[MIB-DOCTORS] RE: MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
"Wijnen, Bert \(Bert\)" <bwijnen@alcatel-lucent.com> Thu, 04 January 2007 17:07 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H2W3k-0006UL-6C; Thu, 04 Jan 2007 12:07:20 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H2W3j-0006Tt-3B for mib-doctors@ietf.org; Thu, 04 Jan 2007 12:07:19 -0500
Received: from ihemail1.lucent.com ([135.245.0.33]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H2W3h-0000PR-T6 for mib-doctors@ietf.org; Thu, 04 Jan 2007 12:07:18 -0500
Received: from ilexp02.ndc.lucent.com (h135-3-39-2.lucent.com [135.3.39.2]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id l04H78eZ022721; Thu, 4 Jan 2007 11:07:10 -0600 (CST)
Received: from DEEXP02.DE.lucent.com ([135.248.187.66]) by ilexp02.ndc.lucent.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 4 Jan 2007 11:07:08 -0600
Received: from DEEXC1U02.de.lucent.com ([135.248.187.27]) by DEEXP02.DE.lucent.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 4 Jan 2007 18:07:05 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 04 Jan 2007 18:06:56 +0100
Message-ID: <D4D321F6118846429CD792F0B5AF471F08C61D@DEEXC1U02.de.lucent.com>
In-Reply-To: <D4D321F6118846429CD792F0B5AF471F08C61B@DEEXC1U02.de.lucent.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
Thread-Index: AccvOTd4xabe2tpGTcOOSADx970+HwACDkhwADfneqA=
From: "Wijnen, Bert (Bert)" <bwijnen@alcatel-lucent.com>
To: baerm@tislabs.com, rcharlet@alumni.calpoly.edu, hardaker@tislabs.com, rstory@sparta.com, cliffwangmail@yahoo.com
X-OriginalArrivalTime: 04 Jan 2007 17:07:05.0770 (UTC) FILETIME=[C2BF80A0:01C73022]
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 94ece52724d73f694b3c64d571240d51
Cc: Russ Housley <housley@vigilsec.com>, Keith McCloghrie <kzm@cisco.com>, "MIB Doctors \\\\\\(E-mail\\\\\\)" <mib-doctors@ietf.org>
Subject: [MIB-DOCTORS] RE: MIB Doctor review: mib content: draft-ietf-ipsp-ikeaction-mib-02.txt
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/mib-doctors>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
Errors-To: mib-doctors-bounces@ietf.org
One more comment
ipiaIKECompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IPsec MIB implementation and supports IKE actions.
-- OBJECT ipiaAutoIkeAddressType
-- SYNTAX InetAddreessType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT ipiaAutoIkeSourceAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
-- OBJECT ipiaAutoIkeDestAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
The above notation is done for INDEX objects (they cannot be
lisyed in a real OBJECT clause, and so we put them as commnets
in a DESCRIPTION clasue. For these objects though you can
(and should use) real OBJECT clauses, not just comments.
Bert
> -----Original Message-----
> From: Wijnen, Bert (Bert)
> Sent: donderdag 4 januari 2007 16:05
> To: baerm@tislabs.com; rcharlet@alumni.calpoly.edu;
> hardaker@tislabs.com; rstory@sparta.com; cliffwangmail@yahoo.com
> Cc: Russ Housley; dromasca@avaya.com; MIB Doctors
> \\\(E-mail\\\); Keith McCloghrie
> Subject: MIB Doctor review: mib content:
> draft-ietf-ipsp-ikeaction-mib-02.txt
>
> [I have copied Keith, because I understand he did partially
> review this MIB module].
>
> I have included Keith's comments (some are generic, some are
> specific T11 or IETF IMSS WG requirements and desires, yet I
> think they make a lot of sense) as well, so you have a complete set.
>
> Also, Keith and I are not (yet) in complete agreement on some
> aspects of MIB modules. I know that Keith has written to you
> about (for example) the IPSEC-SPD-MIB after I had done MIB
> doctor (and I guess at the time OPS AD review).
> These are the two issues:
>
> - I have advised, for objects of SYNTAX STorageType,
> to use some tekst aka
>
> For a storage type of permanent, none of the columns have
> to be writable."
>
> That is, I had interpreted the DESCRIPTION clause of the
> StorageType TC in RFC2579 to mandate that the use of the TC
> requires to specify which writable objects in the associated
> row must be writable (if any).
>
> Keith thinks this belongs in the MODULE-COMPLIANCE. We are
> still discussing this and so I cannot give any new advise yet.
