Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard
Dhruv Dhody <dhruv.ietf@gmail.com> Thu, 11 February 2021 09:40 UTC
Return-Path: <dhruv.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35AF73A122C; Thu, 11 Feb 2021 01:40:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPuhp0T8DCXr; Thu, 11 Feb 2021 01:40:00 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41B753A1228; Thu, 11 Feb 2021 01:40:00 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id e24so5016275ioc.1; Thu, 11 Feb 2021 01:40:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8jvbjr7Y66uYwfUV0nMDGzOOZxCDlYc8a9cJz3bT/Rg=; b=q7SvgaU9dg+NKOclRy+P8JMk2ngJWfbQLlejUYp45SUBRO5dzsON18+tr+D8MmGmfJ g471qePoGTz3POktziDygZOEmFrtXB8R1bMeKIq3A8GIbEImuWUXzKlefZP87YnXJk/R aEoHehIQKYDt1lMFDkpCtQkQn+xYehd5p0vfSR/7WWzvM0twpCIwBu1oItOEkKfL75N4 FP2heX8e04JD5MrCaPzL5vxG/9tDHH2nB57sCN6wnHzSp0W8WLHGj2ikw7w1oBn8F65T 8VZcNeGHHBdkG/2tqssdQz7uTh3aoguc/fX3x8fgv+T9pgoQ2Jeby/OVeawm9XjhMpsd MJVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8jvbjr7Y66uYwfUV0nMDGzOOZxCDlYc8a9cJz3bT/Rg=; b=feto/7TPW/qGMxUrVMpwTEPKYsh4xb2OfP0XTjvCSt4UHkIdcHb6bRdzKF9e8u5V26 YPrlS1pItOV5iZlH6t5oZYTfQtxlthUZebPplDTmR5vnvHguBqs1uIPJrkWrYRQSbSEJ Hnhhop+LPgOr9+52ABvrd3BbjfSXvMtNsMYbD5FJVexXJjkCJknGPt6blSmUqXgWdhB3 8hEdaR1eFDRmyp2cDGu9yk1tt/MjOExhZQUZJEmYXCfRnokr+PLXkJ+CAp0tByFtlSVu 40lsHeP9ubiQfKWGR69qw8KGrJnn3JE6TkpzlCarf+q9Lx2BVWpq6XcHBjbd3S+2MPkq bvvw==
X-Gm-Message-State: AOAM532xsbnODiBa8RI2AtYzl6I+AyZWy7fbXo6J1DSEuMtUp2lp3HRf vO0he59rBeTdfZ69prmpGAD1ZaFHjS2NtsBFPpQ=
X-Google-Smtp-Source: ABdhPJxbGeiICiIFq/w95VBw21QIwm3WF8aWG5Y5p6To1GEkxPfGtQJcj7hodiu7gVqkzwDqToEqYUWg3jn6xXocHi8=
X-Received: by 2002:a5d:940d:: with SMTP id v13mr4790840ion.193.1613036397781; Thu, 11 Feb 2021 01:39:57 -0800 (PST)
MIME-Version: 1.0
References: <161195994417.2651.6499166797756243533@ietfa.amsl.com>
In-Reply-To: <161195994417.2651.6499166797756243533@ietfa.amsl.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
Date: Thu, 11 Feb 2021 15:09:21 +0530
Message-ID: <CAB75xn5CQr2yg7wWZHj-sJM7WaaTJK5NF0pzzLhqmx5hHf8GiQ@mail.gmail.com>
To: tom petch <ietfc@btconnect.com>
Cc: IETF-Announce <ietf-announce@ietf.org>, Dieter Sibold <dsibold.ietf@gmail.com>, draft-ietf-ntp-yang-data-model@ietf.org, ek.ietf@gmail.com, ntp-chairs@ietf.org, NTP WG <ntp@ietf.org>, last-call@ietf.org, Ankit Kumar Sinha <ankit.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/M8rAUE1ZFF6MBC-f9VIkJSTG9oo>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 09:40:04 -0000
Hi Tom, Thanks for your review. I have posted an updated version of the YANG. https://datatracker.ietf.org/doc/draft-ietf-ntp-yang-data-model/ https://www.ietf.org/rfcdiff?url1=draft-ietf-ntp-yang-data-model-10&url2=draft-ietf-ntp-yang-data-model-12 Please find my consolidated response below - Email 1: ======== On Mon, Feb 8, 2021 at 5:52 PM tom petch <daedulus@btconnect.com> wrote: > > I have two main problems and a lot of lesser ones with this I-D; given > the number, about 50, I am not optimistic that a single cycle of > revision will see them addressed. > > I see a potential loophole in the security which I will post separately > since the audience is likely to be different. > > References are missing or not specific enough so when I try to compare > values in the I-D with those of the protocol, either I cannot find them > or they seem to be different. Giving values to enumerations is unusual > in YANG, since NETCONF does not transmit them, and their presence > suggests that they are protocol values, in which case I want to see what > the protocol says. A reference to a 110 page I-D, with two updating > I-D, is inadequate IMO - section numbers are needed in every case. > I have added section numbers in most of the cases. I have changed enums to identity. > Introduction > should mention support, or lack thereof, for NMDA > Its present in Section 1.1 already, I have added keyword NMDA as well now. > 1.4. Prefixes in Data Node Names > | ianach | iana-crypt-hash | [RFC7317] | > the reference is wrong; this is an IANA- maintained module so the > reference must be to the IANA website > No longer using ianach in this update. > 1.5. Refrences in the Model > /Refrences/References/ > /refrenced in /referenced in / > Updated > 2. NTP data model > > I do not see the value of a condensed model followed immediately by a > full model. Perhaps the full model should be an Appendix although at > less than three pages, this is quite small and would be ok on its own > IMHO. > Updated > 4. Relationship with RFC 7317 > /supports per-interface configurations / > support per-interface configuration/ > Updated > 5. Access Rules > /refer access-mode) and attach different acl-rule/ > see access-mode) and attach a different acl-rule/ > Updated > 6. Key Management > /32-bits unsigned /32-bit unsigned/ > > /this YANG modules/this YANG module/ > Updated > NTP association (for example unicast-server), > /specefied/specified/ > Updated > 7. NTP YANG Module > > import iana-crypt-hash { > reference "RFC 7317: A YANG Data Model for System > Management"; > wrong reference - this module is IANA-maintained so the reference must > be to the IANA website > Not using iana-crypt-hash anymore! > contact > WG List: <mailto: ntpwg@lists.ntp.org > this is not the address I see on the datatracker > > the I-D has five editors but there are only two here > There are 2 co-authors marked as editors. RFC 8407 says the document author or editor contact information needs to be present. > typedef access-mode { > I cannot find this in RFC5905 > Section 9.2 and Appendix A.5.4. I have added section number in reference. > typedef association-mode { > this I can find but it ranges from 0 to 7 whereas the I-D has 0 to 4 - is > this intended? > Changed to identity. > typedef ntp-sync-state { > this I cannot find; a search for 'spike' yields a value of 2 in the > RFC, 5 here - is this intended? > Instead of enum and values, changed to identity. > effect in XXX seconds."; > for what value of XXX? > Removed. > leaf packet-sent { > leaf packet-received { > leaf packet-dropped { > discontinuities in the value of sysUpTime."; > those who have been involved with network management for ten years or > less will likely not recognise this object. You could add a reference > but I suggest you replace it with a YANG-based approach; see for example > how draft-ietf-ospf-yang handles discontinuities > Updated as suggested. > leaf access-mode { > /defination/definition/ > Updated > leaf clock-refid { > ... reference clock of the peer to > which clock is synchronized."; > > I do not understand this. Presumably this corresponds to > type string { > length "4"; > from the three type union but what object is this? > I created a typedef and cleaned it up. This is as described in Section 7.3 of RFC5905 under Reference ID. > leaf clock-offset { > examples could do with units to make it clear that it is '1.232mS' and > not '1.232s' > Updated > leaf address { > type inet:host; > this includes the domain name, which I see no mention of in the RFC > Changed to inet:ip-address > list associations { > /and isconfigured is required/and isconfigured are required/ > > leaf address { > type inet:host; > as above, the description seems to ignore the option of the domain name > > leaf refid { > same union as for leaf clock-refid, but a completely different > description, neither of which I understand. > Updated (all of the above). > '20.1.1.1' > this address would appear to be assigned to Microsoft, not an > affiliation I see among the authors. Is the company ok with this? > Updated to 203.0.113.1 > leaf reach { > type uint8; > is this the 8-bit p.reach shift register? reference needed (again:-) > > leaf unreach { > ditto > Added. > leaf poll { > type uint8; > units "seconds"; > description > "The polling interval for current association"; > is there a useful default? 