[MIB-DOCTORS] MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
"Wijnen, Bert \(Bert\)" <bwijnen@alcatel-lucent.com> Thu, 04 January 2007 15:05 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H2U9i-0005Zm-FM; Thu, 04 Jan 2007 10:05:22 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H2U9i-0005Z0-3W for mib-doctors@ietf.org; Thu, 04 Jan 2007 10:05:22 -0500
Received: from ihemail1.lucent.com ([135.245.0.33]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H2U9e-0002FZ-VM for mib-doctors@ietf.org; Thu, 04 Jan 2007 10:05:22 -0500
Received: from ilexp01.ndc.lucent.com (h135-3-39-1.lucent.com [135.3.39.1]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id l04F581H029576; Thu, 4 Jan 2007 09:05:09 -0600 (CST)
Received: from DEEXP02.DE.lucent.com ([135.248.187.66]) by ilexp01.ndc.lucent.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 4 Jan 2007 09:04:58 -0600
Received: from DEEXC1U02.de.lucent.com ([135.248.187.27]) by DEEXP02.DE.lucent.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 4 Jan 2007 16:04:57 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 04 Jan 2007 16:04:43 +0100
Message-ID: <D4D321F6118846429CD792F0B5AF471F08C61B@DEEXC1U02.de.lucent.com>
In-Reply-To: <D4D321F6118846429CD792F0B5AF471F08C604@DEEXC1U02.de.lucent.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
Thread-Index: AccvOTd4xabe2tpGTcOOSADx970+HwACDkhw
From: "Wijnen, Bert (Bert)" <bwijnen@alcatel-lucent.com>
To: baerm@tislabs.com, rcharlet@alumni.calpoly.edu, hardaker@tislabs.com, rstory@sparta.com, cliffwangmail@yahoo.com
X-OriginalArrivalTime: 04 Jan 2007 15:04:57.0353 (UTC) FILETIME=[B2ABCF90:01C73011]
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e2b1c21e3dfd00bd40339b153dfe4f6a
Cc: Russ Housley <housley@vigilsec.com>, Keith McCloghrie <kzm@cisco.com>, "MIB Doctors \\\\\\(E-mail\\\\\\)" <mib-doctors@ietf.org>
Subject: [MIB-DOCTORS] MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/mib-doctors>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
Errors-To: mib-doctors-bounces@ietf.org
[I have copied Keith, because I understand he did partially review this MIB module]. I have included Keith's comments (some are generic, some are specific T11 or IETF IMSS WG requirements and desires, yet I think they make a lot of sense) as well, so you have a complete set. Also, Keith and I are not (yet) in complete agreement on some aspects of MIB modules. I know that Keith has written to you about (for example) the IPSEC-SPD-MIB after I had done MIB doctor (and I guess at the time OPS AD review). These are the two issues: - I have advised, for objects of SYNTAX STorageType, to use some tekst aka For a storage type of permanent, none of the columns have to be writable." That is, I had interpreted the DESCRIPTION clause of the StorageType TC in RFC2579 to mandate that the use of the TC requires to specify which writable objects in the associated row must be writable (if any). Keith thinks this belongs in the MODULE-COMPLIANCE. We are still discussing this and so I cannot give any new advise yet. This explanation is to warn that I may revise my earlier advise as a result of our discussions (OPS AD will be consulted as well before I want to change my earlier advise. In fact, Dan is at least being copied on our email exhanges). - I have advised to write text aka An attempt to set this object to a value that does not exist in the ipiaSaNegotiationParametersTable MUST result in an inconsistentValue error." Keith believes that this is incorrect, because sometimes an other error can be returned. That is if in the Elements of Procedure in RFC3416 (sect 4.2.5, page 19, but specifcally pages 20 and 21) another error would be detected BEFORE you check the consistency of the value (i.e. step 10 on page 21). I had just assumed that that makes common sense (so if you detect a noAccess as per step 1 on page 20), then OF COURSE you return a noAccess error. Again I am not sure that Keith and I yet agree on how to word this. There are also others in the MIB doctors team (I believe our current OPS AD is one of them) who think that we should NEVER list specific snmpErrorCodes in the DESCRIPTION clauses. This, because (at least in theory, we're not aware of any practice) a MIB could be used with non-SNMP management protocols. If