IETF Logo Mail Archive

Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Martin Björklund <mbj+ietf@4668.se> Tue, 22 September 2020 13:48 UTC

Return-Path: <mbj+ietf@4668.se>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D933A0DE6; Tue, 22 Sep 2020 06:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.121
X-Spam-Level:
X-Spam-Status: No, score=-0.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_NAKED_TO_NUMERO=1.999, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=4668.se header.b=V94Y4zYV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Nx3hnHap
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Rt6BIq4DYI8; Tue, 22 Sep 2020 06:48:00 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C453A0DE4; Tue, 22 Sep 2020 06:48:00 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id EFFFEDE5; Tue, 22 Sep 2020 09:47:58 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 22 Sep 2020 09:47:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=4668.se; h=date :message-id:to:cc:subject:from:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=fm2; bh= 9QUscQPBupSb/Ze7GVafs5+iK9Ujoc/8sS8hMhpcN4U=; b=V94Y4zYVi0W+kVHF ZTZcGJbUVfIzHGYY2fmQGlhpVM1bGY3SBh64D4uH07hAGZrXdVAGG80PrmApNfA7 pfNQU7QnYleSFHqulf0GQlFpKK+4ASbu0RxNH/SuqRuNawbmcmp365Uxa7vUI+y1 2ftfDejalmq9/CzgFUaZ9OFFK5fDP3/Vm3ffT+PMdcnjQNM3HlQ04GL4GGw5WqdG AL3oLufBm2C4KmoNAP2o7hUPjHBKR8RWDAz8PidO9HUbn6CCCHbUAfTLl/ZKVI7C mVroNymMhUlj+0gP5sAvQ2BLn6r+WdgqEKaFm4PE1u4uYYySJKPI0SHfAsouZ+dx dWj5/g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=9QUscQPBupSb/Ze7GVafs5+iK9Ujoc/8sS8hMhpcN 4U=; b=Nx3hnHapS9cA0w1Ze9eJp6nlZBw71mgFtFLfvQ2oX0VwIkLpOBVS6p30n 6+Ptb8Em32JJJPeI5rDRhO7Z2v02fej9r/iffWG2a54QLDsjHhsHOtrzdRpuE81l 0GJ/dPhkuYCJGgu89USdnaw0/XoNp5Xi7iHXZz3wpsxmBd2uBbfmcRyzo9zwBEMJ 0vBOQ9r3xtQ4Un22lmYIeNdkIMMzrq5BL4lNiV8nrQVaZwy3zwIB2FfuJMIuPnkU rcBZkLg43ZDVYUxsR6Cw8A1ydI/kuKC1b2t5ltTmbzb7MRYxazF/HSmZfP6BHEqC 8ONGMD/gVs2YkhWAEyuVEDl+ladLw==
X-ME-Sender: <xms:jQBqX2k-GelWaf5BGTHXSu02tE7Agp-5MGekKmJqz726lkIVB9in3w> <xme:jQBqX90ElMz2mg6XhfHvxv_Exmsc5-MH6spladMz5TkB1cDaY9wcGJ-LNRxROUPpY NefdU66Vpxyj0jPzWs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudeggdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepfffkvffuhfgjfhfogggtgfesthgsre dtredtjeenucfhrhhomhepofgrrhhtihhnuceujhpnrhhklhhunhguuceomhgsjhdoihgv thhfseegieeikedrshgvqeenucggtffrrghtthgvrhhnpeefheekgfdukeefheeihefhke egvdffheetvefgfeefgefhvdefueeluddvvdfgheenucffohhmrghinhepihgvthhfrdho rhhgnecukfhppeduheekrddujeegrdegrdeggeenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehmsghjodhivghtfhesgeeiieekrdhsvg
X-ME-Proxy: <xmx:jQBqX0r4gDC1_AQ6Hxxhum7eqk2I4GYekoe2fT54OqIPCWKBBghjJA> <xmx:jQBqX6mfF9vlir9toaXEHhGoHzalAMOz8_A1LjLDNABHsfdeMJl8iA> <xmx:jQBqX02VkHz8KKb4xT2JjV5xSsIEJJKPdR9JFHKLPH4HZpExWgs_GQ> <xmx:jgBqX49Qzv_9sZLGWqpxUO1ya5fYradiuMcbDIvravIn50Ms5L85Bg>
Received: from localhost (unknown [158.174.4.44]) by mail.messagingengine.com (Postfix) with ESMTPA id 9C24B3064683; Tue, 22 Sep 2020 09:47:56 -0400 (EDT)
Date: Tue, 22 Sep 2020 15:47:55 +0200
Message-Id: <20200922.154755.1642280401151653825.id@4668.se>
To: chopps@chopps.org
Cc: rwilton@cisco.com, gabilm@um.es, draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org, i2nsf@ietf.org, ipsec@ietf.org, last-call@ietf.org, yang-doctors@ietf.org
From: Martin Björklund <mbj+ietf@4668.se>
In-Reply-To: <FE7633E2-624F-4E91-8BC1-66047EC87204@chopps.org>
References: <MN2PR11MB43668FA513A764EA0514790BB53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <20200922.141953.1142814413326145014.id@4668.se> <FE7633E2-624F-4E91-8BC1-66047EC87204@chopps.org>
X-Mailer: Mew version 6.8 on Emacs 26.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/pFxYtXCOZEUAO42QT6XM7NTHPJ8>
X-Mailman-Approved-At: Tue, 22 Sep 2020 07:48:41 -0700
Subject: Re: [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 13:48:02 -0000