> This explanation is to warn that I may revise my earlier
> advise as a result of our discussions (OPS AD will be
> consulted as well before I want to change my earlier advise.
> In fact, Dan is at least being copied on our email exhanges).
>
> - I have advised to write text aka
>
> An attempt to set this object to a value that does not
> exist in the ipiaSaNegotiationParametersTable MUST result
> in an inconsistentValue error."
>
> Keith believes that this is incorrect, because sometimes an
> other error can be returned. That is if in the Elements of
> Procedure in RFC3416 (sect 4.2.5, page 19, but specifcally
> pages 20 and 21) another error would be detected BEFORE you
> check the consistency of the value (i.e. step 10 on page 21).
> I had just assumed that that makes common sense (so if you
> detect a noAccess as per step 1 on page 20), then OF COURSE
> you return a noAccess error. Again I am not sure that Keith
> and I yet agree on how to word this.
>
> There are also others in the MIB doctors team (I believe our
> current OPS AD is one of them) who think that we should NEVER
> list specific snmpErrorCodes in the DESCRIPTION clauses. This,
> because (at least in theory, we're not aware of any practice)
> a MIB could be used with non-SNMP management protocols.
> If that were the only issue, then we can solve it by using
> text aka
>
> An attempt to set this object to a value that does not
> exist in the ipiaSaNegotiationParametersTable would cause
> an inconsistency (and for example for SNMP could result
> in an inconsistentValue error)."
>
> Anyway, I again have to warn that I may change my earlier
> advise once this discussion closes on MIB doctors team.
>
> General remark
> I am not well enough versed/skilled in the security protocols
> and mechanisms/algorithms that are being modeled in this MIB
> module/document. So I have done a review with a SNMP/MIB
> view, but I have not (and cannot) review it from a
> security-point of view. In fact, after having spend more than
> a day on this MIB module, I cannot say that I really
> understand it all.
>
> So I am assuming that real security folk will do the securiy
> review and check if this indeed correctly models the
> management information as intended (or maybe already have done that).
> Also the grouping of Objects and the two MODULE-COMPLIANCE
> statements are outside my competency to determine if they
> make sense or not.
>
> The MIB documents are nearly clean (from a SYNTAX point of
> view) and also many of the issues I had brought up in the
> review if the IPSEC-SPD-MIB and also were rpesent in an
> earlier version of this MIB document, have been resolved.
> So a more detailed review made sense this time. Lots of
> comments and questions still remain though.
>
> Here are my comments on the IPSEC-IKEACTION-MIB module.
>
> 1. ipiaIkePhase1Filter and ipiaIkePhase2Filter
> are stated to be static filters.
> So just by pointing to it the filter is activated?
> No matter what the value is?
> I see that in the IPSEC-SPD-MIB we made it a fixed
> value of 1. Would it be wise to be consistent and do
> that here as well?
>
> Same for ipiaRejectIKEAction and ipiaRejectIKEActionLog
>
> 2. I am confused by:
>
> ipiaCredFiltCredentialType OBJECT-TYPE
> SYNTAX IpsaCredentialType
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The credential type that is expected for this filter to
> succeed."
> DEFVAL { x509 }
> ::= { ipiaCredentialFilterEntry 2 }
>
> The reason is that the IpsaCredentialType TC states:
>
> IpsaCredentialType ::= TEXTUAL-CONVENTION
> STATUS current
> DESCRIPTION
> "IpsaCredentialType identifies the type of credential
> contained in a corresponding IpsaIdentityFilter object."
> SYNTAX INTEGER { reserved(0),
> unknown(1),
> sharedSecret(2),
> x509(3),
> kerberos(4) }
>
> So I am left wondering how I find the corresponding
> IpsaIdentityFilter object ??
>
> 3. I see:
>
> ipiaCredFiltMatchFieldName OBJECT-TYPE
>
> SYNTAX OCTET STRING (SIZE(0..256))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The piece of the credential to match against. Examples:
> serialNumber, signatureAlgorithm, issuerName or
> subjectName.
>
> For credential types without fields (e.g. shared secret),
> this field SHOULD be left empty, and the entire credential
> will be matched against the ipiaCredFiltMatchFieldValue."
> ::= { ipiaCredentialFilterEntry 3 }
>
> So I wonder about a few things.
>
> - What is an empty field? I guess you mean the zero-length string.
> Pls be specific
> - What happens if some-one does not live up to the SHOULD
> requirement for exampel for a shared secret Credential Type?
