IETF Logo Mail Archive

Re: [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04

Andy Bierman <andy@yumaworks.com> Wed, 07 October 2020 03:24 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D45D3A15DF for <i2nsf@ietfa.amsl.com>; Tue, 6 Oct 2020 20:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URI_DOTEDU=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bB-7o3hK4x3t for <i2nsf@ietfa.amsl.com>; Tue, 6 Oct 2020 20:24:32 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4CCE3A15DA for <i2nsf@ietf.org>; Tue, 6 Oct 2020 20:24:31 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id y11so617086lfl.5 for <i2nsf@ietf.org>; Tue, 06 Oct 2020 20:24:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TP1TvcFNzx2NMIFUASaOW7YIxoyja4WxjSVMDI1jASg=; b=lD26AeYjI5w1XAc9gKmXckl7cStbZPVc5tm5D8paBqIduFX6kVf1KXQr6s/oCPyjKW rbpMKsvBvCS8D2u3WuCPvYUxpIPvp0fvf8cXkTFOJE8uSmdZ5ATyadBm7QyKFruHimVA jC8Fn0ClNtO7x/Da1TZyLK7VFQufeFtQXoeSYyra4qqJyvUvqhgCe/JrvmGE4jnmzjS4 uZOfFnmGsZ+rBUwkiZ1wHR1FY0IL6mzeUby4O26OL0qCgLrEjMxDcLSK7ScMgGx1pztj /BVbjZ8KlkRMtKaAtObLGCqOmBXjWFimaK5+kbqmwQnGq+cBRXJHs4oFIL4VDJSo0Z57 CuLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TP1TvcFNzx2NMIFUASaOW7YIxoyja4WxjSVMDI1jASg=; b=Ddd51hSNGJcTWb7vN/wJr+VdTqGZ2wlTlVy2dw1RoTCuunnJs9XdI+a7MwG8pi/ccq iLnX4O4w6/QK4lGRQivh5D3yKA1zvZc2WUHnSsbzGHTOFtCt7bBHfoWvcuG6qX4WwYlX BoeBPNZ9yHTfzIFUEjRc92TrN0POvo+KwUx2s6ULc/24kElAoAYk0ygco91X5R3K7gMF fFzq+3aWRfANZWycS9ThfGfwlvjl3rIAHQLuUl8Kry4axciyfkCDo88je3G/e+SHjTG9 CvnJ2HGObug5oIWLUhKgVeFJZp8qoSGxU3fxnCsJzfbWwuIXWKNovu7ObIH49bjD98QN jMAQ==
X-Gm-Message-State: AOAM533XEXAq3pKqF8tPjoBV2eaIXmGdi6NHR54AR+Rk3Jh69P7xO3eT XNRzB1u7nHmUdPobvIOm+thnFB1z9HG3bdVf8NKqUw==
X-Google-Smtp-Source: ABdhPJwGPY6m4aze3YQLnIAqetkzYrN/++iA8yWnVDA/2uGx7SDvIcSDtz7OEf/+ch1MXxoy07fkiy/pyO6BfZRqyUg=
X-Received: by 2002:a19:6818:: with SMTP id d24mr240176lfc.107.1602041069549; Tue, 06 Oct 2020 20:24:29 -0700 (PDT)
MIME-Version: 1.0
References: <160192102291.6633.15935674903085952087@ietfa.amsl.com> <CAPK2DewOF7QcTD8UdFYdoGUvnJz_fxb53OOn-KmYQgNA38xLoA@mail.gmail.com> <CABCOCHQsxFVNdBgL9fyZHV+Bevs1D8d5B=+KJAgoVBVekz+VtQ@mail.gmail.com> <CAPK2DewNDq2_DtZhtxitTsavHczwiSKur9+yQPLR+18UbV-QHg@mail.gmail.com> <CABCOCHT-0mKbYBDtZHnANRLqMtSsT1ijhoe1znoS2_pDHn4WNA@mail.gmail.com> <CAPK2Dexfpfgt730k5Zn3Aq34946Q5go4TuRrekA2hbbm_Wj_Jg@mail.gmail.com>
In-Reply-To: <CAPK2Dexfpfgt730k5Zn3Aq34946Q5go4TuRrekA2hbbm_Wj_Jg@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 06 Oct 2020 20:24:18 -0700
Message-ID: <CABCOCHQ3mCngcarHaL70KBEA4G7Wf4YSgf=UZTpYLESykn6Ckw@mail.gmail.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Cc: YANG Doctors <yang-doctors@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, draft-ietf-i2nsf-nsf-monitoring-data-model.all@ietf.org, Patrick Lingga <patricklink888@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ddd73205b10c407e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/DgiqTbEKLQx5Xw2lNLCdDOrndvo>
Subject: Re: [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2020 03:24:35 -0000

On Tue, Oct 6, 2020 at 8:04 PM Mr. Jaehoon Paul Jeong <
jaehoon.paul@gmail.com> wrote:

> Hi Andy,
> I will investigate the event stream with information you sent me below.
>
>
The notification RFCs are a bit new.
An event stream is shared by all sessions that subscribe to that event
stream.
There is a default value that must be supported : "NETCONF"

You do not have to create a new event stream (e.g. "I2NSF")
You can use "NETCONF" if you want.
It is really up to the device vendor and operator to use proprietary
mechanisms
to configure the event streams.


