Re: [I2nsf] [Last-Call] Fwd: New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

tom petch <daedulus@btconnect.com> Tue, 27 October 2020 12:43 UTC

To: Rafa Marin-Lopez <rafa@um.es>, i2nsf@ietf.org
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es>
Cc: Gabriel Lopez <gabilm@um.es>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, last-call@ietf.org, ynir.ietf@gmail.com
From: tom petch <daedulus@btconnect.com>
Message-ID: <5F9815D1.9010303@btconnect.com>
Date: Tue, 27 Oct 2020 12:42:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/DTH_CTHXu9_I0s5K5QydpqiUusM>

I think that the IESG will find a number of problems with this I-D.

YANG module references RFC822 which is several years out of date

YANG module references IANA Protocol Numbers which is not in the I-D 
references

s.2 boilerplate is out of date

XXXX is standing in for more than one RFC

but the show stopper that makes a proper review of this too costly is 
the references.  Those to IANA of which there are several I want to 
pursue.  The I-D reference is to IKEv2 parameters. Sadly, this is a 
three tier structure and no one agrees on what to call the third tier so 
I will call it tier3 here.  Top level is Group, as per RFC8126, second 
level is Registry.  The I-D reference is to the Group only which is fine 
if the actual reference then specifies the Registry and Tier3 but they 
never do, usually just Tier3 e.g. Transform Type 3 which makes for a lot 
of work for the reader, too much for this one.  You have to go hunting 
in all the second level Registry until you can find a match for the 
Tier3 identifier. And there are no URLs.  If you want an example that I 
find easy to use, go look at RFC8407 (as usual).

The reference for import of i2nsf-ikec gives a YANG module name; this 
needs to be the name of the RFC to be

The example IPv6 address in the YANG module has :0:0: which is usually 
just ::

And I have some way to go still.

Tom Petch

On 22/10/2020 18:39, Rafa Marin-Lopez wrote:
> Dear all:
>
> After receiving a suggestion to make things clearer in the feature ikeless-notification description, we have just uploaded a new version -11 with a minor change to add the following text:
>
> feature ikeless-notification {
>     description
>         "This feature indicates that the server supports
>          generating notifications in the ikeless module.
>
>          To ensure broader applicability of this module,
>          the notifications are marked as a feature.
>          For the implementation of ikeless case,
>          the NSF is expected to implement this
>          feature.";
> }
>
> Best Regards.
>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>> Date: 22 October 2020, 15:32:50 CEST
>> To: "Fernando Pereniguez-Garcia" <fernando.pereniguez@cud.upct.es>, "Rafael Lopez" <rafa@um.es>, "Gabriel Lopez-Millan" <gabilm@um.es>, "Rafa Marin-Lopez" <rafa@um.es>
>>
>>
>> A new version of I-D, draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>> has been successfully submitted by Rafa Marin-Lopez and posted to the
>> IETF repository.
>>
>> Name:		draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Revision:	11
>> Title:		Software-Defined Networking (SDN)-based IPsec Flow Protection
>> Document date:	2020-10-22
>> Group:		i2nsf
>> Pages:		92
>> URL:            https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>> Status:         https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Htmlized:       https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-11
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-11
>>
>> Abstract:
>>    This document describes how to provide IPsec-based flow protection
>>    (integrity and confidentiality) by means of an Interface to Network
>>    Security Function (I2NSF) controller.  It considers two main well-
>>    known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
>>    host.  The service described in this document allows the
>>    configuration and monitoring of IPsec Security Associations (SAs)
>>    from a I2NSF Controller to one or several flow-based Network Security
>>    Functions (NSFs) that rely on IPsec to protect data traffic.
>>
>>    The document focuses on the I2NSF NSF-facing interface by providing
>>    YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
>>    and IKEv2.  This allows IPsec SA establishment with minimal
>>    intervention by the network administrator.  It does not define any
>>    new protocol.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>
> -------------------------------------------------------
> Rafa Marin-Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------
>
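
Three of the review points above (the out-of-date RFC 822 reference, a module reference missing from the I-D reference list, and the `:0:0:` IPv6 example) can be checked mechanically. The following is an added example, not code from the draft, its authors or the reviewer; the module text, the reference list, the `OBSOLETED` table and all function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: small local table; RFC 822 -> RFC 2822 -> RFC 5322.
OBSOLETED = {"822": "5322", "2822": "5322"}

# Constructed sample module and reference list, not text from the draft.
SAMPLE_YANG = '''
module example-ipsec {
  leaf peer-id {
    type string;
    reference "RFC 822: Standard for ARPA Internet Text Messages";
  }
  leaf inner-protocol {
    type uint8;
    reference "IANA Protocol Numbers";
  }
  leaf local-address {
    type string;
    description "E.g. 2001:db8:0:0:8:800:200c:417a/64 or 2001:db8::2.";
    reference "RFC 4301: Security Architecture for the Internet Protocol";
  }
}
'''
SAMPLE_ID_REFERENCES = {"RFC4301", "RFC7296"}

IPV6_CANDIDATE = re.compile(r"\b[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{0,4}){2,7}")

def lint_yang(text, id_refs):
    """Return (kind, item, suggestion) findings for a YANG module's text."""
    findings = []
    for ref in re.findall(r'reference\s+"([^"]+)"', text):
        m = re.match(r"RFC\s*(\d+)", ref)
        if m and m.group(1) in OBSOLETED:
            findings.append(("obsolete-rfc", "RFC" + m.group(1),
                             "RFC" + OBSOLETED[m.group(1)]))
        elif m and "RFC" + m.group(1) not in id_refs:
            findings.append(("not-in-references", "RFC" + m.group(1), None))
        elif not m and ref not in id_refs:
            findings.append(("unlisted-source", ref, None))
    for cand in IPV6_CANDIDATE.findall(text):
        try:
            canonical = str(ipaddress.IPv6Address(cand))
        except ValueError:
            continue  # looked like an address (e.g. a time) but is not one
        if canonical != cand:
            findings.append(("noncanonical-ipv6", cand, canonical))
    return findings
```

Calling `lint_yang(SAMPLE_YANG, SAMPLE_ID_REFERENCES)` returns one finding per issue; the IPv6 check compares each literal with the compressed form produced by Python's `ipaddress` module.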