Re: [yang-doctors] Yangdoctors early review of draft-ietf-opsawg-nat-yang-06
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Sun, 29 October 2017 08:38 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85F9413F937; Sun, 29 Oct 2017 01:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJCtm11Vz7Hg; Sun, 29 Oct 2017 01:38:12 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CC113F93C; Sun, 29 Oct 2017 01:38:07 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 3912565B; Sun, 29 Oct 2017 09:38:05 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id 3UZgDZ8BvpOH; Sun, 29 Oct 2017 09:38:03 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Sun, 29 Oct 2017 09:38:05 +0100 (CET)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 21F2B2010F; Sun, 29 Oct 2017 09:38:05 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 44WrmblLqYGu; Sun, 29 Oct 2017 09:38:02 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id E23222010E; Sun, 29 Oct 2017 09:38:02 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id DCBA841418EF; Sun, 29 Oct 2017 09:36:36 +0100 (CET)
Date: Sun, 29 Oct 2017 09:36:36 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: yang-doctors@ietf.org
Cc: draft-ietf-opsawg-nat-yang.all@ietf.org, opsawg@ietf.org
Message-ID: <20171029083636.35fhzpj5i5zqb7of@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: yang-doctors@ietf.org, draft-ietf-opsawg-nat-yang.all@ietf.org, opsawg@ietf.org
References: <150912805550.22087.2939629492652644040@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: 8bit
In-Reply-To: <150912805550.22087.2939629492652644040@ietfa.amsl.com>
User-Agent: NeoMutt/20170714 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/4A_OBgZiBNEL_U1UD2m2ZdssFDI>
Subject: Re: [yang-doctors] Yangdoctors early review of draft-ietf-opsawg-nat-yang-06
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Oct 2017 08:38:17 -0000
One additional nit: You may want to think about the name of the toplevel node. Here is what is currently published: +--rw interfaces ietf-interfaces RFC 7223 +--rw ipfix ietf-ipfix-psamp RFC 6728 +--rw key-chains ietf-key-chain RFC 8177 +--rw lmap ietf-lmap-control RFC 8194 +--ro modules-state ietf-yang-library RFC 7895 +--rw nacm ietf-netconf-acm RFC 6536 +--ro netconf-state ietf-netconf-monitoring RFC 6022 +--rw routing ietf-routing RFC 8022 +--rw snmp ietf-snmp RFC 7407 +--rw system ietf-system RFC 7317 +--ro system-state ietf-system RFC 7317 +--ro interfaces-state ietf-interfaces RFC 7223 (to be deprecated) +--ro routing-state ietf-routing RFC 8022 (to be obsoleted) Calling the toplevel node simply 'nat' may be more inline with the existing names (which are not all perfect but if we ignore the -state nodes there is a certain level of consistency - a not toplevel node uses 'module'). /js On Fri, Oct 27, 2017 at 11:14:15AM -0700, Jürgen Schönwälder wrote: > Reviewer: Jürgen Schönwälder > Review result: Not Ready > > Summary > > >From a YANG modeling point of view, the module is rather straight > forward and I did not discover anything that seems fundamentally > problematic. That said, there are a number of details where I doubt > the model is correct and things where I believe things are incomplete. > Given that there are many different NAT functions, I also expected to > see usage of YANG features. > > One fundamental question one could raise is whether this model should > have been broken down into a generic NAT core model plus extensions of > the core model for the different types of NATs. Well, a single model > with YANG features is an inline version of that as this still requires > to mark clearly which parts are specific to certain types or NATs. > > I did not compile the module myself since the IETF tracker says no > errors using pyang and yanglint (and I would not have run anything > different). (Is it OK for YANG doctors to trust the tracker tools? > Well, since this is labelled as an early review and I expect more > updates, I assume this is fine.) > > I can't tell whether the model makes sense from a NAT point of view. I > am not an expert in the various types of NATs and surely more reviews > of NAT experts would be good (and they would have likely spotted some > things I have spotted, so I guess the usual problem of getting enough > substantial reviews). > > Details > > - We use revision statements only for published modules. Hence, please > replace the revision statements with > > // RFC Ed. update to match the date of the latest edits > revision 2017-xx-yy { > description > "Initial revision."; > reference > "RFC XXXX: A YANG Data Model for Network Address Translation > (NAT) and Network Prefix Translation (NPT)"; > } > > - We usually follow a different template for the contact statement > that has more context and just a list of names and email addresses. > > - We usually write > > reference > "RFC 3022: Traditional