Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
Martin Björklund <mbj+ietf@4668.se> Tue, 22 September 2020 13:48 UTC
Return-Path: <mbj+ietf@4668.se>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D933A0DE6; Tue, 22 Sep 2020 06:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.121
X-Spam-Level:
X-Spam-Status: No, score=-0.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_NAKED_TO_NUMERO=1.999, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=4668.se header.b=V94Y4zYV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Nx3hnHap
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Rt6BIq4DYI8; Tue, 22 Sep 2020 06:48:00 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C453A0DE4; Tue, 22 Sep 2020 06:48:00 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id EFFFEDE5; Tue, 22 Sep 2020 09:47:58 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 22 Sep 2020 09:47:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=4668.se; h=date :message-id:to:cc:subject:from:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=fm2; bh= 9QUscQPBupSb/Ze7GVafs5+iK9Ujoc/8sS8hMhpcN4U=; b=V94Y4zYVi0W+kVHF ZTZcGJbUVfIzHGYY2fmQGlhpVM1bGY3SBh64D4uH07hAGZrXdVAGG80PrmApNfA7 pfNQU7QnYleSFHqulf0GQlFpKK+4ASbu0RxNH/SuqRuNawbmcmp365Uxa7vUI+y1 2ftfDejalmq9/CzgFUaZ9OFFK5fDP3/Vm3ffT+PMdcnjQNM3HlQ04GL4GGw5WqdG AL3oLufBm2C4KmoNAP2o7hUPjHBKR8RWDAz8PidO9HUbn6CCCHbUAfTLl/ZKVI7C mVroNymMhUlj+0gP5sAvQ2BLn6r+WdgqEKaFm4PE1u4uYYySJKPI0SHfAsouZ+dx dWj5/g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=9QUscQPBupSb/Ze7GVafs5+iK9Ujoc/8sS8hMhpcN 4U=; b=Nx3hnHapS9cA0w1Ze9eJp6nlZBw71mgFtFLfvQ2oX0VwIkLpOBVS6p30n 6+Ptb8Em32JJJPeI5rDRhO7Z2v02fej9r/iffWG2a54QLDsjHhsHOtrzdRpuE81l 0GJ/dPhkuYCJGgu89USdnaw0/XoNp5Xi7iHXZz3wpsxmBd2uBbfmcRyzo9zwBEMJ 0vBOQ9r3xtQ4Un22lmYIeNdkIMMzrq5BL4lNiV8nrQVaZwy3zwIB2FfuJMIuPnkU rcBZkLg43ZDVYUxsR6Cw8A1ydI/kuKC1b2t5ltTmbzb7MRYxazF/HSmZfP6BHEqC 8ONGMD/gVs2YkhWAEyuVEDl+ladLw==
X-ME-Sender: <xms:jQBqX2k-GelWaf5BGTHXSu02tE7Agp-5MGekKmJqz726lkIVB9in3w> <xme:jQBqX90ElMz2mg6XhfHvxv_Exmsc5-MH6spladMz5TkB1cDaY9wcGJ-LNRxROUPpY NefdU66Vpxyj0jPzWs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudeggdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepfffkvffuhfgjfhfogggtgfesthgsre dtredtjeenucfhrhhomhepofgrrhhtihhnuceujhpnrhhklhhunhguuceomhgsjhdoihgv thhfseegieeikedrshgvqeenucggtffrrghtthgvrhhnpeefheekgfdukeefheeihefhke egvdffheetvefgfeefgefhvdefueeluddvvdfgheenucffohhmrghinhepihgvthhfrdho rhhgnecukfhppeduheekrddujeegrdegrdeggeenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehmsghjodhivghtfhesgeeiieekrdhsvg
X-ME-Proxy: <xmx:jQBqX0r4gDC1_AQ6Hxxhum7eqk2I4GYekoe2fT54OqIPCWKBBghjJA> <xmx:jQBqX6mfF9vlir9toaXEHhGoHzalAMOz8_A1LjLDNABHsfdeMJl8iA> <xmx:jQBqX02VkHz8KKb4xT2JjV5xSsIEJJKPdR9JFHKLPH4HZpExWgs_GQ> <xmx:jgBqX49Qzv_9sZLGWqpxUO1ya5fYradiuMcbDIvravIn50Ms5L85Bg>
Received: from localhost (unknown [158.174.4.44]) by mail.messagingengine.com (Postfix) with ESMTPA id 9C24B3064683; Tue, 22 Sep 2020 09:47:56 -0400 (EDT)
Date: Tue, 22 Sep 2020 15:47:55 +0200
Message-Id: <20200922.154755.1642280401151653825.id@4668.se>
To: chopps@chopps.org
Cc: rwilton@cisco.com, gabilm@um.es, draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org, i2nsf@ietf.org, ipsec@ietf.org, last-call@ietf.org, yang-doctors@ietf.org
From: Martin Björklund <mbj+ietf@4668.se>
In-Reply-To: <FE7633E2-624F-4E91-8BC1-66047EC87204@chopps.org>
References: <MN2PR11MB43668FA513A764EA0514790BB53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <20200922.141953.1142814413326145014.id@4668.se> <FE7633E2-624F-4E91-8BC1-66047EC87204@chopps.org>
X-Mailer: Mew version 6.8 on Emacs 26.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/pFxYtXCOZEUAO42QT6XM7NTHPJ8>
X-Mailman-Approved-At: Tue, 22 Sep 2020 07:48:41 -0700
Subject: Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 13:48:02 -0000
