Re: [I2nsf] AD review follow-up #2 on draft-ietf-i2nsf-consumer-facing-interface-dm-25
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Wed, 01 March 2023 17:16 UTC
Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB19AC151AED for <i2nsf@ietfa.amsl.com>; Wed, 1 Mar 2023 09:16:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.073
X-Spam-Level:
X-Spam-Status: No, score=-2.073 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id If6qJjMie95J for <i2nsf@ietfa.amsl.com>; Wed, 1 Mar 2023 09:16:46 -0800 (PST)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 834CCC14F721 for <i2nsf@ietf.org>; Wed, 1 Mar 2023 09:16:26 -0800 (PST)
Received: by mail-pg1-x52c.google.com with SMTP id bn17so8136946pgb.10 for <i2nsf@ietf.org>; Wed, 01 Mar 2023 09:16:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1677690985; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oAXSaxdNVTEojaeM4wyjS941yPWhiefMK3sLd4iBFq4=; b=lJvkNHp/rucefcp5ZwK1rbQW26RPQ4MZ0ce7agMgPU7GHZOS67F1DfUIosM+cdU17x nQe1O/mxnfYrrtmRyJbpjiFqbnqCsxgeMMQZD45nm6NpHpTM9rWRzI9mn7T4D2RGJIcb HA2j4eLvYIOifjK55y1pa0X04bEBuNNiTg8JkOvRuCRcq66UqtMa32/2vrO0Ph9iUJed Pg90xfoTyakWU0Uw2Y+tlNOvPpyAktqUzGtu6mSo+lWLFpGnMdZu1RIZVn+yGFVtLZNT eBSp8yMaD1qvCuHzYExYVL8QZ68v3qKF5iRdUmPPLhmWBpn8jx97yM7+Kii6KduZIDdl p4Tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677690985; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oAXSaxdNVTEojaeM4wyjS941yPWhiefMK3sLd4iBFq4=; b=eMMQIYH97lWfx38nAmbXxFqUpzBLU+uylB25xAkbqg92es4W8uOMs8Tw6actk3R/1B CYSn//z98b1ytNOqcoWPvMMtiroahthAfya7kJl7yZ3+xtFyvxqbpQklKzFgtiMGetDU T3ZDmCVXDX4T53fXcTaaqLJvialgrVvHtw6kNyaop8mg/ya0OIk+4KS/dCldjV5IE1uu ji9RZ7vRIlaoqto0W6oUPAcF1W0ZJRWjn3TzNo7FxIdINhUIZW7y0d0EMcr1NGQH4OMw /mPdTafe2uUZTr+I9ZozAv+QK86BN/yehGg1M6k4O8qXNuhXIEGa5Hn8AHnLn82gGb/B L0ww==
X-Gm-Message-State: AO0yUKWEnRwySzW3o/7SoXp6XZUOpVUvb+l6OmHCEDLljd3YZaVvZh99 6iBljFgzvWne7dFpVw50V2kJvEnioX6T2ox7PfE=
X-Google-Smtp-Source: AK7set9aAC8/qFeUNdFMztiVV9fOjQLk/BFYGI4ygeDONnn3ZrMgZcWkzaHlsTlA6XowwJG3lYwnhpOfZ+7MqtcUrKY=
X-Received: by 2002:a63:3545:0:b0:4fd:5105:eb93 with SMTP id c66-20020a633545000000b004fd5105eb93mr2383090pga.3.1677690985039; Wed, 01 Mar 2023 09:16:25 -0800 (PST)
MIME-Version: 1.0
References: <BN2P110MB1107957DB42BA7638FE5D0DBDCAC9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107957DB42BA7638FE5D0DBDCAC9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Thu, 02 Mar 2023 02:15:48 +0900
Message-ID: <CAPK2DexPB85TfxgoQpzFyE_2M2WB8g4=nhTTo-CvRMbR0wyyMA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/mixed; boundary="00000000000035565605f5d9df51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/F3XqJjNSl7UnaJj6_BfCWF9Mjz4>
Subject: Re: [I2nsf] AD review follow-up #2 on draft-ietf-i2nsf-consumer-facing-interface-dm-25
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 17:16:49 -0000
Hi Roman, Here is the revision of the CFI YANG Data Model: https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-26 I attach the revision letter. Thanks. Best Regards, Paul On Tue, Feb 28, 2023 at 12:21 PM Roman Danyliw <rdd@cert.org> wrote: > Hi > > I performed an AD review on > draft-ietf-i2nsf-consumer-facing-interface-dm-23 ( > https://mailarchive.ietf.org/arch/msg/i2nsf/VHbdIrvHo5EjvcyQf5v9fjeVy1w/). > The authors produced at -24 in response (thank you!) and I provided > additional feedback ( > https://mailarchive.ietf.org/arch/msg/i2nsf/J5w-jujcwV3dve79Ta-SyEHjf28/). > The authors have published a -25. Much appreciated! > > To make it easier to track the remaining issues, I've created this new > thread. The following is feedback on the new text introduced in -25, or > unresolved issues from -24: > > ** Section 4.3. Location-group > > [-24] Thank you for the clarifying language in this section in -24. Per > the addition of the country, region and city fields please add normative > references for ISO3166-1 and ISO3166-2: > > [-25] Thanks for cleaning up the RFC8805 references. Please also add > normative references for ISO-3166-1 and -2. > > ** Section 5/Thread Feeds and IOC > > Thanks for the changes which resulted in "thread-feed-list/ioc" in -24. > > [-24] -- STIX, MISP and OpenIOC need to be normative references > > [-24] -- For [MISP] and [OpenIOC], if the best reference possible is in > github, please at least include a branch or tag. > > [-25] Thanks for adding "(branch master)" to [MISPCORE] and [OPENIOC] > reference. History from prior IESG reviews says that this is insufficient > because the main