IETF Logo Mail Archive

Re: [I2nsf] [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21

t petch <ietfa@btconnect.com> Wed, 12 January 2022 12:55 UTC

Return-Path: <ietfa@btconnect.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1D23A0AA8; Wed, 12 Jan 2022 04:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8jenFU5x01i; Wed, 12 Jan 2022 04:55:12 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50092.outbound.protection.outlook.com [40.107.5.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C77C3A0AA7; Wed, 12 Jan 2022 04:55:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pc2bI34MLD9pa/N3JGxSr91CUgednMod8xvjVSlOoeAKIjoxHAoMOffCfs3x9n4YD7f6yMmHWFjV1KNeD/ymjpaP7zFGLRXwikdLBUbkSLIK4sQP2HmMZLzWa7x8jhtuSsFv1HFunWJZEgqWBZHB9y2zuQfbZNlStU7AqXzAl1f9vfYM0UP8E6Iwi3/zCF10gAaRVkzjzxf4SIqq0PCce+GY5DOHtU2TNixxREi8Hn+a70hhdz6dse7fWDoXY9F+/3PYhaYLOPcKcDSamK/mnqTwgDEUtimRYvGLwlsdz10kS2TnNyC0I9Isli5kgZ3m+EITPsFGfXvbywpGKR04oA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=az79kAIlUNPC99e0yElhV/xqgR1oPWnpaD7VSXu2cgc=; b=CRnNOWcR7o6zbCQyq+eKgZ4Z2SuzxB5G/Q9+bv7iUyFbSMgzgoeL5VnMVxKVQ1Afj3KTz2hovJ2kt1H6lvvEAcM9lZ+5LqkJA6/+qtGspfeQ2HkU9Ud5VFeeB41etS5grudTr2ThMkKTGuDRH+ZdNKTYM5gJej6s+7vZPSQeaVovZT6xNwBV7dYlMbk6Mw6XlwXmxP+TMZxKiFdB8HJpgtXeUiOA+yEFbUn237TVqYL9XEjp/5lAmQIF51wnB8S9YoTTU3sVZ6YnXhOMugRqMEzRf/g8u3VBKAp8jciriIhqUElFUqM27wBrrujsqkuExj329lybO/rV3+uRJl214A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=az79kAIlUNPC99e0yElhV/xqgR1oPWnpaD7VSXu2cgc=; b=nG4YI+L6Ht92EOdSU9jENTxV9yJc8zUz5gR0JLTEvWsomrwtGnHDz7e7ohOlLiiJPjn9CmU9XaelbDj2e6ZFlY7+pEJsqekfjkYN3nl4SYDSvxq1rNZqb11aBpGwSN2gX1P86W5alnYMmMKaTGcPFxyviYx879clqZo9AYj7kqY=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=btconnect.com;
Received: from DB7PR07MB5546.eurprd07.prod.outlook.com (2603:10a6:10:73::23) by VI1PR07MB4143.eurprd07.prod.outlook.com (2603:10a6:803:30::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.4; Wed, 12 Jan 2022 12:55:06 +0000
Received: from DB7PR07MB5546.eurprd07.prod.outlook.com ([fe80::2090:eb3c:59e2:b4b2]) by DB7PR07MB5546.eurprd07.prod.outlook.com ([fe80::2090:eb3c:59e2:b4b2%6]) with mapi id 15.20.4888.009; Wed, 12 Jan 2022 12:55:06 +0000
