IETF Logo Mail Archive

Re: [I2nsf] Last Call: <draft-ietf-i2nsf-sdn-ipsec-flow-protection-08.txt> (Software-Defined Networking (SDN)-based IPsec Flow Protection) to Proposed Standard

Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es> Tue, 22 September 2020 05:18 UTC

Return-Path: <fernando.pereniguez@cud.upct.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2543A1400; Mon, 21 Sep 2020 22:18:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=upct.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4YMZ6ybHBYY; Mon, 21 Sep 2020 22:18:47 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20059.outbound.protection.outlook.com [40.107.2.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A42683A139A; Mon, 21 Sep 2020 22:18:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=I9BKuUQf3In5TL1DTyhU0FFSQimZQZ0i2os6EBfmDRqB6iAYMA7/8Z4Di78HM23cK5py5z0+130nuDceLy6hti9kfrMpear6bbTlfD0JJ2K4GRDTV8nfyEh3lG9wB8S3+7mJDzBRSyoCmS6LBmso5/II/CHPlm2np1W9nLNKXxOiN3mNTt4gyg4cK87HMNCRqqzC0jQ8sKVb1GqS4yHgCyiufp4INn9dzGtkEtfv9EATbeXIeQPwbmqWm0YKoJpkarWX8rBVU1xEPGDZdx3NFhzFGDie6O9JcVOlxlkLrzqlD6urer+XRz+ZwR5Si8PUrppTr6xVBtSVbczMly9C5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=073fq2fukmQxseTNiAYtnxsd6ejQf0XOo42KLYvEBbU=; b=P+8FPa55Gn8dJXhw+vhvEARJNfQao4fVUof4MTV5JEmkz6/OhIcQV5TsGgGyglhZubQptFtzTeVYHIAyAxCFKeEsGFdRY7EiZR4QJ/Y1Q//Uca0xn8Sfcac3q2jc7WCm+wvYgCmHU6gk/5k3BZCQW5RBhwbjfS2EYrY9aoZ4PZkhsl+EleN2Js46tZJt5u54KoA1o3gNT+efp2I8UsmRiNRnx3R1+ZF+FVK05hwIXOOdGuYzMtVK+xMOQ570tLl8vl4wDzltLSdNz9pu8WFiG50ixMpJZKj7Gx5YqjtatK/1SHXDpKy72qLmaGowi8SdkOOn4MAh8cckKMOjMmjBXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cud.upct.es; dmarc=pass action=none header.from=cud.upct.es; dkim=pass header.d=cud.upct.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=UPCT.onmicrosoft.com; s=selector2-UPCT-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=073fq2fukmQxseTNiAYtnxsd6ejQf0XOo42KLYvEBbU=; b=PLsHx4XpgYqsyqwTHRRRv1d9L5eNJqkwZEE8SQEq6qljxjf+V6u1C0xQRRP28kBNe9Hgz+PJ/kxW2+wve1Jzdgdtp6Zh5SX/XvOTWnteTB12Yyubc3v54FrJGvSt6+0Kgif/O14mt80aj8rqkheahlvHNL58h9DveIfzbP1hA6I=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cud.upct.es;
Received: from AM6PR08MB4936.eurprd08.prod.outlook.com (2603:10a6:20b:eb::14) by AM7PR08MB5319.eurprd08.prod.outlook.com (2603:10a6:20b:dc::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.15; Tue, 22 Sep 2020 05:18:39 +0000
Received: from AM6PR08MB4936.eurprd08.prod.outlook.com ([fe80::ed14:ea08:3412:88eb]) by AM6PR08MB4936.eurprd08.prod.outlook.com ([fe80::ed14:ea08:3412:88eb%6]) with mapi id 15.20.3391.024; Tue, 22 Sep 2020 05:18:38 +0000
X-Gm-Message-State: AOAM533l2BQzIZAeM5EMpyN/ESL2741jverzGIQvpn28UnGiqFuSCXVL UiJij/UocsWvptjHVytPLNDeKa9LhK1tpUMd2/s=
X-Google-Smtp-Source: ABdhPJzGfgWxs4N1UcionYJ1qPg7ndtyesSI5EhM4WOSUF6SmPo8YYayiFzv2Ic1VsL/xgHm5KIRDVsNH1NXvfFY/uY=
X-Received: by 2002:a05:6402:17b1:: with SMTP id j17mr1791713edy.253.1600751915509; Mon, 21 Sep 2020 22:18:35 -0700 (PDT)
References: <5F44E66D.6080408@btconnect.com>
In-Reply-To: <5F44E66D.6080408@btconnect.com>
From: Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>
Date: Tue, 22 Sep 2020 07:17:00 +0200
X-Gmail-Original-Message-ID: <CAB=gXc6UmJm4cUi2eFqVjvy2MgpMvCupnHKwAju50WvNfs2n6g@mail.gmail.com>
Message-ID: <CAB=gXc6UmJm4cUi2eFqVjvy2MgpMvCupnHKwAju50WvNfs2n6g@mail.gmail.com>
To: tom petch <daedulus@btconnect.com>
Cc: LAST-CALL@ietf.org, i2nsf@ietf.org, Roman Danyliw <rdd@cert.org>, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, i2nsf-chairs@ietf.org, "ipsec@ietf.org WG" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004c302605afe01947"
