Re: [yang-doctors] [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Wed, 07 October 2020 03:04 UTC
Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 406D63A15C8; Tue, 6 Oct 2020 20:04:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URI_DOTEDU=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iy7bzinkp849; Tue, 6 Oct 2020 20:04:55 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63B193A15C7; Tue, 6 Oct 2020 20:04:54 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id g2so558790lfr.10; Tue, 06 Oct 2020 20:04:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HKbC1NXKY7aOGlZc2iSAXCBW7lQ4n+Wb3WMQ/AyXnb8=; b=ZGDIA34UqY4NavFBJCf/hPzuwHE8ztqtiuQ2cnR1DJBu1CA3mGns7x0Uzz0HAAyDt4 za6kdJ4wN95kW/ar+qyisQM81Q9bu1BTV/oql7N/0gPOQw4RSPtt1dyOLm/E8cPXzcvk bLMe6vcOmKzpHbuZ1RG/tBleldggZMiavxWp8AfBogNw2gQS1YnRdd1ZqSMTbWmYy4mO 1D5aXtepeIL+sknbVsqIRjNO0eN3Xxpwz8oGc9lYZy7b+iJITyWJLI3YLMLpqyFgQObk 5ROBtipM+rHyTqHXwPmrxaMLkdNuYZfuB9e8JYarAKC1SSPsLq68L/Nu3QG/63dumMbF fJ7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HKbC1NXKY7aOGlZc2iSAXCBW7lQ4n+Wb3WMQ/AyXnb8=; b=CE2DZbYtv3oIJmnypUb7fdX1E+AvYvlYIvmhX4cY1YGwJrGK2qF2649bBIIgxLvVFD pgIIAyr8K0YY3t/RGo2/aaUU7yl5jer0u+vUyRFzCW5ac1e15yQkya1wDtYiKLT0ENQN ZXTjp4HBWbuMcQ1nQrbdWiCxozYRfe+bwnYDjEofhT/ggBQPip8joX/L3gSvuoUvtqbX 4MYAcg8ELdn6LGrQUc9J9Ijm0LfdHW6j6i0NCntuxJcezhIgI2MQd+4gyavIHUenPP36 y5oIE5aGTeAYvXq2tCUB6Nd9e5XvCMkpSLiEoNHdc/UhLI4lBx5NpHdeBZrhl2iivxOc MPNQ==
X-Gm-Message-State: AOAM530DMmh9kScfXFSFjxg5t7GLy+u8wpU7OKxKE3m19WCuuvTiaOC+ qc7+68hRqggk1LwpnadtjexdAx//DJdq4n4reNo=
X-Google-Smtp-Source: ABdhPJwkfe7coiv2VQGFABGySpJNtgPn8dRdODTKzg9d28KJTLpVlDW0xxM2AGgiUhNsPykQ04kOfM07Vqvq4QD9ZYE=
X-Received: by 2002:a19:7108:: with SMTP id m8mr265972lfc.335.1602039892269; Tue, 06 Oct 2020 20:04:52 -0700 (PDT)
MIME-Version: 1.0
References: <160192102291.6633.15935674903085952087@ietfa.amsl.com> <CAPK2DewOF7QcTD8UdFYdoGUvnJz_fxb53OOn-KmYQgNA38xLoA@mail.gmail.com> <CABCOCHQsxFVNdBgL9fyZHV+Bevs1D8d5B=+KJAgoVBVekz+VtQ@mail.gmail.com> <CAPK2DewNDq2_DtZhtxitTsavHczwiSKur9+yQPLR+18UbV-QHg@mail.gmail.com> <CABCOCHT-0mKbYBDtZHnANRLqMtSsT1ijhoe1znoS2_pDHn4WNA@mail.gmail.com>
In-Reply-To: <CABCOCHT-0mKbYBDtZHnANRLqMtSsT1ijhoe1znoS2_pDHn4WNA@mail.gmail.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Wed, 07 Oct 2020 12:04:15 +0900
Message-ID: <CAPK2Dexfpfgt730k5Zn3Aq34946Q5go4TuRrekA2hbbm_Wj_Jg@mail.gmail.com>
To: Andy Bierman <andy@yumaworks.com>
Cc: YANG Doctors <yang-doctors@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, draft-ietf-i2nsf-nsf-monitoring-data-model.all@ietf.org, Patrick Lingga <patricklink888@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b1dedb05b10bfad3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/5jt8n-J9qNysUrPoscXTnHr7Qew>
Subject: Re: [yang-doctors] [I2nsf] Yangdoctors early review of draft-ietf-i2nsf-nsf-monitoring-data-model-04
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2020 03:04:57 -0000
Hi Andy, I will investigate the event stream with information you sent me below. Thanks for your help and advice. Best Regards, Paul On Tue, Oct 6, 2020 at 1:51 PM Andy Bierman <andy@yumaworks.com> wrote: > > > On Mon, Oct 5, 2020 at 9:05 PM Mr. Jaehoon Paul Jeong < > jaehoon.paul@gmail.com> wrote: > >> Andy, >> What do you mean by the event stream? >> >> > https://tools.ietf.org/html/rfc8639#section-2.1 > > > >> Actually, I am thinking that the NETCONF can deliver the monitoring data >> of a system or an NSF in an XML file. >> >> Do you think that we need another way to convey the monitoring data? >> >> Thanks. >> >> Best Regards, >> Paul >> >> On Tue, Oct 6, 2020 at 12:30 PM Andy Bierman <andy@yumaworks.com> wrote: >> >>> >>> >>> On Mon, Oct 5, 2020 at 7:30 PM Mr. Jaehoon Paul Jeong < >>> jaehoon.paul@gmail.com> wrote: >>> >>>> Hi Andy, >>>> Thanks for your valuable comments on our NSF Monitoring YANG Data Model >>>> Draft. >>>> We authors will reflect your comments on the revision and come back to >>>> you with >>>> the revised draft and revision letter. >>>> >>>> >>> I forgot 1 comment: >>> >>> - the draft is not that explicit