Re: [I2nsf] Request for WGLC on I2NSF YANG Data Models

Linda Dunbar <linda.dunbar@huawei.com> Wed, 17 April 2019 14:56 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>, Gabriel Lopez <gabilm@um.es>
CC: Yoav Nir <ynir.ietf@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Chris Shen <shenyiwen7@gmail.com>, "skku_secu-brain_all@googlegroups.com" <skku_secu-brain_all@googlegroups.com>, "Jingyong (Tim) Kim" <wlsdyd0930@nate.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Cs49Iz1DKS_WXoqZlqy9Wsgk2y4>

Paul, et al,

We will start the WGLC after closing the i2nsf-capability WGLC and i2nsf-sdn-ipsec-flow-protection.
Should start the WGLC by May 8.

Thanks for being patient.

Linda & Yoav.


From: Mr. Jaehoon Paul Jeong [mailto:jaehoon.paul@gmail.com]
Sent: Thursday, April 04, 2019 5:41 AM
To: Gabriel Lopez <gabilm@um.es>
Cc: Linda Dunbar <linda.dunbar@huawei.com>; Yoav Nir <ynir.ietf@gmail.com>; i2nsf@ietf.org; Chris Shen <shenyiwen7@gmail.com>; skku_secu-brain_all@googlegroups.com; Jingyong (Tim) Kim <wlsdyd0930@nate.com>; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
Subject: Re: [I2nsf] Request for WGLC on I2NSF YANG Data Models

Hi Gabriel,
I have submitted a revision of the Consumer-Facing Interface Data Model draft supporting
your IPsec method for IKE and IKEless cases:
https://tools.ietf.org/html/draft-ietf-i2nsf-consumer-facing-interface-dm-04

Thanks.

Best Regards,
Paul

On Mon, Apr 1, 2019 at 10:30 PM Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
Hi Gabriel,
I will answer your questions inline below.

On Mon, Apr 1, 2019 at 7:18 PM Gabriel Lopez <gabilm@um.es> wrote:
Hi Paul.

Just a few comments about the drafts:


On 28 Mar 2019, at 8:39, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:

Hi Linda and Yoav,
As we discussed at this I2NSF WG meeting, my SKKU team reflected the data convergence
including I2NSF IPsec (such as ipsec-ike case and ipsec-ikeless case) on the three data model drafts, and then
uploaded them into the IETF repository this morning:
- NSF Capability Data Model
- NSF-Facing Interface Data Model
- Registration Interface Data Model

The update of each draft is described in Changes section per draft.

There is no change in Consumer-Facing Interface Data Model draft.

Could you start WGLC for the following four data model drafts?
- NSF Capability Data Model
  https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-04


This draft specifies whether IKE/IKE-less cases are supported by the NSF or not, in the same way that it specifies if the NSF supports IPS or not. But the details about capabilities for ipsec or IDS are moved now to another draft (dong-i2nsf-asf-config). Is it right?

 => Yes. For the detailed configuration of ipsec, we will be able to use your data model by
      letting it be referenced by our NSF-facing interface YANG module.
      We will let you know how to modify your YANG module this week so that it can be used by our NSF-facing interface data model.




- NSF-Facing Interface Data Model
  https://tools.ietf.org/html/draft-ietf-i2nsf-nsf-facing-interface-dm-05

How does it align with the security-policy-translation draft?
 => The security policy translator translates a high-level security policy XML file (based on Consumer-facing interface data model)
       into a low-level security policy XML file (based on NSF-facing interface data model).
       In the security-policy-translation draft,
       there is exemplary XML code as follows:
       - High-level security policy XML Code
          https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-03#page-7

       - Low-level security policy XML Code
         https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-03#page-18


- Registration Interface Data Model
  https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03





- Consumer-Facing Interface Data Model
  https://tools.ietf.org/html/draft-ietf-i2nsf-consumer-facing-interface-dm-03


Import of the ipsec draft should not be included here. Both drafts (ipsec and this one) should stay both like nsf facing interface models, but not one integrated into the other.

  => This statement is not clear to me. Could you clarify this more clearly if you have a better way?

       For Registration interface data model, we use ipsec-method (either IKE or IKEless) that is defined in I2NSF Capability data model draft:
       https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-04#page-7

       To use this ipsec-method in Registration interface data model, we import I2NSF Capability data model as follows:

############################################################
6.1.3. NSF Capability Information - p. 11
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-11

----------------------------------------------------------------------------------------------------
6.2. YANG Data Modules - p. 12
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-12

import ietf-i2nsf-capability {
  prefix capa;
  reference "draft-ietf-i2nsf-capability-data-model-04";
}

----------------------------------------------------------------------------------------------------
grouping i2nsf-nsf-capability-info - p. 15-16
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-16

grouping i2nsf-nsf-capability-info {
  description
    "Detail information of an NSF";
  container i2nsf-capability {
    description
      "ietf i2nsf capability information";
    uses "capa:nsf-capabilities";
    reference "draft-ietf-i2nsf-capability-data-model-04";
  }
  container nsf-performance-capability {
    description
      "performance capability";
    uses i2nsf-nsf-performance-capability;
  }
}

----------------------------------------------------------------------------------------------------
Configuration Example 1~6: p. 19
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-19

<ipsec-method>ikeless</ipsec-method>
############################################################

      For the configuration of IPsec (e.g., SPD and PAD parameters) for an NSF, could you make a YANG code
      for such configuration for Registration interface YANG code and XML code like our example in
      Registration interface data model draft?
      We will be able to include your YANG code to accommodate IPsec configuration in the revision of our Registration interface data model draft.

      If you have a better way to configure your IPsec configuration into Security Controller, please let me know.

 => For Consumer-facing interface data model, we will include ipsec-method (either IKE or IKEless) in
      the revision of Consumer-facing interface data model draft.
      This configuration will let NSFs for a high-level security policy make an IPsec tunnel between each pair of NSFs
      along the SFC path (e.g., Firewall -> DPI -> DDoS Attack Mitigator).

      I think your students can work with my students at SKKU for the test of this integration and test.
      My Ph.D student, Jinyong (Tim) Kim, is in charge of the implementation and test.

      If you have questions, please let me know.

      Thanks.

      Best Regards,
      Paul

Best regards, Gabi.



I hope we can publish them before the IETF-105 Montreal meeting. :-)

Thanks.

Best Regards,
Paul
--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php<http://cpslab.skku.edu/people-jaehoon-jeong.php>

-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es




