[I2nsf] AD review follow-up #2 on draft-ietf-i2nsf-consumer-facing-interface-dm-25

Roman Danyliw <rdd@cert.org> Tue, 28 February 2023 03:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ZyL2jXmXAtFHd9AhTdKcffL79fg>

Hi

I performed an AD review on draft-ietf-i2nsf-consumer-facing-interface-dm-23 (https://mailarchive.ietf.org/arch/msg/i2nsf/VHbdIrvHo5EjvcyQf5v9fjeVy1w/).  The authors produced a -24 in response (thank you!) and I provided additional feedback (https://mailarchive.ietf.org/arch/msg/i2nsf/J5w-jujcwV3dve79Ta-SyEHjf28/).  The authors have published a -25.  Much appreciated!

To make it easier to track the remaining issues, I've created this new thread. The following is feedback on the new text introduced in -25, or unresolved issues from -24:

** Section 4.3. Location-group

[-24] Thank you for the clarifying language in this section in -24.  Per the addition of the country, region and city fields, please add normative references for ISO3166-1 and ISO3166-2.

[-25] Thanks for cleaning up the RFC8805 references.  Please also add normative references for ISO-3166-1 and -2.

** Section 5/Threat Feeds and IOC

Thanks for the changes which resulted in "threat-feed-list/ioc" in -24.

[-24] -- STIX, MISP and OpenIOC need to be normative references

[-24] -- For [MISP] and [OpenIOC], if the best reference possible is in github, please at least include a branch or tag.

[-25] Thanks for adding "(branch master)" to the [MISPCORE] and [OPENIOC] references.  History from prior IESG reviews says that this is insufficient because the main branch can be committed to at any time and won't be considered stable.  A specific commit has been sufficient.  Check my recommendations below for accuracy, but please use URLs to specific blobs in github:

MISP = https://github.com/MISP/misp-rfc/blob/051e33b6711a660faf81733d825f1015aa0d301b/misp-core-format/raw.md.txt

OpenIOC = https://github.com/fireeye/OpenIOC_1.1/blob/d42a8777708e171f8bdd3c2c9f8590c83488285d/schemas/ioc.xsd

As an aside, I'm being very particular on getting these references right now so we can confirm consensus during IETF LC on using them as normative references.

** container anti-virus

-- Per the description in Section 3.2

==[ snip ]==
This field represents the configuration for an Antivirus interruption. A specific security profile can be added to Security Controller in order to update the security of the Antivirus. Filenames or paths that contain the profile can be specified by I2NSF User. The decision to either perform or skip the Antivirus interruption depends on the action of the rule. For example, a drop action uses the security profile for dropping either packets or flows in the Antivirus interruption. On the other hand, a pass action uses the security profile for allowing either packets or flows without the Antivirus interruption.
==[ snip ]==

o Editorial.  Can a different word than "interruption" be used?  I didn't notice this change in -24.  This is the first mention of that term, but there are no "firewall interruptions" or "url filtering interruptions".  Why introduce it?

o The concept of "profiles" is introduced here.  Per "... in order to update the security of Antivirus", would it be clearer to call this the configuration of the antivirus?

-- per the leaf-list profile

==[ snip ]==
          leaf-list profile {
            type string;
            description
              "The path or name of the file that contains a security
               profile for the Antivirus interruption. The security
               profile is used to scan the viruses. The absolute
               paths and relative ones are to be interpreted as
               globs. The decision to perform or skip the Antivirus
               interruption depends on the action of the rule. A drop
               action uses the security profile for dropping either
               packets or flows in the Antivirus interruption. On the
               other hand, a pass action uses the security profile
               for allowing either packets or flows without the
               Antivirus interruption.";
            reference
              "GLOB: Linux Programmer's Manual - GLOB";
          }
        }
==[ snip ]==

When this leaf-list was called "exception-file" (-24 and earlier), this data element explicitly referenced filenames/paths/globs to skip.  That is, specific file names and hashes were enumerated.  In this revised definition, the semantics are less clear.  What is meant by "profiles"?  Is that a configuration file loaded into the AV?  Is its format vendor-specific?

Per "The absolute paths and relative ones are to be interpreted as globs", why is it "paths", plural?  Where are the multiple paths coming from?  The first sentence says the "The path or name of the file", singular.

Since [GLOB] is being cited in the YANG module and seems integral to how to read a path, please make it a normative reference.  Also, the new ubuntu URL is no more stable.  Please instead use the recommendation from Paul Wouters (thanks Paul!) to cite glob as from the Open Group/IEEE:

NEW
[GLOB] glob.  The Open Group Base Specifications Issue 7, 2018 edition / IEEE Std 1003.1-2017.  https://pubs.opengroup.org/onlinepubs/9699919799/functions/glob.html


** YANG.  list payload-content

Thanks for adding the additional guidance on handling multiple content fields and the support for depth and starting point.

[-24] Both offset and distance limit themselves to a range of "0..65535".  If dealing with packet header information only, I can see this as being adequate.  I'm imagining a hypothetical multi-MB network stream.  Should there be flexibility to search past 65K?

[-25] Thank you for the changes made to both offset/distance to define them as int32.  Could you please also add text which describes how to handle negative numbers.  For example, what would offset=-72 mean?

Regards,
Roman
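Editor's added example, not part of the message above or of the I2NSF draft: a small payload-content matcher that makes the two open points in the "list payload-content" item concrete, namely why a 0..65535 range on offset/distance cannot reach a match deep in a multi-MB stream, and what a implementation has to decide about negative values once the leaves are int32. The modifier semantics used here (Snort-style: offset/depth are absolute for the first content, distance is counted from the end of the previous match) and the choice to reject negative values outright are assumptions made for the example; the draft does not define them, which is exactly the question the review raises. The sample stream is constructed inline.

```python
"""Added example (not I2NSF draft code): a payload-content matcher with
offset/depth/distance modifiers.  Semantics are assumed, Snort-style:
  - the first content searches an absolute window [offset, offset+depth)
  - later contents search [prev_match_end + distance, ... + depth)
Negative values are rejected because the draft gives them no meaning."""

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Content:
    pattern: bytes
    offset: int = 0              # absolute start of the search window (first content only)
    depth: Optional[int] = None  # window length in bytes; None = search to end of payload
    distance: int = 0            # bytes skipped after the previous match before searching

    def __post_init__(self) -> None:
        if not self.pattern:
            raise ValueError("content pattern must not be empty")
        # Assumption for this example: int32 leaves may carry negatives, but
        # nothing defines e.g. offset=-72, so refuse rather than guess.
        if self.offset < 0 or self.distance < 0 or (self.depth is not None and self.depth < 0):
            raise ValueError("negative offset/depth/distance has no defined meaning")


def match_payload(payload: bytes, contents: Sequence[Content]) -> Optional[int]:
    """Match every Content in order.  Returns the end position of the last
    match, or None as soon as one content is not found in its window."""
    cursor: Optional[int] = None
    for c in contents:
        begin = c.offset if cursor is None else cursor + c.distance
        end = len(payload) if c.depth is None else begin + c.depth
        pos = payload.find(c.pattern, begin, end)   # match must lie fully inside [begin, end)
        if pos < 0:
            return None
        cursor = pos + len(c.pattern)
    return cursor


def matches(payload: bytes, contents: Sequence[Content]) -> bool:
    return match_payload(payload, contents) is not None


# Constructed 3 MB stream: a marker header 2,000,000 bytes in, then the word
# we actually want to flag 12 bytes after the end of that header.
SAMPLE_STREAM = (
    b"\x00" * 2_000_000
    + b"X-Flag: " + b"ok" * 5 + b" exfil"
    + b"\x00" * 1_000_000
)

# Rule with int32-sized offset: anchors a 32-byte window around the marker,
# then requires "exfil" exactly 12 bytes past the end of the marker.
RULE_INT32 = (
    Content(pattern=b"X-Flag:", offset=1_999_990, depth=32),
    Content(pattern=b"exfil", distance=12, depth=5),
)

# The same intent under the old 0..65535 range: the best the rule can do is
# anchor at 65535 with a 65535-byte window, which never reaches the marker.
RULE_UINT16_CAP = (
    Content(pattern=b"X-Flag:", offset=65_535, depth=65_535),
)


def negative_offset_is_rejected(offset: int = -72) -> bool:
    """Returns True if the assumed policy refuses a negative offset."""
    try:
        Content(pattern=b"X-Flag:", offset=offset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("int32 rule matched, last match ends at:", match_payload(SAMPLE_STREAM, RULE_INT32))
    print("uint16-capped rule matched:", matches(SAMPLE_STREAM, RULE_UINT16_CAP))
    print("offset=-72 rejected:", negative_offset_is_rejected())
```

The third function is the part a specification text would have to settle: an implementation can equally well treat a negative distance as "look backwards from the previous match" (as some IDS engines do), so whichever meaning the draft picks, it needs to be written down rather than left to bytes.find's own clamping behaviour.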