Last Call Review of draft-ietf-i2nsf-consumer-facing-interface-dm-26
review-ietf-i2nsf-consumer-facing-interface-dm-26-secdir-lc-kaufman-2023-03-16-00

Request: Review of draft-ietf-i2nsf-consumer-facing-interface-dm
Requested revision: No specific revision (document currently at 31)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-03-16
Requested: 2023-03-02
Authors: Jaehoon Paul Jeong, Chaehong Chung, Tae-Jin Ahn, Rakesh Kumar, Susan Hares
I-D last updated: 2023-03-16
Completed reviews:
  Yangdoctors Last Call review of -05 by Jan Lindblad
  Yangdoctors Last Call review of -07 by Jan Lindblad
  Secdir Early review of -20 by Charlie Kaufman
  Genart Last Call review of -26 by Roni Even
  Tsvart Last Call review of -26 by Dr. Joseph D. Touch
  Secdir Last Call review of -26 by Charlie Kaufman
  Intdir Telechat review of -27 by Dirk Von Hugo
Assignment: Reviewer Charlie Kaufman
State: Completed
Request: Last Call review on draft-ietf-i2nsf-consumer-facing-interface-dm by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/xHBb7SAOBmJSi24cYbor2sJUVdY
Reviewed revision: 26 (document currently at 31)
Result: Ready
Completed: 2023-03-15
Reviewer: Charlie Kaufman
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document specifies a syntax for specifying security policies that apply in
a networked environment. It is intended that general policies would be fed into
the system in this syntax and then some policy engine would determine which
policies need to be enforced by which nodes in the system and appropriate
subsets would be distributed. The syntax takes the form of a YANG data model.

The review result I wanted to give was "Mostly Harmless". I am skeptical as to
whether the collection of policies specifiable is flexible enough to be usable
to manage a real network, but the syntax is easily extensible and this seems as
good a place to start as any. If it encourages experimentation with management
systems that distribute policies this way, that would be a good thing, and any
deficiencies found could be fixed later. I could imagine other groups having
very different visions as to how to manage this information, but I would not
expect the presence of this document as an RFC would discourage them from
experimenting with those visions.

I'm not sufficiently familiar with YANG or with Network Functions
Virtualization to have a useful opinion as to how good this design is.

One point I found slightly suspicious was this text from section 3.2:

"Also note that QUIC protocol [RFC9000] is excluded in the data model as it is
not considered in the initial I2NSF documents [RFC8329]. The QUIC traffic
should not be treated as UDP traffic and will be considered in the future I2NSF
documents."

I would think that an implementation that was oblivious to the existence of
QUIC would treat it as UDP traffic (contrary to what this says), and could
regulate it through that mechanism. As written, the text seems to say that this
protocol lacks any ability to control QUIC. But perhaps I misunderstand.

--Charlie
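The point the reviewer raises about section 3.2 can be made concrete with a small classifier. The following is an added illustration, not code from the review, the draft, or any I2NSF implementation: it builds two constructed IPv4/UDP packets (a QUIC v1 Initial and a plain DNS query), runs them through a policy engine that only matches on IP protocol number and destination port, and shows that such an engine regulates QUIC as UDP because QUIC is carried inside UDP datagrams. A separate helper peeks at the UDP payload for a QUIC long header (RFC 9000 section 17.2) to show what a QUIC-aware rule would have to inspect instead. The long-header check is a deliberately incomplete heuristic (short-header packets are not recognised), the rule set and default-permit behaviour are assumptions for the example, and the packet checksums are left zero because nothing here verifies them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass(frozen=True)
class Rule:
    """Port/protocol rule of the kind a transport-oblivious policy engine understands."""
    name: str
    proto: int                 # IP protocol number
    dst_port: Optional[int]    # None matches any destination port
    action: str                # "drop" or "pass"


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: IPv4 header without options, UDP header, payload.
    Checksums are zero; this example never validates them."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4(pkt: bytes) -> Tuple[int, Optional[int], Optional[int], bytes]:
    """Return (protocol, src_port, dst_port, l4_payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_hdr_len = 8 if proto == IPPROTO_UDP else (l4[12] >> 4) * 4
        return proto, sport, dport, l4[l4_hdr_len:]
    return proto, None, None, l4


def looks_like_quic(payload: bytes) -> bool:
    """Heuristic: QUIC v1 long header (RFC 9000 17.2). Bit 7 = long header form,
    bit 6 = fixed bit, followed by a 32-bit version equal to 0x00000001.
    Assumption for illustration only: short-header packets are not detected."""
    if len(payload) < 5:
        return False
    first = payload[0]
    if not (first & 0x80 and first & 0x40):
        return False
    version = struct.unpack("!I", payload[1:5])[0]
    return version == 0x00000001


def classify(pkt: bytes) -> str:
    """A QUIC-aware classifier: it must look past the UDP header to tell QUIC apart."""
    proto, _, _, payload = parse_ipv4(pkt)
    if proto == IPPROTO_UDP and looks_like_quic(payload):
        return "quic"
    return {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(proto, "other")


def apply_rules(rules: List[Rule], pkt: bytes) -> str:
    """Port/protocol-only policy engine. It never inspects the UDP payload,
    so QUIC is simply UDP to it and a UDP rule regulates it."""
    proto, _, dport, _ = parse_ipv4(pkt)
    for r in rules:
        if r.proto == proto and (r.dst_port is None or r.dst_port == dport):
            return r.action
    return "pass"  # default permit, an assumption of this example


# Constructed payloads: a minimal QUIC v1 Initial header (long form, fixed bit,
# version 1, 8-byte DCID, empty SCID) and a plain DNS A query for www.example.com.
QUIC_INITIAL = bytes([0xC0]) + struct.pack("!I", 1) + bytes([8]) + bytes(8) + bytes([0])
DNS_QUERY = bytes.fromhex("abcd01000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"

quic_pkt = build_ipv4_udp("10.0.0.2", "198.51.100.10", 50000, 443, QUIC_INITIAL)
dns_pkt = build_ipv4_udp("10.0.0.2", "10.0.0.53", 50001, 53, DNS_QUERY)

# Assumed rule set: block outbound UDP/443, allow DNS.
RULES = [
    Rule("block-udp-443", IPPROTO_UDP, 443, "drop"),
    Rule("allow-dns", IPPROTO_UDP, 53, "pass"),
]

if __name__ == "__main__":
    for label, pkt in (("quic", quic_pkt), ("dns", dns_pkt)):
        print(label, "classified as", classify(pkt), "-> engine says", apply_rules(RULES, pkt))
```

The UDP/443 rule drops the QUIC packet even though the engine has no notion of QUIC, which is the behaviour the reviewer expects from a QUIC-oblivious implementation. Treating QUIC as a distinct protocol, as the quoted text from section 3.2 suggests, would instead require a classifier like `looks_like_quic` that parses the UDP payload, and a data model with a way to express that distinction.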