[OPSAWG] AD Review of " A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13
Warren Kumari <warren@kumari.net> Fri, 23 March 2018 10:01 UTC
Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28AA2126CC4 for <opsawg@ietfa.amsl.com>; Fri, 23 Mar 2018 03:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, THIS_AD=1.199] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i3vSyviL2FHE for <opsawg@ietfa.amsl.com>; Fri, 23 Mar 2018 03:01:07 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B040C1250B8 for <opsawg@ietf.org>; Fri, 23 Mar 2018 03:01:06 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id t6so2433622wmt.5 for <opsawg@ietf.org>; Fri, 23 Mar 2018 03:01:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=L2mE063k6/XnWBY2EmYkjvWr2ddVnvZydW8nBh+tbsg=; b=ofI/E7cYtjvbGvs59IcgF9QHpeP1KeeZjzUkk3kcpE4qKfzR87ZSiCF8l55nVZHPXO gWBDWAeMGhUIadTGhXM12vsu4y7KtO5Zm1qPxniirY+u93D1BbauCW+zi39sQTX7v39P GSnVT1e49aTSBw6CSkEe8iT/A1iPSmFfjadArY15abUr9USA/2T8hdsRHi8kDDYE8oP5 FujeOxTGFTnKxTlWkSXc0cpbxG5F7HBWy0a/CLIpwtZzbmE2pEuOWzdilV0PjX8RtMwB 4k/xgyVSUG5H0F+jtys96MfJAFNYvhI80b2X6NImHXteBxkBiZygOLhkyt5AxYeDL1Y1 PxIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=L2mE063k6/XnWBY2EmYkjvWr2ddVnvZydW8nBh+tbsg=; b=PELvGevSsn/FiCUEDsu1T+RzQ5DenVXu7F7TxQ8AMwkr1dOPn/h2gI511aqoWKa/v9 1TJsuW0QQk+/V9x0dRWc9PSZrX4W9mxHG1qDdjRYf+nukxOHlt5EvrfgDHwVgYCSOuAB ogBcv7gigzAFYIc02MjVT6LfGia4JSl9yuGO0QGi+iMZOMrzXSyoyLOYA/RSuQWoUPM4 +K1wqtIyW3hdUk8BbPzuZU7WGg52+wT7XGa4vsqu4LmedmpTVbY4KUyKonjMCPEXhMjb Qhv1Tw/MC17i6WmW7Ia1IGO3UJAWu+BMSYHft5kelXopZFKx2iGG6o3SQiRc6UJ9Se4+ rEnw==
X-Gm-Message-State: AElRT7GfhkwxMX0/46Bbg+GEMqEPJTMuhp9UP1zKx2mvAJOX/92rSfdw ipKYPcWv06IV7UPBc3JycESvJW2j3j7iPNAt/4GAbCjv1HY=
X-Google-Smtp-Source: AG47ELsWe3lBul+bGxo8cNZWej2/5NrPYw+kVMsGk5GWsmgC2qcv/E7aulqPHBfL3+k3a+pQy0RcmF1ZsabbAuX3cmc=
X-Received: by 10.28.142.1 with SMTP id q1mr8792340wmd.0.1521799264459; Fri, 23 Mar 2018 03:01:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.226.76 with HTTP; Fri, 23 Mar 2018 03:00:23 -0700 (PDT)
From: Warren Kumari <warren@kumari.net>
Date: Fri, 23 Mar 2018 10:00:23 +0000
Message-ID: <CAHw9_iLf+od4LyeUOO2E8Nn2O2FB4R+=LXArZ6K74aWb5RHkJA@mail.gmail.com>
To: opsawg@ietf.org, draft-ietf-opsawg-nat-yang.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/9YXExQUsUgPck_9DeVOcePApWfU>
Subject: [OPSAWG] AD Review of " A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 10:01:08 -0000
AD Review of " A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" draft-ietf-opsawg-nat-yang-13 Note: I started while I was the Responsible AD for OpsAWG; Igans has taken this over, but these may still be helpful. ------- Hi there, Apologies for how long this AD review took -- various travels got in the way and this got delayed. Thank you to the editors and WG for your efforts on this document, it's a well written and easy to understand draft. I do have a few comments that I’d like addressed before I start IETF LC — addressing these now will avoid issues later in the process. 1: Section Abstract, Terminology "NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), ..." NAT44 is not defined, nor is it in the RFC Editor Well Known Acronyms list - I think RFC7857 might work or just add something like "Network Address Translation from IPv4 to IPv4 (NAT44)" to terminology. 