Hi Paul! Thanks for the quick update. This change removed the explicit link to draft-dong-i2nsf-asf-config. However, now the document has a number of undocumented elements of the YANG model under advanced-nsf-capability. Citing RFC8329 is helpful to link them to NSF capabilities, but this doesn’t explain the differences between these YANG elements. I thinking there are a couple of options:
(1) remove advanced-nsf-capabilities entirely (2) leave only a “top-level container” named advanced-nsf-capabilities and specify this no further. Some text is required to explain that the advanced-nsf-capabilities is an extension point. (3) leave the text as is in -07, and add rudimentary text explaining each of the leaves in advanced-nsf-capabilities as being extension points for particular advanced capabilities (and explain the differences between them) As a separate matter and I should have noticed it earlier, I see the use of the language “whitelist”. In the spirit of reconsidering language that some consider exclusionary, could you please (i.e., s/whitelist/allow-list/): OLD: identity whitelists { base anti-virus-capability; description "Identity for advanced NSF Anti-Virus Whitelists capability"; reference "RFC 8329<https://tools.ietf.org/html/rfc8329>: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus Whitelists capability"; } NEW: identity allow-list { base anti-virus-capability; description "Identity for advanced NSF Anti-Virus Allow List capability"; reference "RFC 8329<https://tools.ietf.org/html/rfc8329>: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus Allow List capability"; } Regards, Roman From: I2nsf <i2nsf-boun...@ietf.org> On Behalf Of Mr. Jaehoon Paul Jeong Sent: Tuesday, August 25, 2020 8:18 AM To: Roman Danyliw <r...@cert.org> Cc: i2nsf@ietf.org; skku-iotlab-members <skku-iotlab-memb...@googlegroups.com>; Mr. Jaehoon Paul Jeong <jaehoon.p...@gmail.com>; Susan Hares <sha...@ndzh.com> Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05 Hi Roman, I have addressed your two comments in the revision: https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-07 - Addition of RFC 3688 in Normative References - Removal of the references for draft-dong-i2nsf-asf-config from the draft Please move our draft forward. Thanks. Best Regards, Paul On Mon, Aug 24, 2020 at 9:08 PM Roman Danyliw <r...@cert.org<mailto:r...@cert.org>> wrote: Hi Paul! (my apologies. These email got stuck in my outbox and was intended to go out when I made the state change in the data tracker) Thanks for the extensive changes you made in -06 and my apologizes in the delay in responding. All feedback but the following has been addressed: (1) IDNits returned the following valid comment about references (many of the issue is noted were in the YANG module) == Missing Reference: 'RFC3688' is mentioned on line 1764, but not defined [Paul] => There is no reference to RFC3688 (The IETF XML Registry). Could you doublecheck your comment to let me follow it? [Roman] See Section 7 --[ snip ]-- 7. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: … --[ snip ]-- (10) Section 4. Per "Note that the NSF-Facing Interface ... and the NSF Monitoring Interface is used to ...", does this text need additional precision based on the definitions in RFC8329. Per RFC8329, the "NSF-Facing Interfaces" consists of the "NSF Operational and Administrative Interface" and a "Monitoring Interface". If draft-dong-i2nsf-asf-config is on the "Monitoring Interface", on which "sub-interface" of the "NSF-Facing Interface" does draft-ietf-i2nsf-nsf-facing-interface-dm belong? (28) Section 6.1.. In the advanced-nsf-capability section, there are multiple normative references to draft-dong-i2nsf-asf-config-01, an expired, individual draft. Additionally, Section 4 notes how it supports the advanced capabilities. This draft is a substantial portion of the YANG module added in -03. What's the plan on resolving this dependency? [Paul] => This draft will be developed by I2NSF WG later. I still have the same question. It doesn’t appear to me that the WG is currently positioned to do anything with draft-dong-i2nsf-asf-config . Practically, it isn’t even a WG product, but an individual submission that wasn’t adopted. It was last updated 22 months ago and expired almost 18 months ago. Correct me where I have it wrong, but this draft provides a generic model for the capabilities and draft-dong-i2nsf-asf-config appears to be acting as an extension for more advancing NSF capabilities. I think we have (at least) two options: (a) Remove references to the capabilities derived from draft-dong-i2nsf-asf-config; if there is energy, consider adopting it in the WG at some point in the future, and it could update this document (draft-ietf-i2nsf-capability-data-model); in the meantime this document gets published (b) Continue advancing this document and stall awaiting a missing reference (MISREF) in the RFC Editor queue (just like draft-ietf-i2nsf-applicability) for something to happen to draft-dong-i2nsf-asf-config I have a preference for (a) because I don’t see value in blocking the publication of a named deliverable of the WG for an unadopted (individual), expired draft; and this approach doesn’t preclude future enhancements (as proposed by draft-dong-i2nsf-asf-config). What does everyone else think? Regards, Roman From: Mr. Jaehoon Paul Jeong <jaehoon.p...@gmail.com<mailto:jaehoon.p...@gmail.com>> Sent: Monday, July 13, 2020 9:04 AM To: Roman Danyliw <r...@cert.org<mailto:r...@cert.org>> Cc: i2nsf@ietf.org<mailto:i2nsf@ietf.org>; Susan Hares <sha...@ndzh.com<mailto:sha...@ndzh.com>>; skku-iotlab-members <skku-iotlab-memb...@googlegroups.com<mailto:skku-iotlab-memb...