IETF Logo Mail Archive

Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Christian Hopps <chopps@chopps.org> Tue, 22 September 2020 13:27 UTC

Return-Path: <chopps@chopps.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6A503A0DCA; Tue, 22 Sep 2020 06:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXqSfO7xQiYh; Tue, 22 Sep 2020 06:27:18 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 138933A074B; Tue, 22 Sep 2020 06:27:18 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 22D4A6020E; Tue, 22 Sep 2020 13:27:17 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <FE7633E2-624F-4E91-8BC1-66047EC87204@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_47034DC4-BD7D-4C84-95C1-B45CA7B6B2E5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Tue, 22 Sep 2020 09:27:15 -0400
In-Reply-To: <20200922.141953.1142814413326145014.id@4668.se>
Cc: Christian Hopps <chopps@chopps.org>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, gabilm@um.es, draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org, i2nsf@ietf.org, ipsec@ietf.org, last-call@ietf.org, yang-doctors@ietf.org
To: Martin Björklund <mbj+ietf@4668.se>
References: <159827985531.30993.17722282912726281276@ietfa.amsl.com> <D25A15B0-B714-407C-B119-F83B634099D4@chopps.org> <MN2PR11MB43668FA513A764EA0514790BB53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <20200922.141953.1142814413326145014.id@4668.se>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/jChm2e2kqLofuRvNan3FJxHViTk>
Subject: Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 13:27:21 -0000


> On Sep 22, 2020, at 8:19 AM, Martin Björklund <mbj+ietf@4668.se> wrote:
> 
> Hi,
> 
> Sorry I missed this question.
> 
> I think it probably can be solved; but see below.
> 
> 
> "Rob Wilton (rwilton)" <rwilton@cisco.com <mailto:rwilton@cisco.com>> wrote:
>> Hi draft authors, Chris,
>> 
>> Can we also please try and close on this issue raised by Chris.
>> 
>> Chris, I don’t think that there is any great way to solve this issue
>> using YANG features, but presumably the constraint could be enforced
>> with a must statement, or groupings could be used to copy parts of the
>> ipsec structure into an sdn specific ipsec tree structure.
>> 
>> I understand that there isn't any great desire to delay these drafts
>> by trying to generalize the ipsec YANG model contained within it.
>> However, I think that means that the modules should have "-sdn-" in
>> their names to indicate that they are intended specifically for the
>> SDN use case, and should not be confused with the more generic ipsec
>> YANG modules that have been proposed.
>> 
>> Regards,
>> Rob
>> 
>> 
>>> -----Original Message-----
>>> From: yang-doctors <yang-doctors-bounces@ietf.org> On Behalf Of
>>> Christian
>>> Hopps
>>> Sent: 24 August 2020 18:08
>>> To: Martin Björklund <mbj+ietf@4668.se>
>>> Cc: i2nsf@ietf.org; draft-ietf-i2nsf-sdn-ipsec-flow-
>>> protection.all@ietf.org; ipsec@ietf.org; last-call@ietf.org; yang-
>>> doctors@ietf.org
>>> Subject: Re: [yang-doctors] Yangdoctors last call review of
>>> draft-ietf-
>>> i2nsf-sdn-ipsec-flow-protection-08
>>> 
>>> [adding in ipsec@]
>>> 
>>> Hi,
>>> 
>>> This draft was discussed in ipsecme at the last IETF, and there was a
>>> desire to look closer at a couple changes that would make these models
>>> usable by ipsec generally rather than only for SDNs. Otherwise we will
>>> end
>>> up with 2 models that look very similar and duplicate almost all the
>>> functionality. This was going to be done during the next yang doctor
>>> review, but it looks like that happened in the meantime (ships in the
>>> night).
>>> 
>>> At minimum the module names should include "-sdn-" if no other changes
>>> are
>>> made to indicate that they are only for sdn use; however, this is not
>>> the
>>> optimal solution.
>>> 
>>> A better solution would be to move the containers currently under
>>> ikeless
>>> (for SA and Policy databases) under ipsec-common.
> 
> Are we talking about /ipsec-ikeless/spd and /ipsec-ikeless/sad?  If
> these are moved to another module, ipsec-ikeless becomes empty (if
> also the related notifs are moved).

