IETF Logo Mail Archive

Re: [I2nsf] [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21

Roman Danyliw <rdd@cert.org> Thu, 06 January 2022 22:54 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C173A0836; Thu, 6 Jan 2022 14:54:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5G_sA0XvrzD; Thu, 6 Jan 2022 14:54:11 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0104.outbound.protection.office365.us [23.103.209.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F7613A0833; Thu, 6 Jan 2022 14:54:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=S2QzSClY6YiBd4ItYSxNEzfS+e4xg+I7mbCrCEiic4oYQzQrSdO69izMYl91h5oQ+Ya3xvVlKicbrAELswfM+9FUtHr4QHOUw+dO+8w6UMTsapuuPxx2miAvcylI6HBux0WFR4j7UjaTrO1xOQYVRk6UfbzWA1Q3eMbRQCjAS+QZrJ4PKOoeEEm7OLFM3HoYPPWIEUhQqrNfa5pkT/SxAV5zI9ZxuEKCjykMkj4xgudcjcSdmCeyiFuo38Y6JHug2VMHg39EMJjfaSbr7Xu844HJyMnkdkylWMn6kQ5HSWNU+YpY54NdAzqQsskx0NOiZ3A4Wx92lHBouQ+PEo9fow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pPWNPh65zz/4CJVHcCJJadVDjOOcJ+4KSFJLFIztwYc=; b=iDfOJJlgDmdzDfSqrwFvYTupJ2IrZeD5WonIyJy8FhZaBUdGkXHP85A3/sRHWVrr+dfLNJLi0qj8SyyhyG7/oJxplck9eUIh6mmX/dQRZBDHZUlJJxOCbiqFEZkSXZxsXLS7UZKJYBnaxFpa+JxBD+JFOHEpPdZy35pkoetpbMy7e+88BqGl9KkMLyDALgpGTqGM9uOUkDK8tkKuMF8QbdAXmUnLD20DfIElW709rd2LEl3vBQ2y4XPC5QnEFZq3YzXGkkXkTfEaoUDyxvySGV/fBgb/kdSnvpCwlC9lcTc4ewxgeU8yWtD0Som6+7ew1UIz3lxqHCIaHxYlRcl1ag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pPWNPh65zz/4CJVHcCJJadVDjOOcJ+4KSFJLFIztwYc=; b=DcuEDQPjMAVuGTmqRjfdi4b31+JBFNBoDCXdvo2BmTWh7GAjqdrb9tU8vbl2Yrzvkkoy7hUZ+UndlfhFv9phteM6PyqwFJDkRQbYziBvPPTVa+TW7h3LTm57swt0bQliCXRJyBc4OYgWTYCJDzuJWGrLWDgDObVqsPCw403bOT0=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB0947.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7; Thu, 6 Jan 2022 22:54:02 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0be:6d5:6544:cce0]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0be:6d5:6544:cce0%4]) with mapi id 15.20.4867.009; Thu, 6 Jan 2022 22:54:02 +0000
From: Roman Danyliw <rdd@cert.org>
To: Paul Wouters <paul@nohats.ca>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-ietf-i2nsf-capability-data-model@ietf.org" <draft-ietf-i2nsf-capability-data-model@ietf.org>, secdir <secdir@ietf.org>
Thread-Topic: [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21
Thread-Index: AQHX5WTpchJK+kUvkEuvqhapv/1FUqxWi9/g
Date: Thu, 06 Jan 2022 22:54:02 +0000
Message-ID: <BN2P110MB110792B379DA9145A92F095FDC4C9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <fcaa5588-26bd-30b3-7317-76757e7842b0@nohats.ca>
In-Reply-To: <fcaa5588-26bd-30b3-7317-76757e7842b0@nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9f255d79-4584-47f9-988c-08d9d1676f5a
x-ms-traffictypediagnostic: BN2P110MB0947:
x-microsoft-antispam-prvs: <BN2P110MB0947D57C8188E9340C2CBD85DC4C9@BN2P110MB0947.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: cph0s7yfYY2+oEw2Te3mBa1vpX2xu1xleQOfNXpLo5vrO06h2jLzi99EGB6r5kjntBwOdkInaSlcgWxye6u8QIKrJ4jfzFv0/pvEQaV3SnZ+I/owFIBINUzuMjaonT/pb8P6B3ygifLN63WzK9fZ8vFBw7HUus6Tez8y+RC1NxBCFnevKiWQyUJrhhemzHQOSV71kFCKy9t7LlCoVdwu4LcfAq0QVpJKS5xobHasvZgRQERNFb6/+lba+A7s3hq+VpbA6Zu1+q/bPKD0ofPOU+UoJK8KZ1C3xBqBcpnTosNA+V5U77dgslyuHfboeIn9iMj5Y2WrN4DULFwr8Bmla/+idEtwFFRMt2DwTPS5M4MFIDrLRFbuRIoD0+bKLwmQPpcBlSJibP/cB6wEIwf81vUfMY5q7Bau9iEqmiNysGA2XdpZXn3tY0JYEniChrvN5Oltdevt4P4oNIFbJW+kPxV0h7/JfK2WRUgyoOzIQgB/BjXJCiK7bwhMm+deIkgFwXkLXGKmTuI2D1k20ca/+s9WrqWLoww/o9SUwopp3Z66Cq3QahmEh87qn3ExOxWTsg22Xem5nQfi2uAgiOUJ7XUOv11yvMiYBojPxUbTASBjIbKMcUok55GEmpQ0nQAGPowoYTQF6atiETMjjJ8IFX4pO11VLE5eLYK5LnQffqZUC3MPK3/YoXSU1Y2hlsAGOaCBAb2hETkxJ75qtt4Y3A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(66574015)(6916009)(76116006)(5660300002)(26005)(122000001)(498600001)(8676002)(2906002)(82960400001)(15650500001)(38100700002)(4326008)(8936002)(83380400001)(9686003)(38070700005)(966005)(52536014)(55016003)(33656002)(7696005)(6506007)(54906003)(186003)(53546011)(71200400001)(86362001)(66556008)(66446008)(64756008)(66476007)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2YSs2oIpQR6TQhc9J7W2MD+cPzgQeixLMHBIzIpO71ORTu7/+xgtzDlN2lPUlWX90R4BfyeqeNdRd6oyCyJsXtb9WI/ozxjLoFG0mJZWkzFU8lSyyjwqp+HTMXMCRUXmmICZTUNeO+t82AqN+NoHfQ==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f255d79-4584-47f9-988c-08d9d1676f5a
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jan 2022 22:54:02.8784 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB0947
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/gee6PshF774J9GmlQtozwQcIW-4>
Subject: Re: [I2nsf] [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2022 22:54:16 -0000

