What: Joint OpsAWG / OpsArea
When: 09:30-11:30, Wednesday Session I, Nov 9, 2022
Where: Mezzanine 10-11

OpsAWG Section
--------------------

Administrivia - scribes, minutes, etc.
Tianran / Joe / Henk
5 minutes

* Rob will review tlstm after this IETF. He's working on SBOM now
* On add-encrypted-dns, chairs were hoping for some more reviews since the incorporation of 4014 updates. Things have been quiet; will work with dhc WG to get shepherd and progress from LC

MUD Updates
Michael Richardson
10min
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-iot-dns-considerations/
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-acceptable-urls/

* Slides missing; likely a chairs' confusion over the PCAP/MUD slides
* MCR presented sans slides (slides now in Data Tracker)
* Two documents on MUD
  * Acceptable URLs
  * DNS Considerations
* Acceptable URLs updates 8520, but non-controversial. Been through a number of reviews
  * Changes processing rules for one of the MUD file attributes
  * Around for more than a year
  * Has had deep review
  * Ready for WG LC
* DNS Considerations
  * Deep review from Ben Schwartz
    * Should be using SOCKSv5 to apply name-based filtering
    * Doing so would revise 8520
    * Don't think it's practical
  * IoT devices cannot bypass local DNS but can use DoH, DoQ, etc.
  * Home devices should talk to home DNS/home router
  * Long and short: use local DNS
  * Ready for WG LC
* Tiru: Don't agree with Ben's comments that you need root certs on each device; should filter DNS traffic with local routers doing forwarding
* Michael: Nothing against encrypted DNS, but make sure you use local DNS
* Henk: Can go into last call; just a matter of timing
* Action Item: Move to WG LC

IPFIX Proposals
Thomas Graf
15min https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-ipfix-srv6-srh
5min https://datatracker.ietf.org/doc/html/draft-tgraf-opsawg-ipfix-inband-telemetry

IPFIX-SRv6-SRH:
* Joe: request WG members to review the draft
* Benoit: we got feedback from IANA already, we have two interoperable implementations. Anything else we should be doing?
* Joe: We can do a WG LC; implementations (both OSS and commercial) are present/forthcoming; IANA feedback present

IPFIX-Inband-Telemetry:
* About six hands in room have read; AI: will call for adoption post 115 to see what the broader WG feels

An Update to the tcpControlBits IP Flow Information Export (IPFIX) Information Element
Mohamed Boucadair
5min
https://datatracker.ietf.org/doc/draft-boucadair-opsawg-rfc7125-update/

* Benoit: I feel that this should be taken up and worked; and there may be more than just tcpFlags that needs updating. It may be that we require to review all parts of the registry and update all that are required
* Show of hands: 14 responded, all showing interest in solving this problem
* Rob: It is better for this work to go through the WG if possible, better consensus and less overload.
* Joe: we will look at this work, but perhaps we can push forward with a broader look at the registries.
* Benoit: can you go through the IANA registry and have a look. If there are just a few, then it might be simple; if there are lots, then it might be a bigger job.
* Based on that, AI to call for adoption on list post 115

Asserting Wireless Network Connections Using DNS Resolvers' Identities
Tirumal Reddy
10min
https://datatracker.ietf.org/doc/draft-wing-opsawg-authenticating-network/

Warren: Might need to forget 802.1X ID (e.g., joining IETF network). What happens if DNS changes? Will users know enough to say, "yes, this is valid"? There needs to be a mechanism to allow users to switch from using old encrypted DNSes or know that a change in DNS is legit.

A Data Manifest for Contextualized Telemetry Data
Benoit Claise
10min
https://datatracker.ietf.org/doc/draft-claise-opsawg-collected-data-manifest/

* Alex Clemm: What is different from using the subscription ID from YANG Push?
* Benoit: If you lose access to the device, how will you backtrack to get that information? This is where the manifest comes in
* Alex: The client should still store the subscription data and/or subscribe to the subscription details as well
* Benoit: Indeed
* Rob: How is this different than what we have today? You can read YANG Library today.
* Benoit: There is already YANG library, but how will you know if the device has changed? You want to know the context from the platform to know it changed so you can identify when, for example, a bug has been fixed (i.e., the before and after)
* Rob: I think this is a good problem to be working on, but I have not read this draft to know if this is the right way to solve that problem
* Henk: Huge domain of metadata; if you look at integrity, there will need to be a lot of extensions to attest things like platform. This could turn into a large amount of metadata as other groups layer their work into this; this has the potential to be a very broad extension point
* Benoit: I agree. That may be needed to solve the closed-loop automation problem.
* Henk: Make sure that your scheme has forethought on extensibility
* Diego Lopez: We are starting to scratch the surface on integrity
* Many people in the room have read the document; AI: call for adoption after 115
* Creating an extension point here, that will be used.
* Benoit: I agree that we will need more and more of these to solve the closed loop, and I would agree with your statement.
* Henk: Please try and cross-pollinate this idea and make sure that we are considering these extensions.
* Diego: We are just starting at scratching services, have been discussing with (Jean) on how we can do this efficiently (i.e., in a compact way).

