IETF Logo Mail Archive

Re: [I2nsf] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

Roman Danyliw <rdd@cert.org> Fri, 30 October 2020 19:40 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 179883A11A9; Fri, 30 Oct 2020 12:40:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqFsUPLdWAXP; Fri, 30 Oct 2020 12:40:24 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 624A83A11B0; Fri, 30 Oct 2020 12:40:23 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09UJe80Y005018; Fri, 30 Oct 2020 15:40:08 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 09UJe80Y005018
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1604086809; bh=UXDd4RoHBYuuWWCfC+/yfzH/Km+xpEg4xIRf0Vs4SPs=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=QsQzA/RE1sglvo7WF/J12BFxKDRQFwy+9ztjW3BJfPeD2dOUnhgJ30c59KT0zv6kk I1ks2O6AKrJsfOpnIjtWGaBg6tHRVOATSf0mh1O5746giUOPUFiwCrIrMjBSuv09iF zZyNvO1M165z6fQk1k84pOvOQPOFaj4jvV+8R2rY=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu [147.72.252.46]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09UJe4Ev031668; Fri, 30 Oct 2020 15:40:04 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Fri, 30 Oct 2020 15:40:04 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.002; Fri, 30 Oct 2020 15:40:03 -0400
From: Roman Danyliw <rdd@cert.org>
To: tom petch <daedulus@btconnect.com>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, Gabriel Lopez <gabilm@um.es>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, Rafa Marin-Lopez <rafa@um.es>
Thread-Topic: [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
Thread-Index: AQHWreX0c88acJXFBk2yYgVjsJF2bKmvCuOA///cU0CAAVuUAP//zZ2A
Date: Fri, 30 Oct 2020 19:40:03 +0000
Message-ID: <834a668ac559460a9f356bbb6c16b8fd@cert.org>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com>
In-Reply-To: <5F9BF578.6000101@btconnect.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.126]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/DO-fJq2XmuIrgpNw3dooQiTlQiw>
Subject: Re: [I2nsf] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 19:40:28 -0000

Hi Tom!

> -----Original Message-----
> From: tom petch <daedulus@btconnect.com>
> Sent: Friday, October 30, 2020 7:14 AM
> To: Roman Danyliw <rdd@cert.org>; Rafa Marin-Lopez <rafa@um.es>
> Cc: i2nsf@ietf.org; Fernando Pereniguez-Garcia
> <fernando.pereniguez@cud.upct.es>; Gabriel Lopez <gabilm@um.es>;
> ynir.ietf@gmail.com; last-call@ietf.org
> Subject: Re: [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-
> flow-protection-11.txt
> 
> Roman  not this I-D but see below
> 
> On 29/10/2020 18:46, Roman Danyliw wrote:
> > Hi Tom!
> >
> >> -----Original Message-----
> >> From: last-call <last-call-bounces@ietf.org> On Behalf Of tom petch
> >> Sent: Thursday, October 29, 2020 12:38 PM
> >> To: Rafa Marin-Lopez <rafa@um.es>
> >> Cc: i2nsf@ietf.org; Fernando Pereniguez-Garcia
> >> <fernando.pereniguez@cud.upct.es>; Gabriel Lopez <gabilm@um.es>;
> >> ynir.ietf@gmail.com; last-call@ietf.org
> >>
> >> Top posting a new, related issue that may need Security AD or WG
> >> Chair to act on.
> >>
> >> It seems to me that the IANA entries for IKEv2 are incomplete.
> >> RFC8247 does a fine job of specifying algorithms and adding
> >> information such as status (MUST/SHOULD+), IoT, AEAD and so on,
> >> information which is not present on IANA.  The policy for, e.g.
> >> Transform Type 1, is expert review and entries have been added via
> >> draft-smyslov-esp-gont but the IANA entries lack this information
> >> and, looking at the I-D, I see no such information (nor is there any
> >> reason for it to be there).  Yet draft-ietf-i2nsf-sdn... needs this information
> as references in the YANG module show.