X-ClientProxiedBy: AM0P190CA0030.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:190::40) To AM6PR08MB4936.eurprd08.prod.outlook.com (2603:10a6:20b:eb::14)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from mail-ed1-f47.google.com (209.85.208.47) by AM0P190CA0030.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:190::40) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.14 via Frontend Transport; Tue, 22 Sep 2020 05:18:38 +0000
Received: by mail-ed1-f47.google.com with SMTP id n13so14901524edo.10; Mon, 21 Sep 2020 22:18:38 -0700 (PDT)
X-Gm-Message-State: AOAM533l2BQzIZAeM5EMpyN/ESL2741jverzGIQvpn28UnGiqFuSCXVL UiJij/UocsWvptjHVytPLNDeKa9LhK1tpUMd2/s=
X-Google-Smtp-Source: ABdhPJzGfgWxs4N1UcionYJ1qPg7ndtyesSI5EhM4WOSUF6SmPo8YYayiFzv2Ic1VsL/xgHm5KIRDVsNH1NXvfFY/uY=
X-Received: by 2002:a05:6402:17b1:: with SMTP id j17mr1791713edy.253.1600751915509; Mon, 21 Sep 2020 22:18:35 -0700 (PDT)
X-Gmail-Original-Message-ID: <CAB=gXc6UmJm4cUi2eFqVjvy2MgpMvCupnHKwAju50WvNfs2n6g@mail.gmail.com>
X-Originating-IP: [209.85.208.47]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 9f8bbb57-6149-4466-2fb9-08d85eb6f635
X-MS-TrafficTypeDiagnostic: AM7PR08MB5319:
X-Microsoft-Antispam-PRVS: <AM7PR08MB5319C47D643EB6FF5283D63DB13B0@AM7PR08MB5319.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:989;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: EfZ/OymFUF2/zbvuuj2X/4EFOscTXv8YkSTQOAgjyVVVqrtdLgguHB9je8SppiKCoooOATHcoDWlX/NfT62PtUmpjQm2F3+hmCHvXMBL2ETk95AjkdkTHVrreNP3Q/MxtEASg05NALWYBddHdrfe9tdDsJ1eZqXNolJ2x4OjpeoyRYNaWe//+rRL4xNh0dwoPkU2/jqjXpmf/Up/4VV2O/LXzWGtYFl/J1e83b6VQTLBXK9qLPfWD3upaASFw9f7Qxs7kdLf91X6U1K1DzVFlF8MzlVb0ZLoOGmf388KSjy4DIHaG9upe4wMZJFu4r0vqzJaSdvVmdrAyyYHdRg2DQmGg6/bVqB0AzjfBHiPchalR9XGT1CahT06BfoXkrNpjLn90+Xvh4etMZ9AbrOUHA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB4936.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(39840400004)(366004)(376002)(346002)(396003)(136003)(85182001)(66946007)(6862004)(55446002)(8676002)(86362001)(33964004)(26005)(66556008)(186003)(6666004)(52116002)(5660300002)(450100002)(83380400001)(54906003)(9686003)(316002)(66574015)(66476007)(2906002)(42186006)(8936002)(478600001)(85202003)(966005)(166002)(4326008)(786003)(30864003); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: XqN5T3M4SOa7v6+uZginCJKNYW1ljXF4kxUZ139L8mjMzkD3ZO7heAogYvnlvlo3cI6nUhciGxj2K+g1RHMHF1fQ2K4o0Js7r1UpIOLc4S1w4DRmJMDyzuJ2tCPwofZ5glL4v2u552C/026uHJDPSyIQs/7oNglp++J5odkMiwDzTy6djaApkM3QMjVyvapkUy1IhDvBnnTPa/prxLEnXtY/bhISGGjgQJzmQht9I/SCltNPNMKbbmP6xX1w4hXWJ/1w0nG5psvPmv3wN4Z/T/YPwGuG+Avenu17dOtJQHhNiZdwT05e4JrGdYc0/fa42PnIwHjoz7rmfsiT2ADI3OKbfiGmX+CY7NZhP0L/7aPpLW1E66emJW4esXA6TKmobotvUM/3PbA7Nr1VWmxQqxNvW6wBPMqhVMH3OQt8dZd/p0uqxHELLUwwu9ESKEVymKzkt1goqAd7WSMuiJrcmy9Qmap3gTl3NBkaEqNsvj9q7P/+w7OE4F3s+Mul0cHsFptejk1D/TlnxQVcZdKSKGE11l8dQr45WHxKUSD5aTEQq9sBh048r5mgPwhj51dyYDQ/p9fNU/nL9M5KVkomomUQZmuHlD4VZu5RC6AB5He5/2aXnEst7oWTruUEZMQ3xKjjPGwUfhQ0aqdHMOmuig==
X-OriginatorOrg: cud.upct.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f8bbb57-6149-4466-2fb9-08d85eb6f635
X-MS-Exchange-CrossTenant-AuthSource: AM6PR08MB4936.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Sep 2020 05:18:38.7430 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 967e1b81-5cf6-4b03-bb60-d71bf48069f9
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: pm27Sxq6zZAgYhemUByrhGKhNNp5ym+8YP5xL8sglUkF+XE6/XdYokl+KgiP+q1fnAE7p2yaVc+trSgQYzG+DG9maUxmYQFb7WuF2yc0a4c=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR08MB5319
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/jdIm0PUzLTGrkblWUEgafcNZD6s>
Subject: Re: [I2nsf] Last Call: <draft-ietf-i2nsf-sdn-ipsec-flow-protection-08.txt> (Software-Defined Networking (SDN)-based IPsec Flow Protection) to Proposed Standard
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 05:18:59 -0000