@googlegroups.com>>; Mr. Jaehoon Paul Jeong <jaehoon.p...@gmail.com<mailto:jaehoon.p...@gmail.com>> Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-capability-data-model-05 Hi Roman, I (as an editor) have revised the I2NSF Capability Data Model Draft and posted it into the IETF repository: https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-06 Here is the revision letter to explain how to address your comments. If you are satisfied with this revision, could you move this draft to the IESG evaluation? Thanks for your valuable comments and help.. Best Regards, Paul -- =========================== Mr. Jaehoon (Paul) Jeong, Ph.D. Associate Professor Department of Computer Science and Engineering Sungkyunkwan University Office: +82-31-299-4957 Email: jaehoon.p...@gmail.com<mailto:jaehoon.p...@gmail.com>, paulje...@skku.edu<mailto:paulje...@skku.edu> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php<http://cpslab.skku.edu/people-jaehoon-jeong.php> On Wed, May 13, 2020 at 7:11 AM Roman Danyliw <r...@cert.org<mailto:r...@cert.org>> wrote: Hi! I conducted an AD review of draft-ietf-i2nsf-capability-data-model-05. Thanks for the work in getting this document written. My most significant items are around aligning of the text in Section 4 with RFC8329 and the dependency on draft-dong-i2nsf-asf-config-01. My detailed feedback is below. (1) IDNits returned the following valid comment about references (many of the issue is noted were in the YANG module) == Missing Reference: 'RFC3688' is mentioned on line 1764, but not defined (2) Section 1. Typo. s/[draft-ietf-i2nsf-capability]../ [draft-ietf-i2nsf-capability]./ (3) Section 3. Is there a reason to rely on two expired drafts for terminology -- [draft-ietf-i2nsf-terminology] and [draft-ietf-supa-generic-policy-info-model]? In particular, couldn't RFC3444 provide the needed definitions of data and information models? (4) Section 4. I would have expected somewhere in this overview section an explicit enumeration of which I2NSF interfaces use this YANG module. (5) Section 4. Per "Figure 1 shows the capabilities of NSFs in I2NSF Framework." -- Thanks for reusing the diagram from RFC8329 and annotating it with more detail. It helps connect the documents -- It wasn't clear to me where the "capabilities" are on the diagram -- Is all of the detail under the NSFs (i.e., E, C and A) needed in the diagram? Text doesn't explain it or reference it. If kept, it should be explained and E, C and A should be defined (i.e., saying these correspond to Event, Condition and Action) (6) Global. Editorial. Is there a reason to abbreviate "Mgmt" in "Developer's Mgmt System in the text? Recommend s/Developer's Mgmt System/Developer's Management System/g (7) Section 4. Per "To register NSFs in this way, the Developer's Mgmt System utilizes this standardized capabilities YANG data model through its registration interface.", this confused me a bit. Doesn't the Developer Management System use the model described in draft-ietf-i2nsf-registration-interface-dm for registration? (8) Section 4. Editorial. Per "... those security devices can be easily managed, ...", I might have used "more easily managed". (9) Section 4. Per "The use cases are described below.", where are those use cases described? Is this text a reference to the "Configuration Examples" in Appendix A? (10) Section 4. Per "Note that the NSF-Facing Interface ... and the NSF Monitoring Interface is used to ...", does this text need additional precision based on the definitions in RFC8329. Per RFC8329, the "NSF-Facing Interfaces" consists of the "NSF Operational and Administrative Interface" and a "Monitoring Interface". If draft-dong-i2nsf-asf-config is on the "Monitoring Interface", on which "sub-interface" of the "NSF-Facing Interface" does draft-ietf-i2nsf-nsf-facing-interface-dm belong? (11) Figure 1. Editorial Nit. Is there are reason that the Registration interface has a bidirectional arrow between the network operator management system and the developer management system, but the there is no directionality on the consumer or NSF facing interface? (12) Section 4. The bulleted list under Figure 1 is helpful in describing Figure 1. However, I'd recommend explicitly saying this is an example. Explain the use case up front and then narrate the flow clearly delineating what is in and out of scope of I2NSF. IMO, the text describes a number of internal processing functions which are in scope for standardization - please let me know if I'm reading it wrong. (13) Section 4. Per "If network manager wants to block malicious users with IPv6, the network manager sends the security policy rules to block the users to the Network Operator Mgmt System using I2NSF user ....", can you please clarify "malicious users with IPv6"; is the intent that the network manager is concerned about malicious IPv6 traffic? (14) Section 4. Bullet 1 under Figure 1. Per "a web browser or a software", what's the difference between a browser and software? (15) Section 4. Editorial. Per the second bullet under Figure 1, "If NSFs encounter the malicious packets, it is a tremendous burden for the network manager to apply the rule to block the malicious packets to NSFs one-by-one. This problem can be resolved by managing the capabilities of NSFs.", delete this text. It is a duplicate of what was stated in the first bullet. (16) Section 4. Per the paragraph, "If NSFs encounter the suspicious IPv4 packets, they can ask the Network Operator Mgmt System for information about the suspicious IPv4 packets in order to alter specific rules and/or configurations. When the Network ...", how much of that signaling is in scope for I2NSF? (17) Section 