branch can be committed to at any time and won't be > considered stable. A specific commit has been sufficient. Check my > recommendations below for accuracy, but please use URLs to specific blobs > in github: > > MISP = > https://github.com/MISP/misp-rfc/blob/051e33b6711a660faf81733d825f1015aa0d301b/misp-core-format/raw.md.txt > > OpenIOC = > https://github.com/fireeye/OpenIOC_1.1/blob/d42a8777708e171f8bdd3c2c9f8590c83488285d/schemas/ioc.xsd > > As an aside, I'm being very particular on getting these reference right > now so we can confirm consensus during IETF LC on using them as normative > references. > > ** container anti-virus > > -- Per the description in Section 3.2 > > ==[ snip ]== > This field represents the configuration for an Antivirus interruption. A > specific security profile can be added to Security Controller in order to > update the security of the Antivirus. Filenames or paths that contain the > profile can be specified by I2NSF User. The decision to either perform or > skip the Antivirus interruption depends on the action of the rule. For > example, a drop action uses the security profile for dropping either > packets or flows in the Antivirus interruption. On the other hand, a pass > action uses the security profile for allowing either packets or flows > without the Antivirus interruption. > ==[ snip ]== > > o Editorial. Can a different word that "interruption" be used? I didn't > notice this change in -24. This is the first mention of that term, but > there are no "firewall interruptions" or "url filtering interruption". Why > introduce it? > > o The concept of "profiles" is introduced here. Per "... in order to > update the security of Antivirus", would it be clearer to call this the > configuration of the antivirus? > > -- per the leaf-list profile > > ==[ snip ]== > leaf-list profile { > type string; > description > "The path or name of the file that contains a security > profile for the Antivirus interruption. The security > profile is used to scan the viruses. The absolute > paths and relative ones are to be interpreted as > globs. The decision to perform or skip the Antivirus > interruption depends on the action of the rule. A drop > action uses the security profile for dropping either > packets or flows in the Antivirus interruption. On the > other hand, a pass action uses the security profile > for allowing either packets or flows without the > Antivirus interruption."; > reference > "GLOB: Linux Programmer's Manual - GLOB"; > } > } > ==[ snip ]== > > When this leaf-list was called "exception-file" (-24 and earlier), this > data element explicitly referenced filenames/paths/globs to skip. That is, > specific files names and hashes were enumerated. In this revised > definition, the semantics are less clear. What is meant by "profiles"? Is > that a configuration file loaded into the AV? Is it's format vendor > specific? > > Per "The absolute paths and relative ones are to be interpreted as globs", > why is it "paths", plural? Where are the multiple paths coming from? The > first sentence says the "The path or name of the file", singular. > > Since [GLOB] is being cited in the YANG module and seems integral to how > read a path, please make it a normative reference. Also, the new ubuntu > URL is no more stable. Please instead use the recommendation from Paul > Wouters (thanks Paul!) to cite glob as from the Open Group/IEEE: > > NEW > [GLOB] glob. Open Group Open Group Base Specifications Issue 7, 2018 > edition/IEEE IEEE Std 1003.1-2017. > https://pubs.opengroup.org/onlinepubs/9699919799/functions/glob.html > > > ** YANG. list payload-content > > Thanks for added the additional guidance on handling multiple content > fields and the support for depth and starting point. > > [-24] Both offset and distance limit themselves to a range of "0..65535". > If dealing with packet header information only, I can see this as being > adequate. I'm imagining a hypothetical multi-MB network stream. Should > there be flexibility to search past 65K? > > [-25] Thank you for the changes that made to both offset/distance to > define them as int32. Could you please also add text which describes how > to handle negative numbers. For example, what would offset=-72 mean? > > Regards, > Roman > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf >
- [I2nsf] AD review follow-up #2 on draft-ietf-i2ns… Roman Danyliw
- Re: [I2nsf] AD review follow-up #2 on draft-ietf-… Mr. Jaehoon Paul Jeong