[I2nsf] YANG Doctors Working Group Last Call Review for draft-ietf-i2nsf-nsf-facing-interface-dm-06

"Acee Lindem (acee)" <acee@cisco.com> Sat, 22 June 2019 18:03 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: "draft-ietf-i2nsf-nsf-facing-interface-dm@ietf.org" <draft-ietf-i2nsf-nsf-facing-interface-dm@ietf.org>, "i2nsf-ads@ietf.org" <i2nsf-ads@ietf.org>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, YANG Doctors <yang-doctors@ietf.org>
Date: Sat, 22 Jun 2019 18:03:22 +0000
Message-ID: <E650398F-D50C-486D-9717-90BA617BA0A1@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/lBGfNyqIZKsDCkDpboBEV8AtCvk>

I have reviewed this document as part of the YANG doctors directorate's
ongoing effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of the
IETF drafts. Comments that are not addressed in last call may be included in AD reviews
during the IESG review.  Document editors and WG chairs should treat these comments
just like any other early review comments.


Document: draft-ietf-i2nsf-nsf-facing-interface-dm-06
Reviewer: Acee Lindem
Review Date: June 22, 2019
Review Type: Working Group Last Call
Intended Status: Standards Track
Summary: Needs to go back to Working Group for rework and another WGLC

Modules: "ietf-i2nsf-policy-rule-for-nsf@2019-06-12.yang"

Tech Summary: The model defines different types of I2NSF security policy. Each
is comprised of an event, a condition, and an action. There is
significant overlap with other IETF models. Within I2NSF, there
is repetition of definitions which needs to go into a common
I2NSF types module. Additionally, the data descriptions were
done quickly and never reviewed or edited. I believe
it needs to go back to the working group for another revision and
working group last call.

Major Comments:

 1. Why don't you leverage the definitions in RFC 8519 for packet matching?
    We don't need all this defined again.

 2. Date and time are defined in RFC 6991. Why don't those suffice?

 3. Refer to the intervals as "time-intervals" rather than "time-zones".
    The term "time-zone" has a completely different connotation.

 4. What is the "acl-number"? Also, ACLs are named (RFC 8519). And why
    define all the packet matching and then reference an ACL?

 5. The descriptions are very awkwardly worded and in many cases simply
    repeat the data node or identity description without hyphens. I
    started trying to fix this but it was too much. I'll pass on
    some examples. There are enough co-authors and contributors that
    one would expect much better.

 6. There is overlap of definitions with the I2NSF capabilities draft.
    The common types and identities should be factored into a common
    I2NSF types module.

 7. The "Security Considerations" in section 8 do not conform to the
    recommended template in
    https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines


Minor Comments:

 1. Section 3.1 should reference RFC 8340 rather than attempting to
    include tree diagram formatting semantics.

 2. "iiprfn" is a poor choice for default model prefix - I suggest
    "nsfintf". It is only one character longer and actually expands
    to something meaningful.

 3. RFC 2460 is obsoleted by RFC 8200.

 4. RFC 791 is the wrong reference for IPv4 TOS. It should be RFC 1394.

 5. What is the IGRP protocol? I'm familiar with EIGRP but not IGRP.

 6. What is the skip protocol? Is this about skipping the check? If so,
    why is it needed?

 7. Reference for IPv6 ICMP should be RFC 2463.

 8. Why do you include Photuris definitions? Nobody uses this.

 9. Note that all the keys for all 'config true' lists must be
    unique so your specification in the description as well as
    'mandatory true' are redundant for the 'rules' list. This
    mistake is in other lists as well.

10. What is 'during' time?

11. What is a "security-grp"? Is this a security-group?

12. The module prologue doesn't match the example in Appendix B of
    RFC 8407.

13. There needs to be a good definition of absolute and periodic
    time in the descriptions.

14. The References do not include all the RFCs referenced by YANG
    model reference statements.

Nits: Will send diff to authors and i2nsf chairs as example of review that should be done on YANG documents prior to sending to YANG doctors.

Thanks,
Acee
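One way to act on major comments 1 and 4 and minor comment 9 together, shown as a constructed example that is neither the draft's module nor the reviewer's text: a 'rules' list whose key is implicitly unique and mandatory, and which points at a named ACL from RFC 8519 instead of re-defining packet matching or an "acl-number". The module name, namespace, node names and the 'action' leaf are assumptions.

```yang
// Constructed illustration (not the draft's module): the list key
// 'rule-name' is unique and required by definition, so no 'mandatory true'
// or "must be unique" wording is needed; packet matching is delegated to
// a named ACL defined by ietf-access-control-list (RFC 8519).
module example-nsf-rules {
  yang-version 1.1;
  namespace "urn:example:nsf-rules";   // placeholder namespace
  prefix nsfintf;                      // the prefix suggested in the review

  import ietf-access-control-list {    // RFC 8519
    prefix acl;
  }

  container security-policy {
    list rules {
      key "rule-name";
      description
        "Security policy rules. Uniqueness of 'rule-name' follows from
         it being the list key.";
      leaf rule-name {
        type string;
        description "Name identifying this rule.";
      }
      leaf acl-name {
        type leafref {
          path "/acl:acls/acl:acl/acl:name";
        }
        description
          "Reference to a named ACL (RFC 8519) that supplies the packet
           matching for this rule.";
      }
      leaf action {
        type enumeration {
          enum permit;
          enum deny;
        }
        mandatory true;   // 'mandatory' belongs on non-key leaves like this
        description "Action taken on packets matched by the referenced ACL.";
      }
    }
  }
}
```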