4. Typo. s/suspiciou/suspicious/ (18) Section 5.1. Editorial. s/The model includes NSF capabilities/The model describes NSF capabilities/ (19) Section 5.1. Editorial. "specify" is used twice in the sentence. OLD Time capabilities are used to specify the capabilities to specify when to execute the I2NSF policy rule. NEW Time capabilities are used to specify the capabilities which describe when to execute the I2NSF policy rule. (20) Section 5.1. Editorial. This sentence didn't parse for me. The second contains duplicate text. OLD Event capabilities are used to specify capabilities how to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The defined event capabilities are defined as system event and system alarm. NEW Event capabilities are used to specify the capabilities that describe the event that would trigger the evaluation of the condition clause of the I2NSF Policy Rule. The defined event capabilities are system event and system alarm. (21) Section 5.1. A number of capabilities note that they can be extended which is a helpful feature. For example, "The condition capability can be extended according to specific vendor condition features." However, where is the guidance on doing that? Likewise, it might not be necessary to repeat this statement five times if the extension mechanism is the same. (22) Section 5.1. A number of the described capability types state that they are described in detail in draft-ietf-i2nsf-capability.. For example, "The condition capability is described in detail in [draft-ietf-i2nsf-capability]." I had difficulty locating which specific section to review. Also, for the default action capabilities, no described of "pass, drop .. mirror" was found in draft-ietf-i2nsf-capability. Please provide a specific section number for the event, condition, action, resolution strategy and default action in draft-ietf-i2nsf-capability. (23) Section 5.1. Editorial. These sentences didn't parse for me. OLD Action capabilities are used to specify capabilities of how to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NEW Action capabilities are used to specify the capabilities that describe the control and monitoring aspects of flow-based NSFs when the event and condition clauses are satisfied. OLD Resolution strategy capabilities are used to specify capabilities of how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF. NEW Resolution strategy capabilities are used to specify the capabilities that describe conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF. OLD Default action capabilities are used to specify capabilities of how to execute I2NSF policy rules when no rule matches a packet. NEW Default action capabilities are used to specify the capabilities that describe how to execute I2NSF policy rules when no rule matches a packet. (24) Section 6.1. Update the copyright date and revision date to be in 2020. (25) Section 6.1. Given that draft-ietf-i2nf-monitoring-data-model is referenced in the YANG model for event and system alarm, please make it a normative reference. (26) Section 6.1. identity ingress/egress-action-capability. I found draft-ietf-i2nsf-capability-04 to be an unexpected reference.. There is no mention of ingress or egress in that document. (27) Section 6.1. identity pass, drop, reject, alert, mirror. I found draft-ietf-i2nsf-capability-04 to be an unexpected reference.. There is no mention of pass, drop, reject, alert or mirror in that document. (28) Section 6.1. In the advanced-nsf-capability section, there are multiple normative references to draft-dong-i2nsf-asf-config-01, an expired, individual draft. Additionally, Section 4 notes how it supports the advanced capabilities. This draft is a substantial portion of the YANG module added in -03. What's the plan on resolving this dependency? (29) Section 6.1. Typo. s/Funtion/Function/ (30) Section 6.1. The list of references in generic-nsf-capabilities don't line up with those in the child leaflist(s). For example, RFC 792 is mentioned in the top level reference list but not in any of the child leaflist (specifically not in leaf-list icmp-capability) (31) Section 6.1. Typo. s/smae/same/ (32) Section 8. A few clarifying updates to the template: OLD These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. ietf-i2nsf-capability: The attacker may provide incorrect information of the security capability of any target NSF by illegally modifying this. NEW These data nodes may be considered sensitive or vulnerable in some network environments. Write operations to these data nodes could have a negative effect on network and security operations. ietf-i2nsf-capability: An attacker could alter the security capabilities associated with an NSF whereby disabling or enabling the evasion of security mitigations. OLD ietf-i2nsf-capability: The attacker may gather the security capability information of any target NSF and misuse the information for subsequent attacks.. NEW ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering. Regards, Roman _______________________________________________ I2nsf mailing list I2nsf@ietf.org<mailto:I2nsf@ietf.org> https://www.ietf.org/mailman/listinfo/i2nsf -- =========================== Mr. Jaehoon (Paul) Jeong, Ph.D. Associate Professor Department of Computer Science and Engineering Sungkyunkwan University Office: +82-31-299-4957 Email: jaehoon.p...@gmail.com<mailto:jaehoon.p...@gmail.com>, paulje...@skku.edu<mailto:paulje...@skku.edu> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php<http://cpslab.skku.edu/people-jaehoon-jeong.php>
_______________________________________________ I2nsf mailing list I2nsf@ietf.org https://www.ietf.org/mailman/listinfo/i2nsf