Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

"Rob Wilton (rwilton)" <rwilton@cisco.com> Tue, 22 September 2020 15:38 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Rafa Marin-Lopez <rafa@um.es>
CC: Christian Hopps <chopps@chopps.org>, Gabriel Lopez <gabilm@um.es>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, Martin Björklund <mbj+ietf@4668.se>
Date: Tue, 22 Sep 2020 15:38:45 +0000
Message-ID: <MN2PR11MB4366E30B3C372D13B391AE07B53B0@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <159827985531.30993.17722282912726281276@ietfa.amsl.com> <D25A15B0-B714-407C-B119-F83B634099D4@chopps.org> <MN2PR11MB43668FA513A764EA0514790BB53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <27C522C8-53E3-40EF-ADD7-5B2F84FFCF83@um.es>
In-Reply-To: <27C522C8-53E3-40EF-ADD7-5B2F84FFCF83@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/krPMrPJ8RSOaFH4fmYbiNgpbhxo>

Hi Rafa,

Thanks for getting back to me.

Yes, changing the name of the module is an okay, if not ideal, resolution.  But I appreciate that you also want to be done with this work.

But I would like to check:  My understanding is that the changes that Chris is proposing are pretty small.  I.e. move the SA structure under ipsec-common, and put it under a YANG feature.  Are you sure that it is impractical to accommodate this change which would allow a single ipsec module to be shared and extended via YANG augmentations?

Thanks,
Rob


From: Rafa Marin-Lopez <rafa@um.es>
Sent: 22 September 2020 14:05
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: Rafa Marin-Lopez <rafa@um.es>; Christian Hopps <chopps@chopps.org>; Gabriel Lopez <gabilm@um.es>; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org; i2nsf@ietf.org; ipsec@ietf.org; last-call@ietf.org; yang-doctors@ietf.org; Martin Björklund <mbj+ietf@4668.se>
Subject: Re: [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Dear Rob:

Apologies for our delayed answer. We are now working on the revision, to submit v09, compiling all the comments.

As you mentioned, we want to avoid any further delay. As we mentioned to Chris in the past (i2nsf mailing list), we do not have any problem including some additional text (e.g. "-sdn-" in the module names). Therefore, Rob, we agree with your point of view about this.

In summary, we are working on the next revision v09, and our idea to address Chris' comments was to include -sdn- in the module names.

We hope this is fine.

Best regards.


On 22 Sep 2020, at 13:56, Rob Wilton (rwilton) <rwilton@cisco.com> wrote:

Hi draft authors, Chris,

Can we also please try and close on this issue raised by Chris?

Chris, I don’t think that there is any great way to solve this issue using YANG features, but presumably the constraint could be enforced with a must statement, or groupings could be used to copy parts of the ipsec structure into an sdn specific ipsec tree structure.

I understand that there isn't any great desire to delay these drafts by trying to generalize the ipsec YANG model contained within it.  However, I think that means that the modules should have "-sdn-" in their names to indicate that they are intended specifically for the SDN use case, and should not be confused with the more generic ipsec YANG modules that have been proposed.

Regards,
Rob



-----Original Message-----
From: yang-doctors <yang-doctors-bounces@ietf.org> On Behalf Of Christian Hopps
Sent: 24 August 2020 18:08
To: Martin Björklund <mbj+ietf@4668.se>
Cc: i2nsf@ietf.org; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org; ipsec@ietf.org; last-call@ietf.org; yang-doctors@ietf.org
Subject: Re: [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

[adding in ipsec@]

Hi,

This draft was discussed in ipsecme at the last IETF, and there was a
desire to look closer at a couple changes that would make these models
usable by ipsec generally rather than only for SDNs. Otherwise we will end
up with 2 models that look very similar and duplicate almost all the
functionality. This was going to be done during the next yang doctor
review, but it looks like that happened in the meantime (ships in the
night).

At a minimum the module names should include "-sdn-" if no other changes are
made, to indicate that they are only for sdn use; however, this is not the
optimal solution.

A better solution would be to move the containers currently under ikeless
(for SA and Policy databases) under ipsec-common.

The feedback I received from the authors was that the SDN controllers
didn't care about the actual SAs and policies when using IKE so they
didn't want to require someone implementing ike+common modules to have to
support them.

The YANG question I suppose is, is there an easy way to move these
containers from ipsec-ikeless to ipsec-common, but still allow for them to
be empty and/or unimplemented for the SDN IKE use case? If they were made
features, is there a proper YANG way to indicate that if the ikeless
module is present then those features must also be supported thus matching
the functionality as defined by the current draft?

Thanks,
Chris.




On Aug 24, 2020, at 10:37 AM, Martin Björklund via Datatracker <noreply@ietf.org> wrote:


Reviewer: Martin Björklund
Review result: Ready with Nits

I did an early YANG Doctor's review of this draft.  Most of my
comments then have been addressed in this version.

Comments:

o  As I wrote in my early review, the RFC editor enforces a common
 format of YANG modules, so it is better to adhere to this format
 before sending the draft to the RFC editor.  Use

   pyang -f yang --yang-line-length 69 <FILE>

 to get a consistent look-and-feel for your module.

 (You will have to manually re-flow description statements after
 this.)


o  There are some leafs that are optional in the model, but w/o a
 default value and w/o an explanation of what happens if that leaf
 is not set.  You should find those and either make them mandatory,
 add a default value, or explain what it means when it isn't set.
 As an example,
 /ipsec-ike/pad/pad-entry/peer-authentication/pre-shared/secret
 is optional.  I suspect that this leaf needs to be mandatory.
 Another example is the leaf espencap.


/martin
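As an added example (not the draft's own ietf-i2nsf-ipsec-common / ietf-i2nsf-ikeless modules, and not written by any participant in this thread), the two sketches below show in YANG the points discussed above: the SA database placed in the common module behind a feature and a reusable grouping (Rob's proposal), the ikeless module tied to that feature with a prefixed if-feature (the closest YANG gets to Chris's "if ikeless is present those features must also be supported"), Rob's grouping-based alternative, and Martin's three remedies for optional leafs (mandatory, default, or a description stating what absence means). Every module name, namespace, prefix and node name here is an assumption chosen for illustration.

```yang
// Added example; module names, namespaces and node names are placeholders,
// not the draft's. Each module would normally live in its own .yang file.

module example-ipsec-common {
  yang-version 1.1;
  namespace "urn:example:ipsec-common";   // placeholder namespace
  prefix ic;

  feature sad {
    description
      "The server implements the Security Association Database (SAD).
       A server whose SAs are negotiated by IKE under SDN control
       may leave it unimplemented.";
  }

  grouping sad-entries {
    description
      "SA structure kept in the common module so that other modules
       can reuse it with 'uses'.";
    list sad-entry {
      key "name";
      leaf name {
        type string;
      }
      leaf spi {
        type uint32;
        mandatory true;   // an SA without an SPI is meaningless: mandatory
        description
          "Security Parameter Index of this SA.";
      }
      leaf esp-encap {
        type enumeration {
          enum none;
          enum udp;
        }
        default "none";   // optional with a default: absence is well-defined
        description
          "Encapsulation applied to ESP packets of this SA.";
      }
      leaf lifetime-seconds {
        type uint32;
        // optional, no default, but the description says what absence means
        description
          "Hard lifetime of the SA in seconds. If not set, the SA has no
           time-based lifetime and is only replaced explicitly.";
      }
    }
  }

  container ipsec-common {
    container sad {
      if-feature "sad";   // nodes exist only on servers advertising the feature
      uses sad-entries;
    }
  }
}

module example-ipsec-ikeless {
  yang-version 1.1;
  namespace "urn:example:ipsec-ikeless";  // placeholder namespace
  prefix ikl;

  import example-ipsec-common {
    prefix ic;
  }

  // YANG has no statement meaning "this module requires feature X of
  // module Y". The nearest equivalent is to gate the whole ikeless tree
  // on the imported feature: a server that does not advertise 'ic:sad'
  // then has no ikeless nodes at all, so wherever ikeless is usable the
  // SAD is present too.
  augment "/ic:ipsec-common" {
    if-feature "ic:sad";
    container ikeless {
      description
        "Configuration specific to the IKE-less (controller-managed SA) case.";
      leaf controller-manages-sad {
        type boolean;
        default "true";
      }
    }
  }

  // Rob's alternative: copy the SA structure into an SDN-specific subtree
  // with the shared grouping. This avoids the feature dependency at the
  // cost of a second, near-identical subtree (the duplication Chris
  // wants to avoid).
  container sdn-ipsec {
    container sad {
      uses ic:sad-entries;
    }
  }
}
```

Put each module in its own file and run `pyang --lint -p . example-ipsec-ikeless.yang` with the common module on the path to check that the prefixed feature reference and the grouping resolve. Rob's third idea, a `must` on the ikeless container that refers to `/ic:ipsec-common/ic:sad` nodes, is stricter than the feature gate shown: it would make ikeless data fail validation on a server that implements the SAD but leaves it empty, which is not what the SDN IKE case wants.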




-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------