Christian Hopps <chopps@chopps.org> wrote: > > > > On Sep 22, 2020, at 8:19 AM, Martin Björklund <mbj+ietf@4668.se> > > wrote: > > > > Hi, > > > > Sorry I missed this question. > > > > I think it probably can be solved; but see below. > > > > > > "Rob Wilton (rwilton)" <rwilton@cisco.com <mailto:rwilton@cisco.com>> > > wrote: > >> Hi draft authors, Chris, > >> > >> Can we also please try and close on this issue raised by Chris. > >> > >> Chris, I don’t think that there is any great way to solve this issue > >> using YANG features, but presumably the constraint could be enforced > >> with a must statement, or groupings could be used to copy parts of the > >> ipsec structure into an sdn specific ipsec tree structure. > >> > >> I understand that there isn't any great desire to delay these drafts > >> by trying to generalize the ipsec YANG model contained within it. > >> However, I think that means that the modules should have "-sdn-" in > >> their names to indicate that they are intended specifically for the > >> SDN use case, and should not be confused with the more generic ipsec > >> YANG modules that have been proposed. > >> > >> Regards, > >> Rob > >> > >> > >>> -----Original Message----- > >>> From: yang-doctors <yang-doctors-bounces@ietf.org> On Behalf Of > >>> Christian > >>> Hopps > >>> Sent: 24 August 2020 18:08 > >>> To: Martin Björklund <mbj+ietf@4668.se> > >>> Cc: i2nsf@ietf.org; draft-ietf-i2nsf-sdn-ipsec-flow- > >>> protection.all@ietf.org; ipsec@ietf.org; last-call@ietf.org; yang- > >>> doctors@ietf.org > >>> Subject: Re: [yang-doctors] Yangdoctors last call review of > >>> draft-ietf- > >>> i2nsf-sdn-ipsec-flow-protection-08 > >>> > >>> [adding in ipsec@] > >>> > >>> Hi, > >>> > >>> This draft was discussed in ipsecme at the last IETF, and there was a > >>> desire to look closer at a couple changes that would make these models > >>> usable by ipsec generally rather than only for SDNs. Otherwise we will > >>> end > >>> up with 2 models that look very similar and duplicate almost all the > >>> functionality. This was going to be done during the next yang doctor > >>> review, but it looks like that happened in the meantime (ships in the > >>> night). > >>> > >>> At minimum the module names should include "-sdn-" if no other changes > >>> are > >>> made to indicate that they are only for sdn use; however, this is not > >>> the > >>> optimal solution. > >>> > >>> A better solution would be to move the containers currently under > >>> ikeless > >>> (for SA and Policy databases) under ipsec-common. > > > > Are we talking about /ipsec-ikeless/spd and /ipsec-ikeless/sad? If > > these are moved to another module, ipsec-ikeless becomes empty (if > > also the related notifs are moved). > > It will still contain the notification, which is used for managing > ikeless ipsec in the SDN controller case. Ok. > > Why do you want to move them? It is b/c they are under > > "ipsec-ikeless"? If so, perhaps a simpler solution is to use another > > (more generic) name for the module and top-level container. > > Yes, b/c IPsec always has an SA database (both ike or ikeless). The > reason, according to the authors, it was not put in common and was > only included in ikeless was b/c the authors felt that for SDNs the > SDN controller didn't care about the SA database since IKE was > managing it. That doesn't mean it doesn't exist, just that their use > case didn't care, and didn't want to force people to implement the > YANG for it if they only supported the IKE module for SDN use. Then I agree w/ you that moving them to common and adding a feature would work. If they don't want to implement them just don't implement the feature. /martin > I don't see why the want to not implement the SA database YANG for > SDN+IKE couldn't be handled with a feature (or some other YANG > mechanism) instead and then have a more correct model organization > > The problem is that this common ipsec module (and the ikeless and ike > even) are easily augmented and usable by IPsec in general if the SA > and policy database were moved to common and out of ikeless. The only > other way to re-use it would be to augment a duplicate SA database > under the IKE module, but there is only a single SA database on a > server, so now we have 2 SA databases in YANG (under ikeless and ike > namespaces) to represent the same SA database. It seems wrong to go > this route since the change I was suggesting seems pretty trivial. > > In my case we have an ipsec extension in development along with a YANG > module (https://tools.ietf.org/html/draft-fedyk-ipsecme-yang-iptfs-00) > that want's to augment the SA database (for operational state like > packet counters among other things), but of course we want this to be > for IKE and IKE-less -- in particular IKE is the vastly common use > case for IPsec. > > Thanks, > Chris. > > > > > If they are moved to ietf-ipsec-common, an implementation that > > implements