Telechat Review of draft-ietf-i2nsf-nsf-facing-interface-dm-21
review-ietf-i2nsf-nsf-facing-interface-dm-21-secdir-telechat-melnikov-2022-02-15-00
review-ietf-i2nsf-nsf-facing-interface-dm-21-secdir-telechat-melnikov-2022-02-15-00
Reviewer: Alexey Melnikov
Review result: Has Minor Issues
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.
This document defines a YANG data model for configuring security
policy rules on Network Security Functions (NSF) in the Interface to
Network Security Functions (I2NSF) framework. The YANG data model in
this document corresponds to the information model for NSF-Facing
Interface in the I2NSF framework.
Overall the document reads well and YANG specific security considerations that
talk about access control for various elements look sufficient to me. However
the document lacks some details important for implementations, specific cases
listed below.
Issues.
identity transformation {
base egress-action;
description
"Identity for transformation. The transformation action is used
to transform the packet by modifying its protocol header such
as HTTP-to-CoAP translation.";
reference
"RFC 8075: Guidelines for Mapping Implementations: HTTP to the
Constrained Application Protocol (CoAP) - Translation between
HTTP and CoAP.";
}
This is not listed as a choice (in a comment) in "leaf egress-action". Should
it be? If it is listed, is this enough to define algorithmic transformations?
identity imaps {
base application-protocol;
description
"The identity for Internet Message Access Protocol (IMAP) over
TLS";
reference
"RFC 9051: Internet Message Access Protocol (IMAP) - Version
4rev2
RFC 2595: Using TLS with IMAP, POP3 and ACAP";
}
Thank you for splitting "imap" from "imaps" in -21.
In regards to references: please don't reference RFC 2595 for IMAPS here. IMAPS
is fully described by RFC 9051, so having a reference to RFC 2595 is misleading.
typedef time {
type string {
pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?'
+ '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?';
}
description
"The time type represents an instance of time of zero-duration
that recurs every day.";
}
I think you should also clarify in the description that this includes timezone,
for example:
"The time type represents an instance of time of zero-duration in the
specified timezone that recurs every day."
leaf session-aging-time {
type uint16;
units "second";
description
"This is session aging time.";
}
I can't figure out from the description what this means. Can you give an
example?
container long-connection {
description
"A container for long connection. A long connection is a
connection that is maintained after the socket connection
is established, regardless of whether it is used for data
traffic or not.";
leaf enable {
type boolean;
description
"If true, the rule is enabled and enforced.
If false, the rule is configured but disabled
and not enforced.";
}
leaf duration {
type uint16;
units "second";
description
"This is the duration of the long-connection.";
Is this max connection duration or the current duration?
}
}
container url-category {
description
"Condition for url category";
leaf description {
type string;
description
"This is description for the condition of a URL's
category such as SNS sites, game sites, ecommerce
sites, company sites, and university sites.";
}
leaf-list pre-defined {
type string;
description
"This is pre-defined-category. To specify the name of
URL database.";
}
leaf-list user-defined {
type string;
description
"This user-defined-category. To allow a users manual
addition of URLs for URL filtering.";
}
}
I think "user-defined" is supposed to be an URL. This needs a Normative
Reference. Please use RFC 3986.
leaf alert-flow-rate {
type uint32;
description
"The alert rate of flood detection for
flows per second of an IP address.
If the flows per second of an IP address
exceeds the alert rate threshold, an alert
will be generated.";
}
I assume you mean the rate of flow creation requests? E.g. new TCP connection
establishment. Please clarify this.
container anti-virus {
description
"Condition for antivirus";
leaf-list profile {
type string;
description
"The security profile for antivirus. This is used to
update the security profile for improving the
security. The security profile is used to scan
the viruses.";
}
leaf-list exception-files {
type string;
description
"The type or name of the files to be excluded by the
anti-virus. This can be used to keep the known
harmless files.";
Is this the list of filesystem paths? Of File patterns, like "*.exe"?
}
}
container payload {
description
"Condition for packet payload";
leaf description {
type string;
description
"This is description for payload condition.";
}
leaf-list content {
type string;
description
"This is a condition for packet payload content.";
What does this mean? Can you give some examples?
}
}
In "container users":
leaf security-group {
type string;
description
"security-group.";
}
What does this mean? How is it different from "group"?
Thank you,
Alexey