Re: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection

Rafa Marin Lopez <rafa@um.es> Thu, 06 December 2018 09:38 UTC

From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B1F61FE@SJCEML521-MBB.china.huawei.com>
Date: Thu, 06 Dec 2018 10:38:36 +0100
Cc: Rafa Marin Lopez <rafa@um.es>, Yoav Nir <ynir.ietf@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-Id: <B964B976-957F-4824-9A18-576C683159FC@um.es>
References: <4A95BA014132FF49AE685FAB4B9F17F66B1F61FE@SJCEML521-MBB.china.huawei.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/4zZJaWTpSxHo3qeaODdzgeV4gEQ>
Subject: Re: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection

Hi Linda:

That was also suggested. In fact, our doubt is whether we should refer to something like:

https://tools.ietf.org/html/draft-ietf-netconf-crypto-types-02

In fact you can see in this reference things like:

  identity hmac-sha2-256-128 {
    base "mac-algorithm";
    description
      "Generating a 256 bits MAC using SHA2 hash function and truncate
       it to 128 bits";
    reference
      "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
                 IPSec";
  }

Although I think that the content of this reference should be expanded.

As another example, besides yours, they follow the model of importing:

https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-08

Best Regards.


> On 5 Dec 2018, at 21:48, Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
> Yoav asked:
> “What is our plan for future expansions?  Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations?  Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?”
>  
> We can use “import” and “augment” to add new attributes as demonstrated by https://datatracker.ietf.org/doc/draft-lee-ccamp-optical-impairment-topology-yang/?include_text=1
>  
>  
> Linda
> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Yoav Nir
> Sent: Wednesday, November 14, 2018 12:33 PM
> To: Rafa Marin-Lopez <rafa@um.es>
> Cc: i2nsf@ietf.org; Paul Wouters <paul@nohats.ca>
> Subject: Re: [I2nsf] Reviewing sdn-ipsec-flow-protection
>  
> Thanks, Rafa.
>  
> Just one response below.
> 
> 
> On 14 Nov 2018, at 11:30, Rafa Marin-Lopez <rafa@um.es> wrote:
>  
> Hi Yoav:
> 
> 
> On 8 Nov 2018, at 17:11, Yoav Nir <ynir.ietf@gmail.com> wrote:
>  
> Hi, all
>  
> As discussed in the room, we need some reviewers for the sdn-ipsec-flow-protection draft ([1])
>  
> Thanks for these comments. Please see our response below.
> 
>  
> While any comments on any part of the document are welcome, I would like people to concentrate on the following issues:
> The YANG model in Appendix A
> Some of the crypto seems obsolete (example: DES). We would get into trouble in SecDir review.  OTOH ChaCha20-Poly1305 is missing.
>  
> Agree. We will remove DES and add the algorithm you mention.
>  
> The TLS working group went quite far with TLS 1.3.  Only 2 ciphers remain: AES-GCM with 16-byte ICV, and ChaCha20-Poly1305. That’s it.  Specifically, they’ve deprecated everything that isn’t an AEAD.
>  
> The IPsecME working group hasn’t gone that far yet.  But in practice pretty much nothing is used except 3DES, AES-CBC, and AES-GCM.  Perhaps ChaCha20-Poly1305 is starting to see some use by now. We have RFC 8221, especially sections 5 and 6.  I think (although it’s up to the working group) that we should be fine defining only the MUSTs and the SHOULDs in those sections.
>  
> That brings another question. What is our plan for future expansions?  Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations?  Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?
>  
> Thanks
>  
> Yoav
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
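The thread above contrasts two ways of listing algorithms in the model: enumerations, which an NSF can only extend by republishing the module, and identities, which the crypto-types draft Rafa points to uses and which Linda's import/augment suggestion builds on. The following pair of modules is an added example, not code from the sdn-ipsec-flow-protection draft or from anyone in this thread. It shows a base module whose algorithm leaf is an identityref, and a second module that adds an algorithm and an attribute without touching the first. Module names, namespaces, prefixes, the node names ipsec/sa/encryption-alg/icv-length and the identity new-aead are all hypothetical; only aes-gcm-16, chacha20-poly1305 and RFC 8221 come from the thread.

```yang
// File 1: example-ipsec-algs.yang (hypothetical module)
module example-ipsec-algs {
  yang-version 1.1;
  namespace "urn:example:ipsec-algs";
  prefix ialg;

  // The base identity is the extension point. Nothing in this module
  // ever has to change to admit a new algorithm.
  identity encryption-algorithm {
    description
      "Base identity for ESP encryption algorithms.";
  }

  // Only AEAD algorithms named in the thread; DES is intentionally absent.
  identity aes-gcm-16 {
    base encryption-algorithm;
    description
      "AES-GCM with a 16-octet ICV.";
    reference
      "RFC 8221: Cryptographic Algorithm Implementation Requirements and
                 Usage Guidance for ESP and AH";
  }

  identity chacha20-poly1305 {
    base encryption-algorithm;
    description
      "ChaCha20-Poly1305 AEAD.";
    reference
      "RFC 8221: Cryptographic Algorithm Implementation Requirements and
                 Usage Guidance for ESP and AH";
  }

  container ipsec {
    list sa {
      key "spi";
      leaf spi {
        type uint32;
        description "Security Parameter Index of this SA.";
      }
      // identityref instead of enumeration: every identity derived from
      // encryption-algorithm, whether defined here or in a module that
      // imports this one, is a valid value for this leaf.
      leaf encryption-alg {
        type identityref {
          base encryption-algorithm;
        }
        mandatory true;
        description "ESP encryption algorithm for this SA.";
      }
    }
  }
}

// File 2: example-ipsec-algs-ext.yang (hypothetical extension module)
module example-ipsec-algs-ext {
  yang-version 1.1;
  namespace "urn:example:ipsec-algs-ext";
  prefix ialgx;

  import example-ipsec-algs {
    prefix ialg;
  }

  // A future algorithm is added by deriving from the imported base.
  // An NSF implementing this module accepts
  //   encryption-alg = "ialgx:new-aead"
  // with no edit to example-ipsec-algs. The name is a placeholder.
  identity new-aead {
    base ialg:encryption-algorithm;
    description
      "Placeholder for a future AEAD algorithm (hypothetical).";
  }

  // augment adds a new attribute to the existing SA list, the pattern
  // Linda refers to for new attributes.
  augment "/ialg:ipsec/ialg:sa" {
    leaf icv-length {
      type uint16;
      units "bits";
      description
        "ICV length negotiated for this SA (hypothetical attribute).";
    }
  }
}
```

On Yoav's "same page" question: with identities the controller does not have to guess. A NETCONF/RESTCONF server advertises the modules it implements in its YANG library (RFC 8525), so before the controller configures `ialgx:new-aead` on an NSF it can check whether that NSF lists example-ipsec-algs-ext there; an NSF that does not implement the extension module rejects the value as an unknown identity rather than silently accepting it, which is the failure mode an enumeration bump on only one side would produce.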