IP Network Address Translator > (Traditional NAT)"; > > instead of just > > reference > "RFC 3022."; > > since not everybody remembers all the numbers equally well. > > - Is there a reference for dst-nat? > > - What is the vrf-routing-instance identity good for? Its used only in > the leaf external-vrf-instance and the description of that leaf is > not telling me how this is going to be used. Who is going to derive > identities? I fear you are trying to achieve something where using > identities is really the wrong approach. Section 2.10 does not tell > how this is supposed to work either. I assume this needs to be > checked by the routing area experts to make sure things fit with > their modeling of VRFs. > > - s/start-port-numbert/start-port-number/ > > - Are comments like > > // port numbers: single or port-range > > necessary given that there are description statements? Note that > comments may be removed by tools while description statements > usually are preserved. So it is important to have anything important > covered in description statements. > > - What is a PSID algorithm? Spell out acronyms on first usage. > > - The leafs start-port-number and end-port-number are commented out in > port-range, probably in favour of the uses port-number. If they are > not needed anymore, they should be removed. > > - I do not understand port-set-algo from the descriptions. What is the > psid-offset applied? What is a 'sharing ration for an IPv4 address'? > Is this stuff IPv4 specific? Is the psid something that has a > certain meaning outside of this YANG module? If so, where do I find > more details (missing reference statement?)? > > - mapping-entry/index: is this an arbitrary identifier? how are these > identifiers allocated? Are they created by the NAT or are they created > via configuration? Or even both? Well, I guess it is both given the > mapping-entry/type leaf. > > - mapping-entry/type: instead 'manually configured', I would write > 'explicitly configured' (configuration does not have to be a manual > process). I also find the other enum labels at least a bit confusing. > > enum "dynamic-explicit" { > description > "This mapping is created by an > outgoing packet."; > } > > enum "dynamic-implicit" { > description > "This mapping is created by an > explicit dynamic message."; > } > > Note the 'implicit' vs 'explicit' clash here. Perhaps this should be > aligned with the definition of dynamic and implicit mappings: > > o Dynamic implicit mapping: is created implicitly as a side effect > of traffic such as an outgoing TCP SYN or an outgoing UDP packet. > A validity lifetime is associated with this mapping. > > o Dynamic explicit mapping: is created as a result of an explicit > request, e.g., PCP message [RFC6887]. A validity lifetime is > associated with this mapping. > > But then it seems you really messed things up here. I would even > write these definitions differently since 'outgoing' is unclear and > potentially confusing. > > o Dynamic implicit mapping: is created implicitly as a side effect > of processing a packet (e.g., an initial TCP SYN packet) that > requires a new mapping. A validity lifetime is associated with > this mapping. > > o Dynamic explicit mapping: is created as a result of an explicit > request, e.g., PCP message [RFC6887]. A validity lifetime is > associated with this mapping. > > Similarly, I would change the description of > > enum "dynamic-implicit" { > description > "This mapping is created implicitely as a side effect > of processing a packet that requires a new mapping."; > } > > enum "dynamic-explicit" { > description > "This mapping is created as a result of an explicit > request, e.g., a PCP message."; > } > > - We should perhaps have a type for an IP protocol number, ideally in > inet-types. (Just a reminder to myself.) That said, I do not > understand what this sentence means: > > No transport protocol is indicated if a mapping applies for > any protocol. > > Perhaps you wanted to say this: > > If this leaf is not instantiated, then the mapping applies to any > protocol. > > - container internal-src-port: > - container external-src-port: > - container internal-dst-port: > - container external-dst-port: > > It is used also to carry the internal > source ICMP identifier."; > > I think details are lacking here. What is the ICMP identifier? What > does 'carry' mean and how does this relate to the port-number > grouping? > > See above, I do not understand the ICMP identifier statement. > > - lifetime: > > Spell out 3WHS. I think there should be a units statement. And is > this a ticking lifetime, i.e., this changes on every get request? Is > this useful? Have alternatives been considered such as reporting the > point in time when the mapping was established? Or is the idea that > the lifetime reports the time left until the mapping will be garbage > collected? What