External Transaction ID for Configuration Tracing
Jean Quilbeuf
15min
https://datatracker.ietf.org/doc/draft-quilbeuf-opsawg-configuration-tracing/

Jan: Definitely a problem to be solved, I already have two drafts in this area. Removed from the transaction-id because that was the consensus at the time. In the light of these other drafts perhaps we'll add it back in. Definitely should include NETCONF and RESTCONF. The other solution aligns with existing technology. Interested in working together. Some areas are the same, some are different.
Rob: Good that both sides are willing to work together; where to do this work? Would NETCONF be a better place for this?
Joe: As an arbitrary string with no coordination, clients could choose the same string? Need a unique id.
Jean: We do need unique IDs and persistence. This is a hard problem to solve, but we will look at this
Rob: In terms of conflicting client IDs, push this downstream (i.e., out of scope but advice can be given)
Joe: As chair, think that NETCONF might be a better area for this work.
On poll, 18 people raised hands in support of working on this problem space, no hands not raised; though NETCONF seems like perhaps a better place for this given other related work

Data Model for Lifecycle Management and Operations
Camilo Cardona
10min
https://datatracker.ietf.org/doc/html/draft-palmero-opsawg-dmlmo

Olga Havel: Kind of confusing to have "lifecycle operation" in the name as this does not have to be in scope; there seems to be a missing YANG module on ietf-dmlmo in the latest revision that was present in -05
Alex Clemm: Not quite sure why this is separate work from inventory; this would be things you'd likely want to aggregate at the OSS level; does this need to be instrumented in the network?
Camilo: This is highly dependent on inventory, and then we will use that
Alex: But you are talking about aggregate metrics across the network, so why instrument at the device level? This should be at the OSS/controller level, not in individual NEs, right?
Camilo: That is an open question as to whether or not this should be centralized at a controller or on individual devices
Rob: (as AD) Different groups interested in inventory models; interest to compare/contrast and bring those together; next step to create a mailing list to bring all parties together; interesting to decouple inventory from use; perhaps there is an idea to spin up a spec interest or WG group to coordinate a cohesive set of modules/models; AI on Rob to create mailing list
Qin: Had side meeting, like the idea of a mailing list
Henk: (no hats) on the license front: there is a lot of work going on into licenses in other groups (especially on software); [Michael] might be confusing things on licensing (might want entitlements, not licenses)
Camilo: Might not be able to answer directly. Here we are defining licences in the ability to run a feature or product. E.g., how many users can use that feature. Not like software licenses.
Henk: The exact scope of licenses should be obvious; everyone else will jump on this.
Michael: The term that you want is entitlements
Diego: Reaching the point that everything to do with the operational behaviour of the device, including inventory. I think that it is worth considering a group to help coordinate.
Rob: (as AD) create the mailing list, then see what comes from that
Bo: What is the scope of asset (it just mentions physical or virtual/software); what about Enterprise IT assets?
Camilo: There can be software assets, but haven't thought through to the Enterprise assets
Had to lock the queue; told Marisol to take comment to the list (or to the new mailing list)

An Inventory Management Model for Enterprise Networks
Bo Wu
10min
https://datatracker.ietf.org/doc/draft-wzwb-opsawg-network-inventory-management/

* Rob: We will work to coordinate with the other efforts in this area

A Policy-based Network Access Control
Qiufang Ma
10min
https://datatracker.ietf.org/doc/draft-ma-opsawg-ucl-acl/

Rob: Should we have something more generic than time period as condition to enable ACLs?
Joe: netmod gave opsawg first right of refusal; running a poll to see if there is interest here to work on this
Poll resulted in 14 raised hands and 8 no hands raised
Joe to provide feedback on list
David Sommer-Haris: You have user groups. Are you assuming that some other system is tracking the other IPs? I wasn't sure that I saw how this tracks the use case.
Qin: This has been discussed in netmod. Can use this to restrict access for particular groups.
David: Didn't define domains here. No definition of a domain (e.g., youtube.com is a domain). How is this done here?
Qin: Could add more attributes to cover your use cases. Good point, we can think about it.
Qin: Also been discussed in NETMOD, also a proposal for ACL extensions. Time based could be considered in generic ACL model.
(Bill Fenner [in netmod] raised that iCal work on time might be useful to import and use here)

If Time Allows:

PCAP and PCAPng and PCAP Link Types
Michael Richardson
5min
https://datatracker.ietf.org/doc/draft-richardson-opsawg-pcaplinktype/

Rob: (no hats) Try to get it through a WG; we should try to get this done
Michael: Would like to see all three documents adopted and move quickly
AI: Call for adoption post 115

Ops-Area Section
---------------------

Administrivia - scribes, minutes, etc.
Warren / Rob
5 minutes

* Rob: Please consider joining OPS DIR as we have had people drop out recently; please provide feedback on NOMCOM
* Warren: OPS DIR is a great way to get your feet wet in a leadership-like role without being a chair

Requirements DetNet in large scale networks
Toerless Eckert
10min

* Toerless: Please come to DetNet with your large network performance needs
* Rob: Thanks for presenting!

Open Mic

* Warren: Please throw tomatoes at us (no tomatoes)
* Warren: Please join OPS DIR and please provide NOMCOM feedback; many candidates running

EOM