2s appears in the RFC in places > No default in this case. > leaf offset { > as above, the example values would be clearer with units > Updated > leaf transmit-time { > type yang:date-and-time; > description > "This is the local time, in timestamp format, > at which the NTP packet departed the peer(T3). > If the peer becomes unreachable the value is set to zero."; > I think, but am not sure, that a yang:date-and-time can never be set to > zero, the syntax does not allow it; the usual approach with YANG is a > union with another type which can indicate a special condition - int, > boolean, etc > > leaf input-time { > type yang:date-and-time; > ditto > Thanks, updated as per your suggestion. > leaf ttl { > type uint8; > description > "Specifies the time to live (TTL) > TTL does not exist in IPv6 > This TTL is not related to IP. See section 3.1 for manycast and updated with reference. > uses common-attributes { > description > /attribute like/attributes such as/ > Updated > leaf ttl { > type uint8; > description > "Specifies the maximum time to live (TTL) for > TTL does not exist in IPv6 > As above. > uses common-attributes { > /attributes like/attributes such as/ > Updated > leaf beacon { > what are the units and is there a default? Is there a maximum of 15? As > ever, a reference could tell me. > Added reference > 8. Usage Example > lots of examples but none for IPv6 or JSON > Added one IPv6. I dont think we need add one for JSON as well. > 8.1 > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > sys: is a defined prefix and must not be re-used > Oops, updated here and all other instance! > <refid>20.1.1.1</refid> > as above, is Microsoft ok with this? > Updated to 203.0.113.1 > 8.2 > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > sys: is a defined prefix and must not be re-used > > 8.3 > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > sys: is a defined prefix and must not be re-used > > 8.4 > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > sys: is a defined prefix and must not be re-used > > 8.5 > "224.1.1.1" > would appear to be a reserved address. Other RFC used 224.0.1.1 > Updated > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > and again, twice > > <address>224.1.1.1</address> > as above > > 8.6 > "224.1.1.1" > as above > > <sys:ntp xmlns:sys="urn:ietf:params:xml:ns:yang:ietf-ntp"> > as above, twice > > 8.7 > <ntp xmlns="urn:ietf:params:xml:ns:yang:ietf-ntp"> > as above > > 8.8 > <ntp xmlns="urn:ietf:params:xml:ns:yang:ietf-ntp"> > as above > > <refid>20.1.1.1</refid> > as above > > 8.9 > <ntp xmlns="urn:ietf:params:xml:ns:yang:ietf-ntp"> > as above > Updated in all cases. > 12.2 > [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model > wrong reference in the wrong place > this is an IANA-maintained module and so the reference must be to the > IANA website; and since the module is imported, the reference must be > Normative. > No longer using iana-crypt-hash. > Tom Petch > > > ----- Original Message ----- > From: "The IESG" <iesg-secretary@ietf.org> > To: "IETF-Announce" <ietf-announce@ietf.org> > Cc: <ek.ietf@gmail.com>; <ntp-chairs@ietf.org>; <ntp@ietf.org>; > <dsibold.ietf@gmail.com>; <draft-ietf-ntp-yang-data-model@ietf.org> > Sent: Friday, January 29, 2021 10:39 PM > Subject: Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data > Model for NTP) to Proposed Standard > Email 2: ======== On Mon, Feb 8, 2021 at 6:07 PM tom petch <daedulus@btconnect.com> wrote: > > This is my second response to this Last Call, about a possible security > issue. > > RFC8573 seems clear that MD5 must not be used to effect security for NTP > but this I-D imports iana-crypt-hash which allows MD5 without any > restriction, so is MD5 allowed or not? > > There are features defined which allow the hash in iana-crypt-hash to be > restricted but this I-D does not use them. > > Probably iana-crypt-hash should be updated - I will raise that on the > NETMOD WG list. > No longer using iana-crypt-hash, instead made this change to allow all sort of key formats - OLD: | +--rw key? ianach:crypt-hash NEW: | +--rw key | | +--rw (key-string-style)? | | +--:(keystring) | | | +--rw keystring? string | | +--:(hexadecimal) {hex-key-string}? | | +--rw hexadecimal-string? yang:hex-string END The comment related to use of MD5 still applies. I have not yet added a check for the algorithm. I have updated the description and security consideration to highligh that MD5 is depricated as per RFC 8573. Lets see what the IESG suggests... > The I-D also uses MD5 in a way that would appear not to be security > related, to hash an IPv6 address. > This is as per RFC 5905 - "If using the IPv6 address family, it is the first four octets of the MD5 