> >>
> >> It seems to me that this is a similar situation to that which the TLS
> >> WG found itself in and which led to a revision of the TLS IANA
> >> entries to provide what was needed via additional columns.
> >
> > Please help me understand.  In particular, I'm not following why this
> document should modify IKE IANA registries.  In my view, this document is
> provides a data model to encode an "IKEv2 configuration" of sorts.  Certainly,
> there are valid/invalid/incomplete/not recommended ways to provide a
> configuration with this data model if one relied solely on the pointers to the
> IANA registries from the YANG module definition.  However, as you noted,
> RFC8247 already provides guidance on specifying a configuration (albeit this
> guidance isn't fully encoded in the registries).  Furthermore, this document
> states:
> >
> > Section 8.1
> >     o  IKEv2 configurations should adhere to the recommendations in
> >        [RFC8247].
> >
> > so there is guidance on producing a configuration.  What is missing?
> >
> >> I think that the IANA pages for IKEv2 need revising so that that
> >> additional information that RFC8247 provides is required as
> >> additional columns in the IANA entries at least for Type 1, Type 2,
> >> Type 3, Type 4 and Authentication Method.
> >
> > While things could be clearer, I'm unsure of why _this YANG document_
> should do a registry reengineering.  Did you mean it should be done in general?
> 
> Not this I-D but another I-D from a WG with closer links to IKEv2; I don't know
> which WG that would be but a Security AD would:-)

Thanks for clarifying.  IPSECME (https://datatracker.ietf.org/wg/ipsecme/about/) (who has been cross-posted with this note)  is likely the best place to handle IPsec maintenance and the kind of registry modifications you describe below.

Regards,
Roman

> This I-D, as you quote, points to RFC8247 for guidance and that is fine.
>   But security moves on and new algorithms will be needed and this I-D also
> points to the IANA registry, which is Expert Review, where new entries have
> been added already; and for those the IANA Registry gives no guidance and the
> I-D that IANA references for the new entries - written by the Expert Reviewer! -
> also gives no guidance. Over time we are likely to accrue algorithms with no
> guidance unless and until an RFC8247-bis appears or we require IANA to have
> columns for guidance.
> Currently the new algorithms are GOST and so perhaps of limited interest but
> on the TLS list I am always seeing new algorithms appear and there the new
> IANA entry is required to give guidance.  My sense is that IKEv2 is a bit slower
> to take up new ones but, as with RFC8247, it does eventually.
> 
> I think that users need those extra columns that RFC8247 provides on the IANA
> website so that when new algorithms are added by Expert Review, then that
> guidance must be added as well.  This is what the TLS WG came round to and I
> think that IKEv2 needs to do the same.
> 
> Tom Petch
> 
> 
> > Regards,
> > Roman
> >
> >> Tom Petch
> >>
> >> On 29/10/2020 11:23, Rafa Marin-Lopez wrote:
> >>> Hi Tom:
> >>>
> >>>> El 28 oct 2020, a las 19:02, tom petch <daedulus@btconnect.com>
> escribió:
> >>>>
> >>>> On 28/10/2020 10:42, Rafa Marin-Lopez wrote:
> >>>>> Hi Tom:
> >>>>>
> >>>>> Thank you very much for your insight. It is very helpful. Please
> >>>>> see our
> >> comments/questions inline.
> >>>>>
> >>>>>> El 27 oct 2020, a las 13:42, tom petch <daedulus@btconnect.com>
> >> escribió:
> >>>>>>
> >>>>>> I think that the IESG will find a number of problems with this I-D.
> >>>>>>
> >>>>>> YANG module references RFC822 which is several years out of date
> >>>>
> >>>> Rafa
> >>>>
> >>>> On boiler plate, I mean the reference to RFC2119 which now must use
> >>>> the
> >> language from RFC8174 in the body of the I-D; sorry for the confusion.
