Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-16
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sat, 14 August 2021 07:45 UTC
Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74C033A0F06 for <i2nsf@ietfa.amsl.com>; Sat, 14 Aug 2021 00:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.545
X-Spam-Level:
X-Spam-Status: No, score=-1.545 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HK_NAME_FM_MR_MRS=0.542, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qtedQwlh73B for <i2nsf@ietfa.amsl.com>; Sat, 14 Aug 2021 00:45:44 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC3DE3A0FAF for <i2nsf@ietf.org>; Sat, 14 Aug 2021 00:45:05 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id n17so24318290lft.13 for <i2nsf@ietf.org>; Sat, 14 Aug 2021 00:45:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xQIldGiu6oE/xYX3Wt3whptwAeTOW6uepKZq7XNr9lE=; b=Tr5WrRB7JkgbvDmVpVne87Wv/sWAtLL+HKjDk1PYc87P6p8fZwhVIxqxiAsHDqp41m XsKqo43W1V/L6EJu6FAXx70sPZfGjTeWDQhNSrWX0IQUX6Ho0my4HgyjyOdyBii5hUWf TbQ83D1KYoOui2XdsHI4dGUcI0RJ6vVtZ59/L19xYZS3AX5fkZoz52cICfDs6qoAEH0j IBQz3mmXTF7d3/DwIzHTQx7MmfusuztGE03TNT4eX0dlxAbRg4hOHJ7+TDK8h4OByl4G vEK6JquYWdn6IGA6G8daFD1IqyMPv1FH5fZup5X82D78mHs4bK5eLu0qbDxeQrOKuB3/ 7Ydg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xQIldGiu6oE/xYX3Wt3whptwAeTOW6uepKZq7XNr9lE=; b=gYnkVFQH92DiKrf9JZdRmaCQEQCgJvrFVa9CpLWpAEsWD6aBzjFFPvFib80oZvM5aJ x4rZZfqT5WXZOP9f6qFS5lGAE7yF/L3yyJOstt4ySrF8QkIjR7763hKg15nRUBc+gYKs kXptwrFr/8emtqxBNyMQa5nqb+frQ0H/jjMnJvl7CQcSs0O0jlmRzzn/FGpCT/Efd9pj /Vm8ziRGGaok1AsghMXdW8dVpJ8an1L2EcpBMIVIP15ChSX/eO/5IEmyLVM54qt7/o40 eACCTqlHVErl3HBUo/fcqxTDC8ZFbdRRXgn78dtbJ1x+XqlVX8WAP9I9ZenyuoIkbkhG ZQkw==
X-Gm-Message-State: AOAM532/DMkmV7tOFePZoiC00ZGVrx/z0Q+A0Z+9UuB1oOXF6/1eX0i6 L4sfLd0RQDSonklYQgc7aV6bXtfziKB8qBGM19A=
X-Google-Smtp-Source: ABdhPJyza1OHtwL/RHl5sdVgg8qt+D0RblNviNr/kFublMGroriCUOQgl7PnmOfUYvwH+0t6DmiRfAZmoF0vhRbWUvQ=
X-Received: by 2002:a05:6512:2251:: with SMTP id i17mr4327443lfu.19.1628927100953; Sat, 14 Aug 2021 00:45:00 -0700 (PDT)
MIME-Version: 1.0
References: <DM3P110MB05385ABC1B53F91A63273021DCF29@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <DM3P110MB05385ABC1B53F91A63273021DCF29@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Sat, 14 Aug 2021 16:44:22 +0900
Message-ID: <CAPK2DeyP3LL8TUZK2La1hDVoWA9AN7-B_XSSYV5fgR47fJBXeQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, tom petch <daedulus@btconnect.com>, Paul Wouters <paul@nohats.ca>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/mixed; boundary="00000000000037c6ff05c980251e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/kESyaYmhxJbeLDYcCBQ8at1EGBo>
Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-16
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Aug 2021 07:45:51 -0000
Hi Roman, Here are the revision letter and revised draft reflecting your comments. https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-capability-data-model-17 You can find my responses to your comments from page 38 in the revision letter. Patrick and I worked together for this revision. Please let me know whether this version satisfies your comments or not. Thanks. Best Regards, Paul Jeong On Fri, Aug 6, 2021 at 2:09 AM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > I conducted a second AD review on -16 of > draft-ietf-i2nsf-capability-data-model. Thanks for the work to merge the > text from the previous stand-alone information model document and the > preliminary IESG feedback that came before the document was removed from > the telechat. My feedback is below: > > ** Section 1. > As the industry becomes more sophisticated and network devices (e.g., > Internet-of-Things (IoT) devices, autonomous vehicles, and > smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE)) > require advanced security protection in various scenario, service > providers have a lot of problems described in [RFC8192]. > > There seems to be a slight change in framing between RFC8192 and this > sentence. RFC8192 discusses the problem as protecting infrastructures and > networks, this text frames it as "devices". This isn't necessarily a > problem, I just wanted to ask if that drift was intentional. > > ** Section 1. Editorial. > > OLD > Security Capabilities describe the functions that Network Security > Functions (NSFs) are available to provide for security policy > enforcement purposes. > > NEW > Security Capabilities describe the functions that Network Security > Functions (NSFs) can provide for security policy > enforcement. > > ** Section 1. > > Security Capabilities are independent of the > actual security control mechanisms that will implement them. > > Can you clarify the intent of this statement? There is a distinction > being made between a "security control mechanism" and a "policy" and the > "NSF functionality" that I don't follow. > > ** Section 1. Editorial. The sentence beginning with "That is, it is not > needed ..." seem repetitive to the text before and after it. I recommend > removing it. > > ** Section 1. Per "Note that this YANG data model outlines ...", can you > clarify what "outlines" means? > > ** Section 1. In the paragraph beginning with "This document provides an > information model ...", is there are reason that "NSF" and "Security > devices" is being used interchangeably. I thought architecturally, the > unit of capability was a NSF. > > ** Section 1. Per the bulleted list of starting with the text of "The > 'ietf-i2nsf-capability' YANG module defined in this document ...", there is > distinction made between "advanced network security functions" and "generic > network security functions". Where is the difference between those two > explained? (There is another comment on this below and Eric Vynke also > mentioned it in his initial ballot) > > ** Section 3. I'm having trouble finding the information model (CapIM). > Section 4 has a data model. Section 3.1. describes the properties of the > information model. Is the ECA text in Section 3.1 - 3.3 the CapIM? > > ** Section 3. Per the paragraph starting with "Analogous considerations > can be applied for channel protection protocols ...", this text seems > rather broad in scope. The data model appears to let you configure IPSec. > > ** Section 3. Editorial. s/[RFC8329] , /[RFC8329], / (i.e., remove the > extra space between the reference and the comma. > > ** Section 3.1. Editorial. s/-po This document/This document/ > > ** Section 3.1. Editorial. s/resepectively/ respectively/ (multiple places) > > ** Section 3.1. A few of these requirements are generically written, and > I wondering if it needs to be so in the I2NSF context. For example: > > -- For the Advertisement requirement, is this "dedicated, well-known" > interface anything but the registration interface? > > -- For the Execution requirement, is this "monitoring" capability more > than the monitoring module"? > > ** Section 3.1. Per the requirement for automation and scalability, no > I2NSF document I can find provides guidance on how to realize this design. > As there a normative MUSTs/SHOULDs here, the bounds of these need more > details. > > -- Are these implementation details out of scope for I2NSF? > > -- How much "scale up/down or scale in/out" is needed? > > ** Section 3.1. > > Furthermore, when an unknown threat (e.g., zero-day exploits and > unknown malware) is reported by an NSF, new capabilities may be > created, and/or existing capabilities may be updated (e.g., by > updating its signature and algorithm). This results in enhancing the > existing NSFs (and/or creating new NSFs) to address the new threats. > New capabilities may be sent to and stored in a centralized > repository, or stored separately in a vendor's local repository. In > either case, a standard interface facilitates this update process. > > I understand the general update mechanism of security tools with new > signatures of algorithms described here, but cannot link it to the abstract > nature of the capability model described in this document. The granularity > of the capability model appears to be "has ips capability" not "has ips > capability to mitigate exploit-X". > > ** Section 3.1. Per "definitions of all I2NSF policy-related terms are > also defined in [RFC8329]", the only defines in RFC8329 on ECA is in > Section 7.0. The definitions in this section appears to be a super-set of > those. Is this reference needed? > > ** Section 3.1. The definitions of the ECA elements in this section don't > entirely agree with the definitions in Section 7 of RFC8329. For example, > for action, is it flow or packet+flow specific? > -- Here: "An action is used to control and monitor aspects of flow-based > NSFs" > > -- RFC8329: "defines the type of operations that may be performed on this > packet or flow" > > ** Section 3.2. I don't follow the intent of this section. It defines > the concept of a "matched policy rule" and terms like "Ac" and "Ec" which > aren't used anywhere else in the document. The title suggested (to me) > that there would be some guidance on how to match rules, but there is no > guidance there beyond what's already stated in Section 3.1. I would > recommend removing it. > > ** Section 3.2. Recommend removing the sentence "To precisely describe > ..." as it could be read a redefinition of the ECA terms. > > ** Section 3.2. Editorial. s/the properties to characterize/the > properties that characterize/ > > ** Section 3.3. R1 and R2 are presented to show rules that don't > conflict. Based on their descriptions their action clause affecting the > same object in different ways isn't clear because I don't know what > "conduct anti-malware investigation" entails. Please also expand "FW" to > be firewall. > > ** Section 3.3. I appreciate that R1 - R4 are high level rules that that > will get translated into more specific guidance and are intended to > demonstrate the parts of ECA. However, I'm having difficulty matching > those rules with the capabilities of the YANG module described in this > document. In particular, R3 and R4 don't appear to be security related > unless there is something assumed by virtue of being "GoldService" or > "BronzeServer". What capabilities expressed in the YANG module would one > use to encode these rules? > > ** Section 3.3. > > Conflicts theoretically compromise the correct functioning of devices > (as happened for routers several year ago). However, NSFs have been > designed to cope with these issues. Since conflicts are originated > by simultaneously matching rules, an additional process decides the > action to be applied, e.g., among the ones which the matching rule > would have enforced. This process is described by means of a > resolution strategy for conflicts. > > > -- Per "(as happened for routers several years ago)", can this event be > referenced or explained > > -- This text appears to be making assumptions about the internal > implementation of NSF (i.e., "conflicts are originated by simultaneously > matching rules"). Is that a safe assumption? Should this matching strategy > be more clearly stated an underlying requirement of the NSFs