that were the only issue, then we can solve it by using text aka An attempt to set this object to a value that does not exist in the ipiaSaNegotiationParametersTable would cause an inconsistency (and for example for SNMP could result in an inconsistentValue error)." Anyway, I again have to warn that I may change my earlier advise once this discussion closes on MIB doctors team. General remark I am not well enough versed/skilled in the security protocols and mechanisms/algorithms that are being modeled in this MIB module/document. So I have done a review with a SNMP/MIB view, but I have not (and cannot) review it from a security-point of view. In fact, after having spend more than a day on this MIB module, I cannot say that I really understand it all. So I am assuming that real security folk will do the securiy review and check if this indeed correctly models the management information as intended (or maybe already have done that). Also the grouping of Objects and the two MODULE-COMPLIANCE statements are outside my competency to determine if they make sense or not. The MIB documents are nearly clean (from a SYNTAX point of view) and also many of the issues I had brought up in the review if the IPSEC-SPD-MIB and also were rpesent in an earlier version of this MIB document, have been resolved. So a more detailed review made sense this time. Lots of comments and questions still remain though. Here are my comments on the IPSEC-IKEACTION-MIB module. 1. ipiaIkePhase1Filter and ipiaIkePhase2Filter are stated to be static filters. So just by pointing to it the filter is activated? No matter what the value is? I see that in the IPSEC-SPD-MIB we made it a fixed value of 1. Would it be wise to be consistent and do that here as well? Same for ipiaRejectIKEAction and ipiaRejectIKEActionLog 2. I am confused by: ipiaCredFiltCredentialType OBJECT-TYPE SYNTAX IpsaCredentialType MAX-ACCESS read-create STATUS current DESCRIPTION "The credential type that is expected for this filter to succeed." DEFVAL { x509 } ::= { ipiaCredentialFilterEntry 2 } The reason is that the IpsaCredentialType TC states: IpsaCredentialType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpsaCredentialType identifies the type of credential contained in a corresponding IpsaIdentityFilter object." SYNTAX INTEGER { reserved(0), unknown(1), sharedSecret(2), x509(3), kerberos(4) } So I am left wondering how I find the corresponding IpsaIdentityFilter object ?? 3. I see: ipiaCredFiltMatchFieldName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..256)) MAX-ACCESS read-create STATUS current DESCRIPTION "The piece of the credential to match against. Examples: serialNumber, signatureAlgorithm, issuerName or subjectName. For credential types without fields (e.g. shared secret), this field SHOULD be left empty, and the entire credential will be matched against the ipiaCredFiltMatchFieldValue." ::= { ipiaCredentialFilterEntry 3 } So I wonder about a few things. - What is an empty field? I guess you mean the zero-length string. Pls be specific - What happens if some-one does not live up to the SHOULD requirement for exampel for a shared secret Credential Type? 4. I see: ipiaCredFiltAcceptCredFrom OBJECT-TYPE SYNTAX OCTET STRING(SIZE(1..117)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is used to look up a row in the ipiaIpsecCredMngServiceTable for the Certificate Authority (CA) Information. This value is empty if there is no CA used for this filter." ::= { ipiaCredentialFilterEntry 5 } And wonder what "empty" means here. Gievne the SIZE(1..117) it seems to me that it cannot mean zero-length string. So I have no idea how to determine if this "value" is "empty" ?? I also wonder how to look up a row in the ipiaIpsecCredMngServiceTable since in that table I see no column that has a similar SYNTAX. Well, I see some of SYNTAX OCTET STRING, but they have different SIZE ranges. So I guess I am (at least) confused. 