>
> 4. I see:
>
> ipiaCredFiltAcceptCredFrom OBJECT-TYPE
> SYNTAX OCTET STRING(SIZE(1..117))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This value is used to look up a row in the
> ipiaIpsecCredMngServiceTable for the Certificate Authority
> (CA) Information. This value is empty if there is no CA
> used for this filter."
> ::= { ipiaCredentialFilterEntry 5 }
>
> And wonder what "empty" means here. Gievne the
> SIZE(1..117) it seems
> to me that it cannot mean zero-length string. So I have no idea
> how to determine if this "value" is "empty" ??
>
> I also wonder how to look up a row in the
> ipiaIpsecCredMngServiceTable
> since in that table I see no column that has a similar
> SYNTAX. Well, I
> see some of SYNTAX OCTET STRING, but they have different
> SIZE ranges.
> So I guess I am (at least) confused.
>
> 5. I see:
>
> ipiaCredFiltStorageType OBJECT-TYPE
> SYNTAX StorageType
> MAX-ACCESS read-create
> STATUS current
>
> DESCRIPTION
> "The storage type for this row. Rows in this table which
> were created through an external process MAY have
> a storage
> type of readOnly or permanent.
>
> For a storage type of permanent, none of the columns have
> to be writable."
> DEFVAL { nonVolatile }
> ::= { ipiaCredentialFilterEntry 7 }
>
> I do not see why you would use capitalized MAY. I assume
> one may also
> create readOnly or permanent rows via SNMP?
> This issue occurs in many (all) StorageType objects
>
> The last sentence in the DESCRIPTION clause probably better reads:
>
> For conceptual rows having the value of 'permanent',
> none of the writable columns in the row need to allow
> write-access."
>
> I.e. there is a difference of a column to has a MAX-ACCESS of
> read-create and the "allowed to actually get write access to
> an instance".
>
> This issue occurs in many (all) StorageType objects
>
> 6. I see
>
> ipiaPeerIdFiltIdentityValue OBJECT-TYPE
> SYNTAX IpsaIdentityFilter
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The string representation of the value that the peer ID
> payload value MUST match against. Wildcard mechanisms MUST
> be supported such that:
>
> - a ipiaPeerIdFiltIdentityValue of '*@example.com' will
> match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'
>
> - a ipiaPeerIdFiltIdentityValue of '*.example.com' will
> match a fqdn ID payload of 'WWW.EXAMPLE.COM'
>
>
> So it seems that matching is case-insensitive?
> If so, pls be specific about that.
> Is it true for all IpsecDoiIdentTypes ??
>
> 7. Not sure I understand this:
>
> ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
> SYNTAX Integer32 (0..100)
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "ipiaIkeActThresholdDerivedKeys specifies what percentage
> of the derived key limit (see the LifetimeDerivedKeys
> property of IKEProposal) can expire before IKE SHOULD
> attempt to renegotiate the IKE phase 1 security
> association."
> DEFVAL { 100 }
> ::= { ipiaIkeActionEntry 3 }
>
>
> For example, is zero a valid value? If so, does that not mean that
> the system would always be renegotiating?
> And is this not making the system overly complex?
> You can see I am not a security expert,
> based on the last question I guess
>
> 8. I see:
> ipiaIkeActIdentityType OBJECT-TYPE
> SYNTAX IpsecDoiIdentType
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This column along with ipiaIkeActIdentityContext and
>
> endpoint information is used to refer an
> ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
> ::= { ipiaIkeActionEntry 6 }
>
> ipiaIkeActIdentityContext OBJECT-TYPE
> SYNTAX SnmpAdminString (SIZE(1..32))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This column, along with ipiaIkeActIdentityType
> and endpoint
> information, is used to refer to an
> ipiaIkeIdentityEntry in
> the ipiaIkeIdentityTable."
> ::= { ipiaIkeActionEntry 7 }
>
> These two objects refer to the ipiaIkeIdentityTable, which
> I cannot find.
> I do find a ipiaIkeIdentityTable (which I don't think is
> about PEERs?)
> and a ipsaPeerIdentityTable (in the
> IPSEC-IPSECACTION-MIB). Possibly the
> latter is intended? Pls correct or explain.
>
> 9. I see:
> ipiaIkeActPeerName OBJECT-TYPE
> SYNTAX SnmpAdminString(SIZE(0..32))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This object indicates the peer id name of the IKE peer.
> This object can be used to look up the peer id value,
> address, credentials and other values in the
> ipiaPeerIdentityTable."