From: t petch <ietfa@btconnect.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-ietf-i2nsf-capability-data-model@ietf.org" <draft-ietf-i2nsf-capability-data-model@ietf.org>, secdir <secdir@ietf.org>
Message-ID: <61DECFA3.5060208@btconnect.com>
Date: Wed, 12 Jan 2022 12:54:59 +0000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: LNXP265CA0016.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5e::28) To DB7PR07MB5546.eurprd07.prod.outlook.com (2603:10a6:10:73::23)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 8727427a-dc6a-4d3a-5d56-08d9d5cac180
X-MS-TrafficTypeDiagnostic: VI1PR07MB4143:EE_
X-Microsoft-Antispam-PRVS: <VI1PR07MB4143ADE2D0DE815D9FA6043DA2529@VI1PR07MB4143.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: HmHAhSshQHWL6iGRiAYdtjMLDVkGBAz7e236vHKSs8sHbw2smu1kxNRUi/GFb3ksUoXMq9K4j6Pnd7udw+xStkNihNsa1ffq/lbsKj4nP7r57iwrg7KbgkTBfNhSiY6BNgB3VVZTQWZWh4bNbJa5T6JD7yGriibg7XGa7n5A7NaX83kK86L6l6m1078+3dETn2NduDsdF+5c6qHCpX3oKQKnwZAvGVx45v1/8N7lbenKC5qft8pvNEj4YTZSUIkqrwd+cXIG+WTcWfm6tX5DaYlcfa9VvjDe1hF5c3zzzbZnYJvqUK/KtueGGo3d3GL0sb+Q4kFNbLbz4ahJl3FWf/02USWWFXnZec17ra1Jk3uO2GFkkLzikPQbZZrt0WnuH8hdMp7rqGBWsmu8QyWMKvoku7rpeEHyGy5LYxxlmsHsaMcmVSxA/TbBAX3Gk6qzQfLMd5UYANAIRjIiFhCckAaH6s+otYjhkUiU+6X8ayKTilZ13E3G7c8aUDyYxLE/aL2C6pjPKZ+4ucXYD9EjYniXIHBTLm3CrIGzNiITvwm/qYKtEprC9NmKlVOPvkHUP9HEN8hh7PiBpDMHZXDpuRNRCn0uCX2oj3TQNvxJDryhsvokNME63X5Zf4PFmqonHGMbE/tsJi2x7TgcP37M23Gfhy3x+6eDRPHfAwByqnm5xb2gcEYsWhkVXm++SUyMloX02pBIScNdLCJC1d7eze0/vcBIrz5wb9uI6JO8jaLpSTF9EVgYNx4+o7qgWvu3eHw9ThGPdDi5DoNURrjwz8xzPFbZQWU+VSR9QRDp4m6KSrEw2QaYBq5b4GbcxrDRxR2TLDssnrp7I67PLrQP3w==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR07MB5546.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(186003)(26005)(86362001)(2906002)(15650500001)(966005)(66574015)(30864003)(83380400001)(5660300002)(6512007)(316002)(2616005)(82960400001)(66946007)(66476007)(8676002)(36756003)(38350700002)(38100700002)(8936002)(66556008)(4326008)(87266011)(6506007)(6666004)(6916009)(54906003)(52116002)(33656002)(6486002)(508600001)(20210929001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: P4P3uUR065xDBcHbLa4DnQDzi0pwB9IlBYHFxYzUbGgafZeKtENACtlD9YdtVQd/ba/wUB7LfCCI/2cuxDLEPh+gup39eaKjOGyJlwdKqSZJh3yacraaGZDt+WfmuyOWHHIN8prC5gtWZ1VDPAf8CVksf7vN1q1sO2GZ+ulr+CQ7J7an9eadRuXpe6rsJXirq8WOyIUEkaGIze9VbH7MARb2hMaZG4iGZRSHb/vuKKtYLRZKI5yI2P1lZpdUQdNS6hfL/2ECtQiOWx0xxW+1VS2zD7SPmakop5bnoPvbtsePm0AuSXg3yRwavVnoxM4NprgKR74aSZJ5UEB3qwgPZPmL9st3Nn3FcXJngo0TzBKlgIZVtQ3HKlHj+TBbzbbRgm0pbb5VCqc8rMLKOdlV7tddBsEO84LvdgVxyNe3smuiBZbFTohjm4x5GnsZ79o1PoxVLXikl0oBLISEL1mc40Bz0aHFDG1BT8Q91kfkXmLtdC5sCrReLuk9/TbPsQ2B0VJA3x8NfZctVPoFJo29ObDKNGpDVXxX4oJAgbM0RS6zMBl9yykC8Xb54Ur88XkHSXIIGnaujXi4SUu6/ae9PnPjg8JM7GoCgQfNTXs0a0YyNamWS/bnxln379ZwxB4+sWG94GVkPrh/Kf/pv8OoxcpYznCNvGjjyRmLRnOpGQAft3dGS7jzyJCjltoKGtuJPooWHvI301AuNc7bRBzljG8ucOSxy5Oc++78n0LaWL22BCW2BXO4q7XFO4UBPD5+dyg05L+5dGgCNOCK/HwGht3UWXPs5jRGd6jSZGN0+5akeaAT6PqRrg+b0mF2Y2szHp3EuzGYCrfHVYb9S7VbYZUEvChTQsFQxuup3bt4MALtaLBf9jlR5z+g1RhqO0tVu/VfITyfPjfZNOkh/GTbX/oZhKx8LzMabsE+w8cMeAu27h7l9JzJ2cZJOrEPKpC//DAy8YFfDM6NSaHL1vbcLHDmNOwBgpiZ6kJVkR0iN25+qCOfwT6ynJhPz+EoQc4ENf8hOpOVgsIsjzBblqJmvuDaxnIr3NGy48G0x/EZIovEodTAPwhPxVIa39hNJhgIzXGW+SxC5lwvFjmUHAvW4jdDEtsjFyeEmeg0qHjusG1Sp7IXv2qgDDTXOIsqsqJBgAO81/1zMBbZ1k9Q3iycjMHHgaBSXguNNDr5TJS+SLYJv7G9y4wo13YCticITeESmMgLKvZm5Xdrmpcq3tZ4P6zhuZf819zfUW+P94Sd/pFiK4Exi5Vuq7emE58GQAOUIyFlbjeTZTCwt28vX863GUQb9x/AjL+Zb2ymHmT5cFwYWIMlOu6UYjfGkJHa/C4AN3R66tywTj2iSuco318/LwTCkmUNusKnEMmqAyHGNYeorWuCpbr93Dtn4vM3SCA7QGmt9D8h7m2yjnPNUFohhJhuZWjTg/oEb6Z+JHz2h1mx/yKjM/1zlI8VTLT+Tlw8/fVUfy7kBf0SYcxRwl/uH0Y82C0TfzXer52HVnDiWov68WiOkOPt6JxsS84C5qsTcfd5woDQgEpCG2Rd4O9QtJqCARquOBKaLrwHLjPIrQAjTYNn+5up6FBxKskk3f3V76gYYiMal6qq93x2V4DcqHzGjWbAnie5zHVS6sco8Vc=
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8727427a-dc6a-4d3a-5d56-08d9d5cac180
X-MS-Exchange-CrossTenant-AuthSource: DB7PR07MB5546.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Jan 2022 12:55:05.8449 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UfXWP6CIyZTRQvBIAAZVBvy9odbIORTENNgfjU7o0/OLgCpCdU4q+PESzo8qa+r0LqSTeNOsHussUTRVpcA/FQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4143
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Mc2XMOhxbv8nmo2WpsqEr5Ubgt0>
Subject: Re: [I2nsf] [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jan 2022 12:55:17 -0000

