RE: [imss] imss WG Last Call: FC-SP MIB
Black_David@emc.com Tue, 27 November 2007 01:40 UTC
Return-path: <imss-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IwpQx-0003l3-6R; Mon, 26 Nov 2007 20:40:19 -0500
Received: from imss by megatron.ietf.org with local (Exim 4.43) id 1IwpQv-0003XP-1Q for imss-confirm+ok@megatron.ietf.org; Mon, 26 Nov 2007 20:40:17 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IwpQu-0003UW-JA for imss@ietf.org; Mon, 26 Nov 2007 20:40:16 -0500
Received: from mexforward.lss.emc.com ([128.222.32.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IwpQr-0005L0-8j for imss@ietf.org; Mon, 26 Nov 2007 20:40:16 -0500
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id lAR1e9Vo000035; Mon, 26 Nov 2007 20:40:09 -0500 (EST)
Received: from mailhub.lss.emc.com (sesha.lss.emc.com [10.254.144.12]) by hop04-l1d11-si01.isus.emc.com (Tablus Interceptor); Mon, 26 Nov 2007 20:40:09 -0500
Received: from corpussmtp3.corp.emc.com (corpussmtp3.corp.emc.com [10.254.64.53]) by mailhub.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id lAR1dqqw010253; Mon, 26 Nov 2007 20:40:04 -0500 (EST)
From: Black_David@emc.com
Received: from CORPUSMX20A.corp.emc.com ([128.221.62.11]) by corpussmtp3.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 26 Nov 2007 20:39:45 -0500
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [imss] imss WG Last Call: FC-SP MIB
Date: Mon, 26 Nov 2007 20:39:45 -0500
Message-ID: <FF29F13E2D78C047B4B79F4E062D0363C2DCB6@CORPUSMX20A.corp.emc.com>
In-Reply-To: <200711261721.JAA27433@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-topic: [imss] imss WG Last Call: FC-SP MIB
Thread-index: AcgwUQl06oxBArtvTn2uq6dyRgSd9AARCKiw
References: <no.id> from "WIJNEN, Bert \(Bert\)" at Nov 26, 2007 04:00:47 PM <200711261721.JAA27433@cisco.com>
To: kzm@cisco.com, bwijnen@alcatel-lucent.com
X-OriginalArrivalTime: 27 Nov 2007 01:39:45.0419 (UTC) FILETIME=[6397F5B0:01C83096]
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.5.1.298604, Antispam-Data: 2007.8.30.53115
X-PerlMx-Spam: Gauge=, SPAM=0%, Reason='EMC_BODY_1+ -3, EMC_FROM_0+ -3, NO_REAL_NAME 0, __C230066_P5 0, __CP_NOT_1 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __IMS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
X-Tablus-Inspected: yes
X-Tablus-Classifications: public
X-Tablus-Action: allow
X-Spam-Score: -4.0 (----)
X-Scan-Signature: d8921dd2ebcb07edebf7bfaf4808c2ad
Cc: imss@ietf.org, Black_David@emc.com, dromasca@avaya.com
X-BeenThere: imss@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet and Management Support for Storage Working Group <imss.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:imss@ietf.org>
List-Help: <mailto:imss-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=subscribe>
Errors-To: imss-bounces@ietf.org
Keith, At this juncture, I favor approach 3: > 3. Decide that the value of the one extra piece of information > (t11FcSpCertUsage) is not important enough for this MIB to have any sort > of dependency, and to decide not to define the T11-FC-SP-CERTS-MIB at > the present time. The extra information classifies a certificate as authentication (entity has private key) vs. trust anchor (used to verify certificates presented by other entities) and indicates which of the certificates is the default. Both of these are generic to certificates (i.e., there's nothing special to FC that requires them), and hence arguably belong in a certificate MIB somewhere as opposed to an FC MIB. In addition, I expect that the PKIX folks will probably have things to say about how to do certificate usage "right" which won't have much resemblance to what's in the MIB ;-). Finally, starting work on trust anchor management is on the PKIX agenda for Vancouver, and hence staying out of that entire area is probably a prudent step towards getting this MIB done in the nearer future. Unless there's objection from anyone else on the mailing list, I think we should just drop the CERTS-MIB. Thanks, --David ---------------------------------------------------- David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------- > -----Original Message----- > From: Keith McCloghrie [mailto:kzm@cisco.com] > Sent: Monday, November 26, 2007 12:21 PM > To: bwijnen@alcatel-lucent.com > Cc: Keith McCloghrie; Black, David; imss@ietf.org; dromasca@avaya.com > Subject: Re: [imss] imss WG Last Call: FC-SP MIB > > > Here are three alternatives for what we could do: > > 1. Continue with the "dependency" as-is, but with the additional > note on compliance that you suggest. > > 2. Generalize the "dependency" so that it doesn't actually refer to > [IPSP-IKE-ACTION] or [IPSP-IPSEC-ACTION], but instead says something > like: > > Prior to the