> ::= { ipiaIkeActionEntry 8 }
>
> Is it valid to have a zero-length string?
> If so, what does a zero length string mean?
>
> 10. I see:
> ipiaIkeActVendorId OBJECT-TYPE
> SYNTAX OCTET STRING (SIZE(0..65535))
>
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "Vendor ID Payload. A value of NULL means that Vendor ID
> payload will be neither generated nor accepted.
> A non-NULL
> value means that a Vendor ID payload will be generated
> (when acting as an initiator) or is expected (when acting
> as a responder)."
> DEFVAL { "" }
> ::= { ipiaIkeActionEntry 11 }
>
> I think I would rename this object to ipiaIkeActVendorIdPayload.
> I believe that VendorId is often understood to be an
> enterprise-number
> and so the descriptor here may confuse people.
>
> More importantly, the "NULL" value is unclear to me. I think you
> mean "zero-length string" ??
>
> Similar suggestion to rename ipiaIpsecActVendorId to
> ipiaIpsecActVendorGroupId or some such.
>
> Similar issue with ipiaIkePropVendorId
>
> 11. I see:
> ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
> SYNTAX OCTET STRING (SIZE(0..116))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This object indicates the peer id name of the peer
> gateway. This object can be used to look up the peer id
> value, address and other values in the
> ipiaPeerIdentityTable. This object is used when
> initiating
> a tunnel SA. This object is not used for transport SAs.
> If no value is set and ipiaIpsecActMode is
> tunnel, the peer
> gateway is determined from the source or destination
> address of the packet."
> ::= { ipiaIpsecActionEntry 7 }
>
> Pls be specific in "If no value is set". I guess you mean the
> zero-length octet string.
>
> It also mentions ipiaPeerIdentityTable, which I cannot find.
> Which table is intended? Is it ipsaPeerIdentityTable ??
>
> Same for DESCRIPTION clause of ipiaIpsecActPeerGatewayIdName
>
> 12. In
> ipiaIpsecActGranularity OBJECT-TYPE
> SYNTAX INTEGER { subnet(1), address(2), protocol(3),
> port(4) }
>
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This object specifies how the proposed selector for the
> security association will be created. The selector is
> created by using the FilterList information. The selector
> can be subnet, address, porotocol, or port."
> ::= { ipiaIpsecActionEntry 9 }
>
> You may want to be a bit more specific as to what comprises the
> "FilterList" !!??
>
> 13. For
>
> ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
> SYNTAX Unsigned32
> UNITS "seconds"
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "ipiaSaNegParamMinLifetimeSecs specifies the
> minimum seconds
> lifetime that will be accepted from the peer."
> ::= { ipiaSaNegotiationParametersEntry 2 }
>
> ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
> SYNTAX Unsigned32
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
> lifetime that will be accepted from the peer."
> ::= { ipiaSaNegotiationParametersEntry 3 }
>
> I wonder if the values zero mean anything special?
> Or are they not valid?
>
> 14. For
> ipiaIkePropCipherKeyLength OBJECT-TYPE
> SYNTAX Unsigned32
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This object specifies, in bits, the key length for
> the cipher algorithm used in IKE Phase 1 negotiation."
> ::= { ipiaIkeProposalEntry 3 }
>
> Don't you want to say anything about KeyLength requirements?
> Is a value of zero valid at all? If so, what does that mean?
>
> 15. For ipiaIkePropCipherKeyRounds
> Is zero a valid value? Are there any other constraints?
>
> 16. For
> ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
> SYNTAX Unsigned32
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
> time to propose a security association remain valid.
>
> A value of 0 indicates that the default lifetime of
> 8 hours SHOULD be used."
> ::= { ipiaIkeProposalEntry 10 }
> It would be good to add a UNIX clause "seconds" I guess.
>
> I am a bit surprised that if the default is 8 hours, why you would
> represent that by 0. But I can live with it. However is anything
> wrong using
> DEFVAL { 0 }
> Or possibly even DEFVAL { 28880 } -- 8 hours
>
> 17. For ipiaIkePropMaxLifetimeKB, is a value of zero valid?
> If so what does it mean? Any other constraints?
>
> 18. For
> ipiaIpsecPropProtocolId OBJECT-TYPE
> SYNTAX IpsecDoiSecProtocolId
> MAX-ACCESS not-accessible
> STATUS current
> DESCRIPTION
> "The protocol Id for the transforms for this proposal. The
> protoIsakmp(1) value is not valid for this object. This
> object, along with the ipiaIpsecPropTransformsName, is the
> index into the ipiaIpsecTransformsTable."