Hi Paul!
(adding I2NSF and document alias like an official response to a directorate review)

Thanks for this review.  A response below and the authors/WG can correct me.

> -----Original Message-----
> From: secdir <secdir-bounces@ietf.org> On Behalf Of Paul Wouters
> Sent: Monday, November 29, 2021 4:06 PM
> To: secdir <secdir@ietf.org>
> Subject: [secdir] (updated) review of draft-ietf-i2nsf-capability-data-model-21
> 
> 
> Note to tools team: I was assigned draft-ietf-i2nsf-capability-data-model,
> although I had already reviewed the -16 version. I did a review now of the -21
> version but did not see a way within datatracker to update the review. So I
> opted to use the secdir mailing list for now.
> 
> Paul
> 
> 
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
> 
> The summary of the review is Has Issues
> 
> I have reviewed the document. I don't have any particular security concerns,
> and the Security Considerations section is fine. I do have some questions/issues
> from reading the document.
> 
> 
> I am a bit confused about this part:
> 
>          |  |  +--rw ipv4-capability*       identityref
>          |  |  +--rw ipv6-capability*       identityref
>          |  |  +--rw icmpv4-capability*     identityref
>          |  |  +--rw icmpv6-capability*     identityref
>          |  |  +--rw tcp-capability*        identityref
>          |  |  +--rw udp-capability*        identityref
> 
> There is an item for v4 and v6 support. Why is there a split of icmpv4 and
> icmpv6?
> Why isn't that done similarly to tcp and udp that don't have v4/v6 versions?

This modeling choice was made because ICMPv4 and ICMPv6 are not the same protocol.  TCP and UDP are the same protocol regardless of whether they are using IPv4 or v6.

> This term seems to be rather generic:
> 
>          |  |  +--rw url-capability*                    identityref
> 
> Perhaps what is meant is url-filtering-capability or url-protection-capability ?

I'll leave it up to the WG to decide if they want to scope it as such.

> It also seems rw advanced-nsf-capabilities is really either "rw protection-nsf-
> capabilities" or "rw filtering-nsf-capabilities" ? It seems "advanced" is a very
> generic term? It could be useful to allow for further non-filter/non-protective
> options, but it does seem right now this "advanced" category really means
> some kind of "client protection" category.

There is a history in the naming convention of advanced vs. generic-nsf-capabilities.  Advanced capabilities were initially extension points discussed in other documents.  After refinement, the work didn't evolve this way.  The WG has discussed and modified this convention, and arrived at roughly the explanation documented in Section 5.1:

==[ snip ]==
   In this
   document, two kinds of condition capabilities are used to classify
   different capabilities of NSFs such as generic-nsf-capabilities and
   advanced-nsf-capabilities.  First, the generic-nsf-capabilities
   define NSFs that operate on packet header for layer 2 (i.e., Ethernet
   capability), layer 3 (i.e., IPv4 capability, IPv6 capability, ICMPv4
   capability, and ICMPv6 capability.), and layer 4 (i.e., TCP
   capability, UDP capability, SCTP capability, and DCCP capability).
   Second, the advanced-nsf-capabilities define NSFs that operate on
   features different from the generic-nsf-capabilities, e.g., the
   payload, cross flow state, application layer, traffic statistics,
   network behavior, etc.  This document defines the advanced-nsf into
   two categories such as content-security-control and attack-
   mitigation-control.
==[ snip ]==


> Similarly, "rw target-capabilities" might be better descriped as "rw destination-
> capabilities"
> to avoid confusing about this being a "targetting system" or the client being
> "targetted".

