IETF Logo Mail Archive

Re: [I2nsf] Fwd: [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

Rafa Marin-Lopez <rafa@um.es> Wed, 28 October 2020 10:42 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C803A0820; Wed, 28 Oct 2020 03:42:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOSKEo5NUe8U; Wed, 28 Oct 2020 03:42:28 -0700 (PDT)
Received: from mx01.puc.rediris.es (outbound6mad.lav.puc.rediris.es [130.206.19.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E123A0879; Wed, 28 Oct 2020 03:42:27 -0700 (PDT)
Received: from xenon44.um.es (xenon44.um.es [155.54.212.171]) by mx01.puc.rediris.es with ESMTP id 09SAgNPt004918-09SAgNPu004918; Wed, 28 Oct 2020 11:42:24 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon44.um.es (Postfix) with ESMTP id E0C1E20737; Wed, 28 Oct 2020 11:42:23 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon44.um.es
Received: from xenon44.um.es ([127.0.0.1]) by localhost (xenon44.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id yoZzTUL1emfR; Wed, 28 Oct 2020 11:42:23 +0100 (CET)
Received: from [192.168.1.33] (135.red-79-150-250.dynamicip.rima-tde.net [79.150.250.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon44.um.es (Postfix) with ESMTPSA id 05DBE20706; Wed, 28 Oct 2020 11:42:20 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1422706B-31A7-438B-91FF-96852D1AD868"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Wed, 28 Oct 2020 11:42:19 +0100
In-Reply-To: <5F9815D1.9010303@btconnect.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, i2nsf@ietf.org, Gabriel Lopez <gabilm@um.es>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, last-call@ietf.org, ynir.ietf@gmail.com
To: tom petch <daedulus@btconnect.com>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.171, helo=xenon44.um.es, mailFrom=rafa@um.es
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.171 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM, 2:15:1:upct.es
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=SvT8rdrIJaIw+3103dMqkE4CMMAoD6sFaafZjpjPExY=; b=WeMAYRXNAh/irOewEuIpcYpf9lfarEfNKsS8OUUTwqbNett5luFTOwdoK2QTUrmamk8TNeN4si6E P/T/12EsROObvL/jkXy8YYkSNRLvSW4B0kRULm4gTRkawDCFpOcZbZKkOt0Xv0YdYeTJXxqnnt6k o0gvHnHTtBGrimeIPsSCqpoJJYzGzcy94qoCssgbQhw9Oq6EijD1zXx7PUMHB3wGi2RJiZEGtaHo jJJ2ZbcL4NTl+VBbTl1nKRcd5YkvdRwSjb35ddUIOFVmVIkZh+mTMUkEFCrwjrQhjMviU8nwelvy z8yfD6OpYa+kIOZkiUrH+zJQBIzgi/qTyQskAg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/nT-tpdxrtycfHZqHCwlv6ewpIqs>
Subject: Re: [I2nsf] Fwd: [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 10:42:30 -0000

Hi Tom:

Thank you very much for your insight. It is very helpful. Please see our comments/questions inline.

> El 27 oct 2020, a las 13:42, tom petch <daedulus@btconnect.com> escribió:
> 
> I think that the IESG will find a number of problems with this I-D.
> 
> YANG module references RFC822 which is several years out of date

We have realized that we missed to change this, even though we discussed it. We will change it right away in the following way (bold):

case rfc822-address-string {
     leaf rfc822-address-string { 
          type string; 
          description 
              "Specifies the identity as a
               fully-qualified RFC5322 email
               address string. An example is,
               jsmith@example.com. The string
               MUST NOT contain any
               terminators e.g., NULL, CR,
               etc.)."; 
           reference 
                  "RFC 5322.";
     }
}

Btw, we already used in the past “case rfc822-address-string” and “leaf rfc822-address-string” since this is coming from IKEv2 standard. Do you think we should change that name as well?


> 
> YANG module references IANA Protocol Numbers which is not in the I-D references

We have included the following reference:

[IANA-Protocols-Number]
              Internet Assigned Numbers Authority (IANA), "Protocol
              Numbers", January 2020.


> 
> s.2 boiler plate is out of date

What we see is the I-D has the second choice stated in https://www.ietf.org/standards/ids/guidelines/

This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Could you refer what is out of date?
 
> 
> XXXX is standing in for more than one RFC

Yes, XXXX has been used because we do not know the future number assigned to our I-D. 