about the event stream to use for >>> these notifications >>> Perhaps a new standard event stream (I2NSF) would be better than the >>> standard (NETCONF) >>> The draft should be more clear wrt/ the NETCONF stream. >>> >>> >>> Andy >>> >>> >>> >>>> Thanks. >>>> >>>> Best Regards, >>>> Paul >>>> >>>> >>>> On Tue, Oct 6, 2020 at 3:03 AM Andy Bierman via Datatracker < >>>> noreply@ietf.org> wrote: >>>> >>>>> Reviewer: Andy Bierman >>>>> Review result: Almost Ready >>>>> >>>>> >>>>> >>>>> Major Issues: >>>>> >>>>> - None >>>>> >>>>> Moderate Issues: >>>>> >>>>> - top-level 'counters' container does not follow naming conventions. >>>>> Should start with 'i2nsf', probably 'i2nsf-state' >>>>> >>>>> - There do not seem to be any writable objects in the /counters >>>>> subtree so this container should have a 'config false' statement >>>>> >>>>> - top-level typedef and grouping description-stmts are >>>>> self-referential >>>>> and not useful. Need to rewrite description-stmts and/or add >>>>> reference-stmts as needed. >>>>> >>>>> - grouping common-monitoring-data/time-stamp >>>>> Is this a different time stamp than the one in the NETCONF >>>>> notification? >>>>> The 'message generation time' sounds like the standard timestamp. >>>>> Does this object represent the event detection time? >>>>> >>>>> - grouping i2nsf-system-alarm-type-content/usage >>>>> - grouping i2nsf-system-alarm-type-content/threshold >>>>> These are uint8 leafs with unclear descriptions. >>>>> Not sure why uint8 is the appropriate type. >>>>> Needs 1 or more of (reference, units, better description) >>>>> >>>>> - grouping traffic-rates >>>>> Add a units statement to each leaf. Not sure what units to use >>>>> but it should be consistent. (e.g, pps, bps used in descriptions >>>>> should also be in a units-stmt) >>>>> >>>>> - grouping i2nsf-system-counter-type-content >>>>> These counters should use the yang:counter32 type instead of uint32 >>>>> >>>>> - container counters/system-interface >>>>> - container counters/nsf-firewall >>>>> - container counters/nsf-policy-hits >>>>> The descriptions are too terse and confusing, and need a rewrite. >>>>> >>>>> - container counters/nsf-firewall >>>>> - container counters/nsf-policy-hits >>>>> - uses i2nsf-nsf-counters-type-content; >>>>> Many of the fields expanded from this grouping all say >>>>> they refer to 'the packet'. Why are they in this global >>>>> container of counters? E.g. (src-ip, dst-ip, src-port, dst-port) >>>>> Not clear at all how the server is supposed to apply this >>>>> grouping to these containers. >>>>> >>>>> - many leafs use "uint32" type for a rate. >>>>> Should add a units-stmt >>>>> >>>>> - leaf counters/nsf-policy-hits/hit-times >>>>> The purpose and type are confusing and generic. >>>>> If this is a counter then use counter32 >>>>> >>>>> - cut-and-paste for notification-stmt content should be replaced >>>>> with grouping/uses instead. Applies to the nsf-detection-* >>>>> and the various logging notifications. Even a grouping that >>>>> has 1 object in it is better than cut-and-paste 5+ times >>>>> >>>>> Minor Issues: >>>>> >>>>> - top-level identifiers are too generic >>>>> should have 'i2nsf-' prefix to be more reusable outside this module >>>>> >>>>> - quite a lot of identities that an implementation is required to >>>>> support. >>>>> If this set of identities might change a lot faster than the >>>>> notifications and counter objects, then consider putting them >>>>> in a separate module >>>>> >>>>> - leaf with same type named differently; both intrusion-attack-type >>>>> - nsf-detection-intrusion/sub-attack-type >>>>> - nsf-log-intrusion/attack-type >>>>> >>>>> - quite a lot of notification event types for a server to implement >>>>> and a user to manage. All are mandatory (no if-feature statements). >>>>> Some such as nsf-detection-* subset are very similar. >>>>> A section or table would be useful that showed the YANG notification >>>>> names and their purpose -- maybe a reference to another RFC >>>>> with more details >>>>> >>>>> - there seems to be notifications