5. I see: ipiaCredFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process MAY have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { ipiaCredentialFilterEntry 7 } I do not see why you would use capitalized MAY. I assume one may also create readOnly or permanent rows via SNMP? This issue occurs in many (all) StorageType objects The last sentence in the DESCRIPTION clause probably better reads: For conceptual rows having the value of 'permanent', none of the writable columns in the row need to allow write-access." I.e. there is a difference of a column to has a MAX-ACCESS of read-create and the "allowed to actually get write access to an instance". This issue occurs in many (all) StorageType objects 6. I see ipiaPeerIdFiltIdentityValue OBJECT-TYPE SYNTAX IpsaIdentityFilter MAX-ACCESS read-create STATUS current DESCRIPTION "The string representation of the value that the peer ID payload value MUST match against. Wildcard mechanisms MUST be supported such that: - a ipiaPeerIdFiltIdentityValue of '*@example.com' will match a userFqdn ID payload of 'JDOE@EXAMPLE.COM' - a ipiaPeerIdFiltIdentityValue of '*.example.com' will match a fqdn ID payload of 'WWW.EXAMPLE.COM' So it seems that matching is case-insensitive? If so, pls be specific about that. Is it true for all IpsecDoiIdentTypes ?? 7. Not sure I understand this: ipiaIkeActThresholdDerivedKeys OBJECT-TYPE SYNTAX Integer32 (0..100) MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaIkeActThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE SHOULD attempt to renegotiate the IKE phase 1 security association." DEFVAL { 100 } ::= { ipiaIkeActionEntry 3 } For example, is zero a valid value? If so, does that not mean that the system would always be renegotiating? And is this not making the system overly complex? You can see I am not a security expert, based on the last question I guess 8. I see: ipiaIkeActIdentityType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-create STATUS current DESCRIPTION "This column along with ipiaIkeActIdentityContext and endpoint information is used to refer an ipiaIkeIdentityEntry in the ipiaIkeIdentityTable." ::= { ipiaIkeActionEntry 6 } ipiaIkeActIdentityContext OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This column, along with ipiaIkeActIdentityType and endpoint information, is used to refer to an ipiaIkeIdentityEntry in the ipiaIkeIdentityTable." ::= { ipiaIkeActionEntry 7 } These two objects refer to the ipiaIkeIdentityTable, which I cannot find. I do find a ipiaIkeIdentityTable (which I don't think is about PEERs?) and a ipsaPeerIdentityTable (in the IPSEC-IPSECACTION-MIB). Possibly the latter is intended? Pls correct or explain. 9. I see: ipiaIkeActPeerName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the peer id name of the IKE peer. This object can be used to look up the peer id value, address, credentials and other values in the ipiaPeerIdentityTable." ::= { ipiaIkeActionEntry 8 } Is it valid to have a zero-length string? If so, what does a zero length string mean? 10. I see: ipiaIkeActVendorId OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..65535)) MAX-ACCESS read-create STATUS current DESCRIPTION "Vendor ID Payload. A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder)." DEFVAL { "" } ::= { ipiaIkeActionEntry 11 } I think I would rename this object to ipiaIkeActVendorIdPayload. I believe that VendorId is often understood to be an enterprise-number and so the descriptor here may confuse people. More importantly, the "NULL" value is unclear to me. I think you mean "zero-length string" ?? Similar suggestion to rename ipiaIpsecActVendorId to ipiaIpsecActVendorGroupId or some such. Similar issue with ipiaIkePropVendorId 11. I see: ipiaIpsecActPeerGatewayIdName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..116)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the peer id name of the peer gateway. This object can be used to look up the peer id value, address and other values in the ipiaPeerIdentityTable. This object is used when initiating a tunnel SA. This object is not used for transport SAs. If no value is set and ipiaIpsecActMode is tunnel, the peer gateway is determined from the source or destination address of the packet." ::= { ipiaIpsecActionEntry 7 } Pls be specific in "If no value is set". I guess you mean the zero-length octet string. It also mentions ipiaPeerIdentityTable, which I cannot find. Which table is intended? Is it ipsaPeerIdentityTable ?? Same for DESCRIPTION clause of ipiaIpsecActPeerGatewayIdName 12. In ipiaIpsecActGranularity OBJECT-TYPE SYNTAX INTEGER { subnet(1), address(2), protocol(3), port(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies how the proposed selector for the security association will be created. The selector is created by using the FilterList information. The selector can be subnet, address, porotocol, or port." ::= { ipiaIpsecActionEntry 9 } You may want to be a bit more specific as to what comprises the "FilterList" !!?? 