Thanks for your help and advice.
>
> Best Regards,
> Paul
>

Andy


>
> On Tue, Oct 6, 2020 at 1:51 PM Andy Bierman <andy@yumaworks.com> wrote:
>
>>
>>
>> On Mon, Oct 5, 2020 at 9:05 PM Mr. Jaehoon Paul Jeong <
>> jaehoon.paul@gmail.com> wrote:
>>
>>> Andy,
>>> What do you mean by the event stream?
>>>
>>>
>> https://tools.ietf.org/html/rfc8639#section-2.1
>>
>>
>>
>>> Actually, I am thinking that the NETCONF can deliver the monitoring data
>>> of a system or an NSF in an XML file.
>>>
>>> Do you think that we need another way to convey the monitoring data?
>>>
>>> Thanks.
>>>
>>> Best Regards,
>>> Paul
>>>
>>> On Tue, Oct 6, 2020 at 12:30 PM Andy Bierman <andy@yumaworks.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Oct 5, 2020 at 7:30 PM Mr. Jaehoon Paul Jeong <
>>>> jaehoon.paul@gmail.com> wrote:
>>>>
>>>>> Hi Andy,
>>>>> Thanks for your valuable comments on our NSF Monitoring YANG Data
>>>>> Model Draft.
>>>>> We authors will reflect your comments on the revision and come back to
>>>>> you with
>>>>> the revised draft and revision letter.
>>>>>
>>>>>
>>>> I forgot 1 comment:
>>>>
>>>>  - the draft is not that explicit about the event stream to use for
>>>> these notifications
>>>>    Perhaps a new standard event stream (I2NSF) would be better than the
>>>> standard (NETCONF)
>>>>    The draft should be more clear wrt/ the NETCONF stream.
>>>>
>>>>
>>>> Andy
>>>>
>>>>
>>>>
>>>>> Thanks.
>>>>>
>>>>> Best Regards,
>>>>> Paul
>>>>>
>>>>>
>>>>> On Tue, Oct 6, 2020 at 3:03 AM Andy Bierman via Datatracker <
>>>>> noreply@ietf.org> wrote:
>>>>>
>>>>>> Reviewer: Andy Bierman
>>>>>> Review result: Almost Ready
>>>>>>
>>>>>>
>>>>>>
>>>>>> Major Issues:
>>>>>>
>>>>>>  - None
>>>>>>
>>>>>> Moderate Issues:
>>>>>>
>>>>>>  - top-level 'counters' container does not follow naming conventions.
>>>>>>    Should start with 'i2nsf', probably 'i2nsf-state'
>>>>>>
>>>>>>  - There do not seem to be any writable objects in the /counters
>>>>>>    subtree so this container should have a 'config false' statement
>>>>>>
>>>>>>  - top-level typedef and grouping description-stmts are
>>>>>> self-referential
>>>>>>    and not useful. Need to rewrite description-stmts and/or add
>>>>>>    reference-stmts as needed.
>>>>>>
>>>>>>  - grouping common-monitoring-data/time-stamp
>>>>>>    Is this a different time stamp than the one in the NETCONF
>>>>>> notification?
>>>>>>    The 'message generation time' sounds like the standard timestamp.
>>>>>>    Does this object represent the event detection time?
>>>>>>
>>>>>>  - grouping i2nsf-system-alarm-type-content/usage
>>>>>>  - grouping i2nsf-system-alarm-type-content/threshold
>>>>>>    These are uint8 leafs with unclear descriptions.
>>>>>>    Not sure why uint8 is the appropriate type.
>>>>>>    Needs 1 or more of (reference, units, better description)
>>>>>>
>>>>>>  - grouping traffic-rates
>>>>>>    Add a units statement to each leaf. Not sure what units to use
>>>>>>    but it should be consistent. (e.g, pps, bps used in descriptions
>>>>>>    should also be in a units-stmt)
>>>>>>
>>>>>>  - grouping i2nsf-system-counter-type-content
>>>>>>    These counters should use the yang:counter32 type instead of uint32
>>>>>>
>>>>>>  - container counters/system-interface
>>>>>>  - container counters/nsf-firewall
>>>>>>  - container counters/nsf-policy-hits
>>>>>>   The descriptions are too terse and confusing, and need a rewrite.
>>>>>>
>>>>>>  -  container counters/nsf-firewall
>>>>>>  -  container counters/nsf-policy-hits
>>>>>>     - uses i2nsf-nsf-counters-type-content;
>>>>>>     Many of the fields expanded from this grouping all say
>>>>>>     they refer to 'the packet'. Why are they in this global
>>>>>>     container of counters? E.g. (src-ip, dst-ip, src-port, dst-port)
>>>>>>     Not clear at all how the server is supposed to apply this
>>>>>>     grouping to these containers.
>>>>>>
>>>>>>  - many leafs use "uint32" type for a rate.
>>>>>>    Should add a units-stmt
>>>>>>
>>>>>>  - leaf counters/nsf-policy-hits/hit-times
>>>>>>    The purpose and type are confusing and generic.
>>>>>>    If this is a counter then use counter32
>>>>>>
>>>>>>  - cut-and-paste for notification-stmt content should be replaced
>>>>>>    with grouping/uses instead. Applies to the nsf-detection-*
>>>>>>    and the various logging notifications. Even a grouping that
>>>>>>    has 1 object in it is better than cut-and-paste 5+ times
>>>>>>
>>>>>> Minor Issues:
>>>>>>
>>>>>>  - top-level identifiers are too generic