for intrusion events and then >>>>> again for the logging of those events. This seems excessive >>>>> but >>>>> >>>>> >>>>> - grouping common-monitoring-data/time-stamp >>>>> Is this a different time stamp than the one in the NETCONF >>>>> notification? >>>>> The 'message generation time' sounds like the standard timestamp. >>>>> Is this event detection time? >>>>> >>>>> - grouping common-monitoring-data/module-name >>>>> Is this a YANG module or some other type of module? >>>>> >>>>> - there is no way to configure which notifications should be generated >>>>> or maybe how often. YANG Push has its own dampening-period. >>>>> Since these are event stream subscriptions, not datastore >>>>> subscriptions, >>>>> YANG-Push does not apply to this document at all. >>>>> >>>>> If there are a lot of notifications then a server implementation >>>>> might drop some >>>>> >>>>> - grouping i2nsf-nsf-event-type-content-extend/src-zone >>>>> - grouping i2nsf-nsf-event-type-content-extend/src-zone >>>>> These use type 'string'. Consider using a typedef that constrains >>>>> the string. General comment where unconstrained string is used: >>>>> The corner-case values such as empty string are often not allowed >>>>> in implementations. >>>>> >>>>> >>>>> - grouping i2nsf-nsf-event-type-content-extend/rule-id >>>>> - grouping i2nsf-nsf-event-type-content-extend/rule-name >>>>> - grouping i2nsf-nsf-event-type-content-extend/profile >>>>> These objects seem to reference objects in another YANG module. >>>>> If so, then leafref types might be more appropriate. >>>>> >>>>> - grouping i2nsf-nsf-event-type-content/rule-id >>>>> - grouping i2nsf-nsf-event-type-content/rule-name >>>>> - grouping i2nsf-nsf-event-type-content/profile >>>>> - grouping i2nsf-nsf-event-type-content/raw-info >>>>> These objects are cut-and-paste duplicates from >>>>> grouping i2nsf-nsf-event-type-content. They should >>>>> be in a separate grouping used by both. Also applies >>>>> to some other sets of objects >>>>> >>>>> - limits issues (e.g. current-session, maximum-session >>>>> The type is uint8. This is only OK it is impossible for any >>>>> implementation to ever have or want more than 255 of them. >>>>> If some other RFC really does limit the values where uint8 >>>>> is used, then that is OK. If so, a reference-stmt would help. >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> I2nsf mailing list >>>>> I2nsf@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/i2nsf >>>>> >>>> >>>> >>>> -- >>>> =========================== >>>> Mr. Jaehoon (Paul) Jeong, Ph.D. >>>> Associate Professor >>>> Department of Computer Science and Engineering >>>> Sungkyunkwan University >>>> Office: +82-31-299-4957 >>>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu >>>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php >>>> <http://cpslab.skku.edu/people-jaehoon-jeong.php> >>>> >>> >> >> -- >> =========================== >> Mr. Jaehoon (Paul) Jeong, Ph.D. >> Associate Professor >> Department of Computer Science and Engineering >> Sungkyunkwan University >> Office: +82-31-299-4957 >> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu >> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php >> <http://cpslab.skku.edu/people-jaehoon-jeong.php> >> > -- =========================== Mr. Jaehoon (Paul) Jeong, Ph.D. Associate Professor Department of Computer Science and Engineering Sungkyunkwan University Office: +82-31-299-4957 Email: jaehoon.paul@gmail.com, pauljeong@skku.edu Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php <http://cpslab.skku.edu/people-jaehoon-jeong.php>
- [yang-doctors] Yangdoctors early review of draft-… Andy Bierman via Datatracker
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Mr. Jaehoon Paul Jeong
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Reshad Rahman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Reshad Rahman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Linda Dunbar
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Andy Bierman
- Re: [yang-doctors] [I2nsf] Yangdoctors early revi… Linda Dunbar