13. For ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds lifetime that will be accepted from the peer." ::= { ipiaSaNegotiationParametersEntry 2 } ipiaSaNegParamMinLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte lifetime that will be accepted from the peer." ::= { ipiaSaNegotiationParametersEntry 3 } I wonder if the values zero mean anything special? Or are they not valid? 14. For ipiaIkePropCipherKeyLength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies, in bits, the key length for the cipher algorithm used in IKE Phase 1 negotiation." ::= { ipiaIkeProposalEntry 3 } Don't you want to say anything about KeyLength requirements? Is a value of zero valid at all? If so, what does that mean? 15. For ipiaIkePropCipherKeyRounds Is zero a valid value? Are there any other constraints? 16. For ipiaIkePropMaxLifetimeSecs OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of time to propose a security association remain valid. A value of 0 indicates that the default lifetime of 8 hours SHOULD be used." ::= { ipiaIkeProposalEntry 10 } It would be good to add a UNIX clause "seconds" I guess. I am a bit surprised that if the default is 8 hours, why you would represent that by 0. But I can live with it. However is anything wrong using DEFVAL { 0 } Or possibly even DEFVAL { 28880 } -- 8 hours 17. For ipiaIkePropMaxLifetimeKB, is a value of zero valid? If so what does it mean? Any other constraints? 18. For ipiaIpsecPropProtocolId OBJECT-TYPE SYNTAX IpsecDoiSecProtocolId MAX-ACCESS not-accessible STATUS current DESCRIPTION "The protocol Id for the transforms for this proposal. The protoIsakmp(1) value is not valid for this object. This object, along with the ipiaIpsecPropTransformsName, is the index into the ipiaIpsecTransformsTable." ::= { ipiaIpsecProposalsEntry 3 } I guess that the value zero is also no valid. In that case (assuming all other potential values are valid), one could do a SYNTAX IpsecDoiSecProtocolId(2..255) So that it is also machine-readable that protoIsakmp is not valid. If zero is also a valid value, then one can do SYNTAX IpsecDoiSecProtocolId(0 | 2..255) Same for ipiaIpsecTranType 19. I see: ipiaAutoIkePriority OBJECT-TYPE SYNTAX Integer32 (0..65535) Since this is an INDEX object, I recommend to make it SYNTAX Unsigned (0..65535) 20. For ipiaAutoIkeAddressType I wonder if DNS is a valid type. If so, then you MUST describe at what time name resolution is to take place. See RFC4001. Mmm... I see in the MODULE-COMPLIANCE that only IPv4/v6 addresses need to be supported. But does that mean that dns cannot be supported? 21. When I see ipiaAutoIkeSourcePort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "The property ipiaAutoIkeSourcePort specifies the port number for the source port for auotstarting IKE SA's. The value of 0 for this object is illegal." ::= { ipiaAutostartIkeEntry 5 } Then I would use a SYNTAX InertPortNumber (1..65545) So that the illegal value is also detectable in machine readable form. 22. For ipiaAutoIkeProtocol OBJECT-TYPE SYNTAX Unsigned32 (0..255) MAX-ACCESS read-create STATUS current DESCRIPTION "The property Protocol specifies the protocol number used in comparing with policy filter entries and used in any phase 2 negotiations." ::= { ipiaAutostartIkeEntry 8 } Are these protocol number maintained by IANA some place maybe? If so it woul dbe good to point to it. 23. I see ipiaIcmsPolicyStatement OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "This Value represents the Credential Management Service Policy Statement, or a reference describing how to obtain it (e.g., a URL). If one doesn't exist, this value can be left blank" ::= { ipiaIpsecCredMngServiceEntry 3 } I am not sure what a 'blank value' is for an OCTET STRING. I could see/assume that it is the zero-length string. If so, better be specific/explicit about it to avoid confusion. The use of 'empty' and 'blanl' for OCTET STRINGS (or TCs based on