IETF Logo Mail Archive

[I2nsf] AD review follow-up on draft-ietf-i2nsf-consumer-facing-interface-dm-24

Roman Danyliw <rdd@cert.org> Mon, 09 January 2023 16:14 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E71C14F729 for <i2nsf@ietfa.amsl.com>; Mon, 9 Jan 2023 08:14:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZV_rQfZLAZO for <i2nsf@ietfa.amsl.com>; Mon, 9 Jan 2023 08:14:01 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0119.outbound.protection.office365.us [23.103.209.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58F6CC153CBB for <i2nsf@ietf.org>; Mon, 9 Jan 2023 08:09:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=bhAL5SyJOz6eNIBw7ssMg88pWRz0PwbCzWQ6gdmy8VNtgGmlQXc4rqw+0ryOrsyWfWiYdbC8GEUnEk7Hge9S0oAuZuH1wcu81aVy1WBhO9mw0Ist9CSlZPPNgfokBlG1gFmUYrc/N4e0sMYWXosIPosYztvqpueMe3lbZcNmgwCvWkpBz22S+OdsWApfmWriw6hrizhYMfuT/n+Of65QMP306uZ09DlPCeHzHnORH36cXBZciQ4Ho2+/ebWdSLcdBhwcOaQxLa5g0/PHnhmLjk7Tlu7mkoU6Eyi9vkOGk1Sy4VNAOt9rPSq1/ilKHonIETtuDfetDWpWCr9a/YvxuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=y3wy6bC6pXKamFvWaU3UjVNYbsHbBQrYYrK4N5O/Or0=; b=AlA393S0pO2uDglxNbAJO4rFUwxNEn+SjXbw6KD70arhj6tUoZ207teFUGxs6SyELpeWv++OPt7+Qn03l0ThFnnSHaJbjYaS15bRpl9whaT8d9QeOfuhGWz051jMx69rliGMAFsVTWmZsEFh2Xf5OwiMZ4Oh1dolRzG73qZ/2OMz97/CPM3btCuTiH+7ItoTriQ5Df+gdQljfc/4PeS5WQs8uVYU4yA9/YE336mMgMU5LjyVhEHYADdQrXDGoB4OKJuYXA6NP1D2k5aO5klafrXotPZ/oQcqYqMhUV3E8/h54x84OeQuATlZRH6LU3Bmsm4SJ5NKQRP+ZrNil2BC7Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y3wy6bC6pXKamFvWaU3UjVNYbsHbBQrYYrK4N5O/Or0=; b=HFN1x6dOJv8nmBsoySlYEIv1dEY3CFDHnNWZ10i3vKm0ALT4XSAkhB6xLWpnp7mJJfvEuaNHor/SFaKt672i/h52CQM5wACaMLwo6yB44JyyHAqE8SgCv4QQ3ywt0ZrtvYJat7gn20n0AEEeUD9WtzbQdAp9CZcBYWYiyALDAaQ=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1073.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:16b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5944.19; Mon, 9 Jan 2023 16:09:44 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dacc:e769:564c:f0e]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dacc:e769:564c:f0e%6]) with mapi id 15.20.5944.019; Mon, 9 Jan 2023 16:09:44 +0000
From: Roman Danyliw <rdd@cert.org>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: AD review follow-up on draft-ietf-i2nsf-consumer-facing-interface-dm-24
Thread-Index: AdkkRHN6M724fbsdQs+PSgB6cn5MiQ==
Date: Mon, 09 Jan 2023 16:09:44 +0000
Message-ID: <BN2P110MB110791C0BBA0EA630B6E4BDADCFE9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1073:EE_
x-ms-office365-filtering-correlation-id: fc2c1516-1fec-4f3b-cfeb-08daf25bec34
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PkzFj6nfAvRD3Ot0kVvM3cPlaJ2CkdGULmFGTt+qFtV17jzr/NBQk7u0qpg8Hz4Oqiwh7Z6VSv7jundJ16zXp22cc5ycs7t4I+6Bx2MU7aLMfeYMfF4z79VCPgr/bZ+W5UU0+hw+xQ/f25ic0wmbrVM8pBJHwDZSB44hrpS0EAGhJukYBlYv4yljSCA1et2x4cz03U0sQtDMxDS/jJYixETKPnlHEAN/wp+4C5J3bBUqy8MAqSNYKCW4AhTkyA52SYbiyW7T9ahCeO7fj8/Urb0QlW6VORlxx5SSsfPk3SeF0Y/QKzDUDKD513/cr9IiwMKYu9g7CwHKFPmM9QCJd2ALQI5uYEKFTshyVPj68yRHEJdDDCfsIBWu1SrBMDKVij6rio/TTxtPcqmJQ/ZjcsDqQW+soli9tItrF/TwuMmulc7pNfv5d3kGDpnohSmwiSY/PSES4vn5KvcYHFjmO1bt9mULA1C2uoEdnXoZAhyU8bQFQjwnaNYAkWkyqcxoWDKdqWRHws0nvqI2WZfwi9JsjHNtjERiVCCWtpDSL0/dMhbBQBpgGY0ya+7imy5OkLk6WIQsYlgAqspbwHRip5dmhdtu1De6w8bocL2wovrx5jiLLcTs0qNdVK+hvvS4Ms5+CO1/4gmArElrfNOT4Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(136003)(366004)(396003)(39830400003)(451199015)(33656002)(41300700001)(2906002)(52536014)(86362001)(66899015)(38100700002)(122000001)(8936002)(5660300002)(38070700005)(66574015)(83380400001)(66946007)(966005)(71200400001)(82960400001)(76116006)(6916009)(6506007)(66476007)(26005)(55016003)(41320700001)(66446008)(508600001)(186003)(7696005)(64756008)(8676002)(66556008)(9686003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: N1OFfUfjsENvcUCeb33Gd+mkI8w5HYTW5fGYrBp1R2uh2eqxA+P6FPNjOOvRRlbd8QjNgfTfJHZ82FbJVoXX4hj4fCoPSlyAdenfMMTjqza4OASfbcJ3FP0sf475lpAHRUAskmGW1vT3Z4c6PFNjC3QgQJM4udlwOEydX2rjJFB9UMa49SyDcJoenmtBeMh7UdAl68pV95DoLGs4uZfS2NUeXB28hWpPKU4qfV/e6wvvSLKOexaI3vVyJBXEx93c8KlC08WNnHE38Tu1JQc+PC4ixVYNMEYkBefAVaVGMjA4UC/lXnKMRWtVbXBmB+IPuRpxIon90A3HKhxg60j+B3e6sNggA9d5OUYnK8LXLfuurk5HbKWhVPNtFHEAW0iuY3qWoRX6I6pGePyq1cgRkTdNk415etB3GJgtmJg5iKQ=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: fc2c1516-1fec-4f3b-cfeb-08daf25bec34
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jan 2023 16:09:44.4550 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1073
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/J5w-jujcwV3dve79Ta-SyEHjf28>
Subject: [I2nsf] AD review follow-up on draft-ietf-i2nsf-consumer-facing-interface-dm-24
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2023 16:14:05 -0000

