IETF Logo Mail Archive

[IPsec] AD Review of draft-ietf-ipsecme-mib-iptfs-03

Roman Danyliw <rdd@cert.org> Thu, 21 July 2022 18:27 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C95AC16ECC0 for <ipsec@ietfa.amsl.com>; Thu, 21 Jul 2022 11:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwQmD2YR0VBB for <ipsec@ietfa.amsl.com>; Thu, 21 Jul 2022 11:27:07 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0131.outbound.protection.office365.us [23.103.208.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3421FC14F73B for <ipsec@ietf.org>; Thu, 21 Jul 2022 11:27:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=aNYvDW2Beyn3GXNZSkeTY2KQvxT3aj4TBbuHZ+ZFGdLAsd4hgx+QqZJPriZWpH4aDk2r6ZPN3+DbiO5zdWR8/y38MigLl/JlzSUZEC6R10dEJIpoymsZaDh92jqV4EiecX7x+oVUY7ZQywAi/gFni481xzFaphYxH8NNbUT48pKcZJDpLfoPAPjCHlgVyCqWWiACsTc8I/FC026Qm0pK+GT0X1R8Ny7mvafCavdnPRM8nRFpIFg3Q9sjpSFpuk0LYAkW+HO5IyHWC6Lm+5lcFpZCWnXz54fIj67sHzPZK72oBSFw/IR5XhTDKmGlfJf0XFdos/651RNlj7u2eMrfPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ETJDGYST3Sj2jjY2iDoJKg1ZWC8anwsOZ1Gaaehr7o0=; b=lJEy3mvc6B0wFOUHJVsCpxkrytKqLB3BOR/Mgb8tnTAnc+IEpbVJhblv5k3+roFKJcfy0vv0utLk4er2RrtzZBdYOyXG2C2S6sUAXv6sQ51emUJO+XKvl4qlmeTmLV10/i0TRl7h4wUUcPcu1rxB3K9E6SjlYjIsyoyMsbSItqppa31HNhaacju1Yz8A7lsrtzIlj0NoCIM2aCFv3hCE0XALZ5lbEZbQ2wXgh1xwIqqXM7xjoEW3ZOLt+b+b44qJF1jahzzA8rV+GinjESLPlmkp+/XCFSdhHzDIf8eOFHQVankLjdEJC+cs0GvtwmxPSwkau9xuVRdWU685HcpIqw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ETJDGYST3Sj2jjY2iDoJKg1ZWC8anwsOZ1Gaaehr7o0=; b=cQFKFZqiQEa1Mdx4Xpvfk+FBlzgO2NukaL5EOi6eHTsi85sHEN9cm2eAAGtI8sMOZ5iMRgVpHAregOwEbugZue3Rv3xgNf2cUHHxKhfika1fDDYzUtQqwo7LD9mH4okUtrD9KYK7LfZ+0nojGkrxTVKqRoxVGM5GC1hr0x5gRU0=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1207.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17c::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5438.23; Thu, 21 Jul 2022 18:27:01 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61c5:afc3:7804:7d27]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61c5:afc3:7804:7d27%3]) with mapi id 15.20.5438.024; Thu, 21 Jul 2022 18:27:01 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: AD Review of draft-ietf-ipsecme-mib-iptfs-03
Thread-Index: AdidLyNulkzFbqRDQV2nL3iEUfzovg==
Date: Thu, 21 Jul 2022 18:27:01 +0000
Message-ID: <BN2P110MB1107B4A565C794F43F6297FCDC919@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 86f008a7-42c3-4dc4-6f23-08da6b469aab
x-ms-traffictypediagnostic: BN2P110MB1207:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vNLy/68rlsnwJ5RH+36cfDu2+psGh7EZgslmio4sOkve7T905bwLpUD70v3auowTrGXw4+Mixyx/iZhOgsoU3SuyVIl+QJNmbs5d6DQ2G3ST/0SwWWUXyQ4rYdVx7UTbFyOZCpgwSu66/DBjFTRc/WSvAiFOkuLmtRr3YZbkcDEqjXTi0B5PCdavl0CGTVi6txd1U3+KmobcyL0ZxP4jQfD3BOyxJoV/+amHDIlxQEN82QyHNMR2UtNUski0KLl5qCq3qg87WnBqb8Pp7iEZf2bIkftPQ4XHvvzGNGh+hjSR0Evdwd44I74bVs14Ik9zYgWFve2fylM8fDQvs6nVLXwIgYbKvbMZD6RNL5VadB9OlVHuuPi05LKVmpVF4hMrDoLWglQ33pffQx3Z2oyQqxhvcUNrEou1VogRDRGAIsRqKBkVQ3PeGLVZtKpR0xIgMMAtKb4zZGaP8Uxu0KPBb4DhgtJUaPhF/V6SbuAx8auDzBcdE+6nMeRpkZ4vGc0xmD+UALS8+P7GZ82rE37u3XWzyGmwQO2JEcCV5q0QDzPXv3upvKU3qH8nBosOFEWrm/qFBJrrpDe2BztKGIq9r6/xeS7Ff1sj0IQGr/zNb5SPuQVE2RddA9UGqp+zE9iF8bWf5xdjIcWJGgRfy+O2/uTEZ+UpaBz+klbBi8mBLhHxowChNXHCec3z2PFCytXWktKwwWARA063CxzyJPINGLJCCkHuU/AApV6WiZDkTvA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(71200400001)(7696005)(26005)(38070700005)(38100700002)(33656002)(86362001)(122000001)(186003)(9686003)(82960400001)(6916009)(498600001)(66476007)(8676002)(64756008)(5660300002)(66556008)(6506007)(8936002)(52536014)(76116006)(66446008)(66946007)(55016003)(83380400001)(2906002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ubv2eY0DHOoNE3W0kTOomLzGNQNQHkfUZGS1PiizE2OfAJfQqn8EGoCSqCIdCm+WwMC+JExKHuK7tZBLMBmOnhiyKxmHTbMEMoOXQLHYScq4t5OmSrqcP+s4tpzdLkeVcw+B7M5Cuw0sYf9tpIFNaYLLkH7pWuMLIceyDB51THzAeQLBAIqVgBubQx56zzS2PpIS6C91Rbej3FVBIYbkXIeRmnqtle1Ccmqk3besvq6fLfBcp9g2JiK60f/TgevT5/8e/3O8hiDJ5xIxCym3jBn7xThR9cA9fNI5pTN0gabI9m435tnHbKzRbdiJqTpJl4zE7P6MiMnlTYYYFAhGXRqjHOk1X8MFDxhf5hs4MrDkEONm1SUhFi01fkmdKndO3OVXIk1w6DPGXojW+IRiiEP/IpSoeqQ0eJDR6qm3GaE=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 86f008a7-42c3-4dc4-6f23-08da6b469aab
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2022 18:27:01.2843 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1207
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/CnWYTd3wcGM15ERr4JWvY2wHJEw>
Subject: [IPsec] AD Review of draft-ietf-ipsecme-mib-iptfs-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 18:27:09 -0000