does "tracks the connection" really mean here? > > - I suggest to remove empty lines in say leaf definitions. Instead > > leaf id { > type uint32; > > description > "NAT instance identifier."; > > reference > "RFC 7659."; > } > > write > > leaf id { > type uint32; > description > "NAT instance identifier."; > reference > "RFC 7659: Definitions of Managed Objects for Network > Address Translators (NATs)"; > } > > - It seems you try to be aligned with the NATV2-MIB module but there > is no explicit discussion about this in the document. I suggest that > you a section (for example before the tree diagram) where you > discuss how this YANG module coexists with the NATV2-MIB module. > > For example, I see that Natv2InstanceIndex in the MIB module > excludes 0 as an instance identifier while your id leaf above allows > the usage of 0. > > - container nat-capabilities: > > Here we find a bunch of "config true" leafs and I wonder how these > work. There are things a NAT implementation is capable to do, and > there are things that are enabled in a NAT deployment and of course > you can't enable something in a deployment that has not been > implemented. So are these 'capabilities' more like NAT features > enabled (since we have "config true" nodes) or are these more > implemented capabilities (but then "config true" may be wrong)? > Depending on the answer, did you consider using YANG features? > > - nat-flavor and nat44-flavor: > > Does it make sense to have two objects here? Can I put basic-nat > into nat-flavor? Are the differences between lets say napt and > basic-nat really nat44 specific? > > Note that you also derive restricted-nat from nat44 but this option > is not mentioned in the description of nat44-flavor. I think the > description should be more open since in principle I can derive even > more identities in the future. > > - boolean capability flags > > Do these need references so one can lookup what the exact meaning of > these 'capabilities' are? It would surely help me and it will help > implementors that need to decide whether a certain vendor feature > fits any of these. > > - nat-pass-through-pref > > Perhaps spell out nat-pass-through-prefix (pref might also be > understood as preference). And perhaps change the wording in the > description > > OLD > "The IP address subnets that match > should not be translated. According to > > NEW > "IP addresses matching this prefix are > not be translated. According to > > - Sometimes you repeat prefixes in leaf definitions (e.g., > nat-pass-through-port) while at other times you do not. > > - nat-pass-through-port > > You seem to have copy pasted the description of > nat-pass-through-pref. Is this a single port? So I need multiple > nat-pass-through entries for multiple ports. Fine. But is there a > special meaning if both nat-pass-through-pref and > nat-pass-through-port are configured in a single list entry? Does > this mean the port is scoped to the prefix? > > - Some nat type specific parameter lists are flat, for others there is > an additional container. Is this by design? > > - I meanwhile think there really should be features. Certain lists > only make sense for implementations that support certain NAT > types. Having features defined allows code generators to easily > generate stubs that actually match the capabilities of an > implementation. And you automatically benefit from feature > announcements. > > - s/attachedto/attached to/ > > - s/prefixs./prefixes./ > > - nat64-prefix > > What is the purpose of //default "64:ff9b::/96"; ?? > > - stateless-enable > > Does this enable leaf make sense on a list entry? Perhaps it does > but the description is fairly general and hence I am asking. > > - external-ip-address-pool/pool-id > > This seems to relate to a Natv2PoolIndex, which again excludes the > value 0. I have not checked all such related things, so please go > and check yourself. > > - external-ip-address-pool > > The description says > > Both contiguous and non-contiguous pools > can be configured for NAT purposes."; > > but it seems more accurate to say that a pool is a set of prefixes > since this is what the model suggests. > > - supported-transport-protocols > > I am again not clear whether you are reporting implementation > capabilities here or enabled features or something else. Is the > configuration of transport-protocol-id and transport-protocol-name > mutually exclusive? If so, should this be a choice? If I can > configure both, I assume they have to be consistent. > > - transport-protocol-name > > Is this restricted to the acronyms that are used in the IANA > protocol numbers registry? > > - s/masck/mask/ > > - subscriber-mask-v6 > > The name seems to indicate that this only applies to IPv6 prefixes > handed out to CPEs. Perhaps this should be stated explicitely (but > yes it is unlike to ever get an IPv4 prefix). But