Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt

Yoav Nir <ynir.ietf@gmail.com> Tue, 16 July 2019 17:30 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E155D120B08; Tue, 16 Jul 2019 10:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wj1ZmAPqJQQh; Tue, 16 Jul 2019 10:30:17 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B008120B03; Tue, 16 Jul 2019 10:30:17 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id k8so21139298edr.11; Tue, 16 Jul 2019 10:30:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=S7RpZ3jAfo8/B/KVVZeORSzwjjUzE+aTL5NVQ0UZmi4=; b=Btlxf/jf6IwAeD5XgR2gl0i7o3INdeH1KckddLTnswMfkY/UYhHw+ovsSQWz0mJpFn sKI+REMRpQx8hnJp4S4fGS4p07u0VlOrhYbjh3iIyhIo6YYH9yjrV1vNBM1rNXiYbb7Q 0mpVTnwMgKJFDDw0PHnguPRL+DDc2udD+igmMvJKUYfOJr2XTU7bXgxLN0RWkPDrsdaJ jlkQRbcNaVEkOYiROEp8fkk80umCBcetN3yQwG3RC3pcbvx29niex9sD7O2Sl+SoIgxF v1AkVmVMYgT4vEWAFrs1RBa3fLjoLM+VNkS+udob0IXI0Fa7CntpatoK7fYlmBavZpDe 2RyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=S7RpZ3jAfo8/B/KVVZeORSzwjjUzE+aTL5NVQ0UZmi4=; b=LbM23YrNRd7ct5YbOQcwXrXrr6+YRgtGMijErbtgfpylzVP4lrcZ20SkkwdAF951mx kWNhKqSXDpKbjSlWcKSSvQJsAo3e+APlaplJHeqgb9vN/IRhjlMsfGbs59QC7VtfDPtn pqBTCIfCbaAdbANsiyJxFnN9fH5IaTqatDJW9QtqkgiEHgPBds8SGRA1Jf7wR+3W0kmx wYEfjFn2VvvmxKb/UXpfYUPUWXol0bpFqSxK81fiTSNTfAbTfb9i+HI33655LL3uLDWP lkg5Xmxb3OS0k7h9n8UVqc21qG/G3uHobz90GVlh6HWbAtYM4Wo+/cMgSWS35zlFNbPg kgaA==
X-Gm-Message-State: APjAAAVXgqlnaFzpqJX8/Fe8P48q0OeAFcdmgtScz36JPzFGfcaKezFf 5AaPeoBoFSDmvYBrIteYGGk=
X-Google-Smtp-Source: APXvYqwheCvwCfz8j3JNlF0ysCVCMo+A/msC14Grgxo8BFaT1mZuMRAzfygLv7XahagmQzzaqM72TQ==
X-Received: by 2002:a50:b554:: with SMTP id z20mr30288328edd.296.1563298215457; Tue, 16 Jul 2019 10:30:15 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id g7sm6133295eda.52.2019.07.16.10.30.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Jul 2019 10:30:13 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <5758F23C-087D-49AB-87E0-FE7E0F6D15A1@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3BB12C0A-463C-4E2C-B445-F961C82A5059"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 16 Jul 2019 20:30:10 +0300
In-Reply-To: <4E36A715-3B6C-4BDF-A149-9E10574E3F96@um.es>
Cc: i2nsf@ietf.org, "ipsec@ietf.org WG" <ipsec@ietf.org>, =?utf-8?B?RmVybmFuZG8gUGVyZcOxw61ndWV6IEdhcmPDrWE=?= <fernando.pereniguez@cud.upct.es>, Gabriel Lopez <gabilm@um.es>, mbj@tail-f.com
To: Rafa Marin-Lopez <rafa@um.es>
References: <156253524318.473.14686910090362577746@ietfa.amsl.com> <4E36A715-3B6C-4BDF-A149-9E10574E3F96@um.es>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/c1zRoU5Yu7s_7ROxb9f5s-1Jojw>
Subject: Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 17:30:20 -0000

Thanks for getting this done and published.

We will wait with requesting publication until the I2NSF session next week.  Between now and then, please re-read the draft and send a message to the list is something is seriously wrong.