>>>>>>    should have 'i2nsf-' prefix to be more reusable outside this module
>>>>>>
>>>>>>  - quite a lot of identities that an implementation is required to
>>>>>> support.
>>>>>>    If this set of identities might change a lot faster than the
>>>>>>    notifications and counter objects, then consider putting them
>>>>>>    in a separate module
>>>>>>
>>>>>>  - leaf with same type named differently; both intrusion-attack-type
>>>>>>    - nsf-detection-intrusion/sub-attack-type
>>>>>>    - nsf-log-intrusion/attack-type
>>>>>>
>>>>>>  - quite a lot of notification event types for a server to implement
>>>>>>    and a user to manage. All are mandatory (no if-feature statements).
>>>>>>    Some such as nsf-detection-* subset are very similar.
>>>>>>    A section or table would be useful that showed the YANG
>>>>>> notification
>>>>>>    names and their purpose -- maybe a reference to another RFC
>>>>>>    with more details
>>>>>>
>>>>>>  - there seems to be notifications for intrusion events and then
>>>>>>    again for the logging of those events.  This seems excessive
>>>>>>    but
>>>>>>
>>>>>>
>>>>>>  - grouping common-monitoring-data/time-stamp
>>>>>>    Is this a different time stamp than the one in the NETCONF
>>>>>> notification?
>>>>>>    The 'message generation time' sounds like the standard timestamp.
>>>>>>    Is this event detection time?
>>>>>>
>>>>>>  - grouping common-monitoring-data/module-name
>>>>>>    Is this a YANG module or some other type of module?
>>>>>>
>>>>>>  - there is no way to configure which notifications should be
>>>>>> generated
>>>>>>    or maybe how often.  YANG Push has its own dampening-period.
>>>>>>    Since these are event stream subscriptions, not datastore
>>>>>> subscriptions,
>>>>>>    YANG-Push does not apply to this document at all.
>>>>>>
>>>>>>    If there are a lot of notifications then a server implementation
>>>>>>    might drop some
>>>>>>
>>>>>>  - grouping i2nsf-nsf-event-type-content-extend/src-zone
>>>>>>  - grouping i2nsf-nsf-event-type-content-extend/src-zone
>>>>>>    These use type 'string'. Consider using a typedef that constrains
>>>>>>    the string.  General comment where unconstrained string is used:
>>>>>>    The corner-case values such as empty string are often not allowed
>>>>>>    in implementations.
>>>>>>
>>>>>>
>>>>>>  - grouping i2nsf-nsf-event-type-content-extend/rule-id
>>>>>>  - grouping i2nsf-nsf-event-type-content-extend/rule-name
>>>>>>  - grouping i2nsf-nsf-event-type-content-extend/profile
>>>>>>    These objects seem to reference objects in another YANG module.
>>>>>>    If so, then leafref types might be more appropriate.
>>>>>>
>>>>>>  - grouping i2nsf-nsf-event-type-content/rule-id
>>>>>>  - grouping i2nsf-nsf-event-type-content/rule-name
>>>>>>  - grouping i2nsf-nsf-event-type-content/profile
>>>>>>  - grouping i2nsf-nsf-event-type-content/raw-info
>>>>>>    These objects are cut-and-paste duplicates from
>>>>>>    grouping i2nsf-nsf-event-type-content. They should
>>>>>>    be in a separate grouping used by both. Also applies
>>>>>>    to some other sets of objects
>>>>>>
>>>>>>  - limits issues (e.g. current-session, maximum-session
>>>>>>    The type is uint8. This is only OK it is impossible for any
>>>>>>    implementation to ever have or want more than 255 of them.
>>>>>>    If some other RFC really does limit the values where uint8
>>>>>>    is used, then that is OK. If so, a reference-stmt would help.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> I2nsf mailing list
>>>>>> I2nsf@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/i2nsf
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ===========================
>>>>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>>>>> Associate Professor
>>>>> Department of Computer Science and Engineering
>>>>> Sungkyunkwan University
>>>>> Office: +82-31-299-4957
>>>>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>>>>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>>>>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>>>>
>>>>
>>>
>>> --
>>> ===========================
>>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>>> Associate Professor
>>> Department of Computer Science and Engineering
>>> Sungkyunkwan University
>>> Office: +82-31-299-4957
>>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>>
>>
>
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Computer Science and Engineering
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>

v2.23.0 | Report a Bug | By Email