Re: [I2nsf] Reviewing sdn-ipsec-flow-protection

Yoav Nir <ynir.ietf@gmail.com> Wed, 14 November 2018 18:33 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <DAE14995-8504-4134-B021-93D56A4994FB@gmail.com>
Date: Wed, 14 Nov 2018 20:33:08 +0200
In-Reply-To: <6839D47C-4074-486F-9350-8EB7B378036C@um.es>
Cc: i2nsf@ietf.org, Paul Wouters <paul@nohats.ca>
To: Rafa Marin-Lopez <rafa@um.es>
References: <A881C135-9BF7-4E93-BB7A-75EB3D1FF605@gmail.com> <6839D47C-4074-486F-9350-8EB7B378036C@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/LifiSIl5q961ZHUx1SGt0xMREb0>

Thanks, Rafa.

Just one response below.

> On 14 Nov 2018, at 11:30, Rafa Marin-Lopez <rafa@um.es> wrote:
> 
> Hi Yoav:
> 
>> On 8 Nov 2018, at 17:11, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> 
>> Hi, all
>> 
>> As discussed in the room, we need some reviewers for the sdn-ipsec-flow-protection draft ([1])
> 
> Thanks for these comments. Please see our response below.
>> 
>> While any comments on any part of the document are welcome, I would like people to concentrate on the following issues:
>> The YANG model in Appendix A
>> Some of the crypto seems obsolete (example: DES). We would get into trouble in SecDir review.  OTOH ChaCha20-Poly1305 is missing.
> 
> Agree. We will remove DES and add the algorithm you mention.

The TLS working group went quite far with TLS 1.3.  Only 2 ciphers remain: AES-GCM with 16-byte ICV, and ChaCha20-Poly1305. That’s it.  Specifically, they’ve deprecated everything that isn’t an AEAD.

The IPsecME working group hasn’t gone that far yet.  But in practice pretty much nothing is used except 3DES, AES-CBC, and AES-GCM.  Perhaps ChaCha20-Poly1305 is starting to see some use by now. We have RFC 8221, especially sections 5 and 6.  I think (although it’s up to the working group) that we should be fine defining only the MUSTs and the SHOULDs in those sections.

That brings another question. What is our plan for future expansions?  Suppose there’s some hot, new algorithm that everyone is implementing. How do you update the YANG model in the future when you add new values to the enumerations?  Is it up to the administrator to make sure that the controller and NSFs are all on the “same page”?

Thanks

Yoav
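As an added illustration of the extensibility question raised above (this is not the draft's model nor either author's text), the YANG fragment below models ESP algorithms as identities rather than an enumeration, so a later module can add an algorithm without revising the original module. Module names, namespaces and the `hypothetical-new-aead` identity are placeholders; the two modules would normally live in separate .yang files.

```yang
module example-ipsec-esp-algs {
  yang-version 1.1;
  namespace "urn:example:ipsec-esp-algs";   // placeholder, not the draft's namespace
  prefix esp-alg;

  // Base identity: every ESP encryption/AEAD algorithm derives from it.
  identity esp-encryption-alg {
    description "Base identity for ESP encryption algorithms.";
  }

  // The AEAD set from RFC 8221 Section 5 that the thread settles on.
  identity aes-gcm-16 {
    base esp-encryption-alg;
    description "ENCR_AES_GCM_16 (MUST in RFC 8221).";
  }
  identity chacha20-poly1305 {
    base esp-encryption-alg;
    description "ENCR_CHACHA20_POLY1305 (SHOULD in RFC 8221).";
  }

  container esp-config {
    leaf encryption-algorithm {
      type identityref {
        base esp-encryption-alg;
      }
      description
        "Any identity derived from esp-encryption-alg is a valid value,
         including identities defined in modules published later.";
    }
  }
}

// A later module adds an algorithm without touching the module above.
module example-ipsec-esp-algs-ext {
  yang-version 1.1;
  namespace "urn:example:ipsec-esp-algs-ext";   // placeholder namespace
  prefix esp-ext;

  import example-ipsec-esp-algs { prefix esp-alg; }

  identity hypothetical-new-aead {
    base esp-alg:esp-encryption-alg;
    description "Placeholder for a future AEAD; not a registered IKEv2 transform.";
  }
}
```

The "same page" concern does not disappear: an NSF whose server does not implement the extension module will fail validation on the unknown identity, so the controller still has to check the NSF's advertised YANG library before pushing a newer algorithm.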