Also we realized we also included this to refer to crypto-types I-D but this has been solved now in a new version -12 that we are preparing to include your comments. We noticed we can replace the type of rw cert-data?, ca-data*, crl-data? for binary without any problem.

|           |     +--rw cert-data?        binary
|           +--rw private-key?            binary
|           +--rw ca-data*                binary
|           +--rw crl-data?               binary

> 
> but the show stopper that makes a proper review of this too costly is the references.  Those to IANA of which there are several I want to pursue.  The I-D reference is to IKEv2 parameters. Sadly, this is a three tier structure and noone agrees on what to call the third tier so I will call it tier3 here.  Top level is Group, as per RFC8126, second level is Registry.  The I-D reference is to the Group only which is fine if the actual reference then specifies the Registry and Tier3 but they never do, usually just Tier3 e.g. Transform Type 3 which makes for a lot of work for the reader, too much for this one.  You have to go hunting in all the second level Registry until you can find a match for the Tier3 identifier. And there are no URL.  If you want an example that I find easy to use, go look at RFC8407 (as usual).

You’re right. Could you point the exact part at RFC 8407 with that example? We would really appreciate it.

On the other hand, would it be enough to include the URL for Transform Type 3 https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-7 ?

(Same for Transform Type 1, Transform Type 4)

> 
> The reference for import of i2nsf-ikec gives a YANG module name; this needs to be the name of the RFC to be

Fixed.

import ietf-i2nsf-ikec {
            prefix nsfikec;
            reference 
                "RFC XXXX: Software-Defined Networking
               (SDN)-based IPsec Flow Protection.";
}

We still use XXXX because we do not know the number assigned to the RFC to be.

> 
> The example IPv6 address in the YANG module has :0:0: which is usually just ::

Fixed. 

If you have any further comments, please let us know so we can include them in -12

Best Regards.
> 
> And I have some way to go still.
> 
> Tom Petch
> 
> On 22/10/2020 18:39, Rafa Marin-Lopez wrote:
>> Dear all:
>> 
>> After receiving a suggestion to make things clearer in the feature ikeless-notification description, we have just uploaded a new version -11 with a minor change to add the following text:
>> 
>> feature ikeless-notification {
>>             description
>>                 "This feature indicates that the server supports
>>                 generating notifications in the ikeless module.
>> 
>>                 To ensure broader applicability of this module,
>>                 the notifications are marked as a feature.
>>                 For the implementation of ikeless case,
>>                 the NSF is expected to implement this
>>                 feature.";
>>         }
>> 
>> Best Regards.
>> 
>>> Inicio del mensaje reenviado:
>>> 
>>> De: internet-drafts@ietf.org
>>> Asunto: New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>>> Fecha: 22 de octubre de 2020, 15:32:50 CEST
>>> Para: "Fernando Pereniguez-Garcia" <fernando.pereniguez@cud.upct.es>, "Rafael Lopez" <rafa@um.es>, "Gabriel Lopez-Millan" <gabilm@um.es>, "Rafa Marin-Lopez" <rafa@um.es>
>>> 
>>> 
>>> A new version of I-D, draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>>> has been successfully submitted by Rafa Marin-Lopez and posted to the
>>> IETF repository.
>>> 
>>> Name:		draft-ietf-i2nsf-sdn-ipsec-flow-protection
>>> Revision:	11
>>> Title:		Software-Defined Networking (SDN)-based IPsec Flow Protection
>>> Document date:	2020-10-22
>>> Group:		i2nsf
>>> Pages:		92
>>> URL:            https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection
>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-11
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-11
>>> 
>>> Abstract:
>>>   This document describes how to provide IPsec-based flow protection
>>>   (integrity and confidentiality) by means of an Interface to Network
>>>   Security Function (I2NSF) controller.  It considers two main well-
>>>   known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
>>>   host.  The service described in this document allows the
>>>   configuration and monitoring of IPsec Security Associations (SAs)
>>>   from a I2NSF Controller to one or several flow-based Network Security
>>>   Functions (NSFs) that rely on IPsec to protect data traffic.
>>> 
>>>   The document focuses on the I2NSF NSF-facing interface by providing
>>>   YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
>>>   and IKEv2.  This allows IPsec SA establishment with minimal
>>>   intervention by the network administrator.  It does not define any
>>>   new protocol.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>>> 
>> 
>> -------------------------------------------------------
>> Rafa Marin-Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
>> 
>> 
>> 
>> 
>> 
>> 
>> 

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email