[sacm] Early AD review of draft-ietf-sacm-arch-07
Roman Danyliw <rdd@cert.org> Mon, 19 October 2020 21:57 UTC
Return-Path: <rdd@cert.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F3E63A0BD6 for <sacm@ietfa.amsl.com>; Mon, 19 Oct 2020 14:57:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXU1xDnNnDqp for <sacm@ietfa.amsl.com>; Mon, 19 Oct 2020 14:57:21 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30DDE3A0BCF for <sacm@ietf.org>; Mon, 19 Oct 2020 14:57:20 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09JLvJ1v045127 for <sacm@ietf.org>; Mon, 19 Oct 2020 17:57:19 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 09JLvJ1v045127
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1603144639; bh=YMVAlyVK/07RBj2ioesIrN9KYuQjkrPbHisyV96Z/1c=; h=From:To:Subject:Date:From; b=bwdUfzCmQx2rvIyYBi62QkJhWv7qFay2x0GzOLOa8gA1P1d6xrVjUjpcrBNuZSuWf Oy9l62+y3yBGy3ks3QKhte3yZz3TXyYyeo+PkcdtDKBc2citIG1O5hZypzcbuanhcE xPyyesO8sPuisjsbAzBycA9JUY40PaSNj6tCxrw4=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09JLvHqM005669 for <sacm@ietf.org>; Mon, 19 Oct 2020 17:57:17 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Mon, 19 Oct 2020 17:57:16 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Mon, 19 Oct 2020 17:57:16 -0400
From: Roman Danyliw <rdd@cert.org>
To: "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Early AD review of draft-ietf-sacm-arch-07
Thread-Index: AdamYb3drkhyEmItTH2NR6UA8JUydw==
Date: Mon, 19 Oct 2020 21:57:16 +0000
Message-ID: <bcf79439e3c0478db55c3a9eaf4b783f@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.69]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/_xyWm13lx1gpa8_Hrx0XclDH4aI>
Subject: [sacm] Early AD review of draft-ietf-sacm-arch-07
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2020 21:57:23 -0000
Hi!
I performed on an early AD review on draft-ietf-sacm-arch-07. As this is an early review, my feedback and questions are primarily about what is current written in -07, and likely doesn't capture the ongoing WG discussions (and open issues, etc). I caught a few editorial nits along the way, and documented them here because I happen to notice.
==[ Top level feedback
** It seems very late in the WG lifecycle for an architecture to be published. What work and who will implement this architecture? Who is the audience of this document?
** How is the architecture described here related to the one described in draft-ietf-sacm-epcp?
** It wasn't clear if this document is intended to specify architecture/requirements, or also get into protocol details. I followed the specifics of the high-level architecture in Section 3. I found parts of Section 4 and 5; and the hints in Section 8 containing getting into the details of what I'd consider the protocol without providing enough details to actually implement the behavior in an interoperable way.
For a proposed standard, the current text seems underspecified. As an architecture/requirements document, it would fit better as an informational document. It might be helpful to be clearer on what is in vs. out of scope.
==[ More detailed feedback
** Section 3.1. Why aren't there "orchestrator sub-architectures" and "repository sub-architectures" just like the Collection and Evaluation sub-architectures?
** Section 3.1. How is a "sub-architecture" component different from a component which isn't labeled as a "sub-architecture" (i.e., is "sub-architecture" a special designation)?
** Section 3.2.2. Why is the notion of repositories abstracted when this architecture seems to only use three - Posture Attribute, Evaluation Results and Policy Repos
** Section 3.3. Per "Each notional SACM component represents distinct sub-architectures which will exchange information via the integration services, using interactions described in this draft", this sentence didn't make sense to me in the content of explaining "Downstream uses".
** Section 4.*. Several sections make explicit references to topics (e.g., /orchestrator/registration) where is that topic syntax defined?
** Section 4.2.1. Per "The Orchestrator MUST have ... unique identifiers", unique to what scope?
** Section 4.2.1. Per "The Orchestrator MUST support making directed requests to registered components over the component's administrative interface ...", is that interface connected to the integration service?
** Section 4.* Several sections make reference to registering and reading topics. Where are the properties of this "topic queue" specified?
** Section 5.*. There appear to be snippet of what looks like machine readable code (i.e., "component-registration-request: ..."), what formal language is that?
** Section 7.
-- What are the expected security properties of the interactions/integration services?
-- Are there any requirements on the authentication/authorization model?
** Scope clarification
-- Is the expectation that the WG would define a data model + protocol for all interactions between all components listed in this architecture?
-- How much of the interface(s) into to the repositories is in scope?
-- Is the "policy feed" in scope? What is the relationship between the policy feed and orchestrator?
-- How do elements of the architecture discovery themselves?
-- The exact properties and requirements for the integration service aren't clear
==[ Nits
** Abstract. The abstract contains references, it should not.
** Section 2. ietf-sacm-terminology is a unpublished, and expired I-D. This will be a DOWNREF.
** Section 3.2.1. The discussion of "topic authorization policies" seems abrupt as the notion of subscribing to topics wasn't established yet.
** Section 3.4.1.1.1. Typo. s/colletion/collection/
** Section 3.4.1.1. YANG Push needs a reference.
** Section 4.2. Typo. s/mangement/Management/
** Section 5.* Typo. s/hearbeat/heartbeat/
** Section 5.4.1.1. There is inline XML in the value column of the topic row.
** Section 5.4.2.1.1. There is inline XML markup in the Value column of the topic row.
** Section 9. Please address the following feedback from idnits:
== Missing Reference: 'TBD' is mentioned on line 1414, but not defined
== Unused Reference: 'I-D.ietf-sacm-ecp' is defined on line 1435, but no
explicit reference was found in the text
== Unused Reference: 'RFC8412' is defined on line 1447, but no explicit
reference was found in the text
== Unused Reference: 'RFC8600' is defined on line 1453, but no explicit
reference was found in the text
== Unused Reference: 'HACK100' is defined on line 1471, but no explicit
reference was found in the text
== Unused Reference: 'HACK101' is defined on line 1475, but no explicit
reference was found in the text
== Unused Reference: 'HACK102' is defined on line 1478, but no explicit
reference was found in the text
== Unused Reference: 'HACK103' is defined on line 1482, but no explicit
reference was found in the text
== Unused Reference: 'HACK104' is defined on line 1485, but no explicit
reference was found in the text
== Unused Reference: 'HACK105' is defined on line 1488, but no explicit
reference was found in the text
== Unused Reference: 'HACK99' is defined on line 1492, but no explicit
reference was found in the text
== Unused Reference: 'NIST800126' is defined on line 1504, but no explicit
reference was found in the text
== Unused Reference: 'NISTIR7694' is defined on line 1512, but no explicit
reference was found in the text
== Unused Reference: 'RFC5023' is defined on line 1518, but no explicit
reference was found in the text
== Unused Reference: 'RFC8322' is defined on line 1532, but no explicit
reference was found in the text
== Unused Reference: 'XMPPEXT' is defined on line 1537, but no explicit
reference was found in the text
** Section A.3.1.3. Typo. s/neeeded/needed/
Regards,
Roman
- [sacm] Early AD review of draft-ietf-sacm-arch-07 Roman Danyliw