Re: [I2nsf] [yang-doctors] [IPsec] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 12 October 2020 16:02 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, Rafa Marin-Lopez <rafa@um.es>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "ipsec@ietf.org" <ipsec@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, Christian Hopps <chopps@chopps.org>, Lou Berger <lberger@labn.net>, Martin Björklund <mbj+ietf@4668.se>
Date: Mon, 12 Oct 2020 16:01:35 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/OpMm2_iP5_tGvYhPsLCyxWkbzxI>

Hi Rafa, authors,

Just to check.

Has there been any closure on the suggestion from Chris on "notifications in the ikeless module as a feature"?  This would seem to be a fairly cheap & easy compromise.

Thanks,
Rob


From: yang-doctors <yang-doctors-bounces@ietf.org> On Behalf Of Lou Berger
Sent: 27 September 2020 15:26
To: Christian Hopps <chopps@chopps.org>; Martin Björklund <mbj+ietf@4668.se>
Cc: Robert Wilton <rwilton=40cisco.com@dmarc.ietf.org>; i2nsf@ietf.org; Gabriel Lopez <gabilm@um.es>; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org; ipsec@ietf.org; last-call@ietf.org; Rafa Marin-Lopez <rafa@um.es>; yang-doctors@ietf.org
Subject: Re: [yang-doctors] [IPsec] [Last-Call] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.


Speaking as an interested party, I hope that some compromise / good enough solution is followed in the -09 version of this draft.

Lou
On 9/23/2020 7:20 AM, Christian Hopps wrote:
>
> > On Sep 23, 2020, at 6:58 AM, Martin Björklund <mbj+ietf@4668.se> wrote:
> >
> > Hi,
> >
> > Christian Hopps <chopps@chopps.org> wrote:
> >
> > > > On Sep 23, 2020, at 5:29 AM, Rafa Marin-Lopez <rafa@um.es> wrote:
> > > >
> > > > > But I would like to check: My understanding is that the changes that
> > > > > Chris is proposing are pretty small.  I.e. move the SA structure under
> > > > > ipsec-common, and put it under a YANG feature.  Are you sure that it
> > > > > is impractical to accommodate this change which would allow a single
> > > > > ipsec module to be shared and extended via YANG augmentations?
> > > >
> > > > In the context of our I-D, if we move SAD structure to ipsec-common,
> > > > what we are meaning is that IPsec SA configuration data (setting
> > > > values to the SAD structure) are common to the IKE case and the
> > > > IKE-less cases, which are not. It is confusing.
> > >
> > > Something defined in a common module but marked as a feature does not
> > > imply that that feature has to be implemented by an importing
> > > module. This is not confusing to YANG implementers or users I
> > > think. If we are just talking about document flow here, then a
> > > sentence saying "the SAD feature is not required to implement IKE
> > > functionality" is quite enough to clear that up I think.
> >
> > Another alternative could be to move these containers to another
> > (new) module.
>
> It may also be enough to mark the notifications in the ikeless module as a feature I suppose. That is the actual thing I think non-SDN implementations would want to omit. The module name "ikeless" is not great in this case, but perhaps workable.

This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.

> I'm definitely concerned about IETF process and real world usability here. These modules are basically workable for ipsec I think, they could be used by operators today. If we restart the entire process to redo this work for the more generic IPsec case it will probably be years before they are finished and in the field. This new work can be started, but why not have something usable in the meantime?
>
> Thanks,
> Chris.
>
> > /martin
> >
> > > Thanks,
> > > Chris.
> > >
> > > > Moreover, the usage of feature means that, after all, this "common" is
> > > > not "common" to both cases IKE case and IKE-less. Again, it seems
> > > > confusing. In the IKE case, the SDN/I2NSF controller does not
> > > > configure the SAD at all but the IKE implementation in the NSF. In our
> > > > opinion, in order to properly add this IPsec SA operational state to
> > > > the IKE case we should include operational data about the IPsec SAs
> > > > (config false) to the ietf-ipsec-ike. Alternatively, we have certain
> > > > operational data (ro) in the SAD structure in the IKE-less case. If
> > > > only those are moved to the common part should be ok but we think it
> > > > does not solve the problem.

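To illustrate the mechanism Chris describes in the thread above (a subtree in a common module gated by a YANG feature, which an importing IKE-case module is free not to implement, and the same `if-feature` pattern applied to the controller-facing notifications), here is an added YANG sketch. It is not text from the draft or from anyone in this thread; the module, feature and node names are hypothetical.

```yang
// Hypothetical sketch, not the draft's module. A server (NSF) lists the
// features it implements in its YANG library (RFC 8525); a client that
// does not see "sad" there knows the subtree below is absent.
module example-ipsec-common {
  yang-version 1.1;
  namespace "urn:example:ipsec-common";
  prefix ipsec-c;

  feature sad {
    description
      "The server exposes its Security Association Database (SAD)
       through this module. An IKE-based NSF whose SAD is populated
       by its IKE implementation need not advertise this feature.";
  }

  feature sad-notifications {
    description
      "The server emits SAD lifecycle notifications towards an
       SDN/I2NSF controller. Non-SDN deployments can omit this.";
  }

  // Everything under if-feature exists on a server only when that
  // server advertises the feature; no change to the IKE-case module
  // is needed for it to leave the SAD out.
  container sad {
    if-feature "sad";
    description
      "SAD entries; present only when the 'sad' feature is advertised.";
    list sa-entry {
      key "spi";
      leaf spi {
        type uint32;
      }
      leaf state {
        type string;
        config false;   // operational-only (ro) detail, as in the IKE-less case
      }
    }
  }

  notification sad-entry-expired {
    if-feature "sad-notifications";
    description
      "Sent when an SA in the SAD reaches its lifetime; gated separately
       so an implementation may expose the SAD but not the events.";
    leaf spi {
      type leafref {
        path "/ipsec-c:sad/ipsec-c:sa-entry/ipsec-c:spi";
      }
    }
  }
}
```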