> >>>
> >>> Ah ok. I guess you are referring to change that paragraph with this:
> >>>
> >>>
> >>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> >>> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
> >> "MAY", and
> >>> "OPTIONAL" in this document are to be interpreted as described in
> >>> BCP
> >>> 14 RFC2119 RFC8174 when, and only when, they appear in all capitals,
> >>> as shown here.
> >>>
> >>>>
> >>>> On XXXX, you have XXXX standing in for more than one RFC-to-be
> >>>> which
> >> confuses.  The convention is to use XXXX for this I-D and then AAAA
> >> BBBB etc for any others such as the netconf I-D in this instance.
> >>>
> >>> Ah ok. In any case, we have now only XXXX for our RFC-to-be so
> >>> problem
> >> fixed.
> >>>>
> >>>> Two big issues, for me (perhaps not for others).  The convention
> >>>> with YANG
> >> is for each successive line to be indented two characters, you have
> >> four, which creates a lot of white space and pushes the text to the
> >> right hand margin.  I think that two characters is the default when
> >> you use pyang to format a YANG module.
> >>>
> >>> We can try to reduce it to two characters.
> >>>
> >>>>
> >>>> And references.  I have had to work harder than I want to to make
> >>>> sense of the IANA references.  I think you should have five
> >>>> separate references in the I-D for IANA for Transform Type 1
> >>>> Transform Type 3 Transform Type 4 Authentication Method Protocol
> >>>> Numbers and each reference in the I-D should have a URL pointing to
> >>>> the specific section of
> >> IANA web site.
> >>>
> >>> Ok, good. This follows what we thought.
> >>>
> >>>> In the YANG, it is harder to know what to do.  Those first three
> >>>> references
> >> are in the third tier i.e.
> >>>> Group - Internet Key Exchange V2 (IKEv2) Parameters Registry
> >>>> -Transform Attribute Types and then Type 1, 3, 4 as the third tier
> >>>> as I am calling it and I think that every reference in the YANG
> >>>> should give me all three tiers after IANA in that order perhaps
> >>>> IANA; IKEv2 Parameters; Transform Atribute Types; Transform Type 1
> >>>
> >>> Great. We also considered this as a possible solution after sending our e-
> mail.
> >> Let’s do it.
> >>>
> >>>> If the syntax needs tweeking, then the RFC Editor will do a good
> >>>> job of that
> >> but at present the references are inconsistent in which elements are
> >> specified in what order and that is something the RFC Editor probably
> cannot cope with.
> >>>> Authentication Method is a registry so that just needs Group name
> >>>> and
> >> Registry name after IANA.
> >>>
> >>> Ok, good.
> >>>>
> >>>> Some minor glitches.
> >>>> I-D appears twice in the body of the I-D - perhaps document or memo.
> >>>
> >>> Ok.
> >>>
> >>>> objetives/objectives/
> >>>
> >>> Fixed.
> >>>> end port number perhaps /must/MUST/
> >>>
> >>>> and YANG is very good at including such checks with a must ....
> >>>> 'If AEAD is used .. where? this occurs in several places and I
> >>>> think that you
> >> need to specify the leaf where AEAD will be specified or implied.
> >>>
> >>> Ok we have changed it to:
> >>>
> >>> If Authenticated Encryption with Associated Data (AEAD) is used
> >>> (leaf
> >>> esp-algorithms/encryption/algorithm-type)
> >>> this flag MUST be false."
> >>>
> >>>> And is it possible to make that a YANG 'must' statement - looking
> >>>> at the
> >> IKEv2 registries it is not obvious which are AEAD so that might be
> >> more complexity than it is worth.
> >>>> 'only available on linux kernels' Um implementation detail, you may
> >>>> get
> >> asked to remove that altogether or at least to a Informative Appendix
> >> - I would leave it in for now.
> >>>
> >>> Ok.
> >>>
> >>>> 'import ietf-i2nsf-ikec' the reference needs to be to a RFC and if
> >>>> it is not yet an RFC then RFC XXXX <title> in both Appendix B and C
> >>>
> >>> Yes, we have changed that to:
> >>>
> >>> RFC XXXX: Software-Defined Networking
> >>>                  (SDN)-based IPsec Flow Protection.
