Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-15
"Clyde Wildes (cwildes)" <cwildes@cisco.com> Mon, 14 August 2017 14:47 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/bdMbU8JfZUP6xRzKq5P-Sn8w5mU>
Kent,

Comments inline as [clyde]…

On 8/14/17, 6:53 AM, "Kent Watsen" <kwatsen@juniper.net> wrote:

> 5. S1 as a whole. I'm a bit unclear what this section is doing. It
> seems to be a general summary of Syslog (RFC5424). Do we need this here?
>
> [clyde] Suggestions appreciated. I wanted to provide a high level overview
> of the syslog process. I cleaned it up a little.

Move Section 2 text to Section 1, replacing the text that's there?

[clyde] will do

> 12. S3, P8: I'm having trouble understanding the pseudocode. What
> happens if S and/or F are not present? Can S or F ever not be
> present? - looking at the tree diagram, it seems like they might
> always be set to something in the model.
>
> [clyde] S or F might not be present.

In the YANG module, facility-list is keyed by [facility severity], which
means the values are always present, right?

[clyde] There are two paths: specifying a facility-filter, in which case S
or F are present, or specifying a pattern-match, in which case they might
not be present if facility-filter is not specified.

> 14. S3.1: is /syslog/actions/remote/destination/tls/ missing an
> 'address' leaf?
>
> [clyde] not as far as I know
>

Looking at the tree-diagram, the 'tls' case doesn't seem to have the
address or port fields. FWIW, the ietf-tls-client module doesn't provide
these fields so that consuming modules can configure a normal client
versus a client listening for call-home connections...

   +--:(tcp)
   |  +--rw tcp
   |     +--rw address?   inet:host
   |     +--rw port?      inet:port-number
   +--:(udp)
   |  +--rw udp
   |     +--rw address?   inet:host
   |     +--rw port?      inet:port-number
   +--:(tls)
      +--rw tls
         <address/port missing here, right?>
         +--rw server-auth
         <more ietf-tls-client grouping here>

[clyde] Here is what the tree looks like in the latest draft…

   |  +--:(tls)
   |     +--rw tls
   |        +--rw server-auth
   |        |  +--rw trusted-ca-certs?       -> /ks:keystore/trusted-certificates/name
   |        |  +--rw trusted-server-certs?   -> /ks:keystore/trusted-certificates/name
   |        +--rw client-auth
   |        |  +--rw (auth-type)?
   |        |     +--:(certificate)
   |        |        +--rw certificate?   -> /ks:keystore/keys/key/certificates/certificate/name
   |        +--rw hello-params {tls-client-hello-params-config}?
   |        |  +--rw tls-versions
   |        |  |  +--rw tls-version*    identityref
   |        |  +--rw cipher-suites
   |        |     +--rw cipher-suite*   identityref
   |        +--rw address?   inet:host
   |        +--rw port?      inet:port-number

Address and port are there. Please clarify on what you think is missing.

This is what it looks like in the model:

   case tls {
     container tls {
       description
         "This container describes the TLS transport options.";
       reference
         "RFC 5425: Transport Layer Security (TLS) Transport
          Mapping for Syslog ";
       uses tlsc:tls-client-grouping;
       leaf address {
         type inet:host;
         description
           "The leaf uniquely specifies the address of the remote
            host. One of the following must be specified: an ipv4
            address, an ipv6 address, or a host name.";
       }
       leaf port {
         type inet:port-number;
         default 6514;
         description
           "TCP port 6514 has been allocated as the default port
            for syslog over TLS.";
       }
     }
   }

> 19. S4.1, in the 'severity-filter' grouping, why does leaf 'severity'
> have values set for enums 'none' and 'all'? When would these values
> be used, as opposed to the enum's name string? If you do need values,
> then shouldn't 'none' be 2147483647 (so nothing can be greater than it)
> and 'all' be -2147483648 (so everything is greater than it)?
>
> [clyde] 'none' and 'all' are set to values that are not defined in
> RFC 5424. These values were previously suggested by Martin Björklund

Fine, but let's re-evaluate the values now. Imagine having a variable x
and stepping through the selector list: if x >= facility-list/severity
then foo. Now imagine it read: if x >= 'all' then foo. What integer
value for 'all' would always ensure True? MIN-INT. Likewise, you can
see that MAX-INT is the best value for 'none'.

[clyde] I will be changing these to:
   'none' 2147483647 (so nothing can be greater than it)
   'all' -2147483648 (so everything is greater than it)?

> 20. S7: can you indent the two blocks of details so the whole thing
> reads better?
>
> [clyde] I searched for an example that shows how to do this in XML
> and couldn't find the keyword.

Assuming xml2rfc XML, then you could convert the contents to a figure,
or a list with style='empty'

[clyde] ok I will follow this advice

Thanks again for all your review comments!
Clyde

Thanks,
Kent
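The selector semantics argued over in items 12 and 19 above, as an added illustration that is not code from the draft or from either author: the comparison is taken literally from the thread (x >= S on one integer scale, so the ordering of RFC 5424 severity codes is an assumption left unmodelled), exact facility matching is a simplification, and the 'none'/'all' sentinels are the INT32 bounds Clyde agrees to use.

```python
import re
from typing import Optional, Tuple

# Sentinel values for the 'severity' enumeration as agreed in the thread.
SEVERITY_NONE = 2147483647   # INT32 max: no int32 severity is greater
SEVERITY_ALL = -2147483648   # INT32 min: every int32 severity is >= it
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def severity_selected(x: int, s: int) -> bool:
    """The selector step quoted in the thread, taken literally:
    'if x >= facility-list/severity then foo'.  x and s are assumed to
    be on one integer scale; RFC 5424 code ordering is not modelled."""
    return x >= s


def message_selected(msg_facility: int, msg_severity: int, msg_text: str,
                     facility_filter: Optional[Tuple[int, int]] = None,
                     pattern_match: Optional[str] = None) -> bool:
    """Apply one selector.  As described in the thread, a selector gives
    a facility-filter (F, S) and/or a pattern-match; F and S are absent
    when only a pattern-match is specified.  Exact facility match is a
    simplification assumed here."""
    if facility_filter is None and pattern_match is None:
        raise ValueError("selector needs a facility-filter or a pattern-match")
    if facility_filter is not None:
        f, s = facility_filter
        if msg_facility != f or not severity_selected(msg_severity, s):
            return False
    if pattern_match is not None and re.search(pattern_match, msg_text) is None:
        return False
    return True


def sentinel_check() -> bool:
    """'all' must select every int32 value, and 'none' must select no
    severity in the RFC 5424 code range 0..7."""
    all_ok = all(severity_selected(x, SEVERITY_ALL)
                 for x in (INT32_MIN, 0, 7, INT32_MAX))
    none_ok = not any(severity_selected(x, SEVERITY_NONE) for x in range(8))
    return all_ok and none_ok
```

Values other than the INT32 bounds (the ones Clyde says were not defined in RFC 5424) would not give `sentinel_check()` for every in-range x, which is the point Kent makes.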