I can see your point.  "target" is used in place of "destination" in a few places.  This seems editorial and I'd leave it up to the WG to decide.  

> I also find "rw action-capabilities" confusing. Isn't "anti-virus" and "anti-ddos"
> also an action capability ? Or should I read this as a condition of "anti-virus"
> kind activate an action capability (filter in, filter out, log). 

It's the latter.  Consider Example 5 of Section A.5 which depicts the interrelationship between <anti-ddos-capability> and the <action-capabilities>.

> It also seems the
> selector (eg "anti-virus") is coupled to an action (eg "block") so I'm a bit
> confused on why there is no capability link between these. Eg having "filtering"
> as a capability seems related to some conditionals, but perhaps not all. So I am
> not sure if the current model could describe that. Eg lets say there is a packet
> filter, not but no filter based on anti-virus but it can detect anti-virus. How
> would one know from these capabilities that anti-virus has "filter" and not only
> "log" ?

For your antivirus configuration there might be something like the following: 

<condition-capabilities>
   <advanced-nsf-capabilities>
   <anti-virus-capability>detect</anti-virus-capability>
...
<action-capabilities>
...
     <egress-action-capability>drop</ingress-action-capability>

> And "rw generic-nsf-capabilities" seems to be more like "rw transport-nsf-
> capabilities"

See explanation above on generic vs. advanced-capabilities

> There are many email contacts listed in Section 6. These will not stand the
> passing of time.
> Why are they needed? Should there be an IANA registry/contact instead ?

Not question this contact information will age.  However, it seems to be common convention to include all of the document authors in the YANG contact information.
 
> the identity targets include base target-device which only has a description
> field. So all these identity targets _only_ have a description. Is the presense of
> an empty identity entry enough to indicate this support, or is some kind of
> boolean field needed?

Thoughts from WG?

> identity flags is only about TCP. Should it be called tcp-flags (like tcp-options) ?
> Similar issue with identity total-length, verification-tag, identity chunk-type and
> service-code.

Seems like there should be consistency or an approach either way as to whether the protocol name is a prefix to a field name.  I'll leave it to the authors to decide on the approach.

> I see identity for pop3 and imap. Does that include pop3s and imaps (version of
> those protocols over TLS). If so, should it be clarified in the description text? If
> not, do we need seperate identity types for these?

I think the intent is for two identities: POP3+POP3S and IMAP+IMAPS, but I'll let the WG make the right change.

> I see identities for pass, drop, mirror and rate-limit, but not for reject (eg send
> an ICMP back)

Paul: Makes sense to me to add it in with your explanation.  
WG: What do you think?  I believe "reject" was in -05, but removed in -06 after the first AD review (https://mailarchive.ietf.org/arch/msg/i2nsf/Qkup2tKpVyAcelxy3QooLf7P1KI/) pointed out that all of these identities were undocumented.

> Security Considerations Section:
> 
>  	The lowest layer of RESTCONF protocol layers
>  	MUST use HTTP over Transport Layer Security (TLS), that is, HTTPS
>  	[RFC7230][RFC8446] as a secure transport layer.
> 
> This excludes QUIC? Perhaps it is better to say use an encrypted and
> authenticated transport layer, such as TLS or QUIC using HTTPS.

This text is a derivative of the standard YANG boiler plate text included in most YANG document recently in recent years.  The working source is kept at https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.  

> I am a little confused at Example 3. It shows:
> 
> It's only capability is "user-defined". It's only actions are "ingress/egree options
> that do pass/drop/mirror. Where does it state this is a web filter capability ?

It's a web-filter capability because of "<url-capability>".

"user-defined" is a specific type of URL-filter whose list is generated by the operator:

     identity user-defined {
       base url-filtering;
       description
         "Identity for user-defined URL Database condition capability.
          that allows a users manual addition of URLs for URL
          filtering.";
     }


> And does it really mean the web URI and content can be
> passed/dropped/mirrored? It feels like these pass/drop/mirror targets are for
> packets, not web-uri streams ?

The semantics are definitely reused from packet focused behavior.  For security mitigation devices that operate on streams pass/drop/mirror/log/etc are common actions though.
 
> And should these actions not be inside the capability <url-capability> ? 

The YANG module design is modeled on the premise that each part of the E-C-A rule is a separate top-level container per Section 3.1.  That certainly does remove flexibility but was a design choice.

> What if
> you define an NSF that has url-capability and a packet filter capability, how
> would one know the pass/mirror/drop targets are for the url-capability ot the
> packet filter capability ?
> 
> Maybe, one of the examples can include an NSF with multiple conditions and
> actions that don't fully overlap?

WG thoughts?

> NITS

[...]

Thanks.  Leaving to the authors.

Regards,
Roman

v2.23.0 | Report a Bug | By Email