IETF Logo Mail Archive

Re: [yang-doctors] Yangdoctors early review of draft-ietf-opsawg-nat-yang-06

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 01 November 2017 10:05 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC05B1395F0; Wed, 1 Nov 2017 03:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWC6Zs7gqLuS; Wed, 1 Nov 2017 03:05:40 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62BF2139567; Wed, 1 Nov 2017 03:05:40 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 67F2DF6B; Wed, 1 Nov 2017 11:05:38 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id rAHxX4n1KQnp; Wed, 1 Nov 2017 11:05:38 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Wed, 1 Nov 2017 11:05:38 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 53B7220111; Wed, 1 Nov 2017 11:05:38 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 6zRSuJVdOp6v; Wed, 1 Nov 2017 11:05:37 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 2D64B20110; Wed, 1 Nov 2017 11:05:37 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 03D2D4146993; Wed, 1 Nov 2017 11:04:09 +0100 (CET)
Date: Wed, 01 Nov 2017 11:04:09 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: mohamed.boucadair@orange.com
Cc: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-opsawg-nat-yang.all@ietf.org" <draft-ietf-opsawg-nat-yang.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Message-ID: <20171101100409.n6sycvnj5km4jrdk@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: mohamed.boucadair@orange.com, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-opsawg-nat-yang.all@ietf.org" <draft-ietf-opsawg-nat-yang.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
References: <150912805550.22087.2939629492652644040@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93300A060DB1@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20171030162210.ni72dxxmc45o3cak@elstar.local> <787AE7BB302AE849A7480A190F8B93300A063187@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <787AE7BB302AE849A7480A190F8B93300A063187@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
User-Agent: NeoMutt/20170714 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/PydTiVDtN5tJgdSYivgNBT8JcWc>
Subject: Re: [yang-doctors] Yangdoctors early review of draft-ietf-opsawg-nat-yang-06
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 10:05:43 -0000

On Tue, Oct 31, 2017 at 09:55:46AM +0000, mohamed.boucadair@orange.com wrote:
> > >  That said, there are a number of details where I doubt
> > > > the model is correct and things where I believe things are incomplete.
> > > > Given that there are many different NAT functions, I also expected to
> > > > see usage of YANG features.
> > >
> > > [Med] We used to make use of "features", but there was a comment during
> > the WG call for adoption that requested us to make use of identities,
> > instead.
> > 
> > But these are not the same thing.
> 
> [Med] You are right. Sorry for not being clear. 
> 
> What I meant is that the module used, for example, "if-feature nat64" and so on to refer to NAT flavors. We replaced those with "when" statements that points to the actual capabilities of an implementation. 
> Another change we made, is that we used to have "Boolean" to indicate the support of a given tarnation scheme (e.g., nat64-support, nat44-support), but we updated those to make use of identities. 

I do not recall having seen these when expressions. But even if there
were when expressions, this does not the same as features. A when
expression puts a constraint on a valid configuration, a feature
expresses that not all parts of a model may be implemented. This is
implementation time partitioning vs. configuration time partitioning.
 
>  If I am not a nat64, then apparently
> > several objects to not apply to me.
> 
> [Med] Yes. We tried to cover this by "when" statements. 
> 
>  This is what features allow you to
> > express. Perhaps someone wanted identities for something different, I
> > do not know. I think it is reasonable to assume that not all NAT
> > implementations will support all types of NATs that the model supports
> > and hence the model should reflect this.
> > 
> 
> [Med] The module indicates what a given implementation has to support based on its capabilities. This is handled by means of "when" statements.   

This seems to be a mis-understanding of what when expressions do. See
above for the explanation.

> > > > - What is the vrf-routing-instance identity good for?
> > >
> > > [Med] This is used to bind a NAT function to an external VRF routing
> > instance. Please check https://www.ietf.org/mail-
> > archive/web/opsawg/current/msg05117.html
> > >
> > 
> > I very much doubt that an identity identifies a VRF instance. I am not
> > questioning the need to identify a VRF, I am questioning that the
> > solution put in place achieves this.
> 
> [Med] Thank you for clarifying. This is actually a good point. The options we considered are as follows: 
> 
> (1) Use an Identity to avoid struggling with semantics of how a VRF can be defined.
> (2) Point to draft-ietf-rtgwg-ni-model, likely (?) as a normative reference. 
> (3) Remove the VRF thing from the draft; future extensions can be defined.
> 
> Given that "VRFs" are not required for all NATs and some reviewers asked to add VRFs in addition to interfaces, we went for option (1). Having a dependency on a YANG module under development is not justified for all implementations. 
>

But (1) is broken as far as I can tell. You either work out with the
routing guys how to properly refer to a VRF or you better leave this
out.

> > If leafs are not configurable, then they should be config false.
> 
> [Med] I will revert config to false as we used to have in previous versions. As I said earlier, pyang will cry. I don't know how to fix that. 
>

Then ask for help including the error message. Marking something that
is conceptually "config false" as "config true" is pretty misleading.

> [Med] The current module allows for implementations that support many translation flavors. In particular, it allows for a same NAT instance to enable many features in the same time.
> 
> There is no need to indicate explicitly the translation scheme(s) to enable because this will be implicitly deduced from the configuration parameters. For example: 
> - an implementation supplied with an external IPv4 address pool only, will automatically behave in the base NAT mode.
> - an implementation supplied with an external IPv4 address pool and port-related parameters will behave in the NAPT mode.
> - an implementation supplied with an external IPv4 address pool, port-related parameters, and NAT64 prefixes will behave in the statefull NAT64 mode
> - an implementation supplied with an external IPv4 address pool, port-related parameters, dst-nat-enable=true, and dst-ip-address-pool will behave in the NAPT mode + destination NAT
> 
> and so on. 

As long as this is clear from the specification. One option you may
consider is to use presence containers that can carry the bit when to
enable / disable a specific NAT function. (Although personally, I am
not such a big fan of presence containers, perhaps since I am not a
fan of side effects in general).
 
> > > [Med] Yes.
> > >
> > > >
> > > > - logging-info
> > > >
> > > >   Is this information complete? Perhaps it is for plain syslog
> > > >   (without any security) but I doubt the info is complete for the
> > > >   other transports mentioned, at least not for FTP. And surely, if you
> > > >   want to protect the logging information, then you will neeed way
> > > >   more parameters. And what does 'retrieving' logging entries mean?  I
> > > >   assume with syslog and ipfix you push log messages. I am less sure
> > > >   about FTP. Perhaps less is more and simply provide support for
> > > >   syslog and leave the other options for extensions. You have a choice
> > > >   in place, so not need to go and deal with all possible complexity
> > > >   here.
> > > >
> > >
> > > [Med] It is out of scope of specify the exact logging information. Those
> > considerations are out of scope. We only focus on the protocol and the
> > server information.
> > 
> > I think my comment was saying that the information is not sufficient to
> > talk to a server.
> 
> [Med] It is only about the minimal set of information. The information is not complete on purpose. Protocol-specific information is out of scope of this document. 

I am not sure it is valuable to have a standards-track specification
for something that is incomplete up the point that it can't be used if
implemented without annotations and extensions, i.e., the whole thing
can't be interoperable unless there is a standards-track extension. So
I would rather not standardize this at all and wait until someone is
willing to work out the details.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email