IETF Logo Mail Archive

[I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection

Linda Dunbar <linda.dunbar@huawei.com> Wed, 05 December 2018 20:48 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30276130EBF for <i2nsf@ietfa.amsl.com>; Wed, 5 Dec 2018 12:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vTCroXslYkRq for <i2nsf@ietfa.amsl.com>; Wed, 5 Dec 2018 12:48:46 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70A6A130E7E for <i2nsf@ietf.org>; Wed, 5 Dec 2018 12:48:46 -0800 (PST)
Received: from LHREML710-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id A49B38E001AF8 for <i2nsf@ietf.org>; Wed, 5 Dec 2018 20:48:40 +0000 (GMT)
Received: from lhreml701-chm.china.huawei.com (10.201.108.50) by LHREML710-CAH.china.huawei.com (10.201.108.33) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 5 Dec 2018 20:48:42 +0000
Received: from lhreml701-chm.china.huawei.com (10.201.108.50) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Wed, 5 Dec 2018 20:48:42 +0000
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1591.10 via Frontend Transport; Wed, 5 Dec 2018 20:48:41 +0000
Received: from SJCEML521-MBB.china.huawei.com ([169.254.6.33]) by SJCEML702-CHM.china.huawei.com ([169.254.4.100]) with mapi id 14.03.0415.000; Wed, 5 Dec 2018 12:48:37 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Rafa Marin-Lopez <rafa@um.es>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, Paul Wouters <paul@nohats.ca>
Thread-Topic: YANG module update when new algorithms added to IPsec, RE: [I2nsf] Reviewing sdn-ipsec-flow-protection
Thread-Index: AdSM21S4oJ64UoeTT3W/8PiJXSfgGw==
Date: Wed, 05 Dec 2018 20:48:37 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B1F61FE@SJCEML521-MBB.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.90]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B1F61FESJCEML521MBBchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Ibpyd7NXHOYimBJTp-Oizqrt4cc>
Subject: [I2nsf] YANG module update when new algorithms added to IPsec, RE: Reviewing sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 20:48:49 -0000

Yoav asked:
“What is our plan for future expansions?  Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations?  Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?”

We can use “import” and “augment” to add new attributes as demonstrated by https://datatracker.ietf.org/doc/draft-lee-ccamp-optical-impairment-topology-yang/?include_text=1


Linda
From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Wednesday, November 14, 2018 12:33 PM
To: Rafa Marin-Lopez <rafa@um.es>
Cc: i2nsf@ietf.org; Paul Wouters <paul@nohats.ca>
Subject: Re: [I2nsf] Reviewing sdn-ipsec-flow-protection

Thanks, Rafa.

Just one response below.


On 14 Nov 2018, at 11:30, Rafa Marin-Lopez <rafa@um.es<mailto:rafa@um.es>> wrote:

Hi Yoav:


El 8 nov 2018, a las 17:11, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> escribió:

Hi, all

As discussed in the room, we need some reviewers for the sdn-ipsec-flow-protection draft ([1])

Thanks for these comments. Please see our response below.


While any comments on any part of the document are welcome, I would like people to concentrate on the following issues:

  *   The YANG model in Appendix A

     *   Some of the crypto seems obsolete (example: DES). We would get into trouble in SecDir review.  OTOH ChaCha20-Poly1305 is missing..

Agree. We will remove DES and add the algorithm you mention.

The TLS working group went quite far with TLS 1.3.  Only 2 ciphers remain: AES-GCM with 16-byte ICV, and ChaCha20-Poly1305. That’s it.  Specifically, they’ve deprecated everything that isn’t an AEAD.

The IPsecME working group hasn’t gone that far yet.  But in practice pretty much nothing is used except 3DES, AES-CBC, and AES-GCM.  Perhaps ChaCha20-Poly1305 is starting to see some use by now. We have RFC 8221, especially sections 5 and 6.  I think (although it’s up to the working group) that we should be fine defining only the MUSTs and the SHOULDs in those sections.

That brings another question. What is our plan for future expansions?  Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations?  Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?

Thanks

Yoav

v2.23.0 | Report a Bug | By Email