definition of the T11-FC-SP-CERTS-MIB, work had started > in the IETF to specify a set of MIBs for managing IPsec/IKEv2. The > work was far enough along for the definition of FC-SP MIBs to > leverage them as prior work, and to define a small extension of > importance in the Fibre Channel environment. However, the approval > process for the IPsec/IKEv2 MIBs was delayed such that the > definition > of FC-SP MIBs caught-up with and was expected to overtake those for > IPsec/IKEv2. In order not to create a dependency, this document > defines only the extension, and it does so in a generic manner so > that the extension can be applied to any MIB for IPsec/IKEv2, either > the completion of the previously-begun work or any alternative which > might begin in the future. > > I think a simple technical change is all that is required to make the > definitions (in T11-FC-SP-CERTS-MIB) generic. Specifcially, I suggest > we change syntax of t11FcSpCertPointer to be an OID, such that it can > point to any table, i.e., not only into the ipsaCredentialTable, but > also into any other MIB's table. > > I think the above would allow the references to be Informational. > > 3. Decide that the value of the one extra piece of information > (t11FcSpCertUsage) is not important enough for this MIB to > have any sort > of dependency, and to decide not to define the T11-FC-SP-CERTS-MIB at > the present time. > > Keith. > > > > W.r.t. > > > > One thing I do see that may need some action is the > fact that this > > > > document has normative dependencies on these 2 documents: > > > > > > > > [IPSP-IKE-ACTION] > > > > Baer, M., Charlet, R., Hardaker, W., Story, R., > and C. Wang, > > "IPsec > > > > Security Policy IKE Action MIB", > draft-ietf-ipsp-ikeaction-mib- > > > > nn.txt, work-in-progress, 19 October 2006. > > > > > > > > [IPSP-IPSEC-ACTION] > > > > Baer, M., Charlet, R., Hardaker, W., Story, R., > and C. Wang, > > "IPsec > > > > Security Policy IPsec Action MIB", > > draft-ietf-ipsp-ipsecaction-mib- > > > > nn.txt, work-in-progress, 19 October 2006. > > > > > > > > > > > > However, I do not see that any IMPORT is done for those > 2 IPSP MIB > > > > modules, so maybe the dependency is not really normative? > > > > > > I agree that such a "dependency" is a little risky, because I > > > too submitted some comments on those MIBs. The reason that > > > I'm using quotes around "dependency" is because it is not the > > > definitions in this MIB which depend on any definitions in > > > those MIBs, but rather the explanation of why this MIB has > > > the set of (certificate-related) objects that it does. > > > Without such explanations, the definitions in this MIB would > > > appear incomplete, and it seems to me that making it complete > > > requires either: > > > > > > 1. the reference to the IPSP MIB modules that it currently > > > has, or 2. definition of new MIB objects which > > > duplicate/overlap with the IPSP MIB modules. > > > > > > Given that the IPSP MIB modules are still expected to get > > > approved (in the future), then I'd say #2 is at least > > > undesirable, and probably unacceptable. > > > > > > > yep... that sounds unacceptable. At the other hand, you may > > end up having you approved I-D in the RFC-Editor queue for > > many years to come waiting for the dependent IPSP MIB module > > documents to come through (sorry... even though there > > was a message about the status of IPSP MIB modules in August > > this year, I have seen no activity since. I keep being > > very pessimistic about a reasonable result in this space). > > > > Maybe one of the ADs (possibly security ADs) can say something > > about this issue or about the "dependency". As long as the > > docs are listed as normative references, your doc will get > > block at the RFC-Editor gates till those normative docs are > > ready to become an RFC as well. > > > > > > > So, if you can provide guidance on how to reference the IPSP > > > MIB modules in a way which avoids creating normative > > > dependencies, then please do. > > > > > > > If I read your section 4.6, then it seems that the > > ipsaCredentialTable, the ipsaCredentialSegmentTable and the > > ipiaCredMngCRLTable are needed to manage CAs and CRLs. > > So that to me seems quite a dependency. Are you guys aware > > of how your implementations will/might run without those > > tables? Have they currently been implemented in prorpietary ways? > > Or have pre-RFC implementations been fielded? > > > > >From sect 4.6, it seems that your MODULE-COMPLIANCE ought to state > > that those tables from IPSP MIB modules have to be supported in > > order to let your MIB modules/security-features work, no? > > > > Bert > > > Keith. > > > > > > > > > > I will find out when > > > > I read the whole FC-SP MIB document. Sofar I did notice: > > > > > > > > - 4.8.6. The T11-FC-SP-CERTS-MIB Module > > > > > > > > This MIB module specifies extensions to IPSP MIBs > > > [IPSP-IPSEC-ACTION] > > > > and [IPSP-IKE-ACTION] which are specific to Fibre > Channel. In > > > > particular, it specifies one table, t11FcSpCertsTable, > > > with a row per > > > > certificate indicating how that certificate is being > used, and > > > > containing the "name" of the certificate. This "name" > > > can be used to > > > > obtain information, which is independent of FC-SP, about the > > > > certificate from the ipsaCredentialTable (and from the > > > > ipsaCredentialSegmentTable if the certificate is > longer than 1024 > > > > bytes). > > > > > > > > - In the T11-FC-SP-CERTS-MIB (page 230/231: > > > > > > > > Since FC-SP leverages a subset of IPsec and > > > IKEv2 (see RFC > > > > 4595), a subset of the management > information defined for > > > > the use of certificates with IPsec/IKEv2 is also > > > applicable > > > > to FC-SP. Thus, this MIB module leverages > RFC wwww and > > > > RFC xxxx for the management of certificates, CAs > > > and CRLs. > > > > -- RFC Editor: replace wwww with actual RFC number for > > > > -- [IPSP-IPSEC-ACTION], and replace xxxx with actual RFC > > > number for > > > > -- [IPSP-IKE-ACTION] & remove this note > > > > > > > > Specifically, the information defined in > this MIB module > > > > consists of a pointer into the IPsec/IKEv2 > MIB modules, > > > > plus minimal additional item(s) of > information which are > > > > considered to be important in a Fibre Channel > > > environment. > > > > > > > > So it does sound normative. So I have a warning: > > > > > > > > I have been reviewing those 2 IPSP documents a few times > > > over the last > > > > (mmmm probably) 2-3 or 2-4 years, and I must warn you that > > > the cycle > > > > times on those documents are EXTREMELY slow. The > current revisions > > > > are: > > > > > > > > draft-ietf-ipsp-ikeaction-mib-02.txt > > > > draft-ietf-ipsp-ipsecaction-mib-02.txt > > > > > > > > which showed up as I-D on 10 Nov 2006, and both are still > > > in Revised > > > > ID needed. Those MIB documents are also pretty complex, and > > > so if/when > > > > a new revision will eventually show up (if at all), then > > > whoever needs > > > > to re-review will need a serious block of time to > actually do so. > > > > My personal experience is pretty bad/sad with those 2 > > > documents, and I > > > > must admit that I am completely de- or un-motivated at this > > > point in > > > > time to re-review them a again if/when they do show up. But > > > possibly > > > > Dan can convince me otherwise at that time. > > > > > > > > Anyway, I just wanted the authors/editors/wg-chair and WG > > > members to > > > > be aware of this risky normative dependency. > > > > > > > > Bert Wijnen > > > > > > > > > -----Original Message----- > > > > > From: Black_David@emc.com [mailto:Black_David@emc.com] > > > > > Sent: Wednesday, October 10, 2007 2:18 AM > > > > > To: imss@ietf.org > > > > > Cc: dromasca@avaya.com; Black_David@emc.com > > > > > Subject: [imss] imss WG Last Call: FC-SP MIB > > > > > Importance: High > > > > > > > > > > This is to announce an imss WG Last Call on the following > > > MIB draft: > > > > > > > > > > MIB for Fibre-Channel Security Protocols (FC-SP) > > > > > draft-ietf-imss-fc-fcsp-mib-00.txt > > > > > > > > > > This WG Last Call will run through 12 midnight > Eastern Time on > > > > > Friday, October 26, 2007 (your WG chair hopes to deal > > > with Last Call > > > > > results during the week of October 29th and hopes that > > > any revisions > > > > > can be completed prior to the November 19th Internet Draft > > > > > submission cutoff for the Vancouver meeting). > > > > > > > > > > Technical comments *must* be sent to the imss mailing list. > > > > > Editorial comments may be sent directly to the draft > editor (but > > > > > please cc: me): > > > > > > > > > > Keith McCloghrie [kzm@cisco.com] > > > > > > > > > > In order to try to set a good example, I have completed > > > my WG chair > > > > > review of the MIB prior to announcing this Last Call. > > > > > > > > > > I found two technical concerns: > > > > > (1) The MIB defines precedence values for traffic selectors > > > > > as opposed to implicitly presenting them in order of > > > > > precedence. I guess this is ok, but Section 4.7 should > > > > > explain why this approach was chosen. > > > > > (2) Section 4.9 defines rate control for Authentication > > > > > failures on a per-fabric granularity. That strikes > > > > > me as overly coarse, and I wonder