Re: [IPsec] AD Review of draft-ietf-ipsecme-yang-iptfs-05

Don Fedyk <dfedyk@labn.net> Tue, 17 May 2022 22:56 UTC

From: Don Fedyk <dfedyk@labn.net>
To: Roman Danyliw <rdd@cert.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Date: Tue, 17 May 2022 22:56:49 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7WyVORasXew8XAfRaRPqUUdccbc>
Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-yang-iptfs-05

Hi Roman

I have posted the change to the draft (regarding the items mentioned). One other item that does not show up in the diff: the tree file was out of date. This is also fixed.
Also note we had already used the YANG security template. It looked OK to me.

Please let us know if there is anything else required to keep this progressing.   

Thanks,
Don    

-----Original Message-----
From: Don Fedyk 
Sent: Monday, May 9, 2022 12:50 PM
To: Roman Danyliw <rdd@cert.org>; ipsec@ietf.org WG <ipsec@ietf.org>
Subject: RE: AD Review of draft-ietf-ipsecme-yang-iptfs-05

Hi Roman

Thank you for your review. Below are the answers; I will make an update shortly.

Don 

-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: Friday, May 6, 2022 4:25 PM
To: ipsec@ietf.org WG <ipsec@ietf.org>
Subject: [IPsec] AD Review of draft-ietf-ipsecme-yang-iptfs-05

Hi!

I performed an AD review of draft-ietf-ipsecme-yang-iptfs-05.  Thanks for this complementary work to draft-ietf-ipsecme-iptfs.  Feedback is below.

** Section 2.  Editorial. s/ipsec/IPsec/
[Don] OK

** Section 2.  Typo. s/to fll/to fill/
[Don]OK

** Section 2.  Typo? Per "RFC [RFC9061] has a set of ", this strikes me as an odd way to make the reference.  Was it supposed to be "RFC 9061 [RFC9061]"?  I would recommend "RFC9061 [RFC9061] defines a set of".
[Don] Yes, thanks

** Section 2.  Editorial. s/IP-TFS YANG/The IP-TFS YANG module/
[Don] OK

** Section 3.2. Leaf rx-incomplete-pkts.  To check my understanding, this is a count of inner packets for which not all of the necessary fragments arrived?
[Don] Yes, IP-TFS specifies a window for receiving fragments. The incomplete packets are packets where one or more fragments were not received within the allowed window, so the packet is discarded.

** Section 3.2. Leaf out-packet-size.  Please state the units (bytes?).
[Don]OK

** Section 5.  Please use the YANG security template as a means to be specific about the read and write implications of this module.
[Don]OK

** Section 5.

   IP-TFS hides the traffic flows through the network, anywhere that
   access YANG statistics is enabled needs to be protected from third
   party observation.

Can this sentence please be restated, as it doesn't parse.  Is the intent to say that the statistics need to be access controlled?  The template referenced above would help here.

[Don] OK. The intent was that access to YANG statistics can reveal traffic information, and that should be mentioned as a security consideration.

Suggest:

   IP-TFS hides the traffic flows through the network; however, anywhere that IP-TFS
   YANG statistics access is enabled can reveal some information about traffic flows as well.
   Therefore, access to IP-TFS YANG statistics also needs to be protected from third
   party observation.

** Section A.*.  Editorial.  s/ipsec/IPsec/
[Don] OK

** Section A.*.   Editorial. s/ikeless/IKE-less/
[Don] OK

** Section A.5.  Typo.  s/json/JSON/
[Don] OK

** Section A.5.  Typo. s/formated/formatted/
[Don] OK

** Section A.5.  

   <tfs:traffic-flow-security> <tfs:reorder-window-
   size>300</tfs:reorder-window-size>

There is an XML fragment at the very end of the document.  Is that a typo?
[Don] Yes, this seems to be a fragment from an earlier version; there is no reorder-window-size, just window-size.

Thanks,
Roman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
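The rx-incomplete-pkts exchange above describes packets whose fragments did not all arrive within the receive window. The following is an added illustration, not code from the draft or from draft-ietf-ipsecme-iptfs; the window semantics (a sliding window of window-size outer sequence numbers, with an inner packet given up once the window passes the outer packet that carried its first fragment) and the trace are simplifying assumptions constructed for the example.

```python
"""Simplified model of an IP-TFS receiver that counts rx-incomplete-pkts.
Constructed example, not code from the draft. A fragment is (inner_id, index,
total). The receiver keeps a reorder window of window-size outer sequence numbers
and gives up on an inner packet still missing pieces once the window slides past it."""
from dataclasses import dataclass, field

@dataclass
class Receiver:
    window_size: int
    rx_complete_pkts: int = 0
    rx_incomplete_pkts: int = 0
    highest_seq: int = -1
    pending: dict = field(default_factory=dict)  # inner_id -> (first_seq, indexes seen, total)
    given_up: set = field(default_factory=set)   # inner ids already counted as incomplete

    def receive(self, seq, fragments):
        """Process one outer packet with sequence number seq carrying fragments."""
        if self.highest_seq - seq >= self.window_size:
            return  # outer packet is older than the whole window: drop it
        self.highest_seq = max(self.highest_seq, seq)
        for inner_id, index, total in fragments:
            if inner_id in self.given_up:
                continue  # late piece of a packet already discarded; do not resurrect it
            first_seq, seen, _ = self.pending.pop(inner_id, (seq, set(), total))
            seen.add(index)
            if len(seen) == total:
                self.rx_complete_pkts += 1
            else:
                self.pending[inner_id] = (min(first_seq, seq), seen, total)
        # Slide the window: anything whose first fragment fell out of it is incomplete.
        oldest_in_window = self.highest_seq - self.window_size + 1
        for inner_id in [i for i, (fs, _, _) in self.pending.items() if fs < oldest_in_window]:
            del self.pending[inner_id]
            self.given_up.add(inner_id)
            self.rx_incomplete_pkts += 1

def run_trace(window_size=3):
    """Constructed trace: inner packet 2 spans outer 11 and 12, and outer 12 is delayed."""
    rx = Receiver(window_size)
    trace = [
        (10, [(1, 0, 2)]),
        (11, [(1, 1, 2), (2, 0, 2)]),
        (13, [(3, 0, 1)]),
        (14, [(4, 0, 1)]),   # window is now 12..14, so inner 2 (started at 11) is given up
        (12, [(2, 1, 2)]),   # delayed fragment is inside the window but its packet is gone
        (15, [(5, 0, 1)]),
    ]
    for seq, frags in trace:
        rx.receive(seq, frags)
    return rx.rx_complete_pkts, rx.rx_incomplete_pkts
```

With the default window of 3 the same trace yields one incomplete packet, while a window of 5 lets the delayed fragment complete inner packet 2, which is why the counter is only meaningful alongside the configured window-size.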