OCTET STRINGs) occurs many times. Pls check them all 24. So for ipiaIcmsCredentialName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is used as an index into the ipiaCredentialFilterTable to look up the actual credential value." ::= { ipiaIpsecCredMngServiceEntry 5 } what does a zero length string mean? Pls add that to the DESCRIPTION clause 25. I see: ipiaCmcDistributionPoint OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..256)) MAX-ACCESS read-create STATUS current DESCRIPTION "This Value represents a Distribution Point for a Credential Revocation List. It can be relative to the Credential Management Service or a full name (URL, e-mail, etc...)." So I wonder what a zero length string means in this object?? 26. I see: ipiaCmcThisUpdate OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is the issue date of this CRL. This SHOULD be in utctime or generalizedtime." It would be good to have a REFERENCE clause to the utctime/generalized time, and how you expect this OCTET-STRING to be formatted? This occurs multiple times in this MIB module. 27. Keith had asked: - ipiaIpsecCredMngServiceTable - ipiaCredMngCRLTable Please could they have consistent descriptors, i.e., remove "Ipsec" from "ipiaIpsecCredMngServiceTable" so that they are: - ipiaCredMngServiceTable - ipiaCredMngCRLTable I think that makes sense. I do not see why the string "Ipsec" is needed in the ipiaIpsecCredMngServiceTable; But maybe I am missing something. 28. Keith had suggested (and for the IPSEC-SPD-MIB this have been applied) that xxxLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." Would be changed to something like: xxxLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means. If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." I think that makes sense, and so should be applid to the IKEACTION MIB as well. I would even change the SHOULD (you use that capitalize 2119 termonolo0gy too often). SO I would even say: xxxLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means. If this row has not been modified since the last re-initialization of the network management subsystem, this object has a zero value." 29. Comments from Keith (he did send them to (at least a subset) of you all. I support these comments; I think I also have some of the same comments, either above, or below in my NITS section): Substantive Comments: 1. None of the MODULE-COMPLIANCE statements apply to FC-SP, but that's OK. Instead, FC-SP can specify its requirement for compliance to the relevant subsets of both IPSP MIBs in the MODULE-COMPLIANCE statements in FC-SP's own MIB modules. However, in order to do that, the IPSP MIB modules need to define object groups with only the relevant subsets, i.e., not containing other objects. Specifically, a) the ipiaCredentialFilterGroup group, which contains the objects from the ipiaIpsecCredMngServiceTable & ipiaCredMngCRLTable tables, also contains objects from the ipiaCredentialFilterTable and ipiaRevokedCertificateTable tables. I request that the ipiaCredentialFilterGroup be split up so that there is one object group per table. b) the ipsaSharedGroup group which contains the objects in the ipsaCredentialTable & ipsaCredentialSegmentTable tables also contains objects from the ipsaAhTransformTable, ipsaEspTransformTable, ipsaIpcompTransformTable & ipsaPeerIdentityTable tables. I request that the ipsaSharedGroup be split up so that there is one object group per table. 2. T11.5 has discussed the usefulness of a management application being able to use managed objects in these MIB(s) to determine whether a CRL is still current, and that the simplest way to determine this is to compare the "CRL signature". To facilitate this, I request that an object be added to the ipiaCredMngCRLTable to contain the CRL-signature. (Note that while such an extension could be defined in a FC-SP MIB module, it would seem wrong to do so because the extension is not specific to FC-SP.) 3. It is necessary that the DESCRIPTION for the ipiaIcmsPolicyStatement object explain how the value is formatted within the OCTET STRING. 4. A SIZE clause is needed on the SYNTAX of ipsaCredSegValue. Clarification/Editorial Comments 5. It is helpful for a MIB module to contain REFERENCE clauses. These MIB modules contain REFERENCE clauses only for TC definitions, none for any MIB objects. To pick just one of many potential examples, shouldn't ipiaIcmsPolicyStatement's definition have a REFERENCE clause pointing to RFC 3280 ?? 