if per-SA would > > > > > be a more appropriate/useful granularity. > > > > > > > > > > I also found a number of editorial concerns: > > > > > > > > > > Section 1, 2nd paragraph. Remove the sentence starting > > > with "This > > > > > latest draft" or insert an instruction to the RFC Editor > > > to remove > > > > > it before publication as an RFC. > > > > > > > > > > Section 3.1 - Delete "The" at the start of the first > paragraph. > > > > > > > > > > Should Section 3.5 and subsequent subsections of > Section 3 all be > > > > > subsections of Section 3.4 Security? > > > > > > > > > > Section 3.10 - "To provide better scaling, the Switch > Connectivity > > > > > Objects are not Fabric-wide information such that they are > > > > > distributed only to where they are needed." > > > > > > > > > > "information such that they are" -> information, but are" > > > > > > > > > > Section 3.10 introduces "Active Zone Set" but does not > > > explain what > > > > > this term means. > > > > > > > > > > T11FcSpPolicyNameType - the DESCRIPTION needs to explain > > > the concept > > > > > of "restricted" - how does a "restricted" entity > differ from the > > > > > corresponding unrestricted entity? > > > > > > > > > > Thanks, > > > > > --David > > > > > ---------------------------------------------------- > > > > > David L. Black, Senior Technologist > > > > > EMC Corporation, 176 South St., Hopkinton, MA 01748 > > > > > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > > > > > black_david@emc.com Mobile: +1 (978) 394-7754 > > > > > ---------------------------------------------------- > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > imss mailing list > > > > > imss@ietf.org > > > > > https://www1.ietf.org/mailman/listinfo/imss > > > > > > > > > > > > > > > > > _______________________________________________ > > > > imss mailing list > > > > imss@ietf.org > > > > https://www1.ietf.org/mailman/listinfo/imss > > > > > > > > > > > _______________________________________________ imss mailing list imss@ietf.org https://www1.ietf.org/mailman/listinfo/imss
- [imss] Changes to draft-ietf-imss-fc-fam-mib-00.t… Keith McCloghrie
- [imss] Re: Changes to draft-ietf-imss-fc-fam-mib-… Keith McCloghrie
- Re: [imss] Re: Changes to draft-ietf-imss-fc-fam-… Keith McCloghrie
- [imss] Re: Agenda for next week's T11.5 Managemen… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] Last Call: 'Fibre-Channel Name Server … Keith McCloghrie
- Re: [imss] Last Call: 'Fibre-Channel Name Server … Keith McCloghrie
- [imss] Re: DISCUSS on Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-rtm-m… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Claudio DeSanti
- Re: [imss] RE: AD review of: draft-ietf-imss-fc-r… Keith McCloghrie
- Re: [imss] RE: AD review of: draft-ietf-imss-fc-r… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] WG last call: draft-ietf-imss-fc-rscn-… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] WG Last Call: draft-ietf-imss-fc-fcs-m… Keith McCloghrie
- [imss] A couple of loose ends Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Claudio DeSanti
- Re: [imss] WG last call review: T11-FC-ZONE-SERVE… Keith McCloghrie
- Re: [imss] Last Call comments on draft-ietf-imss-… Keith McCloghrie
- RE: [imss] Last Call comments on draft-ietf-imss-… Black_David
- Re: [imss] Keith McCloghrie
- Re: [imss] Keith McCloghrie
- Re: [imss] T11 MIB issue resolutions Keith McCloghrie
- Re: [imss] T11 MIB issue resolutions Keith McCloghrie
- [imss] Rereview for draft-ietf-imss-fc-rscn-mib-0… Wijnen, Bert (Bert)
- Re: [imss] Rereview of: draft-ietf-imss-fc-fcs-mi… Keith McCloghrie
- RE: [imss] Rereview of: draft-ietf-imss-fc-fcs-mi… Black_David
- Re: [imss] re-view: T11-FC-FABRIC-LOCK-MIB in Keith McCloghrie
- RE: [imss] re-view: T11-FC-FABRIC-LOCK-MIB in Wijnen, Bert (Bert)
- Re: [imss] re-review: T11-FC-ZONE-SERVER-MIB in Keith McCloghrie
- RE: [imss] re-review: T11-FC-ZONE-SERVER-MIB in Wijnen, Bert (Bert)
- Re: [imss] Acceptance of draft-kzm-imss-fc-fcsp-m… Keith McCloghrie
- RE: [imss] Acceptance of draft-kzm-imss-fc-fcsp-m… Romascanu, Dan (Dan)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB Black_David
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB Black_David
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- Re: [imss] MIB doctor review part 1 (SYNTAX Check… Keith McCloghrie
- Re: [imss] MIB doctor review part 2 (T11-FC-SP-TC… Keith McCloghrie
- RE: [imss] MIB doctor review part 2 (T11-FC-SP-TC… WIJNEN, Bert (Bert)
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Keith McCloghrie
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Black_David
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Romascanu, Dan (Dan)