hash of the IPv6 address." > In passing, this I-D has three references to RFC7317. This is wrong - > the module is IANA-maintained and so the references should be to the > IANA website. > No longer using iana-crypt-hash. > The secdir reviewer might be interested in my thoughts. > > Tom Petch Email 3: ======== On Tue, Feb 9, 2021 at 4:40 PM tom petch <daedulus@btconnect.com> wrote: > > A separate thought to my previous two. > > Section 4 is very keen that this I-D and the system module which > configures ntp SHOULD NOT coexist but this is not enforced by the YANG. > > It could be. Import the system module and make the presence container > in this I-D dependent on the absence of the presence container in > /system/ntp. > Updated as per your suggestion! ==== Thanks again for your detailed review. It has improved the YANG model significantly! Thanks! Dhruv & Ankit On Sat, Jan 30, 2021 at 4:09 AM The IESG <iesg-secretary@ietf.org> wrote: > > > The IESG has received a request from the Network Time Protocol WG (ntp) to > consider the following document: - 'A YANG Data Model for NTP' > <draft-ietf-ntp-yang-data-model-10.txt> as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits final > comments on this action. Please send substantive comments to the > last-call@ietf.org mailing lists by 2021-02-12. Exceptionally, comments may > be sent to iesg@ietf.org instead. In either case, please retain the beginning > of the Subject line to allow automated sorting. > > Abstract > > > This document defines a YANG data model for Network Time Protocol > (NTP) implementations. The data model includes configuration data > and state data. > > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-ietf-ntp-yang-data-model/ > > > > No IPR declarations have been submitted directly on this I-D. > > > > >
- [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-… The IESG
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Harlan Stenn
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Dhruv Dhody
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… tom petch
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… tom petch
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Dhruv Dhody
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Harlan Stenn
- [Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-… Harlan Stenn
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Hal Murray
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Dhruv Dhody
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Miroslav Lichvar
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Dhruv Dhody
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… tom petch
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… tom petch
- Re: [Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-… tom petch
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Salz, Rich
- Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-mo… Dhruv Dhody
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Benjamin Kaduk
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Hal Murray
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Benjamin Kaduk
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Hal Murray
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Dhruv Dhody
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Dhruv Dhody
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Hal Murray
- [Ntp] Antw: [EXT] Re: [Last-Call] Last Call: <dra… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: [Last-Call] Last Call: … Harlan Stenn
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- [Ntp] Antw: [EXT] Re: [Last-Call] Last Call: <dra… Ulrich Windl
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Danny Mayer
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Salz, Rich
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… James Browning
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Christian Huitema
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Salz, Rich
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… Martin Burnicki
- [Ntp] Antw: [EXT] Re: [Last-Call] Last Call: <dra… Ulrich Windl
- Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-… tom petch