Hi Paul!
(adding I2NSF and document alias like an official response to a 
directorate review)

Thanks for this review.  A response below and the authors/WG can correct me.

<tp>

Chipping in as a WG member, my words of 2021 (2022, 2023...) are 
coherence and silos.

This I-D is one of a set of five, or more, which have a lot in common. 
'Improve' one and the risk is that the set as a whole becomes 
incoherent.  I put some effort in in 2021 to reduce the incoherence so I 
am twitchy about the nature of the IETF, operating in silos, the 
different parts bringing incoherence back in again.

Thus there is a comment about POP3 +/- POP3S. POP3 occurs in three I-D 
so change one and IMHO the others have to be changed.

url-capability appears in several I-D.  Change one and the other uses of 
it need changing.

tcp-flags already appears in another I-D so here I think that changing 
tcp to tcp-flags would be beneficial.

And so on.

Ideally, as I said about a Genart review, reviewers should be required 
to review the whole set, especially YANG Doctors, but I won't hold my 
breath.

Digging down, there is so much that ought to be in a common I-D, be that 
terminogy, YANG module or whatever but the time for that was several 
years ago, such as 6July 2019 when the WG produced a Terminology I-D.

Tom Petch

>> -----Original Message-----
>> From: secdir <secdir-bounces@ietf.org> On Behalf Of Paul Wouters
>> Sent: Monday, November 29, 2021 4:06 PM
>>
>> Note to tools team: I was assigned draft-ietf-i2nsf-capability-data-model,
>> although I had already reviewed the -16 version. I did a review now of the -21
>> version but did not see a way within datatracker to update the review. So I
>> opted to use the secdir mailing list for now.
>>
>> Paul
>>
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area directors.
>> Document editors and WG chairs should treat these comments just like any
>> other last call comments.
>>
>> The summary of the review is Has Issues
>>
>> I have reviewed the document. I don't have any particular security concerns,
>> and the Security Considerations section is fine. I do have some questions/issues
>> from reading the document.
>>
>> I am a bit confused about this part:
>>
>>          |  |  +--rw ipv4-capability*       identityref
>>          |  |  +--rw ipv6-capability*       identityref
>>          |  |  +--rw icmpv4-capability*     identityref
>>          |  |  +--rw icmpv6-capability*     identityref
>>          |  |  +--rw tcp-capability*        identityref
>>          |  |  +--rw udp-capability*        identityref
>>
>> There is an item for v4 and v6 support. Why is there a split of icmpv4 and
>> icmpv6?
>> Why isn't that done similarly to tcp and udp that don't have v4/v6 versions?

This modeling choice was made because ICMPv4 and ICMPv6 are not the same 
protocol.  TCP and UDP are the same protocol regardless of whether they 
are using IPv4 or v6.

>> This term seems to be rather generic:
>>
>>          |  |  +--rw url-capability*    identityref
>>
>> Perhaps what is meant is url-filtering-capability or url-protection-capability ?

I'll leave it up to the WG to decide if they want to scope it as such.

>> It also seems rw advanced-nsf-capabilities is really either "rw protection-nsf-
>> capabilities" or "rw filtering-nsf-capabilities" ? It seems "advanced" is a very
>> generic term? It could be useful to allow for further non-filter/non-protective
>> options, but it does seem right now this "advanced" category really means
>> some kind of "client protection" category.

There is a history in the naming convention of advanced vs. 
generic-nsf-capabilities.  Advanced capabilities were initially 
extension points discussed in other documents.  After refinement, the 
work didn't evolve this way.  The WG has discussed and modified this 
convention, and arrived at roughly the explanation documented in Section 
5.1:

==[ snip ]==
    In this
    document, two kinds of condition capabilities are used to classify
    different capabilities of NSFs such as generic-nsf-capabilities and
    advanced-nsf-capabilities.  First, the generic-nsf-capabilities
    define NSFs that operate on packet header for layer 2 (i.e., Ethernet
    capability), layer 3 (i.e., IPv4 capability, IPv6 capability, ICMPv4
    capability, and ICMPv6 capability.), and layer 4 (i.e., TCP
    capability, UDP capability, SCTP capability, and DCCP capability).
    Second, the advanced-nsf-capabilities define NSFs that operate on
    features different from the generic-nsf-capabilities, e.g., the
    payload, cross flow state, application layer, traffic statistics,
    network behavior, etc.  This document defines the advanced-nsf into
    two categories such as content-security-control and attack-
    mitigation-control.
==[ snip ]==


>> Similarly, "rw target-capabilities" might be better descriped as "rw destination-
>> capabilities"
>> to avoid confusing about this being a "targetting system" or the client being
>> "targetted".

I can see your point.  "target" is used in place of "destination" in a 
few places.  This seems editorial and I'd leave it up to the WG to decide.
>> I also find "rw action-capabilities" confusing. Isn't "anti-virus" and "anti-ddos"
>> also an action capability ? Or should I read this as a condition of "anti-virus"
>> kind activate an action capability (filter in, filter out, log).

It's the latter.  Consider Example 5 of Section A.5 which depicts the 
interrelationship between <anti-ddos-capability> and the 
<action-capabilities>.

>> It also seems the
>> selector (eg "anti-virus") is coupled to an action (eg "block") so I'm a bit
>> confused on why there is no capability link between these. Eg having "filtering"
>> as a capability seems related to some conditionals, but perhaps not all. So I am
>> not sure if the current model could describe that. Eg lets say there is a packet
>> filter, not but no filter based on anti-virus but it can detect anti-virus. How
>> would one know from these capabilities that anti-virus has "filter" and not only
>> "log" ?