Hi!

I performed an AD review of draft-ietf-ipsecme-mib-iptfs-03.  Thanks for this companion document to the YANG module for IP-TFS management.  Below is my feedback:

To the idea that this MIB is redrived from the YANG modules:

** Consider if you want to use the same names for field values.  I'm not sure if this divergence was an explicit design choice, or an accident.

-- usePathMTU (MIB) vs. use-path-mtu-discovery (YANG) (i.e., make it "usePathMTUDiscovery" here)

-- lostPktTimerInt (MIB) vs. lost-packet-timer-interval (YANG) (i.e., make it "lostPacketTimerInterval" here)

-- The various statistics fields in the MIB expand "Packet" but in the YANG they are abbreviated to "pkt" (e.g., txPackets in MIB vs. tx-pkts in YANG)

** Consider if the types are right:

-- in outerPacketSize (MIB)/outer-packet-size(YANG), the types are UnsignedShort/ uint16 respectively.  Practically, UnsignedShort is "Unsigned32 (0 .. 65535)".  However, windowSize(MIB)/window-size (YANG) are Unsigned32/ uint16 which don't match up.  Should windowSize then a UnsignedShort too to be symmetric to the YANG definition?  

-- maxAggregationTime and lostPktTimerInt (MIB) are of type NanoSeconds, practically "Counter64".  Their equivalent in YANG are max-aggregation-time and lost-packet-timer-interval of type decimal64.  These aren't equivalent datatypes.  YANG seems to support negative and fractional values.

** Abstract.  Typo. s/the the/the/

** Section 1.

   The objects defined here are the same as
   [I-D.ietf-ipsecme-yang-iptfs] with the exception that only
   operational data is supported.

-- Could this excluded "operational data" be enumerated?

-- I found this terminology of "operational data" confusing because in Section 3 the text says "This document defines configuration and operational parameters ...".  There is a taxonomy of "operational data" and "operational parameters" being constructed.

** Section 3.  What's the difference between:

(a) "This document is based on the concepts and management model defined
   in [I-D.ietf-ipsecme-yang-iptfs]."

(b) "It reuses the management model defined in
   [I-D.ietf-ipsecme-yang-iptfs]."

AND then

(c) This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).

(d) This document specifies an extensible operational model for IP-TFS.

Consider if the both the first and third paragraph if this section is needed since it seems like there is a significant repetition.

** Section 4.2.  Surround the MIB module with  '<CODE BEGINS>' and '<CODE ENDS>' lines

** Section 4.2.  Typo. s/refrence/referenced/

** Section 6.  Thanks for calling out the sensitivity of iptfsOuterStatsTable.  Wouldn't the same caution apply to iptfsInnerStatsTable too?

** Section 6.
   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  

Given the IPTFS is new functionality and isn't likely to be added to legacy codebases or devices constrained to SNMPv1 is possible, could this read that SNMPv3 is required?

Thanks,
Roman

v2.23.0 | Report a Bug | By Email