Hi!

I performed an AD review on draft-ietf-i2nsf-consumer-facing-interface-dm-23 (https://mailarchive.ietf.org/arch/msg/i2nsf/VHbdIrvHo5EjvcyQf5v9fjeVy1w/).  The authors produced at -24 in response.  Thank you!

To make it easier to track the remaining issues, I've created this new thread. The following is feedback on the new text introduced in -24.

** Section 4.3. Location-group

Thank you for the clarifying language in this section in -24.  Per the addition of the country, region and city fields please add normative references for ISO3166-1 and ISO3166-2:

[-23]  Geo-ip-ipv4 and Geo-ip-ipv6 are citing RFC8805.  My understanding of that specification is that it provides a way to bind a geographic name to an IP address.  I don't see anything in the Location object that ties a human readable geographic label to an IP address.  Is the related geography in the Name field?

[-24] The YANG definition of "location-group" still cites RFC8805.  With the addition of the country, region and city fields, in what way is RFC8805 still used?  It seems like with the current fields there is a complete mechanism to map human readable names to IP addresses (and then I don't see a reliance on RFC8805); or all of these fields could be dropped in favor of a single uri field that points to a RFC8805 file.  Perhaps a hybrid would be possible too.

** Section 5/Thread Feeds and IOC

Thanks for the changes which resulted in "thread-feed-list/ioc" in -24.

-- STIX, MISP and OpenIOC need to be normative references

-- For [MISP] and [OpenIOC], if the best reference possible is in github, please at least include a branch or tag.

-- Conflict of interest as I am one of the document's co-author's: _consider_ if you also want to include RFC8727 (JSON binding of IODEF).

** YANG.  Per the fields under "rules":

The revised text says:

         leaf name {
           type string;
           description
             "This represents the name for a rule. The name must be
              unique to represent different rules.";
         }

-- Should the "unique" constraint per Section 7.8.3 of RFC7950 be applied here?

-- Editorial. Is it that the "name must be unique to represent different rules" or that "each rule name must be unique"?

** YANG.  container anti-virus.  

[feedback for -24]
          leaf-list exception-files {
            type string;
            description
              "The type or name of the files to be excluded by the
               antivirus. This can be used to keep the known
               harmless files. Absolute paths are filenames/paths
               to be excluded and relative ones are interpreted as
               globs. Note that the file names can be hash names
               to specify malicious files to block.";
            reference
              "GLOB: Linux Programmer's Manual - GLOB";

The above text is new in -24 to address feedback in -23.  This new text 

-- The semantics of the "hash name" idea would benefit from further specification.  How does one know if one has a hash name as opposed to a file name?  How does one know which hash algorithm was used?  Why are the block values (i.e., the hash files) in the same leaf-list as those being explicitly allowed (i.e., block values are being shared in an "exception-file" list)

-- [GLOB] needs to be a normative reference.  Please also find a more stable reference than https://man7.org/linux/man-pages/man7/glob.7.html


** YANG.  list payload-content

Thanks for added the additional guidance on handling multiple content fields and the support for depth and starting point.

[-24] Both offset and distance limit themselves to a range of "0..65535".  If dealing with packet header information only, I can see this as being adequate.  I'm imagining a hypothetical multi-MB network stream.  Should there be flexibility to search past 65K?


** Section 7.1 (was: Section 8.1).  Per Figure 20:

Thanks for the changes in -24 to address prior feedback on Figure 19 and 20.

[-24] The following text was added to Figure 20:

  <voice-group>
    <name>malicious-id-v6</name>
    <sip-id>sip:david@[2001:db8:2ef0::32b7]</sip-id>
  </voice-group>


Use of the brackets around the IP address ("sip:david@[2001:db8:2ef0::32b7]") is not a valid address.  It should be "sip:david@2001:db8:2ef0::32b7".

** Section 7.4 (was: Section 8.4)

[Per -24]
Thanks for explaining how the rates are computed.  It appears that in this section the following text was added:

  Note that tcpdump can be used to capture packets per host as source
  [tcpdump]. tcpdump can limit capture to only packets related to a
  specific host (e.g., source) by using the host filter.

No disagreement on the capabilities of tcpdump.  However, I'm having trouble understanding the role it plays in the example.  Is tcpdump being invoked  If so, how is that evident from the example?

Thanks,
Roman

v2.23.0 | Report a Bug | By Email