then, the > subscriber-match has an IPv4 prefix example. > > - quota-type > > Is this a good name for the leaf? This seems to indicate for which > transport protocol a port-limit is enforced. And this list is > restricted to TCP, UDP, and ICMP while other parts of the model are > more flexible in supporting additional transport protocols. So is it > consistent to a rather restricted enum here? > > - port-set-timeout > > Needs a units statement. > > - timeouts > > Can I make the timeouts arbitrarily small, in the extreme case 0 > seconds? In some cases I find text like "for at least 6 seconds". > Does this mean that the range is really uint32 { range "6..max"; }? > Or is it still OK to configure the value 3 and the 'must' is really > a 'should'? > > - port-timeout > > I doubt this is of type inet:port-number and there likely needs to > be a units statement. > > - alg-name > > Is there a list of well-known ALG names? IANA? Or is this a random > string that one needs to guess form the vendor's documentation, > i.e., this is potentially not interoperable out of the box? Is there > a way to obtain the number of ALGs supported or is the idea to do > trial and error probing to find out (which is even harder if there > are no well-known ALG names)? > > - all-algs-enable > > This says "Enable/disable all ALGs." but I _assume_ that I set this > to false and to enable specific ALGs. Perhaps this interaction needs > to be spelled out. > > - Is there any throttling mechanism needed in case my NAT is > constantly operating around the notification thresholds? > > - Add units to the mapping limit definitions ("subscribers", > "mappings", ...) > > - limit-per-subnet > > This is type inet:ip-prefix? I guess you wanted something else here. > > - Why are some limits mandatory, others not? > > - If you write 'limit per subscriber', how is a subscriber identified? > I assume these are global per subscriber limits, i.e., all > subscribers receive the same limit. > > - limit-per-subnet > > leaf limit-per-subnet { > type inet:ip-prefix; > > description > "Rate-limit the number of new mappings > and sessions per subnet."; > } > > I do not see how this works. The other limit-per-XXX objects are > numbers - presumably defining the limit. This is a prefix? > > - logging-info > > Is this information complete? Perhaps it is for plain syslog > (without any security) but I doubt the info is complete for the > other transports mentioned, at least not for FTP. And surely, if you > want to protect the logging information, then you will neeed way > more parameters. And what does 'retrieving' logging entries mean? I > assume with syslog and ipfix you push log messages. I am less sure > about FTP. Perhaps less is more and simply provide support for > syslog and leave the other options for extensions. You have a choice > in place, so not need to go and deal with all possible complexity > here. > > - For the statistics, we used to use plural form for counters back in > SNMP land and I think this was good practice. So go with > sent-packets, sent-bytes, rcvd-packets, rcvd-bytes, dropped-packets, > dropped-bytes, ... > > - total-mappings, total-tcp-mappings, total-udp-mappings, > total-icmp-mappings: These may use yang:gauge32. > > - address-allocated, address-free -> addresses-allocated, addresses-free > (may also be yang:gauge32) > > - Some of these gauges might fluctuate fast (maybe consider > exponentially smoothed gauges, but this might also be left for an > extension). > > - The security considerations text should follow the new boilerplate > that also covers RESTCONF. I think it would help to be more specific > about the security aspects of this data model. This text is quite > generic. With a NAT, things even have privacy aspects. If I can > force a specific NAT mapping, I can track a subscriber. > > - At least one example has syntax errors. Examples should ideally be > validated by tools so that the examples are syntactically correct and > valid regarding the data model. > > > _______________________________________________ > yang-doctors mailing list > yang-doctors@ietf.org > https://www.ietf.org/mailman/listinfo/yang-doctors -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [yang-doctors] Yangdoctors early review of draft-… Jürgen Schönwälder
- Re: [yang-doctors] Yangdoctors early review of dr… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors early review of dr… mohamed.boucadair
- Re: [yang-doctors] Yangdoctors early review of dr… mohamed.boucadair
- Re: [yang-doctors] Yangdoctors early review of dr… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors early review of dr… mohamed.boucadair
- Re: [yang-doctors] Yangdoctors early review of dr… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors early review of dr… mohamed.boucadair
- Re: [yang-doctors] Yangdoctors early review of dr… mohamed.boucadair