6. ipiaCredMngCRLEntry's DECSRIPTION needs to specify (explicitly) what is represented by the value of ipiaIcmsName in its INDEX clause. 7. ipiaIpsecCredMngServiceTable's DESCRIPTION says that it is: "A table of Credential Management Service values. This table is usually used for credential/certificate values that are used with a management service (e.g. Certificate Authorities)." it would be clearer if it explained (explicitly) that each row in this table represents one Credential Management Service. 8. ipiaCmcDistributionPoint's DESCRIPTION says: "This Value represents a Distribution Point for a Credential Revocation List. It can be relative to the Credential Management Service or a full name (URL, e-mail, etc...)." a) the format needs to be specified, b) "it can be relative to ..." needs to be expanded to specify how to determine if, and if so, to which of the cited examples it is relative. c) the DESCRIPTION also needs to explain what it means to have the zero-length string as the value of this object. 9. ipiaCmcNextUpdate's DESCRIPTION says: "This value indicates the date the next version of this CRL will be issued. This SHOULD be in utctime or generalizedtime." a) REFERENCEs are needed for "utctime" and "generalizedtime", b) how is it determined which format is being used: utctime or generalizedtime? c) perhaps, it would be better to use the IETF-standardized DateAndTime as the syntax ?? d) similarly for ipiaCmcThisUpdate. 10. Several DESCRIPTIONs use the ambiguous terms: "blank", "null string" and "empty". One use of "empty" is clarified by appending "(0 length)". One use of "null string" is also clarified by appending "(0 length)". If "(0 length)" is the intended meaning for all such cases, then *all* such usages should be changed to be "zero-length string" (with the words "blank", "null" and "empty" deleted). 11. ipiaIcmsCredentialName's DESCRIPTION defines only how its value is used. From this descripiton of its usage, the definition of what the value actually means has to be infered. This needsx to be changed so that both the definition of what the value means and how it can be used are explicitly defined. Further, its syntax allows the value to be the zero-length string which cannot be used in the prescribed manner. Presumably, having the zero-length string as its value is appropriate when the value is not intended to be looked up, as will be the case for FC=SP. Thus, the DESCRIPTION needs to be expanded to define the meaning of the value and explicitly describe the case where the value is the zero-length string, e.g., similarly to how ipiaIkeIdCredentialName's DESCRIPTION does (but with "blank" changed to "zero-length string".) 12. The DESCRIPTION of ipsaCredMngName says: "This value is used as an index into the ipsaIpsecCredMngServiceTable. For IDs that have no credential management service, this value is left blank." Each row in this table is (I think) for a "credential" -- it would be helpful to explain the relationship between "IDs" and a row's credential. 13. The DECSRIPTION of ipsaCredRemoteID says: "This object represents the Identification (e.g. user name) of the user of the key information on the remote site. If there is no ID associated with this credential, the value of this object SHOULD be the null string." Is "ID" a reference to "the Identification (e.g. user name) ... on the remote site", or is it a reference to the same "IDs" as in ipsaCredMngName ?? 14. "allowble" in ipiaIcmsMaxChainLength's DESCRIPTION has a typo. Other Comments 15. ipiaCredFiltAcceptCredFrom's DESCRIPTION says: ... This value is empty if there is no CA used for this filter. but its syntax is: SYNTAX OCTET STRING(SIZE(1..117)) Assuming the word "empty" will be rephrased as "zero-length string", then the SYNTAX needs to allow a length of zero. More comments as a result of comments I saw from Keith on the draft-ietf-ipsp-spd-mib-xx.txt, some of it has been applied to rev 7 of that doc, some not. Anyway.... Keith worried about text in sect 4 (SPD MIB, also for sect 4 IKEACTION-MIB): This MIB module is a task specific derivation (i.e. an SMIv2 