Hi Tom,

Thanks for your feedback and help. We are working to address your comments
in the next version of the draft (v09).
Please, see our answers below, identified with the tag  "[Authors]".

El mar., 25 ago. 2020 a las 12:23, tom petch (<daedulus@btconnect.com>)
escribió:

> Looking at the YANG module from a different perspective from that of a
> YANG Doctor or a IPsec WG Chair, there is quite a lot of editing needed.
>
> '2019' appears 10 times and I suspect most should be 2020; one is an
> import by revision which is uncommon because of potential, future,
> compatibility problems.
>
>
*[Authors]* Fixed. The import by revision has been removed.


> Conventionally, Appendices are Informative and YANG modules are
> Normative so if you want the modules to be Normative,I suggest adding to
> Appendices A, B, C
> 'This Appendix is Normative.'
>
>
*[Authors]* Added this text to clarify the normative nature of Appendices.


> YANG is version 1.1 so RFC7950 is required.  I suggest adding [RFC7950]
> to YANG in the Introduction.


*[Authors]* Added RFC7950 and a brief text clarifying we are using YANG 1.1.


> For IANA considerations, RFC6020 is the
> better reference.
>

*[Authors] *We do not understand this comment. The IANA considerations
section has been written following the guidelines provided in RFC 8407
(section 3.8). Consequently, the current text references RFC 6020 when
registering the YANG modules names. The current IANA review state is "IANA
OK - Actions Needed", meaning that the IANA Considerations section
indicates the details of the actions correctly.


>
> NMDA[RFC8342] conformance should be stated as appropriate
>
>
*[Authors]* Clarification added in the introduction.


> YANG'import' need a reference; I see five without
>

*[Authors]* Fixed.


>
> Tree Diagrams need explaining - RFC8340 does that
>

*[Authors]* We will include new text at the end of sections 6.1 and 6.2,
explaining the type of information and how it is structured for each
module.