Barring any such shouting, we will request publication right after the meeting.

Thanks again,

Linda and Yoav

> On 16 Jul 2019, at 15:42, Rafa Marin-Lopez <rafa@um.es>; wrote:
> 
> Dear all:
> 
> We submitted a new version of the I-D (v05) where we have applied several changes. In the following you have a summary of the main changes, which we will expand/explain during our presentation: 
> 
> - We have dealt with YANG doctors’ review (Martin's)
> 
> - We have dealt with Paul Wouters’ comments and Tero’s comments.
> 
> - We have added more specific text in the descriptions.
> 
> - Notifications have a simpler format now since most of the information that contained in the past is already handled by the Security Controller.
> 
> - State data has been reduced. For example, in IKE case, most of the information is related with IKE and not with the specific details about IPsec SAs that IKE handles (after all, IKE can abstract this information from the Security Controller).
> 
> - We have included text in the security section to discuss about the default IPsec policies that should be in the NSF when it starts before contacting with the SC such as the IPsec policies required to allow traffic between the SC and the NSF.
> 
> - We have added a subsection 5.3.4 about NSF discovery by the Security Controller.
> 
> - In order to specify the crypto-algorithms we have used a simple approach by including an integer and adding a text pointing the IANA in the reference clause. For example:
> 
> typedef encryption-algorithm-type {
>            type uint32;
>            description 
>                "The encryption algorithm is specified with a 32-bit
>                number extracted from IANA Registry. The acceptable
>                values MUST follow the requirement levels for
>                encryption algorithms for ESP and IKEv2.";
>            reference 
>                 "IANA Registry- Transform Type 1 - Encryption
>                 Algorithm Transform IDs. RFC 8221 - Cryptographic
>                 Algorithm Implementation Requirements and Usage
>                 Guidance for Encapsulating Security Payload (ESP)
>                 and Authentication Header (AH) and RFC 8247 -
>                 Algorithm Implementation Requirements and Usage
>                 Guidance for the Internet Key Exchange Protocol
>                 Version 2 (IKEv2).";
>        }
> 
> - We have included three additional Annexes with examples in about the usage of the YANG model.
> 
> - We have performed pyang --lint --lint-ensure-hyphenated-names and pyang -f yang --yang-line-length 69 in our model without warnings.
> 
> Best Regards.
> 
>> Inicio del mensaje reenviado:
>> 
>> De: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>> Asunto: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
>> Fecha: 7 de julio de 2019, 23:34:03 CEST
>> Para: <i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>>
>> Cc: i2nsf@ietf.org <mailto:i2nsf@ietf.org>
>> Responder a: i2nsf@ietf.org <mailto:i2nsf@ietf.org>
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Interface to Network Security Functions WG of the IETF.
>> 
>>        Title           : Software-Defined Networking (SDN)-based IPsec Flow Protection
>>        Authors         : Rafa Marin-Lopez
>>                          Gabriel Lopez-Millan
>>                          Fernando Pereniguez-Garcia
>> 	Filename        : draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
>> 	Pages           : 81
>> 	Date            : 2019-07-07
>> 
>> Abstract:
>>   This document describes how providing IPsec-based flow protection by
>>   means of a Software-Defined Network (SDN) controller (aka.  Security
>>   Controller) and establishes the requirements to support this service.
>>   It considers two main well-known scenarios in IPsec: (i) gateway-to-
>>   gateway and (ii) host-to-host.  The SDN-based service described in
>>   this document allows the distribution and monitoring of IPsec
>>   information from a Security Controller to one or several flow-based
>>   Network Security Function (NSF).  The NSFs implement IPsec to protect
>>   data traffic between network resources.
>> 
>>   The document focuses on the NSF Facing Interface by providing models
>>   for configuration and state data required to allow the Security
>>   Controller to configure the IPsec databases (SPD, SAD, PAD) and IKEv2
>>   to establish Security Associations with a reduced intervention of the
>>   network administrator.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ <https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/>
>> 
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
>> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
>> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> _______________________________________________
>> I2nsf mailing list
>> I2nsf@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2nsf
> 
> -------------------------------------------------------
> Rafa Marin-Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
> -------------------------------------------------------
> 
> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf