[I2nsf] Benjamin Kaduk's No Objection on draft-ietf-i2nsf-sdn-ipsec-flow-protection-13: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Mon, 01 March 2021 17:43 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: i2nsf@ietf.org
Delivered-To: i2nsf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 546283A203D; Mon, 1 Mar 2021 09:43:58 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, i2nsf-chairs@ietf.org, i2nsf@ietf.org, Yoav Nir <ynir.ietf@gmail.com>, ynir.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.26.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <161462063831.30243.18332876088052265307@ietfa.amsl.com>
Date: Mon, 01 Mar 2021 09:43:58 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/G_HL0WYBsuSvA3hew8tfwXY8Ues>
Subject: [I2nsf] Benjamin Kaduk's No Objection on draft-ietf-i2nsf-sdn-ipsec-flow-protection-13: (with COMMENT)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 17:43:58 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-i2nsf-sdn-ipsec-flow-protection-13: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- A huge thanks for the many thoughtful updates in the -13; they do a great job of resolving my discuss and comment points from the -12 and have really improved the document a lot. Section 5 In terms of security, IKE case provides better security properties than IKE-less case, as discussed in section Section 8. The main reason is that the NSFs generate the session keys and not the I2NSF Controller. nit: s/section Section/Section/ Section 5.2 In the IKE case, the I2NSF Controller MAY need to configure the affected NSF with the new IKEv2, SPD and PAD information. nit: s/MAY/may/ imply avoiding contact with the I2NSF Controller. Finally, the I2NSF Controller MAY also need to send new parameters (e.g., a new fresh PSK for authentication) to the NSFs which had IKEv2 SAs and IPsec SAs with the affected NSF. nit: s/MAY/may/ Section 6.1.2 grouping lifetime { [...] leaf bytes { type yang:counter64; default 0; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; Since this is the *limit*, it should just be a uint64; the counter type should be used for the statistics, not the configured limit. My apologies for being sloppy in in writing my earlier comment; I can see how you thought that I was suggesting to use the "counter64" type here, but that was not my intent. list dscp-mapping { [...] leaf inner-dscp { type inet:dscp; description "The DSCP value of the inner IP packet. If this leaf is not defined it means ANY inner DSCP value"; } We should probably specify one way or the other if it's allowed to have (e.g.) one element of this list that has both inner+outer DSCP values, and another element that has only the outer value (to match "everything else"). That is, is the "ANY inner DSCP value" really "any", or "any not matching other configuration"? Section 6.2.3 typedef autostartup-type { [...] enum start { description "IKE/IPsec configuration is loaded and transferred to the NSF's kernel, and the IKEv2 based IPsec SAs are established immediately without waiting any packet."; nit: "waiting for" container eap-method { when "../auth-method = 'eap'"; leaf eap-type { type uint64 {range "1 .. 4294967295"; } [I don't really understand why we need uint64 vs uint32 with the explicit range limit like that, but it's not harmful.] Section 6.3.3 container tunnel { when "../mode = 'tunnel'"; uses nsfikec:tunnel-grouping; leaf-list dscp-values { type inet:dscp; description "DSCP values allowed for packets carried over this IPsec SA. If no values are specified, no DSCP-specific filtering is applied"; nit: It might be worth a couple more words to clarify that this is for ingress packets received, and thus the value that would be the "inner" DSCP value in the other configuration we have for the DSCP mapping. container replay-window { If I understand correctly, the 'w', 't', and 'b' paremeters herein are related, with the gap t-b usually (always?) being of value w. I don't know enough about YANG constraints to say whether they should be used to recognize this relationship, but even if not, some prose might be in order. Section 8.2 When people say that "encryption algorithms [...] MUST have, at least, the same strength as the algorithms used [...]" we like to see clarity on how the "strength" is measured. In this case it's probably fairly clear to most readers, but spelling out the bit strength of the symmetric cipher is probably still worthwhile.
- [I2nsf] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [I2nsf] Benjamin Kaduk's No Objection on draf… Rafa Marín López