Re: [IPsec] AD Review of draft-ietf-ipsecme-mib-iptfs-03

Don Fedyk <dfedyk@labn.net> Tue, 20 September 2022 18:38 UTC

From: Don Fedyk <dfedyk@labn.net>
To: Roman Danyliw <rdd@cert.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yH1KDpZXwm4NSTknZCpSbQmoexM>

Hi Roman

Sorry for the delay. I wanted to address your points and align with the latest Iptfs-yang module, but I got delayed.  Here is a pass at addressing the issues you raised. I have posted an update with most of your suggestions.

Thanks Don & Eric

Comments Inline below [don].



-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: Thursday, July 21, 2022 2:27 PM
To: ipsec@ietf.org WG <ipsec@ietf.org>
Subject: [IPsec] AD Review of draft-ietf-ipsecme-mib-iptfs-03

Hi!

I performed an AD review of draft-ietf-ipsecme-mib-iptfs-03.  Thanks for this companion document to the YANG module for IP-TFS management.  Below is my feedback:

To the idea that this MIB is rederived from the YANG modules:

** Consider if you want to use the same names for field values.  I'm not sure if this divergence was an explicit design choice, or an accident.

-- usePathMTU (MIB) vs. use-path-mtu-discovery (YANG) (i.e., make it "usePathMTUDiscovery" here)
[don] Done

-- lostPktTimerInt (MIB) vs. lost-packet-timer-interval (YANG) (i.e., make it "lostPacketTimerInterval" here)
[don] Done

-- The various statistics fields in the MIB expand "Packet" but in the YANG they are abbreviated to "pkt" (e.g., txPackets in MIB vs. tx-pkts in YANG)
[don] The YANG use of pkt is common in YANG and the word pkt is common in MIBs, so I have aligned the MIB.

** Consider if the types are right:

-- in outerPacketSize (MIB)/outer-packet-size (YANG), the types are UnsignedShort/uint16 respectively.  Practically, UnsignedShort is "Unsigned32 (0 .. 65535)".  However, windowSize (MIB)/window-size (YANG) are Unsigned32/uint16 which don't match up.  Should windowSize then be an UnsignedShort too to be symmetric to the YANG definition?
[Don] Changed windowSize (MIB) to UnsignedShort.

-- maxAggregationTime and lostPktTimerInt (MIB) are of type NanoSeconds, practically "Counter64".  Their equivalent in YANG are max-aggregation-time and lost-packet-timer-interval of type decimal64.  These aren't equivalent datatypes.  YANG seems to support negative and fractional values.
[Don] My understanding is the textual convention should handle this. I have it now like this.
NanoSeconds ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d-6"
    STATUS  current         
    DESCRIPTION                     
      "Represents time unit value in nanoseconds."
    SYNTAX      Integer32


** Abstract.  Typo. s/the the/the/
[don] done. 

** Section 1.

   The objects defined here are the same as
   [I-D.ietf-ipsecme-yang-iptfs] with the exception that only
   operational data is supported.

-- Could this excluded "operational data" be enumerated?
[don] Referenced the tree diagram in section 4.5 

-- I found this terminology of "operational data" confusing because in Section 3 the text says "This document defines configuration and operational parameters ...".  There is a taxonomy of "operational data" and "operational parameters" being constructed.
[don] Clarified. 

** Section 3.  What's the difference between:

(a) "This document is based on the concepts and management model defined
   in [I-D.ietf-ipsecme-yang-iptfs]."

(b) "It reuses the management model defined in
   [I-D.ietf-ipsecme-yang-iptfs]."

AND then

(c) This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).

(d) This document specifies an extensible operational model for IP-TFS.

[don] Adjusted. 

Consider if both the first and third paragraph of this section are needed since it seems like there is significant repetition.

** Section 4.2.  Surround the MIB module with  '<CODE BEGINS>' and '<CODE ENDS>' lines
[don] Are we doing this anymore? The practice seems to have disappeared with YANG.  I don't see this in any MIBs. I can add, but I don't see an example.

** Section 4.2.  Typo. s/refrence/referenced/
[don] done.

** Section 6.  Thanks for calling out the sensitivity of iptfsOuterStatsTable.  Wouldn't the same caution apply to iptfsInnerStatsTable too?
[don] Aligned with YANG doc - both outer and inner are called out.

** Section 6.
   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  

Given the IPTFS is new functionality and isn't likely to be added to legacy codebases or devices constrained to SNMPv1 is possible, could this read that SNMPv3 is required?
[don] We used the suggested text that was supplied from WG AD review.  I think this is kind of boilerplate.

Thanks,
Roman
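
Added example (not part of the thread, and not code from the draft or its authors): how an RFC 2579 DISPLAY-HINT of the form "d-N" renders an Integer32, and which decimal values an Integer32 scaled by that hint can carry, as a way to check the type question raised above for the NanoSeconds textual convention. The function names and sample values are constructed for illustration; the YANG side is represented only as a decimal string, since the fraction-digits of the YANG leaf are not given in this message.

```python
from decimal import Decimal

# SMIv2 Integer32 range (RFC 2578).
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def _places(hint: str) -> int:
    """Return N for a 'd' or 'd-N' integer DISPLAY-HINT (RFC 2579, sec. 3.1)."""
    if hint == "d":
        return 0
    if hint.startswith("d-") and hint[2:].isdigit():
        return int(hint[2:])
    raise ValueError(f"unsupported DISPLAY-HINT: {hint!r}")


def render_display_hint(value: int, hint: str) -> str:
    """Format an Integer32 the way a manager applying the hint would show it."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError("value outside Integer32 range")
    places = _places(hint)
    if places == 0:
        return str(value)
    sign = "-" if value < 0 else ""
    # Left-pad so there is always at least one digit before the point.
    digits = str(abs(value)).rjust(places + 1, "0")
    return f"{sign}{digits[:-places]}.{digits[-places:]}"


def encode_scaled(text: str, hint: str = "d-6") -> int:
    """Turn a decimal string into the scaled Integer32 implied by the hint.

    Raises ValueError if the value has more fractional digits than the hint
    carries, and OverflowError if the scaled value does not fit in Integer32.
    """
    scaled = Decimal(text).scaleb(_places(hint))
    if scaled != scaled.to_integral_value():
        raise ValueError("more fractional digits than the hint can carry")
    number = int(scaled)
    if not INT32_MIN <= number <= INT32_MAX:
        raise OverflowError("does not fit in Integer32")
    return number
```

The hint only moves the decimal point for display; the value on the wire is still a 32-bit integer, so with "d-6" the largest displayable value is 2147.483647.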