instantiation) of the IPCP's IPsec configuration model for use with SNMPv3. I think it is better to s/for use with SNMPv3/that can be used with SNMP/ Your security Considerations section takes care of any possible use with SNMPv2c or SNMPv1, but certainly any future SNMPvx migth be able to support it (NO, I am not predicting or advocating an SNMPv4). Also an ISMS based usage is foreseable. You may want to re-check the use of SYNTAX Integer32. According to RFC4181 in several case use of Unsigned32 is recommended. I don't think that your use of Integer32 is fatally flawed, but it is better to follow the guidelines/recommendations. -------- NITS and admins and questions a. I see that the textual conventions are prefixed with Ike. I think I would prefer them to be prefixed with Ipia (same as mib module). But it is just a nit. I can live with it. b. I see that IpsecDoiSecProtocolId TC does not follow the Ike prefix naming. Why is this TC not moved to the IPSEC-IPSECACTION-MIB so it sits together with the other OpsecDoiXxx TCs? c. I do not see why you would use capitalized MAY in the DESCRIPTION clause of ipiaCredentialFilterTable. A lower case "may" seems more than adequate to me. d. In general I think the capitalize RFC2119 terms are OVERUSED in various DESCRIPTION clauses. e. For ipiaIkeActExchangeMode, I guess you could add some text (or better a REFERENCE clause to a document) explaining what 'main' and 'aggressive' mean? f. Various DESCRIPTION clause are "empty" or useless. For example: ipiaCredMngCRLEntry OBJECT-TYPE SYNTAX IpiaCredMngCRLEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the ipiaCredMngCRLTable." Sure it is a row in this table. Can you say something about what sort of information is recorded/managed in such a row? g. I see no need for the following. They are just empty placeholders -- -- -- Notification objects information -- -- ipiaNotificationVariables OBJECT IDENTIFIER ::= { ipiaNotificationObjects 1 } ipiaNotifications OBJECT IDENTIFIER ::= { ipiaNotificationObjects 0 } But... they do not harm, so if you want to keep them, fine. It just clutters the MIB module (which is big enough anyway). ------------- TYPOs (appology that they are not always in order as they appear in the MIB module; I entered them here as I ran into them while jumping around to find references/pointers etc.) ipiaAutostartIkeTable OBJECT-TYPE SYNTAX SEQUENCE OF IpiaAutostartIkeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The parameters in the autostart IKE Table are used to automatically initiate IKE phaes I and II (i.e. IPsec) s/phaes/phases/ ipiaIcmsMaxChainLength OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is the maximum length of the chain allowble from s/allowble/allowable/ ipiaIKECompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation and supports IKE actions. -- OBJECT ipiaAutoIkeAddressType -- SYNTAX InetAddreessType { ipv4(1), ipv6(2) } s/InetAddreessType/InetAddressType/ ipiaIkeActAgressiveModeGroupId OBJECT-TYPE SYNTAX IkeGroupDescription MAX-ACCESS read-create STATUS current DESCRIPTION "The values to be used for Diffie-Hellman exchange." ::= { ipiaIkeActionEntry 5 } s/values/value/ ?? I think in the instantiation of one object, it represents only one value, no? ipiaIpsecActDoPacketLogging OBJECT-TYPE SYNTAX SpdIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaIpsecActDoPacketLogging specifies whether or not an audit message SHOULD be logged and if there is logging, how many bytes of the packet to place in the notification." s/notification/log record/ ?? ipiaIkeActDoPacketLogging OBJECT-TYPE SYNTAX SpdIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ikeDoPacketLogging specifies whether or not an audit message SHOULD be logged and if there is logging, how many bytes of the packet to place in the notification." s/notification/log record/ ?? Bert _______________________________________________ MIB-DOCTORS mailing list MIB-DOCTORS@ietf.org https://www1.ietf.org/mailman/listinfo/mib-doctors
- [MIB-DOCTORS] MIB Doctor review: SYNTAX checks: d… Wijnen, Bert (Bert)
- [MIB-DOCTORS] MIB Doctor review: mib content: dra… Wijnen, Bert (Bert)
- [MIB-DOCTORS] RE: MIB Doctor review: mib content:… Wijnen, Bert (Bert)
- [MIB-DOCTORS] MIB Doctor review: mib content: dra… Wijnen, Bert (Bert)