> >>>
> >>>> leaf-list pfs-groups could do with a reference - Transform Type 4?
> >>>
> >>> The leaf list is referring to type pfs-group and we have now
> >>>
> >>> typedef pfs-group {
> >>>               type uint16;
> >>>               description
> >>>                   "DH groups for IKE and IPsec SA rekey.";
> >>>               reference
> >>>                   "IANA; Internet Key Exchange V2 (IKEv2) Parameters;
> >>> 				Transform Atribute Types; Transform Type 4 -
> >>>                   Diffie-Hellman Group Transform IDs.
> >>> 				Section 3.3.2 in RFC 7296.";
> >>>           }
> >>>
> >>>
> >>>>
> >>>> I am still working my way through the YANG so may have some more
> >> comments tomorrow.
> >>>
> >>> Ok, do not worry we will work in -12 with these comments so far to
> >>> have a
> >> quick response. We can prepare a another version later with the rest of
> them.
> >>>
> >>> Thank you very much for your effort.
> >>>>
> >>>> Tom Petch
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> We have realized that we missed to change this, even though we
> >>>>> discussed
> >> it. We will change it right away in the following way (bold):
> >>>>>
> >>>>> case rfc822-address-string {
> >>>>>        leaf rfc822-address-string {
> >>>>>             type string;
> >>>>>             description
> >>>>>                 "Specifies the identity as a
> >>>>>                  fully-qualified RFC5322 email
> >>>>>                  address string. An example is,
> >>>>>                  jsmith@example.com. The string
> >>>>>                  MUST NOT contain any
> >>>>>                  terminators e.g., NULL, CR,
> >>>>>                  etc.).";
> >>>>>              reference
> >>>>>                     "RFC 5322.";
> >>>>>        }
> >>>>> }
> >>>>>
> >>>>> Btw, we already used in the past “case rfc822-address-string” and
> >>>>> “leaf
> >> rfc822-address-string” since this is coming from IKEv2 standard. Do
> >> you think we should change that name as well?
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> YANG module references IANA Protocol Numbers which is not in the
> >>>>>> I-D references
> >>>>>
> >>>>> We have included the following reference:
> >>>>>
> >>>>> [IANA-Protocols-Number]
> >>>>>                 Internet Assigned Numbers Authority (IANA), "Protocol
> >>>>>                 Numbers", January 2020.
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> s.2 boiler plate is out of date
> >>>>>
> >>>>> What we see is the I-D has the second choice stated in
> >>>>> https://www.ietf.org/standards/ids/guidelines/
> >>>>>
> >>>>> This Internet-Draft is submitted in full conformance with the
> >>>>>      provisions of BCP 78 and BCP 79.
> >>>>>
> >>>>>      Internet-Drafts are working documents of the Internet Engineering
> >>>>>      Task Force (IETF).  Note that other groups may also distribute
> >>>>>      working documents as Internet-Drafts.  The list of current Internet-
> >>>>>      Drafts is at https://datatracker.ietf.org/drafts/current/.
> >>>>>
> >>>>>      Internet-Drafts are draft documents valid for a maximum of six
> months
> >>>>>      and may be updated, replaced, or obsoleted by other documents at
> any
> >>>>>      time.  It is inappropriate to use Internet-Drafts as reference
> >>>>>      material or to cite them other than as "work in progress."
> >>>>>
> >>>>> Could you refer what is out of date?
> >>>>>
> >>>>>>
> >>>>>> XXXX is standing in for more than one RFC
> >>>>>
> >>>>> Yes, XXXX has been used because we do not know the future number
> >> assigned to our I-D.
> >>>>>
> >>>>> Also we realized we also included this to refer to crypto-types
> >>>>> I-D but this
> >> has been solved now in a new version -12 that we are preparing to
> >> include your comments. We noticed we can replace the type of rw
> >> cert-data?, ca-data*, crl- data? for binary without any problem.