>
> 'revision' should be 'Initial version' at this stage with a reference to
> this I-D's title
>

*[Authors] *Fixed.


>
> Lots of references - good - but they need to appear in the I-D
> References, mostly, probably, Normative.  I see no I-D Reference for
> 822 - ood 2821?
> 2247 -
> 3280 - ood 5280?
> 3947 -
> 4303 -
> 5280 -
> 5915 -
> 7383 -
> 7427 -
> 7619 -
> 8017 -
> 8174 -
> 8221 -
>
> X.690
>
> I-D Common YANG Data Types for Cryptography
>
> IANA Registry Internet Key Exchange Version 2 Parameters
> IANA Registry- Transform Type 1
> IANA Registry- Transform Type 3
> IANA Registry Protocol Numbers
>
>
*[Authors] *Thanks for pointing out this. We have thoroughly revised all
yang data models to identify missing references.


> and they will each need a reference from the body of the I-D such as
> 'The YANG modules make reference to [RFC2247], ....
>
>
*[Authors]* At the beginning of Appendix A, B and C, we have included a
citation to the normative and informative references.


> I note that RFC822 and RFC3280 are Obsoleted which makes their use
> problematic.
>
>
*[Authors]*  Following your recommendation, we have replaced RFC 3280 with
RFC 5280. Regarding RFC 822, we reference it because the IKEv2 protocol
specification (RFC 7296) explicitly defines RFC 822 emails address (see
page 90) as a valid identification type. If we replace RFC 822 with RFC
2821, we don't know its impact on IKEv2.


> s.8.3
> /The YANG module/The YANG modules/
>
>
*[Authors]* Fixed.


> IANA Considerations
> The Registrant contact is usually the IESG
>

*[Authors] *Ok, updated.


>
> The prefix registered for ipsec-common is not the same as appears in
> Appendix A
>

*[Authors]* Fixed. Now the prefix registered in the declaration of module
ietf-ipsec-common is "ic".


>
> For the Web address, it is unusual to have '/about'
>
>
*[Authors]* Fixed.


> grouping port-range
> with a range, it is usual to specify how a single address is specified,
> e.g. the absence of 'end' or 'start'='end' and for a YANG must to
> require end>start or end>=start as appropriate.  The use of key 'start
> end' implies that 'start' and 'end' must both be present.
>
>
*[Authors]* Thanks for your comment. We have updated the description
associated to "leaf end" with the following text:




*End port number. The assigned value must be                      equal or
greater than the start port number.                      To express a
single port, set the same value                     as start and end.*


>
> Tom Petch
>

Best regards,
Fernando.


>
> The IESG has received a request from the Interface to Network Security
> Functions WG (i2nsf) to consider the following document: -
> 'Software-Defined
> Networking (SDN)-based IPsec Flow Protection'
>    <draft-ietf-i2nsf-sdn-ipsec-flow-protection-08.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2020-09-04. Exceptionally, comments
> may
> be sent to iesg@ietf.org instead. In either case, please retain the
> beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>     This document describes how to provide IPsec-based flow protection
>     (integrity and confidentiality) by means of an I2NSF Controller.  It
>     considers two main well-known scenarios in IPsec: (i) gateway-to-
>     gateway and (ii) host-to-host.  The service described in this
>     document allows the configuration and monitoring of IPsec information
>     from a I2NSF Controller to one or several flow-based Network Security
>     Function (NSF) that implement IPsec to protect data traffic.
>
>     The document focuses on the I2NSF NSF-Facing Interface by providing
>     YANG data models for configuration and state data required to allow
>     the I2NSF Controller to configure the IPsec databases (SPD, SAD, PAD)
>     and IKEv2 to establish IPsec Security Associations with a reduced
>     intervention of the network administrator.
>
>
>
>
> The file can be obtained via
>
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-announce
>


-- 
----------------------------------------------------------------------------------------------------
Fernando Pereñíguez García, PhD
Department of Sciences and Informatics
University Defense Center, (CUD), Spanish Air Force Academy, MDE-UPCT
C/ Coronel Lopez Peña, s/n, 30720, San Javier, Murcia - SPAIN
Tel: +34 968 189 946 Fax: +34 968 189 970
------------------------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email