> ::= { ipiaIpsecProposalsEntry 3 }
>
> I guess that the value zero is also no valid.
> In that case (assuming all other potential values are valid), one
> could do a
> SYNTAX IpsecDoiSecProtocolId(2..255)
> So that it is also machine-readable that protoIsakmp is not valid.
> If zero is also a valid value, then one can do
> SYNTAX IpsecDoiSecProtocolId(0 | 2..255)
>
> Same for ipiaIpsecTranType
>
> 19. I see:
> ipiaAutoIkePriority OBJECT-TYPE
> SYNTAX Integer32 (0..65535)
> Since this is an INDEX object, I recommend to make it
> SYNTAX Unsigned (0..65535)
> 20. For ipiaAutoIkeAddressType I wonder if DNS is a valid
> type. If so, then you MUST describe at what time name
> resolution is to take place. See RFC4001.
> Mmm... I see in the MODULE-COMPLIANCE that only IPv4/v6
> addresses need to be supported. But does that mean that
> dns cannot be supported?
>
> 21. When I see
> ipiaAutoIkeSourcePort OBJECT-TYPE
> SYNTAX InetPortNumber
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The property ipiaAutoIkeSourcePort specifies the port
> number for the source port for auotstarting IKE SA's.
>
> The value of 0 for this object is illegal."
> ::= { ipiaAutostartIkeEntry 5 }
>
> Then I would use a SYNTAX InertPortNumber (1..65545)
> So that the illegal value is also detectable in machine
> readable form.
>
> 22. For
> ipiaAutoIkeProtocol OBJECT-TYPE
> SYNTAX Unsigned32 (0..255)
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The property Protocol specifies the protocol number used in
> comparing with policy filter entries and used in any phase
> 2 negotiations."
> ::= { ipiaAutostartIkeEntry 8 }
>
> Are these protocol number maintained by IANA some place maybe?
> If so it woul dbe good to point to it.
>
> 23. I see
> ipiaIcmsPolicyStatement OBJECT-TYPE
> SYNTAX OCTET STRING (SIZE(0..1024))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This Value represents the Credential Management Service
> Policy Statement, or a reference describing how to obtain
> it (e.g., a URL). If one doesn't exist, this value can be
> left blank"
> ::= { ipiaIpsecCredMngServiceEntry 3 }
>
> I am not sure what a 'blank value' is for an OCTET STRING.
> I could see/assume that it is the zero-length string.
> If so, better be specific/explicit about it to avoid confusion.
>
> The use of 'empty' and 'blanl' for OCTET STRINGS (or TCs based
> on OCTET STRINGs) occurs many times. Pls check them all
>
> 24. So for
> ipiaIcmsCredentialName OBJECT-TYPE
> SYNTAX SnmpAdminString (SIZE(0..32))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This value is used as an index into the
> ipiaCredentialFilterTable to look up the actual credential
> value."
> ::= { ipiaIpsecCredMngServiceEntry 5 }
>
> what does a zero length string mean?
> Pls add that to the DESCRIPTION clause
>
> 25. I see:
> ipiaCmcDistributionPoint OBJECT-TYPE
> SYNTAX OCTET STRING (SIZE(0..256))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This Value represents a Distribution Point for a
> Credential
> Revocation List. It can be relative to the Credential
> Management Service or a full name (URL, e-mail, etc...)."
>
> So I wonder what a zero length string means in this object??
>
> 26. I see:
> ipiaCmcThisUpdate OBJECT-TYPE
> SYNTAX OCTET STRING (SIZE(0..32))
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This value is the issue date of this CRL. This
> SHOULD be in utctime or generalizedtime."
>
> It would be good to have a REFERENCE clause to the
> utctime/generalized
> time, and how you expect this OCTET-STRING to be formatted?
> This occurs multiple times in this MIB module.
>
> 27. Keith had asked:
>
> - ipiaIpsecCredMngServiceTable
> - ipiaCredMngCRLTable
>
> Please could they have consistent descriptors, i.e.,
> remove "Ipsec" from "ipiaIpsecCredMngServiceTable"
> so that they are:
>
> - ipiaCredMngServiceTable
> - ipiaCredMngCRLTable
>
> I think that makes sense. I do not see why the string "Ipsec"
> is needed in the ipiaIpsecCredMngServiceTable; But maybe I am
> missing something.
