Re: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection
Linda Dunbar <linda.dunbar@huawei.com> Thu, 06 December 2018 15:38 UTC
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECDFC12F1A2 for <i2nsf@ietfa.amsl.com>; Thu, 6 Dec 2018 07:38:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id howDZBifpeJZ for <i2nsf@ietfa.amsl.com>; Thu, 6 Dec 2018 07:38:42 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8122F12F18C for <i2nsf@ietf.org>; Thu, 6 Dec 2018 07:38:41 -0800 (PST)
Received: from lhreml707-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 9A7415F59737A for <i2nsf@ietf.org>; Thu, 6 Dec 2018 15:38:35 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml707-cah.china.huawei.com (10.201.108.48) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 6 Dec 2018 15:38:36 +0000
Received: from SJCEML521-MBB.china.huawei.com ([169.254.6.33]) by SJCEML701-CHM.china.huawei.com ([169.254.3.198]) with mapi id 14.03.0415.000; Thu, 6 Dec 2018 07:38:35 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Rafa Marin Lopez <rafa@um.es>
CC: Yoav Nir <ynir.ietf@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection
Thread-Index: AQHUjUd8RTSeyIfDg0q9NNgvvBIq0qVx2M3A
Date: Thu, 06 Dec 2018 15:38:35 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B1F6A75@SJCEML521-MBB.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B1F61FE@SJCEML521-MBB.china.huawei.com> <B964B976-957F-4824-9A18-576C683159FC@um.es>
In-Reply-To: <B964B976-957F-4824-9A18-576C683159FC@um.es>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.218.180.231]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B1F6A75SJCEML521MBBchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/5p5QkWh8M3wRBa5sP1QcjxFfvis>
Subject: Re: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 15:38:47 -0000
Rafa, Thanks for getting a better reference. I like your approach. Linda From: Rafa Marin Lopez [mailto:rafa@um.es] Sent: Thursday, December 06, 2018 3:39 AM To: Linda Dunbar <linda.dunbar@huawei.com> Cc: Rafa Marin Lopez <rafa@um.es>; Yoav Nir <ynir.ietf@gmail.com>; i2nsf@ietf.org; Paul Wouters <paul@nohats.ca> Subject: Re: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection Hi Linda: That was also suggested. In fact, our doubt is whether we should refer to something like: https://tools.ietf.org/html/draft-ietf-netconf-crypto-types-02 In fact you can see in this reference things like: identity hmac-sha2-256-128 { base "mac-algorithm"; description "Generating a 256 bits MAC using SHA2 hash function and truncate it to 128 bits"; reference " RFC 4868 : Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPSec"; Although I think that the content of this reference should be expanded. As another example, besides yours, they follow the model of importing: https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-08 Best Regards. El 5 dic 2018, a las 21:48, Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> escribió: Yoav asked: “What is our plan for future expansions? Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations? Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?” We can use “import” and “augment” to add new attributes as demonstrated byhttps://datatracker.ietf.org/doc/draft-lee-ccamp-optical-impairment-topology-yang/?include_text=1 Linda From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Yoav Nir Sent: Wednesday, November 14, 2018 12:33 PM To: Rafa Marin-Lopez <rafa@um.es<mailto:rafa@um.es>> Cc: i2nsf@ietf.org<mailto:i2nsf@ietf.org>; Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>> Subject: Re: [I2nsf] Reviewing sdn-ipsec-flow-protection Thanks, Rafa. Just one response below. On 14 Nov 2018, at 11:30, Rafa Marin-Lopez <rafa@um.es<mailto:rafa@um.es>> wrote: Hi Yoav: El 8 nov 2018, a las 17:11, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> escribió: Hi, all As discussed in the room, we need some reviewers for the sdn-ipsec-flow-protection draft ([1]) Thanks for these comments. Please see our response below. While any comments on any part of the document are welcome, I would like people to concentrate on the following issues: * The YANG model in Appendix A * Some of the crypto seems obsolete (example: DES). We would get into trouble in SecDir review. OTOH ChaCha20-Poly1305 is missing.. Agree. We will remove DES and add the algorithm you mention. The TLS working group went quite far with TLS 1.3. Only 2 ciphers remain: AES-GCM with 16-byte ICV, and ChaCha20-Poly1305. That’s it. Specifically, they’ve deprecated everything that isn’t an AEAD. The IPsecME working group hasn’t gone that far yet. But in practice pretty much nothing is used except 3DES, AES-CBC, and AES-GCM. Perhaps ChaCha20-Poly1305 is starting to see some use by now. We have RFC 8221, especially sections 5 and 6. I think (although it’s up to the working group) that we should be fine defining only the MUSTs and the SHOULDs in those sections. That brings another question. What is our plan for future expansions? Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations? Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”? Thanks Yoav _______________________________________________ I2nsf mailing list I2nsf@ietf.org<mailto:I2nsf@ietf.org> https://www.ietf.org/mailman/listinfo/i2nsf
- [I2nsf] YANG module update when new algorithms ad… Linda Dunbar
- Re: [I2nsf] YANG module update when new algorithm… Rafa Marin Lopez
- Re: [I2nsf] YANG module update when new algorithm… Linda Dunbar