Re: [I2nsf] [Last-Call] Genart last call review of draft-ietf-i2nsf-nsf-facing-interface-dm-17

tom petch <daedulus@btconnect.com> Wed, 26 January 2022 13:10 UTC


Picking on this e-mail as it is the most recent of those relating to 
nsf-facing -17 and not because this has anything to do with Genart

-17 has introduced a number of errors as a result of changes (which is 
why I was unenthusiastic about the comments made on -16).

It will take me quite a while to go through all the i2nsf I-Ds in detail 
(again) but meanwhile, the sort of thing that leaps out at me ...

A number of references have been added to this YANG module - these now 
need adding to the I-D References; I see ten at first glance.

The added action 'reject' needs adding to the YANG description in 
several places.

The terminology is drifting out of line with RFC8329 - I do not know if 
this is just something to live with or whether these I-Ds should contain 
notes along the lines of 'Where RFC8329 says xxxx, we now say AVFRT 
...'.  And the right answer may depend on whether or not this RFC is 
made Normative.


And the TLP in the YANG module is out of date

Tom Petch

On 25/01/2022 10:26, Dan Romascanu via Datatracker wrote:
> Reviewer: Dan Romascanu
> Review result: Ready with Issues
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-i2nsf-nsf-facing-interface-dm-17
> Reviewer: Dan Romascanu
> Review Date: 2022-01-25
> IETF LC End Date: 2021-11-23
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> This document defines a YANG data model for configuring security policy rules
> on Network Security Functions (NSF) in the Interface to the Network Security
> Functions (I2NSF) framework. It's a solid, well-written and complete document.
> It needs to be read in the context and together with several other documents
> belonging to the I2NSF deliveries. The document is Ready from the perspective
> of Gen-ART with a couple of minor non-blocking issues and a few editorial
> problems that could be easily clarified and fixed if needed.
>
> Major issues:
>
> Minor issues:
>
> 1. How can RFC 8329 be only an Informative Reference? The Introduction duly
> states that the YANG module is based upon the framework / architecture defined
> in RFC 8329, and Section 4 uses RFC 8329 in several reference clauses.
>
> 2. Section 4.
>
>>          leaf frequency {
>                 type enumeration
>
> Is this enumeration sufficient (once, daily, weekly, monthly, yearly)? Are not
> more cases needed? More flexibility?
>
> Nits/editorial comments:
>
> 1. Section 3.3:
>
>>   A condition clause of generic network security functions is defined as IPv4
> condition, IPv6 condition, TCP condition, UDP condition, SCTP condition, DCCP
> condition, and ICMP (ICMPv4 and ICMPv6) condition.
>
> Should it not rather be 'or' instead of 'and'?
>
> 2. Section 4:
>
> description of identity access-violation
>
>>        "Identity for access-violation. Access-violation system
>            event is an event when a user tries to access (read, write,
>            create, or delete) any information or execute commands above
>            their privilege."
>
> 'above their privilege' is vague - probably meaning not-conformant with the
> access profile
>
> 3. Section 4
>
> identity memory-alarm
>
> description
>           "Identity for memory alarm. Memory is the hardware to store
>            information temporarily or for a short period, i.e., Random
>            Access Memory (RAM). A memory-alarm is emitted when the RAM
>            usage exceeds the threshold.";
>
> memory-alarm is emitted when the memory usage is exceeding the threshold - RAM
> example does not really help, the alarm applies to all types of memory
>
> 4. Section 4
>
>      identity ot {
>         base device-type;
>         description
>           "Identity for Operational Technology devices";
>       }
>
>       identity vehicle {
>         base device-type;
>         description
>           "Identity for vehicle that connects to and shares
>            data through the Internet";
>       }
>
> reference clauses would help - what is an OT and a 'vehicle' (in this context)?
>
> 5. Section 4
>
>>      identity forwarding {
>         base egress-action;
>         description
>           "Identity for forwarding. This action forwards the packet to
>            another node in the network.";
>       }
>
> 'This action forwards ... ' sounds odd. The action consists of forwarding, but
> does not perform it. I suggest re-wording. There are a few more such instances
> of 'This action [does] ...'.
>
>
>
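One way to mechanise the first of Tom's checks (RFC references cited in YANG `reference` statements that the I-D's References section does not list). This is an added example, not code from the draft or the working group; the YANG fragment and the References excerpt are constructed stand-ins, not text from the I-D.

```python
import re

# Constructed sample of a YANG module body; the identities and their
# reference statements are made up for this example, not the draft's own text.
SAMPLE_YANG = '''
  identity ipsec {
    base egress-action;
    description
      "Identity for IPsec.";
    reference
      "RFC 4301: Security Architecture for the Internet Protocol";
  }
  identity log {
    base egress-action;
    description
      "Identity for logging. See RFC 5424 for syslog.";
    reference
      "RFC 8329: Framework for Interface to Network Security Functions
       RFC 5424: The Syslog Protocol";
  }
'''

# Constructed stand-in for the I-D's References section (Normative + Informative).
SAMPLE_ID_REFERENCES = '''
   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.
   [RFC8329]  Lopez, D., et al., "Framework for Interface to Network
              Security Functions", RFC 8329, February 2018.
'''

# A YANG 'reference' statement: the keyword followed by one quoted string.
RFC_IN_REFERENCE = re.compile(r'reference\s*"((?:[^"\\]|\\.)*)"', re.S)
RFC_NUM = re.compile(r'RFC\s?(\d{3,5})')

def rfcs_in_yang_references(yang_text):
    """RFC numbers named inside YANG 'reference' statements (descriptions are ignored)."""
    found = set()
    for m in RFC_IN_REFERENCE.finditer(yang_text):
        found.update(RFC_NUM.findall(m.group(1)))
    return found

def rfcs_in_id_references(refs_text):
    """RFC numbers that have an [RFCnnnn] entry in the I-D References section."""
    return set(re.findall(r'\[RFC(\d{3,5})\]', refs_text))

def missing_references(yang_text, refs_text):
    """RFCs the YANG module cites that the I-D's References section lacks, sorted."""
    return sorted(rfcs_in_yang_references(yang_text) - rfcs_in_id_references(refs_text))

if __name__ == "__main__":
    print("Missing from I-D References:", missing_references(SAMPLE_YANG, SAMPLE_ID_REFERENCES))
```

Running it against the real module text and References section (pasted in place of the samples) lists the RFC numbers that still need entries; RFCs mentioned only in `description` text are deliberately not counted.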