>
> 28. Keith had suggested (and for the IPSEC-SPD-MIB this have been
> applied) that
>
> xxxLastChanged OBJECT-TYPE
> SYNTAX TimeStamp
> MAX-ACCESS read-only
> STATUS current
> DESCRIPTION
> "The value of sysUpTime when this row was last modified
> or created either through SNMP SETs or by some other
> external means."
>
> Would be changed to something like:
>
> xxxLastChanged OBJECT-TYPE
> SYNTAX TimeStamp
> MAX-ACCESS read-only
> STATUS current
> DESCRIPTION
> "The value of sysUpTime when this row was last modified
> or created either through SNMP SETs or by some other
> external means.
>
> If this row has not been modified since the last
> re-initialization of the network management subsystem,
> this object SHOULD have a zero value."
>
> I think that makes sense, and so should be applid to the IKEACTION
> MIB as well. I would even change the SHOULD (you use that
> capitalize
> 2119 termonolo0gy too often). SO I would even say:
>
> xxxLastChanged OBJECT-TYPE
> SYNTAX TimeStamp
> MAX-ACCESS read-only
> STATUS current
> DESCRIPTION
> "The value of sysUpTime when this row was last modified
> or created either through SNMP SETs or by some other
> external means.
>
> If this row has not been modified since the last
> re-initialization of the network management subsystem,
> this object has a zero value."
>
> 29. Comments from Keith (he did send them to (at least a subset) of
> you all.
> I support these comments; I think I also have some of the
> same comments, either above, or below in my NITS section):
>
> Substantive Comments:
>
> 1. None of the MODULE-COMPLIANCE statements apply to FC-SP,
> but that's OK.
> Instead, FC-SP can specify its requirement for compliance to the
> relevant subsets of both IPSP MIBs in the MODULE-COMPLIANCE
> statements
> in FC-SP's own MIB modules. However, in order to do that, the IPSP
> MIB modules need to define object groups with only the relevant
> subsets, i.e., not containing other objects. Specifically,
>
> a) the ipiaCredentialFilterGroup group, which contains the objects
> from the ipiaIpsecCredMngServiceTable & ipiaCredMngCRLTable tables,
> also contains objects from the ipiaCredentialFilterTable and
> ipiaRevokedCertificateTable tables. I request that the
> ipiaCredentialFilterGroup be split up so that there is one object
> group per table.
>
> b) the ipsaSharedGroup group which contains the objects in the
> ipsaCredentialTable & ipsaCredentialSegmentTable tables
> also contains
> objects from the ipsaAhTransformTable, ipsaEspTransformTable,
> ipsaIpcompTransformTable & ipsaPeerIdentityTable tables. I request
> that the ipsaSharedGroup be split up so that there is one
> object group
> per table.
>
> 2. T11.5 has discussed the usefulness of a management application
> being able to use managed objects in these MIB(s) to
> determine whether
> a CRL is still current, and that the simplest way to
> determine this is
> to compare the "CRL signature". To facilitate this, I
> request that an
> object be added to the ipiaCredMngCRLTable to contain the
> CRL-signature. (Note that while such an extension could be
> defined in
> a FC-SP MIB module, it would seem wrong to do so because
> the extension
> is not specific to FC-SP.)
>
> 3. It is necessary that the DESCRIPTION for the
> ipiaIcmsPolicyStatement object explain how the value is formatted
> within the OCTET STRING.
>
> 4. A SIZE clause is needed on the SYNTAX of ipsaCredSegValue.
>
> Clarification/Editorial Comments
>
> 5. It is helpful for a MIB module to contain REFERENCE clauses.
> These MIB modules contain REFERENCE clauses only for TC definitions,
> none for any MIB objects. To pick just one of many potential
> examples, shouldn't ipiaIcmsPolicyStatement's definition have a
> REFERENCE clause pointing to RFC 3280 ??
>
> 6. ipiaCredMngCRLEntry's DECSRIPTION needs to specify (explicitly)
> what is represented by the value of ipiaIcmsName in its
> INDEX clause.
>
> 7. ipiaIpsecCredMngServiceTable's DESCRIPTION says that it is:
>
> "A table of Credential Management Service values. This
> table is usually used for credential/certificate values
> that are used with a management service (e.g. Certificate
> Authorities)."
>
> it would be clearer if it explained (explicitly) that each
> row in this
> table represents one Credential Management Service.
>
> 8. ipiaCmcDistributionPoint's DESCRIPTION says:
>
> "This Value represents a Distribution Point for a
> Credential
> Revocation List. It can be relative to the Credential
> Management Service or a full name (URL, e-mail, etc...)."