It will still contain the notification, which is used for managing ikeless ipsec in the SDN controller case.

> 
> Why do you want to move them?  It is b/c they are under
> "ipsec-ikeless"?  If so, perhaps a simpler solution is to use another
> (more generic) name for the module and top-level container.

Yes, b/c IPsec always has an SA database (both ike or ikeless). The reason, according to the authors, it was not put in common and was only included in ikeless was b/c the authors felt that for SDNs the SDN controller didn't care about the SA database since IKE was managing it. That doesn't mean it doesn't exist, just that their use case didn't care, and didn't want to force people to implement the YANG for it if they only supported the IKE module for SDN use.

I don't see why the want to not implement the SA database YANG for SDN+IKE couldn't be handled with a feature (or some other YANG mechanism) instead and then have a more correct model organization

The problem is that this common ipsec module (and the ikeless and ike even) are easily augmented and usable by IPsec in general if the SA and policy database were moved to common and out of ikeless. The only other way to re-use it would be to augment a duplicate SA database under the IKE module, but there is only a single SA database on a server, so now we have 2 SA databases in YANG (under ikeless and ike namespaces) to represent the same SA database. It seems wrong to go this route since the change I was suggesting seems pretty trivial.

In my case we have an ipsec extension in development along with a YANG module (https://tools.ietf.org/html/draft-fedyk-ipsecme-yang-iptfs-00) that want's to augment the SA database (for operational state like packet counters among other things), but of course we want this to be for IKE and IKE-less -- in particular IKE is the vastly common use case for IPsec.

Thanks,
Chris.

> 
> If they are moved to ietf-ipsec-common, an implementation that
> implements ietf-ipsec-ike can still import ietf-ipsec-common, but
> choose to not implement it (it will show up as an 'import-only-module'
> in yang library).
> 
> 
> /martin
> 
> 
>>> The feedback I received from the authors was that the SDN controllers
>>> didn't care about the actual SAs and policies when using IKE so they
>>> didn't want to require someone implementing ike+common modules to have
>>> to
>>> support them.
>>> 
>>> The YANG question I suppose is, is there an easy way to move these
>>> containers from ipsec-ikeless to ipsec-common, but still allow for
>>> them to
>>> be empty and/or unimplemented for the SDN IKE use case? If they were
>>> made
>>> features, is there a proper YANG way to indicate that if the ikeless
>>> module is present then those features must also be supported thus
>>> matching
>>> the functionality as defined by the current draft?
>>> 
>>> Thanks,
>>> Chris.
>>> 
>>> 
>>> 
>>>> On Aug 24, 2020, at 10:37 AM, Martin Björklund via Datatracker
>>> <noreply@ietf.org> wrote:
>>>> 
>>>> Reviewer: Martin Björklund
>>>> Review result: Ready with Nits
>>>> 
>>>> I did an early YANG Doctor's review of this draft.  Most of my
>>>> comments then have been addressed in this version.
>>>> 
>>>> Comments:
>>>> 
>>>> o  As I wrote in my early review, the RFC editor enforces a common
>>>>  format of YANG modules, so it is better to adhere to this format
>>>>  before sending the draft to the RFC editor.  Use
>>>> 
>>>>    pyang -f yang --yang-line-length 69 <FILE>
>>>> 
>>>>  to get a consistent look-and-feel for your module.
>>>> 
>>>>  (You will have to manually re-flow description statements after
>>>>  this.)
>>>> 
>>>> 
>>>> o  There are some leafs that are optional in the model, but w/o a
>>>>  default value and w/o an explanation of what happens if that leaf
>>>>  is not set.  You should find those and either make them mandatory,
>>>>  add a default value, or explain what it means when it isn't set.
>>>>  As an example,
>>>>  /ipsec-ike/pad/pad-entrypeer-authenticatin/pre-shared/secret
>>>>  is optional.  I suspect that this leaf needs to be mandatory.
>>>>  Another example is the leaf espencap.
>>>> 
>>>> 
>>>> /martin
>>>> 
>>>> 
>>>> _______________________________________________
>>>> yang-doctors mailing list
>>>> yang-doctors@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/yang-doctors

v2.23.0 | Report a Bug | By Email