For your antivirus configuration there might be something like the 
following:
<condition-capabilities>
    <advanced-nsf-capabilities>
    <anti-virus-capability>detect</anti-virus-capability>
...
<action-capabilities>
...
      <egress-action-capability>drop</ingress-action-capability>

>> And "rw generic-nsf-capabilities" seems to be more like "rw transport-nsf-
>> capabilities"

See explanation above on generic vs. advanced-capabilities

>> There are many email contacts listed in Section 6. These will not stand the
>> passing of time.
>> Why are they needed? Should there be an IANA registry/contact instead ?

Not question this contact information will age.  However, it seems to be 
common convention to include all of the document authors in the YANG 
contact information.
  >> the identity targets include base target-device which only has a 
description
>> field. So all these identity targets _only_ have a description. Is the presense of
>> an empty identity entry enough to indicate this support, or is some kind of
>> boolean field needed?

Thoughts from WG?

>> identity flags is only about TCP. Should it be called tcp-flags (like tcp-options) ?
>> Similar issue with identity total-length, verification-tag, identity chunk-type and
>> service-code.

Seems like there should be consistency or an approach either way as to 
whether the protocol name is a prefix to a field name.  I'll leave it to 
the authors to decide on the approach.

>> I see identity for pop3 and imap. Does that include pop3s and imaps (version of
>> those protocols over TLS). If so, should it be clarified in the description text? If
>> not, do we need seperate identity types for these?

I think the intent is for two identities: POP3+POP3S and IMAP+IMAPS, but 
I'll let the WG make the right change.

>> I see identities for pass, drop, mirror and rate-limit, but not for reject (eg send
>> an ICMP back)

Paul: Makes sense to me to add it in with your explanation.  WG: What do 
you think?  I believe "reject" was in -05, but removed in -06 after the 
first AD review 
(https://mailarchive.ietf.org/arch/msg/i2nsf/Qkup2tKpVyAcelxy3QooLf7P1KI/) 
pointed out that all of these identities were undocumented.

>> Security Considerations Section:
>>
>>  	The lowest layer of RESTCONF protocol layers
>>  	MUST use HTTP over Transport Layer Security (TLS), that is, HTTPS
>>  	[RFC7230][RFC8446] as a secure transport layer.
>>
>> This excludes QUIC? Perhaps it is better to say use an encrypted and
>> authenticated transport layer, such as TLS or QUIC using HTTPS.

This text is a derivative of the standard YANG boiler plate text 
included in most YANG document recently in recent years.  The working 
source is kept at 
https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
>> I am a little confused at Example 3. It shows:
>>
>> It's only capability is "user-defined". It's only actions are "ingress/egree options
>> that do pass/drop/mirror. Where does it state this is a web filter capability ?

It's a web-filter capability because of "<url-capability>".

"user-defined" is a specific type of URL-filter whose list is generated 
by the operator:

      identity user-defined {
        base url-filtering;
        description
          "Identity for user-defined URL Database condition capability.
           that allows a users manual addition of URLs for URL
           filtering.";
      }


>> And does it really mean the web URI and content can be
>> passed/dropped/mirrored? It feels like these pass/drop/mirror targets are for
>> packets, not web-uri streams ?

The semantics are definitely reused from packet focused behavior.  For 
security mitigation devices that operate on streams 
pass/drop/mirror/log/etc are common actions though.
  >> And should these actions not be inside the capability 
<url-capability> ?
The YANG module design is modeled on the premise that each part of the 
E-C-A rule is a separate top-level container per Section 3.1.  That 
certainly does remove flexibility but was a design choice.

>> What if
>> you define an NSF that has url-capability and a packet filter capability, how
>> would one know the pass/mirror/drop targets are for the url-capability ot the
>> packet filter capability ?
>>
>> Maybe, one of the examples can include an NSF with multiple conditions and
>> actions that don't fully overlap?

WG thoughts?

>> NITS

[...]

Thanks.  Leaving to the authors.

Regards,
Roman

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf
.

v2.23.0 | Report a Bug | By Email