>
> a) the format needs to be specified,
> b) "it can be relative to ..." needs to be expanded to
> specify how to
> determine if, and if so, to which of the cited examples it
> is relative.
> c) the DESCRIPTION also needs to explain what it means to have the
> zero-length string as the value of this object.
>
> 9. ipiaCmcNextUpdate's DESCRIPTION says:
>
> "This value indicates the date the next version
> of this CRL
> will be issued. This SHOULD be in utctime or
> generalizedtime."
>
> a) REFERENCEs are needed for "utctime" and "generalizedtime",
> b) how is it determined which format is being used: utctime or
> generalizedtime?
> c) perhaps, it would be better to use the IETF-standardized
> DateAndTime
> as the syntax ??
> d) similarly for ipiaCmcThisUpdate.
>
> 10. Several DESCRIPTIONs use the ambiguous terms: "blank",
> "null string"
> and "empty". One use of "empty" is clarified by appending
> "(0 length)".
> One use of "null string" is also clarified by appending "(0
> length)".
> If "(0 length)" is the intended meaning for all such cases,
> then *all*
> such usages should be changed to be "zero-length string" (with the
> words "blank", "null" and "empty" deleted).
>
> 11. ipiaIcmsCredentialName's DESCRIPTION defines only how
> its value is
> used. From this descripiton of its usage, the definition
> of what the
> value actually means has to be infered. This needsx to be
> changed so
> that both the definition of what the value means and how it can be
> used are explicitly defined. Further, its syntax allows
> the value to
> be the zero-length string which cannot be used in the
> prescribed manner.
> Presumably, having the zero-length string as its value is
> appropriate
> when the value is not intended to be looked up, as will be the case
> for FC=SP. Thus, the DESCRIPTION needs to be expanded to define the
> meaning of the value and explicitly describe the case where
> the value
> is the zero-length string, e.g., similarly to how
> ipiaIkeIdCredentialName's DESCRIPTION does (but with "blank" changed
> to "zero-length string".)
>
> 12. The DESCRIPTION of ipsaCredMngName says:
>
> "This value is used as an index into the
> ipsaIpsecCredMngServiceTable. For IDs that have no
> credential management service, this value is left blank."
>
> Each row in this table is (I think) for a "credential" --
> it would be
> helpful to explain the relationship between "IDs" and a row's
> credential.
>
> 13. The DECSRIPTION of ipsaCredRemoteID says:
>
> "This object represents the Identification (e.g. user name)
> of the user of the key information on the remote site. If
> there is no ID associated with this credential, the value
> of this object SHOULD be the null string."
>
> Is "ID" a reference to "the Identification (e.g. user name)
> ... on the
> remote site", or is it a reference to the same "IDs" as in
> ipsaCredMngName ??
>
> 14. "allowble" in ipiaIcmsMaxChainLength's DESCRIPTION has a typo.
>
>
> Other Comments
>
> 15. ipiaCredFiltAcceptCredFrom's DESCRIPTION says:
>
> ... This value is empty if there is no CA used for this filter.
>
> but its syntax is:
>
> SYNTAX OCTET STRING(SIZE(1..117))
>
> Assuming the word "empty" will be rephrased as "zero-length string",
> then the SYNTAX needs to allow a length of zero.
>
>
> More comments as a result of comments I saw from Keith on the
> draft-ietf-ipsp-spd-mib-xx.txt, some of it has been applied
> to rev 7 of that doc, some not. Anyway....
>
> Keith worried about text in sect 4 (SPD MIB, also for sect 4
> IKEACTION-MIB):
>
> This MIB module is a task specific derivation (i.e. an
> SMIv2 instantiation)
> of the IPCP's IPsec configuration model for use with SNMPv3.
>
> I think it is better to
> s/for use with SNMPv3/that can be used with SNMP/
> Your security Considerations section takes care of any
> possible use with SNMPv2c or SNMPv1, but certainly
> any future SNMPvx migth be able to support it (NO, I am not
> predicting or advocating an SNMPv4). Also an ISMS based usage
> is foreseable.
>
> You may want to re-check the use of SYNTAX Integer32. According to
> RFC4181 in several case use of Unsigned32 is recommended. I don't
> think that your use of Integer32 is fatally flawed, but it is better
> to follow the guidelines/recommendations.
>
> -------- NITS and admins and questions
>
> a. I see that the textual conventions are prefixed with Ike.
