Re: [I2nsf] Request for WGLC on I2NSF YANG Data Models
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Mon, 01 April 2019 13:31 UTC
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Mon, 01 Apr 2019 22:30:42 +0900
To: Gabriel Lopez <gabilm@um.es>
Cc: Linda Dunbar <linda.dunbar@huawei.com>, Yoav Nir <ynir.ietf@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Chris Shen <shenyiwen7@gmail.com>, skku_secu-brain_all@googlegroups.com, "Jingyong (Tim) Kim" <wlsdyd0930@nate.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/LhZMoub_rSABiJx13JMarITMbVc>

Hi Gabriel,
I will answer your questions inline below.

On Mon, Apr 1, 2019 at 7:18 PM Gabriel Lopez <gabilm@um.es> wrote:

> Hi Paul.
>
> Just a few comments about the drafts:
>
> On 28 Mar 2019, at 8:39, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> wrote:
>
> Hi Linda and Yoav,
> As we discussed at this I2NSF WG meeting, my SKKU team reflected the data
> convergence including I2NSF IPsec (such as ipsec-ike case and ipsec-ikeless
> case) on the three data model drafts, and then uploaded them into the IETF
> repository this morning:
> - NSF Capability Data Model
> - NSF-Facing Interface Data Model
> - Registration Interface Data Model
>
> The update of each draft is described in the Changes section per draft.
>
> There is no change in the Consumer-Facing Interface Data Model draft.
>
> Could you start WGLC for the following four data model drafts?
> - NSF Capability Data Model
> https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-04
>
> This draft specifies whether IKE/IKE-less cases are supported by the NSF
> or not, in the same way that it specifies if the NSF supports IPS or not.
> But the details about capabilities for ipsec or IDS are moved now to
> another draft (dong-i2nsf-asf-config). Is it right?
>

=> Yes. For the detailed configuration of ipsec, we will be able to use your data model by letting it be referenced by our NSF-facing interface YANG module. We will let you know how to modify your YANG module this week so that it can be used by our NSF-facing interface data model.

> - NSF-Facing Interface Data Model
> https://tools.ietf.org/html/draft-ietf-i2nsf-nsf-facing-interface-dm-05
>
> How does it align with the security-policy-translation draft?
>

=> The security policy translator translates a high-level security policy XML file (based on Consumer-facing interface data model) into a low-level security policy XML file (based on NSF-facing interface data model).
In the security-policy-translation draft, there is exemplary XML code as follows:
- High-level security policy XML Code
  https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-03#page-7
- Low-level security policy XML Code
  https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-03#page-18

> - Registration Interface Data Model
> https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03
>
> - Consumer-Facing Interface Data Model
> https://tools.ietf.org/html/draft-ietf-i2nsf-consumer-facing-interface-dm-03
>
> Import of the ipsec draft should not be included here. Both drafts (ipsec
> and this one) should stay both like nsf facing interface models, but not
> one integrated into the other.
>

=> This statement is not clear to me. Could you clarify this more clearly if you have a better way?

For Registration interface data model, we use ipsec-method (either IKE or IKEless) that is defined in I2NSF Capability data model draft:
https://tools.ietf.org/html/draft-ietf-i2nsf-capability-data-model-04#page-7

To use this ipsec-method in Registration interface data model, we import I2NSF Capability data model as follows:

############################################################
6.1.3. NSF Capability Information - p. 11
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-11
------------------------------------------------------------
6.2. YANG Data Modules - p. 12
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-12

    import ietf-i2nsf-capability {
      prefix capa;
      reference "draft-ietf-i2nsf-capability-data-model-04";
    }
------------------------------------------------------------
grouping i2nsf-nsf-capability-info - p. 15-16
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-16

    grouping i2nsf-nsf-capability-info {
      description
        "Detail information of an NSF";
      container i2nsf-capability {
        description
          "ietf i2nsf capability information";
        uses "capa:nsf-capabilities";
        reference "draft-ietf-i2nsf-capability-data-model-04";
      }
      container nsf-performance-capability {
        description
          "performance capability";
        uses i2nsf-nsf-performance-capability;
      }
    }
------------------------------------------------------------
Configuration Example 1~6: p. 19
https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-03#page-19

    <ipsec-method>ikeless</ipsec-method>
############################################################

For the configuration of IPsec (e.g., SPD and PAD parameters) for an NSF, could you make a YANG code for such configuration for Registration interface YANG code and XML code like our example in Registration interface data model draft?
We will be able to include your YANG code to accommodate IPsec configuration in the revision of our Registration interface data model draft.
If you have a better way to configure your IPsec configuration into Security Controller, please let me know.

=> For Consumer-facing interface data model, we will include ipsec-method (either IKE or IKEless) in the revision of Consumer-facing interface data model draft. This configuration will let NSFs for a high-level security policy make an IPsec tunnel between each pair of NSFs along the SFC path (e.g., Firewall -> DPI -> DDoS Attack Mitigator).

I think your students can work with my students at SKKU for the test of this integration and test.
My Ph.D. student, Jinyong (Tim) Kim, is in charge of the implementation and test.

If you have questions, please let me know.

Thanks.

Best Regards,
Paul

>
> Best regards, Gabi.
>
> I hope we can publish them before the IETF-105 Montreal meeting. :-)
>
> Thanks.
>
> Best Regards,
> Paul
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
>
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es <gabilm@um.es>
>

--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>