that I2NSF can > handle > > ** Section 3.3. > > On the other hand, it may happen that, if an event is caught, none of > the policy rules matches the event. > > How can an event be caught if there is no event clause in any rule to > match it? The subsequent logic about a firewall doesn't follow for me > because the default rule still is a rule. > > ** Section 3.3. As noted for Section 3.2, this section introduces RSc and > Dc, but this notation is used elsewhere in the document. Why is this > needed? > > ** Section 4. Editorial. s/is used for the Security Controller/is used by > the Security Controller/ > > ** Section 4 notes that the primary use of this YANG model is for the DMs > to populate (via the registration interface) the capabilities of various > NSFs. Given that scope, it is a bit striking that the narrative describing > Figure 1 primarily discusses only the byproduct of the database on the > controller created by the YANG module in this document. > > ** Section 5.1. Is it possible define generic-nsf and advanced-nsf > capabilities with a more principled definition. Perhaps that the > generic-nsf operates on layer 3 and 4 headers only; and the advanced in > application layer or those requiring cross flow state? > > ** Yang module. "This can be used for an extension point ..." is used in > a few places. Can the proposed approach for making extensions be further > explained? > > ** YANG module. There is a notation being used in the reference section > which is not clear to me. It is of the form: "RFC XXX: <title of RFC - > <text>". For example, in leaf-list default action-capabilities, the > reference reads "RFC 8329: Framework for Interface to Network Security > Functions - Ingress and egress actions." What part of RFC8329 am I > supposed to be reading. There is not Section with the title "Ingress and > egress" and that exact phrase appears only in Section 9.2 which doesn't > appear germane. It would be much clearer if the references were of the > form "RFC XXX: <title of RFC - <Section #>" instead. > > ** Identity application-layer-filter. The references seem to suggest that > this is HTTP only. Is the intent for generic capability or for an > HTTP-only focus? > > ** Identity baseline-learning, signature-set, ips-exception-signature. > RFC8329 makes no reference to these types of capabilities. What are these? > > ** leaf-list anti-virus-capability, anti-ddos-capability, url-capability, > voip-volte-capability. All of these refer to RFC8329 but I can't find the > reference Section in that document which describes these capabilities > > ** Section 8. I appreciate the inclusion of this new section in response > to the original IESG telechat. I don't follow how it informs awareness on > privacy issues - no insight is being provide on how the trade-off is being > made and even what privacy issues are arising beyond simply stating there > are some. I would suggest reframing this section to emphasize that this > module is intended to describe the capabilities of a diverse set of network > security function already in common use in enterprise security operations. > The specificity of the privacy issues can be addressed with reference as is > already done with further fidelity as noted in the next comment in Section > 9. Ben Kaduk made a few comments on privacy language in his initial ballot > too. > > ** Section 9. Thanks for using the YANG Security Considerations template ( > https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines) as a > starting point. Please include the other elements of the template: > > -- Discuss the readable nodes noting the consequences from the perspective > of the attacker (e.g., reading nodes will reveal the specific configuration > of security controls to an attacker (a) craft an attack path that avoids > observation or mitigations; may revealing topology information to inform > additional targets or enable lateral movement; enabling the construction of > an attack path that avoids observation or mitigations; or (c) provide an > indication that the operator has discovered the attack). The scope of this > is likely the entire data model. > > -- Discuss the specifics of which readable nodes might be considered > privacy sensitive > > ** References > > -- RFC8805 should be a normative reference > > -- Can the shepherd write-up please be updated to reflect that there are > several downrefs. From idnits: > > ** Downref: Normative reference to an Informational RFC: RFC 6691 > > ** Downref: Normative reference to an Informational RFC: RFC 8192 > > ** Downref: Normative reference to an Informational RFC: RFC 8329 > > ** and also RFC8805 as noted above > > -- Per "Unused Reference: 'RFC2119' is defined on line 2884, but no > explicit reference was found in the text", this means that the boiler > plate such as: > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > "OPTIONAL" in this document are to be interpreted as described in > BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all > capitals, as shown here. > > Is not present but the text is still citing RFC2119. Please add the above > text to Section 2 since I believe that the "MUSTs" and "SHOULDs" present in > the document are in fact intended to be normative? > > Regards, > Roman > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf >
- [I2nsf] AD Review of draft-ietf-i2nsf-capability-… Roman Danyliw
- Re: [I2nsf] AD Review of draft-ietf-i2nsf-capabil… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] AD Review of draft-ietf-i2nsf-capabil… Mr. Jaehoon Paul Jeong