> I think I would prefer them to be prefixed with Ipia (same
> as mib module). But it is just a nit. I can live with it.
> b. I see that IpsecDoiSecProtocolId TC does not follow the
> Ike prefix naming. Why is this TC not moved to the
> IPSEC-IPSECACTION-MIB so it sits together with the other
> OpsecDoiXxx TCs?
> c. I do not see why you would use capitalized MAY in the
> DESCRIPTION clause of ipiaCredentialFilterTable. A lower
> case "may" seems more than adequate to me.
> d. In general I think the capitalize RFC2119 terms are OVERUSED
> in various DESCRIPTION clauses.
> e. For ipiaIkeActExchangeMode, I guess you could add some text
> (or better a REFERENCE clause to a document) explaining what
> 'main' and 'aggressive' mean?
> f. Various DESCRIPTION clause are "empty" or useless. For
> example:
>
> ipiaCredMngCRLEntry OBJECT-TYPE
> SYNTAX IpiaCredMngCRLEntry
> MAX-ACCESS not-accessible
> STATUS current
> DESCRIPTION
> "A row in the ipiaCredMngCRLTable."
>
> Sure it is a row in this table. Can you say something about what
> sort of information is recorded/managed in such a row?
>
> g. I see no need for the following. They are just empty placeholders
> --
> --
> -- Notification objects information
> --
> --
>
> ipiaNotificationVariables OBJECT IDENTIFIER ::=
> { ipiaNotificationObjects 1 }
>
> ipiaNotifications OBJECT IDENTIFIER ::=
> { ipiaNotificationObjects 0 }
>
> But... they do not harm, so if you want to keep them, fine.
> It just clutters the MIB module (which is big enough anyway).
>
>
>
>
> ------------- TYPOs
> (appology that they are not always in order as they appear
> in the MIB module; I entered them here as I ran into them
> while jumping around to find references/pointers etc.)
>
> ipiaAutostartIkeTable OBJECT-TYPE
> SYNTAX SEQUENCE OF IpiaAutostartIkeEntry
> MAX-ACCESS not-accessible
> STATUS current
> DESCRIPTION
> "The parameters in the autostart IKE Table are used to
> automatically initiate IKE phaes I and II (i.e. IPsec)
>
> s/phaes/phases/
>
> ipiaIcmsMaxChainLength OBJECT-TYPE
> SYNTAX Integer32 (0..255)
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "This value is the maximum length of the chain
> allowble from
>
> s/allowble/allowable/
>
> ipiaIKECompliance MODULE-COMPLIANCE
> STATUS current
> DESCRIPTION
> "The compliance statement for SNMP entities that include an
> IPsec MIB implementation and supports IKE actions.
>
> -- OBJECT ipiaAutoIkeAddressType
> -- SYNTAX InetAddreessType { ipv4(1), ipv6(2) }
>
> s/InetAddreessType/InetAddressType/
>
> ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
> SYNTAX IkeGroupDescription
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "The values to be used for Diffie-Hellman exchange."
> ::= { ipiaIkeActionEntry 5 }
>
> s/values/value/ ?? I think in the instantiation of one object,
> it represents only one value, no?
>
> ipiaIpsecActDoPacketLogging OBJECT-TYPE
> SYNTAX SpdIPPacketLogging
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
>
> "ipiaIpsecActDoPacketLogging specifies whether or not an
> audit message SHOULD be logged and if there is logging, how
> many bytes of the packet to place in the notification."
>
> s/notification/log record/ ??
>
> ipiaIkeActDoPacketLogging OBJECT-TYPE
> SYNTAX SpdIPPacketLogging
> MAX-ACCESS read-create
> STATUS current
> DESCRIPTION
> "ikeDoPacketLogging specifies whether or not an audit
> message SHOULD be logged and if there is logging, how many
> bytes of the packet to place in the notification."
>
> s/notification/log record/ ??
>
> Bert
>
_______________________________________________
MIB-DOCTORS mailing list
MIB-DOCTORS@ietf.org
https://www1.ietf.org/mailman/listinfo/mib-doctors
- [MIB-DOCTORS] MIB Doctor review: SYNTAX checks: d… Wijnen, Bert (Bert)
- [MIB-DOCTORS] MIB Doctor review: mib content: dra… Wijnen, Bert (Bert)
- [MIB-DOCTORS] RE: MIB Doctor review: mib content:… Wijnen, Bert (Bert)
- [MIB-DOCTORS] MIB Doctor review: mib content: dra… Wijnen, Bert (Bert)