IETF Logo Mail Archive

Re: [OPSAWG] AD Review of " A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13

Warren Kumari <warren@kumari.net> Fri, 23 March 2018 11:16 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E0DC12D873 for <opsawg@ietfa.amsl.com>; Fri, 23 Mar 2018 04:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, THIS_AD=1.199, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXCHBpANnSkr for <opsawg@ietfa.amsl.com>; Fri, 23 Mar 2018 04:16:45 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC64F12D86F for <opsawg@ietf.org>; Fri, 23 Mar 2018 04:16:44 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id e194so2857034wmd.3 for <opsawg@ietf.org>; Fri, 23 Mar 2018 04:16:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=2es726t9VYr8zm2cMQYGsFK8lAi8NGvSDSrhaDlJ3FU=; b=OL3gu62/pHDVNTv99QqSehG1N1HAzJ66tLIjVfnZ6LBMxXdrAAgNOw8L7RC3YxXYdw er9NUdF0vbCzdoEZ/Dz35nIkXjh/KwyLkZkwoUMsagbGgnNOYTi1eYsLKw9B+uDPUHrt by7oUmWiV2pC6WjGaBDR2us3zQ57luY3AKUKR96Hr7WOScayGONiJpReqRZMSohAiAvN 89l7bj2YxAEa1vK3eZlBgADZMgES7g80Bz1ExIv+sw6UieHRnuv9sqwebJrn1Xe4WuN0 RvV8y6j1JKE/904FMqBbLK/5BPez+v0i0uMPea0CfmqghZSQnrDfdc+x9x2g4JPi3UdS NqCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=2es726t9VYr8zm2cMQYGsFK8lAi8NGvSDSrhaDlJ3FU=; b=h9AbpiTHjk2D5UFP8cLJcPxWO+jHMO2Yk46ANFqgEmkG9g6Pqip81Rri0CYKW6b28F y54D3bIWgVRAQkoYFPQylbdZ+K/0dNDHtrQdWHJevWbGhpxwKzb2cMZON/WCqmbx+03i YKC4gbronEic22tZCTUivryfzkGCSZlqG55HMmdyM3wR+eNN/FbKjXWTpfY6N0M+3m+8 5FU6fc9RSCodzOR4LSBFH5cNVPzGGqaaNH3bpDoTPb9wGOOq4WIMIrEYD7cu720mOD8G c0Mo3CJJImOR9y0/BO7n8gMpwy8nvizwopQl+onR9EPr2TBzWaaXPtxQyXtfVqQM+Xr6 e99g==
X-Gm-Message-State: AElRT7EuEaYOtednrz6dsXrhF3AtXZeIopRmtF++boVIXM0bRWl/gMi2 ZGJjOY/6wrFVPTdc4KE7Q/YZu0xGbN5PwFd6l9Zqyg==
X-Google-Smtp-Source: AG47ELv4SqBJ8BYU2dOxd05Xb4bFBe6qaJWz2o3by46cTNBHcSLb9JAIqHxBVjRc26QjGFNG4+FgWXMF22nmIGYj9UM=
X-Received: by 10.28.55.4 with SMTP id e4mr7674489wma.7.1521803802686; Fri, 23 Mar 2018 04:16:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.226.76 with HTTP; Fri, 23 Mar 2018 04:16:02 -0700 (PDT)
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302DEE6A43@OPEXCNORMAD.corporate.adroot.infra.ftgroup>
References: <CAHw9_iLf+od4LyeUOO2E8Nn2O2FB4R+=LXArZ6K74aWb5RHkJA@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93302DEE6A43@OPEXCNORMAD.corporate.adroot.infra.ftgroup>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 23 Mar 2018 11:16:02 +0000
Message-ID: <CAHw9_iLPXArKGBLzQSLJezESb6KQMwpLcMKUDDwebL+a0zy7zg@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-nat-yang.all@ietf.org" <draft-ietf-opsawg-nat-yang.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/7UOjeey_H6hiDzFNGAz7yh8Ut9k>
Subject: Re: [OPSAWG] AD Review of " A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 11:16:46 -0000

