[secdir] Secdir review of draft-ietf-i2nsf-consumer-facing-interface-dm-26

Charlie Kaufman <charliekaufman@outlook.com> Wed, 15 March 2023 04:38 UTC

From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-i2nsf-consumer-facing-interface-dm.all@ietf.org" <draft-ietf-i2nsf-consumer-facing-interface-dm.all@ietf.org>
Date: Wed, 15 Mar 2023 04:38:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xHBb7SAOBmJSi24cYbor2sJUVdY>

Reviewer: Charlie Kaufman
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies a syntax for specifying security policies that apply in a networked environment. It is intended that general policies would be fed into the system in this syntax and then some policy engine would determine which policies need to be enforced by which nodes in the system and appropriate subsets would be distributed. The syntax takes the form of a YANG data model.

The review result I wanted to give was "Mostly Harmless". I am skeptical as to whether the collection of policies specifiable is flexible enough to be usable to manage a real network, but the syntax is easily extensible and this seems as good a place to start as any. If it encourages experimentation with management systems that distribute policies this way, that would be a good thing, and any deficiencies found could be fixed later. I could imagine other groups having very different visions as to how to manage this information, but I would not expect the presence of this document as an RFC would discourage them from experimenting with those visions.

I'm not sufficiently familiar with YANG or with Network Functions Virtualization to have a useful opinion as to how good this design is.

One point I found slightly suspicious was this text from section 3.2:

"Also note that QUIC protocol [RFC9000] is excluded in the data model as it is not considered in the initial I2NSF documents [RFC8329]. The QUIC traffic should not be treated as UDP traffic and will be considered in the future I2NSF documents."

I would think that an implementation that was oblivious to the existence of QUIC would treat it as UDP traffic (contrary to what this says), and could regulate it through that mechanism. As written, the text seems to say that this protocol lacks any ability to control QUIC. But perhaps I misunderstand.

--Charlie
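The following is an added illustration of the point raised about QUIC, written for this archive page; it is not code from the review, from the draft, or from any I2NSF implementation. It models a policy engine that, like the draft's data model, knows only "tcp" and "udp" as transport protocols. With that model a QUIC Initial packet is simply UDP traffic and is governed by whatever UDP rule matches its destination port, which is the behaviour the reviewer expects. The second mode carves QUIC out of UDP using a heuristic taken from RFC 9000 (long-header packets have the header-form bit 0x80 and fixed bit 0x40 set, followed by a 4-byte version; QUIC version 1 is 0x00000001); once QUIC is its own class, a rule set with no "quic" entry no longer governs it at all, which is the literal reading of the draft text the review questions. The packet bytes, the `Rule`/`Packet` types and the rule set are all constructed for this example and are not taken from the draft.

```python
"""Constructed example: what "QUIC is not UDP" means to a port/protocol policy filter."""
import struct
from dataclasses import dataclass
from typing import List, Optional

QUIC_V1 = 0x00000001  # QUIC version 1, RFC 9000


@dataclass(frozen=True)
class Packet:
    proto: str        # transport header actually on the wire: "tcp" or "udp"
    dst_port: int
    payload: bytes    # transport payload (constructed in the samples below)


@dataclass(frozen=True)
class Rule:
    proto: str                 # protocol class the rule applies to
    dst_port: Optional[int]    # None matches any port
    action: str                # "pass" or "drop"


def looks_like_quic_v1_long_header(payload: bytes) -> bool:
    """Heuristic from RFC 9000 section 17.2: a long-header packet starts with
    a byte whose header-form bit (0x80) and fixed bit (0x40) are both set,
    followed by a 4-byte version field. Only long-header (handshake-phase)
    packets carry a version; short-header packets would need flow tracking."""
    if len(payload) < 5:
        return False
    if payload[0] & 0xC0 != 0xC0:
        return False
    (version,) = struct.unpack("!I", payload[1:5])
    return version == QUIC_V1


def classify(pkt: Packet, distinguish_quic: bool) -> str:
    """Return the protocol class a rule is matched against.
    With distinguish_quic=False (the draft's current model) QUIC is just UDP."""
    if distinguish_quic and pkt.proto == "udp" and looks_like_quic_v1_long_header(pkt.payload):
        return "quic"
    return pkt.proto


def evaluate(rules: List[Rule], pkt: Packet, distinguish_quic: bool = False) -> str:
    """First-match evaluation; "no-match" means no rule governs the packet."""
    proto = classify(pkt, distinguish_quic)
    for rule in rules:
        if rule.proto == proto and (rule.dst_port is None or rule.dst_port == pkt.dst_port):
            return rule.action
    return "no-match"


# Constructed sample payloads (truncated, not valid full packets).
# QUIC Initial: first byte 0xC3 (long header, fixed bit, type Initial),
# version 1, 8-byte DCID of zeros, empty SCID, then padding.
QUIC_INITIAL = bytes([0xC3]) + struct.pack("!I", QUIC_V1) + b"\x08" + bytes(8) + b"\x00" + bytes(10)
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01" + bytes(6)          # plain UDP, not QUIC
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05" + bytes(5)        # TCP payload

# Constructed rule set with only the transport protocols the draft models.
RULES = [
    Rule("tcp", 443, "pass"),
    Rule("udp", 53, "pass"),
    Rule("udp", 443, "drop"),
]


def demo() -> dict:
    """Show the same QUIC packet under both interpretations of the draft text."""
    quic = Packet("udp", 443, QUIC_INITIAL)
    return {
        "quic_as_udp": evaluate(RULES, quic),                          # governed by udp/443
        "quic_carved_out": evaluate(RULES, quic, distinguish_quic=True),  # no rule applies
        "quic_with_quic_rule": evaluate(RULES + [Rule("quic", 443, "pass")], quic, True),
        "dns": evaluate(RULES, Packet("udp", 53, DNS_QUERY), True),
        "tls": evaluate(RULES, Packet("tcp", 443, TLS_CLIENT_HELLO), True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The heuristic is deliberately narrow: it recognises only QUIC version 1 long-header packets, so an engine that really wanted a separate "quic" class would have to track the 5-tuple after the handshake rather than inspect every datagram. That is precisely the extra machinery the draft defers, and the example shows the cost of deferring it by removing QUIC from the "udp" class before a "quic" class exists.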