> >>>>>
> >>>>> |           |     +--rw cert-data?        binary
> >>>>> |           +--rw private-key?            binary
> >>>>> |           +--rw ca-data*                binary
> >>>>> |           +--rw crl-data?               binary
> >>>>>
> >>>>>>
> >>>>>> but the show stopper that makes a proper review of this too
> >>>>>> costly is the
> >> references.  Those to IANA of which there are several I want to
> >> pursue.  The I-D reference is to IKEv2 parameters. Sadly, this is a
> >> three tier structure and noone agrees on what to call the third tier
> >> so I will call it tier3 here.  Top level is Group, as per RFC8126,
> >> second level is Registry.  The I-D reference is to the Group only
> >> which is fine if the actual reference then specifies the Registry and
> >> Tier3 but they never do, usually just Tier3 e.g. Transform Type 3
> >> which makes for a lot of work for the reader, too much for this one.
> >> You have to go hunting in all the second level Registry until you can
> >> find a match for the Tier3 identifier. And there are no URL.  If you
> >> want an example that I find easy to use, go look at RFC8407 (as usual).
> >>>>>
> >>>>> You’re right. Could you point the exact part at RFC 8407 with that
> >> example? We would really appreciate it.
> >>>>>
> >>>>> On the other hand, would it be enough to include the URL for
> >>>>> Transform
> >> Type 3 https://www.iana.org/assignments/ikev2-parameters/ikev2-
> >> parameters.xhtml#ikev2-parameters-7 ?
> >>>>>
> >>>>> (Same for Transform Type 1, Transform Type 4)
> >>>>>
> >>>>>>
> >>>>>> The reference for import of i2nsf-ikec gives a YANG module name;
> >>>>>> this needs to be the name of the RFC to be
> >>>>>
> >>>>> Fixed.
> >>>>>
> >>>>> import ietf-i2nsf-ikec {
> >>>>>               prefix nsfikec;
> >>>>>               reference
> >>>>>                   "RFC XXXX: Software-Defined Networking
> >>>>>                  (SDN)-based IPsec Flow Protection."; }
> >>>>>
> >>>>> We still use XXXX because we do not know the number assigned to
> >>>>> the RFC
> >> to be.
> >>>>>
> >>>>>>
> >>>>>> The example IPv6 address in the YANG module has :0:0: which is
> >>>>>> usually
> >> just ::
> >>>>>
> >>>>> Fixed.
> >>>>>
> >>>>> If you have any further comments, please let us know so we can
> >>>>> include them in -12
> >>>>>
> >>>>> Best Regards.
> >>>>>>
> >>>>>> And I have some way to go still.
> >>>>>>
> >>>>>> Tom Petch
> >>>>>>
> >>>>>> On 22/10/2020 18:39, Rafa Marin-Lopez wrote:
> >>>>>>> Dear all:
> >>>>>>>
> >>>>>>> After receiving a suggestion to make things clearer in the
> >>>>>>> feature ikeless-
> >> notification description, we have just uploaded a new version -11
> >> with a minor change to add the following text:
> >>>>>>>
> >>>>>>> feature ikeless-notification {
> >>>>>>>               description
> >>>>>>>                   "This feature indicates that the server supports
> >>>>>>>                   generating notifications in the ikeless module.
> >>>>>>>
> >>>>>>>                   To ensure broader applicability of this module,
> >>>>>>>                   the notifications are marked as a feature.
> >>>>>>>                   For the implementation of ikeless case,
> >>>>>>>                   the NSF is expected to implement this
> >>>>>>>                   feature.";
> >>>>>>>           }
> >>>>>>>
> >>>>>>> Best Regards.
