Re: [MIB-DOCTORS] early MIB Doctor review for draft-ietf-softwire-map-mib-07
"Bert Wijnen (IETF)" <bertietf@bwijnen.net> Wed, 17 May 2017 07:21 UTC
Return-Path: <bertietf@bwijnen.net>
X-Original-To: mib-doctors@ietfa.amsl.com
Delivered-To: mib-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4EE2129B3C for <mib-doctors@ietfa.amsl.com>; Wed, 17 May 2017 00:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwvlDhx7PAzT for <mib-doctors@ietfa.amsl.com>; Wed, 17 May 2017 00:21:16 -0700 (PDT)
Received: from lb1-smtp-cloud2.xs4all.net (lb1-smtp-cloud2.xs4all.net [194.109.24.21]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14B58129B67 for <mib-doctors@ietf.org>; Wed, 17 May 2017 00:17:38 -0700 (PDT)
Received: from Macintosh-4.fritz.box ([IPv6:2001:981:602b:1:4928:6836:108a:7846]) by smtp-cloud2.xs4all.net with ESMTP id MKHb1v0071etLTN01KHcDv; Wed, 17 May 2017 09:17:36 +0200
To: Yu Fu <fuyu@cnnic.cn>
References: <d7384d87-7a25-408d-86e7-9073a6c38278@bwijnen.net> <003201d2cad9$c83bec50$58b3c4f0$@cn> <6874911d-0535-8206-d96d-99a956c5bf85@bwijnen.net> <002201d2ce13$73ccd570$5b668050$@cn> <27ba3af4-49b4-17ee-a0f9-cb280a5141cb@bwijnen.net> <002401d2cedd$6efb6870$4cf23950$@cn>
Cc: draft-ietf-softwire-map-mib.all@ietf.org, 'MIB Doctors' <mib-doctors@ietf.org>, softwires@ietf.org
From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Message-ID: <e93c0505-20c8-74d5-1c34-b80cf102a5f2@bwijnen.net>
Date: Wed, 17 May 2017 09:17:36 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <002401d2cedd$6efb6870$4cf23950$@cn>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mib-doctors/_AOo5ZfGA2OmA8LYPo_DSiTliKI>
Subject: Re: [MIB-DOCTORS] early MIB Doctor review for draft-ietf-softwire-map-mib-07
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mib-doctors/>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 07:21:18 -0000
thank you. I am happy mow Bert On 17/05/2017 09:15, Yu Fu wrote: > Hi Bert, > > Please see my reply inline. > >>> >>>>> mapRuleID OBJECT-TYPE >>>>> SYNTAX Integer32 (1..2147483647) >>>>> MAX-ACCESS not-accessible >>>>> STATUS current >>>>> DESCRIPTION >>>>> "An identifier used to distinguish the multiple >>>>> mapping >>>>> rule which is unique with each CE in the same BR." >>>>> ::= { mapRuleEntry 1 } >>>>> >>>>> Since this is an index object, it be better defined as unsigned 32. >>>>> See RFC4181, section 4.6.1.1. Specifically page 15, which states >>>>> - Unsigned32 with a range that excludes zero is >>>>> RECOMMENDED for >>>>> most index objects. It is acceptable to include zero in the >>>>> range when it is semantically significant or when it is used as >>>>> the index value for a unique row with special properties. >>>>> Such >>>>> usage SHOULD be clearly documented in the DESCRIPTION >>>>> clause. >>>>>> >>>>> [fuyu]: I will change it into unsigned 32. >>>>> >>>>> Pls also think about the question if the value can ever be zero for a >>>>> good reason. >>>>> Normally INDEX object do not have a value of zero. >>>>> >>> [fuyu] Yes, since it is an index object and the value range is not include >>> zero. I think unsigned 32 is better. >>> >> OK, but then the definition would better be: >> >> SYNTAX Unsigned32 (1..4294967295) >> That wat it is machinereadably clear that valu 0 is not valid. > > > [fuyu] :OK, I will updated it. Thanks. > > >>>>> >>>>> >>>>> mapRulePSID OBJECT-TYPE >>>>> SYNTAX Integer32 >>>>> MAX-ACCESS read-only >>>>> STATUS current >>>>> DESCRIPTION >>>>> "The PSID value algorithmically identifies a set of >>>>> ports assigned to a CE." >>>>> REFERENCE >>>>> "PSID: section 3 of RFC 7597." >>>>> ::= { mapRuleEntry 9 } >>>>> >>>>> Mmmm... section 3 of RFC7597 only defines the term. The >>>>> algorithm is in section 5.1 >>>>> Maybe that is a better place to point to. >>>>> Reading that section 5.1 in RFC7597, I wonder if "Integer32" is >>>>> the best representation. >>>>> In section 5.1, I see a PSID that is 6 bits (figure 2 on page >>>>> 10). But there is also >>>>> text about a PSID of 0x00 and 0xFF, which does not fit in 6 bits. >>>>> I am not an expert (basically have no knowledge about) on >>>>> RFC7597. >>>>> But sofar I cannot >>>>> determine what the value range might be and how Integer32 is a >>>>> good representation for >>>>> the PSID. Please explain (not just to me, but adding text to the >>>>> internet drafts >>>>> and the DESCRIPTION clause of this object) >>>>> >>>>> [fuyu]:Different PSID values guarantee non-overlapping port sets. >>>>> The length of PSID is k bits, and the default value of PSID >>>>> offset is 6 bits. >>>>> So the bit length of PSID is variable. Thank you for your >>>>> question. >>>>> I have reconsidered the SYNTAS of the PSID. It can never be a >>>>> negative value. >>>>> I