ietf-ipsec-ike can still import ietf-ipsec-common, but > > choose to not implement it (it will show up as an 'import-only-module' > > in yang library). > > > > > > /martin > > > > > >>> The feedback I received from the authors was that the SDN controllers > >>> didn't care about the actual SAs and policies when using IKE so they > >>> didn't want to require someone implementing ike+common modules to have > >>> to > >>> support them. > >>> > >>> The YANG question I suppose is, is there an easy way to move these > >>> containers from ipsec-ikeless to ipsec-common, but still allow for > >>> them to > >>> be empty and/or unimplemented for the SDN IKE use case? If they were > >>> made > >>> features, is there a proper YANG way to indicate that if the ikeless > >>> module is present then those features must also be supported thus > >>> matching > >>> the functionality as defined by the current draft? > >>> > >>> Thanks, > >>> Chris. > >>> > >>> > >>> > >>>> On Aug 24, 2020, at 10:37 AM, Martin Björklund via Datatracker > >>> <noreply@ietf.org> wrote: > >>>> > >>>> Reviewer: Martin Björklund > >>>> Review result: Ready with Nits > >>>> > >>>> I did an early YANG Doctor's review of this draft. Most of my > >>>> comments then have been addressed in this version. > >>>> > >>>> Comments: > >>>> > >>>> o As I wrote in my early review, the RFC editor enforces a common > >>>> format of YANG modules, so it is better to adhere to this format > >>>> before sending the draft to the RFC editor. Use > >>>> > >>>> pyang -f yang --yang-line-length 69 <FILE> > >>>> > >>>> to get a consistent look-and-feel for your module. > >>>> > >>>> (You will have to manually re-flow description statements after > >>>> this.) > >>>> > >>>> > >>>> o There are some leafs that are optional in the model, but w/o a > >>>> default value and w/o an explanation of what happens if that leaf > >>>> is not set. You should find those and either make them mandatory, > >>>> add a default value, or explain what it means when it isn't set. > >>>> As an example, > >>>> /ipsec-ike/pad/pad-entrypeer-authenticatin/pre-shared/secret > >>>> is optional. I suspect that this leaf needs to be mandatory. > >>>> Another example is the leaf espencap. > >>>> > >>>> > >>>> /martin > >>>> > >>>> > >>>> _______________________________________________ > >>>> yang-doctors mailing list > >>>> yang-doctors@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/yang-doctors >
- [I2nsf] Yangdoctors last call review of draft-iet… Martin Björklund via Datatracker
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Christian Hopps
- Re: [I2nsf] Yangdoctors last call review of draft… Gabriel Lopez
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Rob Wilton (rwilton)
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Rafa Marin-Lopez
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Christian Hopps
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Martin Björklund
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Martin Björklund
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Rob Wilton (rwilton)
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… tom petch
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Rafa Marin-Lopez
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Rob Wilton (rwilton)
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… tom petch
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Christian Hopps
- Re: [I2nsf] [yang-doctors] Yangdoctors last call … Martin Björklund
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… Christian Hopps
- Re: [I2nsf] [IPsec] [Last-Call] [yang-doctors] Ya… Lou Berger
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… tom petch
- Re: [I2nsf] [Last-Call] [yang-doctors] Yangdoctor… Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] Yangdoctors last call rev… tom petch
- Re: [I2nsf] [yang-doctors] [IPsec] [Last-Call] Ya… Rob Wilton (rwilton)
- Re: [I2nsf] [yang-doctors] [IPsec] [Last-Call] Ya… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] [yang-doctors] [Last-Call] Ya… Christian Hopps
- Re: [I2nsf] [IPsec] [yang-doctors] [Last-Call] Ya… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] [yang-doctors] [Last-Call] Ya… Christian Hopps
- Re: [I2nsf] [IPsec] [yang-doctors] [Last-Call] Ya… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] [yang-doctors] [Last-Call] Ya… Christian Hopps