> >>>>>>>
> >>>>>>>> Inicio del mensaje reenviado:
> >>>>>>>>
> >>>>>>>> De: internet-drafts@ietf.org
> >>>>>>>> Asunto: New Version Notification for
> >>>>>>>> draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
> >>>>>>>> Fecha: 22 de octubre de 2020, 15:32:50 CEST
> >>>>>>>> Para: "Fernando Pereniguez-Garcia"
> >>>>>>>> <fernando.pereniguez@cud.upct.es>, "Rafael Lopez" <rafa@um.es>,
> >>>>>>>> "Gabriel Lopez-Millan" <gabilm@um.es>, "Rafa Marin-Lopez"
> >>>>>>>> <rafa@um.es>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> A new version of I-D,
> >>>>>>>> draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
> >>>>>>>> has been successfully submitted by Rafa Marin-Lopez and posted
> >>>>>>>> to the IETF repository.
> >>>>>>>>
> >>>>>>>> Name:		draft-ietf-i2nsf-sdn-ipsec-flow-protection
> >>>>>>>> Revision:	11
> >>>>>>>> Title:		Software-Defined Networking (SDN)-based IPsec Flow
> >> Protection
> >>>>>>>> Document date:	2020-10-22
> >>>>>>>> Group:		i2nsf
> >>>>>>>> Pages:		92
> >>>>>>>> URL:            https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-
> ipsec-
> >> flow-protection-11.txt
> >>>>>>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-
> ipsec-
> >> flow-protection/
> >>>>>>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-
> sdn-
> >> ipsec-flow-protection
> >>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-
> flow-
> >> protection-11
> >>>>>>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-
> ipsec-
> >> flow-protection-11
> >>>>>>>>
> >>>>>>>> Abstract:
> >>>>>>>>     This document describes how to provide IPsec-based flow
> protection
> >>>>>>>>     (integrity and confidentiality) by means of an Interface to Network
> >>>>>>>>     Security Function (I2NSF) controller.  It considers two main well-
> >>>>>>>>     known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
> >>>>>>>>     host.  The service described in this document allows the
> >>>>>>>>     configuration and monitoring of IPsec Security Associations (SAs)
> >>>>>>>>     from a I2NSF Controller to one or several flow-based
> >>>>>>>> Network
> >> Security
> >>>>>>>>     Functions (NSFs) that rely on IPsec to protect data traffic.
> >>>>>>>>
> >>>>>>>>     The document focuses on the I2NSF NSF-facing interface by
> providing
> >>>>>>>>     YANG data models for configuring the IPsec databases (SPD,
> >>>>>>>> SAD,
> >> PAD)
> >>>>>>>>     and IKEv2.  This allows IPsec SA establishment with minimal
> >>>>>>>>     intervention by the network administrator.  It does not define any
> >>>>>>>>     new protocol.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Please note that it may take a couple of minutes from the time
> >>>>>>>> of submission until the htmlized version and diff are available
> >>>>>>>> at
> >> tools.ietf.org.
> >>>>>>>>
> >>>>>>>> The IETF Secretariat
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>> -------------------------------------------------------
> >>>>>>> Rafa Marin-Lopez, PhD
> >>>>>>> Dept. Information and Communications Engineering (DIIC) Faculty
> >>>>>>> of Computer Science-University of Murcia
> >>>>>>> 30100 Murcia - Spain
> >>>>>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> >>>>>>> -------------------------------------------------------
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>> -------------------------------------------------------
> >>>>> Rafa Marin-Lopez, PhD
> >>>>> Dept. Information and Communications Engineering (DIIC) Faculty of
> >>>>> Computer Science-University of Murcia
> >>>>> 30100 Murcia - Spain
> >>>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> >>>>> -------------------------------------------------------
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>> -------------------------------------------------------
> >>> Rafa Marin-Lopez, PhD
> >>> Dept. Information and Communications Engineering (DIIC) Faculty of
> >>> Computer Science-University of Murcia
> >>> 30100 Murcia - Spain
> >>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> >>> -------------------------------------------------------
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >> --
> >> last-call mailing list
> >> last-call@ietf.org
> >> https://www.ietf.org/mailman/listinfo/last-call

v2.23.0 | Report a Bug | By Email