Re: [I2nsf] [yang-doctors] Need YANG Doctor reviewing the YANG module of draft-ietf-i2nsf-sdn-ipsec-flow-protection which I2NSF is about to call WGLC

Andy Bierman <andy@yumaworks.com> Fri, 05 April 2019 17:43 UTC

From: Andy Bierman <andy@yumaworks.com>
Date: Fri, 5 Apr 2019 10:42:54 -0700
Message-ID: <CABCOCHRf3iGUt9wb3htpDYGJ+pAKErvq8OrozndgELUVKYT4Kg@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Linda Dunbar <linda.dunbar@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/OsZ9KUgJfS_BetoxHlv0cRic2BE>

Hi,

I think conformance for identities is handled very poorly in YANG.
There is an if-feature-stmt allowed inside an identity in YANG 1.1.
This implies that any identity without if-feature is mandatory-to-implement.

If the identities are in a separate module, the server can list it as an
imported module, which tells the client the server does not implement any
of the identities.

There is no standard way for the server to inform the client which
identities it supports for a given identityref data node.

The common implementation strategy is to completely ignore YANG conformance
for identities (as Mahesh explained). You just try setting the leaf and see
if the server accepts it.

Andy


On Fri, Apr 5, 2019 at 10:33 AM Mahesh Jethanandani <mjethanandani@gmail.com>
wrote:

> Hi Linda,
>
>
> On Apr 5, 2019, at 9:51 AM, Linda Dunbar <linda.dunbar@huawei.com> wrote:
>
> Dear YANG Doctor:
>
> We need your help in reviewing the YANG model in
> draft-ietf-i2nsf-sdn-ipsec-flow-protection which I2NSF WG is about to call
> WGLC.
>
> In particular, we need your advice on the following issue:
>
> draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 imports from
> draft-ietf-netconf-crypto-types, which appears to be a generic list of
> algorithms.
> The problem is that the list in draft-ietf-netconf-crypto-types could
> contain algorithms that are not suitable for IPsec (such as secp192r1 for
> key agreement), and right now it seems to lack some older algorithms that
> have fallen out of fashion (3DES) but are still needed in IPsec.
>
>
> All the algorithms in draft-ietf-netconf-crypto-types are defined as
> identities. If you do not find the algorithm you are looking for in the
> list of defined algorithms, you can go ahead and define your own in your
> own draft, using the same base identity from the ietf-crypto-types module.
>
>
>
> Questions to the YANG Doctor:
> 1. Is it better to list the IPsec-specific algorithms in
> draft-ietf-i2nsf-sdn-ipsec-flow-protection (which is a subset of
> draft-ietf-netconf-crypto-types)? Or to import all crypto algorithms, many of
> which are not relevant to IPsec? What is the common practice?
>
>
> Importing ietf-crypto-types does not mean you have to implement every
> algorithm listed in the module. You can import the module and choose to
> implement the algorithms you want to implement, including defining any new
> ones.
>
> 2. If we do import from draft-ietf-netconf-crypto-types, does it
> mean draft-ietf-i2nsf-sdn-ipsec-flow-protection cannot be published until
> draft-ietf-netconf-crypto-types is published?
>
>
> Yes. The i2nsf draft will hit the state of MISSREF in the RFC Editor
> queue. But that should not prevent anyone from starting implementation of
> the module. As a side note, the NETCONF WG is planning on sending the
> crypto-types draft to IESG shortly. What you do not want is to duplicate
> the definition of the algorithms in your own draft.
>
> HTH.
>
>
>
> Thank you very much,
>
> Linda & Yoav
>
> _______________________________________________
> yang-doctors mailing list
> yang-doctors@ietf.org
> https://www.ietf.org/mailman/listinfo/yang-doctors
>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
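
The mechanisms discussed in this thread, shown as an added illustration that is not part of the thread or of either draft: an identity derived from a shared base, a YANG 1.1 if-feature inside an identity, and the identityref leaf a client ends up probing. All module, identity and feature names are hypothetical, and the base identity is defined locally as a stand-in for one that would be imported from ietf-crypto-types.

```yang
module example-ipsec-algs {
  yang-version 1.1;
  namespace "urn:example:ipsec-algs";
  prefix exipsec;

  // Hypothetical stand-in for a base identity imported from
  // ietf-crypto-types; defined here so the module is self-contained.
  identity encryption-alg-base {
    description
      "Base for encryption algorithm identities.";
  }

  feature legacy-3des {
    description
      "The server implements 3DES for IPsec.";
  }

  // No if-feature: by the reading given in the thread, a server that
  // implements this module is expected to support this identity.
  identity aes-128-cbc {
    base encryption-alg-base;
    description
      "Constructed example of an unconditional algorithm identity.";
  }

  // YANG 1.1 allows if-feature inside an identity, so an older
  // algorithm can be made conditional on an advertised feature.
  identity triple-des-cbc {
    if-feature "legacy-3des";
    base encryption-alg-base;
    description
      "Constructed example of an algorithm defined locally because
       the shared list lacks it.";
  }

  container esp {
    leaf encryption-algorithm {
      // The schema admits every identity derived from the base; which
      // ones a server really accepts is only learned by setting it.
      type identityref {
        base encryption-alg-base;
      }
    }
  }
}
```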