think Unsigned32 will be better. >>>>> >>>>> So do you just map the 4 octets of the PSID into this object? >>>>> Is it not better to then use OCTET-STRING with a SIZE(4) ?? >>>>> Maybe with a DISPLY-HINT added as well >>>>> >>>>> Do you normally display the value as an (unsigned) integer? >>>>> Or do you normally display it as 0Xxxxxxxxx ?? >>>>> Or maybe as bits? >>>>> >>>>> [fuyu] We always describe a Basic mapping rule as below: >>>>> >>>>> A MAP node (CE or BR) can, via the BMR or equivalent FMR, >>>>> determine the IPv4 address and port set as shown below: >>>>> >>>>> EA bits offset: 40 >>>>> IPv4 suffix bits (p) Length of IPv4 address (32) - >>>>> IPv4 prefix length (24) = 8 >>>>> IPv4 address: 192.0.2.18 (0xc0000212) >>>>> PSID start: 40 + p = 40 + 8 = 48 >>>>> PSID length: o - p = (56 - 40) - 8 = 8 >>>>> PSID: 0x34 (1232) >>>>> >>>>> >> Not sure I understand: 0x34 (1232) ??? 0x34 in my mind is 52, no? > > > [fuyu] : Ops, sorry .....it's my fault. 1232 is the port number, not the integer. > > >> >> In fact I am not sure I understand much/any of the above. >> But that is OK, if people who are familiar with (or must use/implement) this >> and if they understand it then fine. >> >>>>> >>>>> So I think display the values as (unsigned) integer or display it as >>>>> 0Xxxxxxxxx both will be OK. >>>>> Do you have the surggstions? >>>>> >> My personal feeling/thinking is that it is probably best displayed as >> 0Xxxxxxxxx. >> That (I would think) makes it easier to see bit positions as opposed to an >> (unsigned) integer. But in princople I can live with either. The idea/hope is >> that if you add a DISPLAY HINT that everyone displays it in the same way. > > > [fuyu]:Thank you for your suggestions. I will define it as below: > > RulePSID ::= TEXTUAL-CONVENTION > DISPLAY-HINT "0x:" > STATUS current > DESCRIPTION > "Represents ..." > SYNTAX OCTET STRING (SIZE (4)) > > mapRulePSID OBJECT-TYPE > SYNTAX RulePSID > MAX-ACCESS read-only > STATUS current > DESCRIPTION > "The PSID value algorithmically identifies a set of > ports assigned to a CE." > REFERENCE > "PSID: section 5.1 of RFC 7597." > ::= { mapRuleEntry 9 } > > Do you think it will be Ok? > >>>>> >>>>>> - Section 7. Security considerations: >>>>>> >>>>> These are the objects and their sensitivity/vulnerability: >>>>> >>>>> mapRuleIPv6PrefixType >>>>> >>>>> mapRuleIPv6Prefix >>>>> >>>>> ... etc (quite a list of objects). >>>>> >>>>> But nowhere do I see text about "their >>>>> sensitivity/vulnerability". ?? >>>>> Still to be added? >>>>> >>>>> [fuyu]: Some of the readable objects in this MIB module may be >>>>> considered sensitive or >>>>> vulnerable in some network environments. These objects are >>>>> readable, >>>>> so maybe they are considered sensitive or vulnerable in some use >>>>> case. >>>>> We have a description why they are sensitive or vulnerable above >>>>> the list of objects. >>>>> >>>>> Mmmm... can you point me to that text? I do not see that you describe >>>>> the vulnerability at any place. You do describe what the objects are >>>>> for, but that does not clearly explain what the security risks are if >>>>> some unauthorize person would see them. >>>>> >>>>> If you describe that at some other place in the document, then at >>>>> least I would suggest to add a pointer to that text in the Security >>>>> COnsiderations Secion. >>>>> >>>>> [fuyu]: Sorry. I should point it more clearly. It is in the paragraph 2 of the >>>>> section 7. >>>>> From the first sentence that "Some of the readable objects in this >>>>> MIB module may be >>>>> considered sensitive or vulnerable..." >>>>> >>>>> >> It states that they " may be considered sensitive of vulnerable". >> But it does not state WHY or IN WHAT CIRCUMSTANCES they might be >> vulnerable. >> What bad things are there that an intruder can do (or find out) when >> he/she gets read access to these objects? >> I.e. does he get to see confidential or private information? Does he learn >> about a competitors internal network structure? Or something else? > > [fuyu] : I will update it in more detail in this paragraph.Thanks. >> >> Bert > > Thanks again > Yu > > >
- [MIB-DOCTORS] early MIB Doctor review for draft-i… Bert Wijnen (IETF)
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Yu Fu
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Bert Wijnen (IETF)
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Yu Fu
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Bert Wijnen (IETF)
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Yu Fu
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Bert Wijnen (IETF)
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Terry Manderson
- Re: [MIB-DOCTORS] early MIB Doctor review for dra… Yu Fu