Re: [Last-Call] Yangdoctors last call review of draft-ietf-detnet-yang-14


 



Hi Don,

The section looks pretty good already. I only have a couple minor comments below.
Thanks,
- Xufeng

On Thu, Nov 18, 2021 at 4:34 PM Don Fedyk <dfedyk@xxxxxxxx> wrote:
Hi Xufeng

Thanks, I have updated a preliminary version 15 @ https://github.com/detnet-wg/draft-ietf-detnet-yang.

Most updates were straightforward - the security section I think everything is sensitive on write and anything that shows application is sensitive on read.

Here is how the section reads now: (Please comment if this is OK).

   There are a number of data nodes defined in the module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can break or
   incorrectly connect DetNet flows.  Since this is a configured Data
   Plane any changes that are not coordinated with all devices along the
   path the whole DetNet module is considered vulnerable and should have
   authorized access only.

   Similarly, the data nodes in these YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   node and their sensitivity/vulnerability:


   detnet/app-flows:
 
[Xufeng]: Would it be better to start with the root? If so, we'd have:
 /detnet/app-flows
 
This controls the application details so it could
   be considered sensitive.

   detnet/traffic-profile/member-app:
[Xufeng]:  As above, is it better to have:
/detnet/traffic-profile/member-app:
Since we are here, I just realized that "list traffic-profile" is not under a container like "apps". It is not necessarily wrong, but I'd like to mention it to ensure that it is intended.

This links traffic profiles to
   applications.

   detnet/service/incoming/app-flow: This links applications to
   services.
[Xufeng]: Is this under sub-layer? Should "sub-layer" be part of the xpath?
/detnet/service/sub-layer/incoming/app-flow:

   detnet/service/outgoing/app-flow: This links applications to
   services.
[Xufeng]: Same comment as above. 

Cheers
Don


-----Original Message-----
From: Xufeng Liu via Datatracker <noreply@xxxxxxxx>
Sent: Tuesday, November 9, 2021 3:07 PM
To: yang-doctors@xxxxxxxx
Cc: detnet@xxxxxxxx; draft-ietf-detnet-yang.all@xxxxxxxx; last-call@xxxxxxxx
Subject: Yangdoctors last call review of draft-ietf-detnet-yang-14

Reviewer: Xufeng Liu
Review result: Ready with Nits

Thanks to authors for addressing the previous review comments.

The updates look good. The following are a few additional nits:

1) In the model, “container flow-spec” has been changed to “container traffic-spec”, but the description has not been updated, shown as below:

         container traffic-spec {
           description
             "Flow-specification specifies how the Source transmits
              packets for the flow.  This is the promise/request of the
              Source to the network.  The network uses this flow
              specification to allocate resources and adjust queue
              parameters in network nodes.";

2) Most names of list and leaf-list have been fixed. The following three were missed:
“leaf-list member-apps” should be “leaf-list member-app”
“leaf-list member-services” should be “leaf-list member-service”
“leaf-list member-fwd-sublayers” should be “leaf-list member-fwd-sublayer”

3) Section 10.  Security Considerations would need to include a list of “sensitive or vulnerable” nodes.  RFC 8349 shows an example.

Thanks,
- Xufeng




-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