On Fri, Mar 23, 2018 at 10:35 AM,  <mohamed.boucadair@orange.com> wrote:
> Hi Warren,
>
> Thank you for the review.
>
> Please see inline.
>
> Cheers,
> Med
>
>> -----Message d'origine-----
>> De : Warren Kumari [mailto:warren@kumari.net]
>> Envoyé : vendredi 23 mars 2018 10:00
>> À : opsawg@ietf.org; draft-ietf-opsawg-nat-yang.all@ietf.org
>> Objet : AD Review of " A YANG Module for Network Address Translation (NAT)
>> and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13
>>
>> AD Review of " A YANG Module for Network Address Translation (NAT) and
>> Network Prefix Translation (NPT)"  draft-ietf-opsawg-nat-yang-13
>>
>> Note: I started while I was the Responsible AD for OpsAWG; Igans has
>> taken this over, but these may still be helpful.
>>
>> -------
>> Hi there,
>>
>> Apologies for how long this AD review took -- various travels got in
>> the way and this got delayed.
>>
>> Thank you to the editors and WG for your efforts on this document,
>> it's a well written and easy to understand
>> draft.  I do have a few comments that I’d like addressed  before I
>> start IETF LC — addressing these now will avoid
>> issues later in the process.
>>
>> 1:  Section Abstract, Terminology
>> "NAT44, Network Address and Protocol Translation from IPv6 Clients to
>> IPv4 Servers (NAT64), ..."
>> NAT44 is not defined, nor is it in the RFC Editor Well Known Acronyms
>> list - I think RFC7857 might work or just add something like "Network
>> Address Translation from IPv4
>> to IPv4 (NAT44)" to terminology.
>>
>
> [Med] I added "Network Address Translation from IPv4 to IPv4 (NAT44)"
>
>> 2: Section 2.1.  Overview
>> "This YANG module allows to instruct a NAT function to enable the
>> logging feature"
>> This is missing some words -- perhaps "This YANG module provides a
>> method to instruct a NAT function to enable the logging feature" (or
>> similar)
>>
>
> [Med] Works for me. Fixed.
>
>
>> 3: Section 2.2.  Various Translation Flavors
>> "The NAT YANG module allows to retrieve the capabilities of a NAT
>> instance " -- same as above
>>
>
> [Med] Fixed.
>
>> 4: Section 2.4.  Other Transport Protocols
>> "The module is structured to support other protocols than UDP, TCP, and ICMP.
>> "
>> s/other protocols than/protocols other than/  (readability / flow)
>>
>
>  [Med] OK
>
>> 5: "The mapping table is designed so that it can indicate any
>>    transport protocol.  For example, this module may be used to manage a
>>    DCCP-capable NAT that adheres to [RFC5597].
>>    Future extensions can be defined to cover NAT-related considerations
>>    that are specific to other transport protocols such as SCTP
>>    [I-D.ietf-tsvwg-natsupp]."
>>  The above sounds confusing (to me at least) - the mapping table is
>> designed so it can indicate any transport protocol. Future extensions
>> can be defined to make it do so? (not sure how to word it better, but
>> the above sounds unclear as to if the mapping table can actually
>> indicate any transport protocol or if it itself needed to be extended)
>>
>
> [Med] The mapping table can indicate any transport protocols. Nevertheless, if some transport needs to manipulate some specific information, then the mapping entry needs to be extended.
>
> I changed the text to "Future extensions may be needed to cover ..."
>
>>  6: "Also, the module allows to enable translation for these protocols
>> when required"
>>  Similar to #2, #3 -- perhaps "the module allows the operator to
>> enable translation" or "the module enables translation for" (I think
>> the former, or reword).
>>
>
> [Med] Fixed.
>
>>
>> 7: Section 2.6.  Port Set Assignment
>>    "Port numbers can be assigned by a NAT individually (that is, a single
>>    port is assigned on a per session basis).  Nevertheless, this port
>>    allocation scheme may not be optimal for logging purposes"
>>    I would suggest combining these into a single sentence -- "... on a
>> per session basis), but this port..." - purely a readability nit
>>
>
> [Med] Deal.
>
>
>> 8: "Therefore, a NAT function should be able to assign
>>    port sets (e.g., [RFC7753]) to optimize the volume of the logging
>>    data (REQ-14 of [RFC6888])."
>>    "Therefore" sounds like it is a new requirement on NATS - can you
>> reword to make it clear it isn't.
>>
>
> [Med] I deleted "Therefore" to avoid that misinterpretation.
>
>> 9: Section 2.7.  Port-Restricted IP Addresses
>>  "Some NATs require to restrict the source port numbers"
>>  I'd suggest s/require to//
>>
>
> [Med] Fixed.
>
>>  10: Section 2.8.  NAT Mapping Entries
>>    "A TCP/UDP mapping entry maintains an association between the
>> following information:"
>>    It this true for all types of NATs? For example, a 1:1 NAT /
>> rewriting doesn't need to track ports, because 192.0.2.1:xxx ->
>> 10.10.10.10:xxx (internal port == external port, so no need to track
>> port state)
>>
>
> [Med] TCP/UDP mapping does make sense only when ports are rewritten. For the case you cited, mappings are not tracked at the transport level.
>
>>  11: "In order to cover both NAT64 and NAT44 flavors in particular,
>> the NAT mapping structure allows to include an IPv4"
>>   I think you can drop the "in particular"
>>
>
> [Med] Works for me.
>
>> 12: "In order to cover both NAT64 and NAT44 flavors in particular, the
>> NAT mapping structure allows to include an IPv4"
>>   "allows to include an" parses oddly - perhaps "allows for the
>> inclusion of an..." (or similar)
>>
>
> [Med] Fixed.
>
>> 13: Table 5 is formatted oddly / weird justification - presumably the
>> RFC Editor would fix this, but if you can, it would make review
>> easier.
>>
> [Med] Will check and fix as appropriate.
>
>> 14: "In order to prevent from generating frequent notifications"
>> This is missing a word or words.
>>
>
> [Med] I added "...prevent a NAT implementation ... "
>
>> 15: "The NAT YANG module allows to set parameters to prevent a user from"
>> Similar to #2, #3.
>>
>
> [Med] Fixed.
>
>> 16: "Nevertheless, an attacker who is able to access to the NAT can
>> undertake"
>> s/to//
>>
>
> [Med] Fixed.

Win!

Thank you,
W

>
>>
>> Thank you.
>> W
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email