IETF Logo Mail Archive

[I2nsf] Reviewing sdn-ipsec-flow-protection

Yoav Nir <ynir.ietf@gmail.com> Thu, 08 November 2018 16:11 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C247128766 for <i2nsf@ietfa.amsl.com>; Thu, 8 Nov 2018 08:11:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23V0JHvvZ6t7 for <i2nsf@ietfa.amsl.com>; Thu, 8 Nov 2018 08:11:13 -0800 (PST)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49260129619 for <i2nsf@ietf.org>; Thu, 8 Nov 2018 08:11:13 -0800 (PST)
Received: by mail-pl1-x635.google.com with SMTP id o19-v6so9728216pll.12 for <i2nsf@ietf.org>; Thu, 08 Nov 2018 08:11:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:message-id:date:cc:to; bh=NQ/AfYqqvNEQoKJfaK/9HYhvmRT8UXLX2Y7HrmS0q/Y=; b=PhvXYTLfnEUn2S6A7L2JY/gBpLh2q2qekK3pv15HY7GxaAekHSHWWaCcCyHAHpa/F0 q7rdH1cqdl40bOEiKig7j6z2vfj/KojLU+hZH45S65eJMRgay/04dvgIOFIVhH6EUmdA 8iiOX5n8bF6f1X4CjllRZDKAjd+X5ZntRWPPq3Dnus8B5JehR2yd/2RmjGnlAUZTuCxJ OkVyhw1oLY5JhquVzZv2o+QnAzx70iQgOKxQVvLGrkT5sPK+tMuedYeHD3yLkCsfMjUj DkAu6Udini3lEYcxMRmIUCd9ooYfLwIT/AcPCEV0x2KpeynhWfqn7IHIoS9zSKPMkvrq hlyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:cc:to; bh=NQ/AfYqqvNEQoKJfaK/9HYhvmRT8UXLX2Y7HrmS0q/Y=; b=mI2SGkLX2vyk8JFD89Fs1BNvcNUBwtXTgMUgluKcGSfxQAFRkDSs8dw6z4tipOstWG 76kJUSqQnRy2+/Lb6g2c0mGwiTXMlOrWpPF6jQYuMalclk5QfiD4wqYwHr1GPtO/rn2x zQz62e4ovoBU34NuxaKQ9tDoWVUnyaDjtOqspZbQJMAgRUB4lmTOWJ5LrIdtOxXJbvko kSPHyrPIOy/H9ID4ZBeSXwmAlSRUelrqrWYSc8+FELIM7E+CI2lwVvWhnIN8AirRqsxK ESlX8NR1iBdGq+g/mmswHxGEOLc58b2LJYClZ5YU6XPWc0/POgbJ3mo3mYAuUgEpXlTo sz0Q==
X-Gm-Message-State: AGRZ1gIdZwnpfO0i+pLqCfPEdPLB6HkKEXXKnMF5t4GSK0eXqmQtTg0i HqQb3vbU6D7wB8t545W75rZ+2qnp
X-Google-Smtp-Source: AJdET5cEqoDknWbOADU/wJpfpZ1lNo5cKOnX3ZfiTinU2AXjv2/ntHWY5PHib9EnRSGr6qltaZ/X0Q==
X-Received: by 2002:a17:902:9b83:: with SMTP id y3-v6mr4989540plp.113.1541693472537; Thu, 08 Nov 2018 08:11:12 -0800 (PST)
Received: from ?IPv6:2001:67c:1232:144:2004:fbb8:d091:45b6? ([2001:67c:1232:144:2004:fbb8:d091:45b6]) by smtp.gmail.com with ESMTPSA id r8-v6sm6138112pfk.157.2018.11.08.08.11.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Nov 2018 08:11:11 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A6DB9540-B885-4554-BA35-D9B2DD90100F"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Message-Id: <A881C135-9BF7-4E93-BB7A-75EB3D1FF605@gmail.com>
Date: Thu, 08 Nov 2018 23:11:09 +0700
Cc: Paul Wouters <paul@nohats.ca>
To: i2nsf@ietf.org
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/_Fhezgs-F9ZY4JJWIQD0SvuDUXc>
Subject: [I2nsf] Reviewing sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 16:11:16 -0000

Hi, all

As discussed in the room, we need some reviewers for the sdn-ipsec-flow-protection draft ([1])

While any comments on any part of the document are welcome, I would like people to concentrate on the following issues:
The YANG model in Appendix A
Some of the crypto seems obsolete (example: DES). We would get into trouble in SecDir review.  OTOH ChaCha20-Poly1305 is missing..
Some of the modes are obsolete (BEET)
KINK & IKEv1
The YANG model in Section 6
I think there’s a bit of TMI in there:  Not all fields in an IPsec implementation need to be sent from the controller (SA state, like “larval")
The interaction between Controller and NSF
There’s no way for the controller to retrieve NSF capabilities. What if the NSF does not implement rc5?  It’s fine if we say that the Controller knows in advance what the capabilities of each NSF are, but it should be stated.
ISTM like the Controller sends the private key and the certificate to the NSF. While this is a possible model, it is also quite common for private keys to be generated in the NSF and never leave the cryptographic boundary. I think this should be at least allowed.

Thanks to Paul Wouters and two others who volunteered to review. Substantive reviews will be rewarded with a beer in Prague.

Yoav

[1] https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 <https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-03>

v2.23.0 | Report a Bug | By Email