: [I2nsf] Review of draft-ietf i2nsf-nsf-facing-17 was Re: Secdir last call review of draft-ietf-i2nsf-nsf-facing-interface-dm-16
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2022 12:53:36 -0000
With an IESG telechat scheduled for 17th February, I believe that -17 goes in the wrong direction, with its expanded descriptions, with its import of packet filters and its addition of application-protocol identity. The I-D has been reviewed many times without comment on the descriptions so when one reviewer does comment I see that as more a comment on the reviewer than on the I-D:-) Here it is problematic because the same YANG definitions appear in other I-D without the expanded descriptions so there is a mismatch within the set of I-D. And as an AD said recently, you should reference and not replicate technical matter (which as ever highlights the lack of a common document for all the things that are common although I do not advocate tackling that at this stage of the cycle; perhaps a reissue of the framework document, RFC8329, or an update of the terminology one) so if expanded descriptions are needed they should be in one place. The expanded descriptions will need some editing of the English (perhaps a lot, IMHO) but since I do not think that they should exist I will not comment further on that. Packet filters (RFC8519) were referenced in the framework document and if they were in this I-D from the start then I might have been ok with that but I see such a big change so late in the day as the wrong thing to do especially as I do not see packet filters as the right approach. They are clumsy. Many YANG modules want to specify a range or a single value, of IP address and such like and many if not most achieve that with 'min' and 'max' with 'min = max' for the single value (some use the absence of max to denote this but for me that is fail danger). With that approach the model has two leaves min max With the packet filter approach you have e.g. grouping port-range-or-operator { choice port-range-or-operator { case range { leaf lower-port { leaf upper-port { case operator { <eq neq gte lte> leaf operator { leaf port { which I find overly complex and so prone to misunderstanding and error. 'application-protocol' has made an appearance in -17 and I do not know where that came from. I can see the need for applications in 'consumer-facing' but it seemed of little relevance in 'nsf-facing' with its emphasis on ethernet and such like so the difference between the I-D seemed logical to me. And in incorporating the YANG identity, with references, you have, as ever, failed to add the references to the I-D References introducing another ten errors. I note the shortening of the names which can be a good idea if it were done consistently across the I-D and it were done at an earlier stage. (I note that the examples would appear to be in line with this; on an earlier occasion they were not). In places though it may have gone too far; sometimes there are too many fields with an identifier of 'name' IMHO and a prefix thereto would be helpful. And as ever this introduces inconsistencies across the set of I-D which should be found and fixed, not an exercise I am likely to undertake any time soon. And as and when the terminology diverges from RFC8329 then I think some comment thereon is called for. I realise that multiple versions of nsf-facing have appeared since -17 but I planned my work to be complete in time for the IETF telechat and never imagined that there would be such extensive changes so late in the day I have yet to look at them. I may, I may not. Tom Petch ----- Original Message ----- From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> To: "Kyle Rose" <krose@krose.org>; "tom petch" <daedulus@btconnect.com> Cc: "secdir" <secdir@ietf.org>; <i2nsf@ietf.org>; "JungSoo Park" <pjs@etri.re.kr>; "Last Call" <last-call@ietf.org>; "Yunchul Choi" <cyc79@etri.re.kr>; "Patrick Lingga" <patricklink888@gmail.com>; "skku-iotlab-members" <skku-iotlab-members@googlegroups.com>; "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sent: Saturday, January 22, 2022 1:57 PM Subject: Re: [I2nsf] Secdir last call review of draft-ietf-i2nsf-nsf-facing-interface-dm-16 > Hi Kyle and Tom, > Here is the revision of I2NSF NSF-Facing Interface YANG Data Model Draft: > https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-facing-interf ace-dm-17 > > I attach a revision letter to explain how Patrick and I have addressed your > comments. > > Thanks. > > Best Regards, > Paul > > > On Tue, Nov 23, 2021 at 2:57 AM Kyle Rose via Datatracker <noreply@ietf.org> > wrote: > > > Reviewer: Kyle Rose > > Review result: Has Issues > > > > I have reviewed this document as part of the security directorate's ongoing > > effort to review all IETF documents being processed by the IESG. These > > comments were written primarily for the benefit of the security area > > directors. > > Document editors and WG chairs should treat these comments just like any > > other > > last call comments. > > > > This document Has Issues. > > > > I don't actually have a lot to say about this document from a security > > perspective: its purpose is to describe, using YANG, a data model intended > > as > > the basis for configuration schemas developed for implementations of the > > Interface to Network Security Functions (I2NSF) framework. Security > > considerations for the most part should be addressed in documents > > describing > > system architecture or normatively detailing how implementations are to > > make > > use of the data model described here. I'm not going to relitigate any such > > issues here. > > > > The main issues I found in this document are ones that I, as someone not > > terribly familiar with YANG, found troubling from a general engineering > > perspective. These are best illustrated by example: > > > > * Why are `ipvX-prefix`, `-range`, and (the misleadingly-named) `-address` > > defined here? These concepts are generic enough that they should be in > > modules > > of their own to minimize variation among data models and the errors that > > will > > inevitably result from capturing the same concept in slightly different > > ways > > that are not obvious to the user. * Overall, I have to imagine that much > > of > > the `nsfintf` data model is generic enough that it should be captured > > externally. For instance, `tcp-flags`, `port-range`, `flow-label`, `dscp`, > > etc. are generally useful elements of an abstract transport data model > > that > > they shouldn't be defined here, but rather incorporated from an external > > data > > model that is maintained by those in (for example) the transport area. > > > > Am I just commenting on the YANG ecosystem in general? If these are > > standard > > practices, then the overall ecosystem has major latent problems. Ideally, a > > particular YANG module seems like it should describe only those elements > > defined at a particular layer, in this case rules and actions, and use > > reference external modules for elements that are defined at lower layers. > > > > Also some nits: > > > > * `ipvX-address` describes a subspace of the global IPvX address space, > > not a > > single address. The name is going to cause problems. * The descriptions > > given > > are often (usually?) just restatements of the entity name. Example is > > `identity priority-by-order` described as "Identity for priority by > > order". > > The description should provide some value for the user beyond simply > > restating > > the name. * The headings in section 5 should be clearly labeled with the > > word > > "example", such as "Example Security Requirement 1". * IPv6 addresses in > > text > > MUST be represented in lowercase, according to RFC 5952 section 4.3. > > > > > > _______________________________________________ > > I2nsf mailing list > > I2nsf@ietf.org > > https://www.ietf.org/mailman/listinfo/i2nsf > > >
- [I2nsf] Review of draft-ietf i2nsf-nsf-facing-17 … tom petch
- Re: [I2nsf] Review of draft-ietf i2nsf-nsf-facing… Mr. Jaehoon Paul Jeong