2: Section 2.1. Overview "This YANG module allows to instruct a NAT function to enable the logging feature" This is missing some words -- perhaps "This YANG module provides a method to instruct a NAT function to enable the logging feature" (or similar) 3: Section 2.2. Various Translation Flavors "The NAT YANG module allows to retrieve the capabilities of a NAT instance " -- same as above 4: Section 2.4. Other Transport Protocols "The module is structured to support other protocols than UDP, TCP, and ICMP. " s/other protocols than/protocols other than/ (readability / flow) 5: "The mapping table is designed so that it can indicate any transport protocol. For example, this module may be used to manage a DCCP-capable NAT that adheres to [RFC5597]. Future extensions can be defined to cover NAT-related considerations that are specific to other transport protocols such as SCTP [I-D.ietf-tsvwg-natsupp]." The above sounds confusing (to me at least) - the mapping table is designed so it can indicate any transport protocol. Future extensions can be defined to make it do so? (not sure how to word it better, but the above sounds unclear as to if the mapping table can actually indicate any transport protocol or if it itself needed to be extended) 6: "Also, the module allows to enable translation for these protocols when required" Similar to #2, #3 -- perhaps "the module allows the operator to enable translation" or "the module enables translation for" (I think the former, or reword). 7: Section 2.6. Port Set Assignment "Port numbers can be assigned by a NAT individually (that is, a single port is assigned on a per session basis). Nevertheless, this port allocation scheme may not be optimal for logging purposes" I would suggest combining these into a single sentence -- "... on a per session basis), but this port..." - purely a readability nit 8: "Therefore, a NAT function should be able to assign port sets (e.g., [RFC7753]) to optimize the volume of the logging data (REQ-14 of [RFC6888])." "Therefore" sounds like it is a new requirement on NATS - can you reword to make it clear it isn't. 9: Section 2.7. Port-Restricted IP Addresses "Some NATs require to restrict the source port numbers" I'd suggest s/require to// 10: Section 2.8. NAT Mapping Entries "A TCP/UDP mapping entry maintains an association between the following information:" It this true for all types of NATs? For example, a 1:1 NAT / rewriting doesn't need to track ports, because 192.0.2.1:xxx -> 10.10.10.10:xxx (internal port == external port, so no need to track port state) 11: "In order to cover both NAT64 and NAT44 flavors in particular, the NAT mapping structure allows to include an IPv4" I think you can drop the "in particular" 12: "In order to cover both NAT64 and NAT44 flavors in particular, the NAT mapping structure allows to include an IPv4" "allows to include an" parses oddly - perhaps "allows for the inclusion of an..." (or similar) 13: Table 5 is formatted oddly / weird justification - presumably the RFC Editor would fix this, but if you can, it would make review easier. 14: "In order to prevent from generating frequent notifications" This is missing a word or words. 15: "The NAT YANG module allows to set parameters to prevent a user from" Similar to #2, #3. 16: "Nevertheless, an attacker who is able to access to the NAT can undertake" s/to// Thank you. W -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [OPSAWG] AD Review of " A YANG Module for Network… Warren Kumari
- Re: [OPSAWG] AD Review of " A YANG Module for Net… mohamed.boucadair
- Re: [OPSAWG] AD Review of " A YANG Module for Net… Warren Kumari
- Re: [OPSAWG] AD Review of " A YANG Module for Net… mohamed.boucadair