Christian Hopps <chopps@chopps.org> wrote:
> 
> 
> > On Sep 22, 2020, at 8:19 AM, Martin Björklund <mbj+ietf@4668.se>
> > wrote:
> > 
> > Hi,
> > 
> > Sorry I missed this question.
> > 
> > I think it probably can be solved; but see below.
> > 
> > 
> > "Rob Wilton (rwilton)" <rwilton@cisco.com <mailto:rwilton@cisco.com>>
> > wrote:
> >> Hi draft authors, Chris,
> >> 
> >> Can we also please try and close on this issue raised by Chris.
> >> 
> >> Chris, I don’t think that there is any great way to solve this issue
> >> using YANG features, but presumably the constraint could be enforced
> >> with a must statement, or groupings could be used to copy parts of the
> >> ipsec structure into an sdn specific ipsec tree structure.
> >> 
> >> I understand that there isn't any great desire to delay these drafts
> >> by trying to generalize the ipsec YANG model contained within it.
> >> However, I think that means that the modules should have "-sdn-" in
> >> their names to indicate that they are intended specifically for the
> >> SDN use case, and should not be confused with the more generic ipsec
> >> YANG modules that have been proposed.
> >> 
> >> Regards,
> >> Rob
> >> 
> >> 
> >>> -----Original Message-----
> >>> From: yang-doctors <yang-doctors-bounces@ietf.org> On Behalf Of
> >>> Christian
> >>> Hopps
> >>> Sent: 24 August 2020 18:08
> >>> To: Martin Björklund <mbj+ietf@4668.se>
> >>> Cc: i2nsf@ietf.org; draft-ietf-i2nsf-sdn-ipsec-flow-
> >>> protection.all@ietf.org; ipsec@ietf.org; last-call@ietf.org; yang-
> >>> doctors@ietf.org
> >>> Subject: Re: [yang-doctors] Yangdoctors last call review of
> >>> draft-ietf-
> >>> i2nsf-sdn-ipsec-flow-protection-08
> >>> 
> >>> [adding in ipsec@]
> >>> 
> >>> Hi,
> >>> 
> >>> This draft was discussed in ipsecme at the last IETF, and there was a
> >>> desire to look closer at a couple changes that would make these models
> >>> usable by ipsec generally rather than only for SDNs. Otherwise we will
> >>> end
> >>> up with 2 models that look very similar and duplicate almost all the
> >>> functionality. This was going to be done during the next yang doctor
> >>> review, but it looks like that happened in the meantime (ships in the
> >>> night).
> >>> 
> >>> At minimum the module names should include "-sdn-" if no other changes
> >>> are
> >>> made to indicate that they are only for sdn use; however, this is not
> >>> the
> >>> optimal solution.
> >>> 
> >>> A better solution would be to move the containers currently under
> >>> ikeless
> >>> (for SA and Policy databases) under ipsec-common.
> > 
> > Are we talking about /ipsec-ikeless/spd and /ipsec-ikeless/sad?  If
> > these are moved to another module, ipsec-ikeless becomes empty (if
> > also the related notifs are moved).
> 
> It will still contain the notification, which is used for managing
> ikeless ipsec in the SDN controller case.

Ok.


> > Why do you want to move them?  It is b/c they are under
> > "ipsec-ikeless"?  If so, perhaps a simpler solution is to use another
> > (more generic) name for the module and top-level container.
> 
> Yes, b/c IPsec always has an SA database (both ike or ikeless). The
> reason, according to the authors, it was not put in common and was
> only included in ikeless was b/c the authors felt that for SDNs the
> SDN controller didn't care about the SA database since IKE was
> managing it. That doesn't mean it doesn't exist, just that their use
> case didn't care, and didn't want to force people to implement the
> YANG for it if they only supported the IKE module for SDN use.

Then I agree w/ you that moving them to common and adding a feature
would work.  If they don't want to implement them just don't implement
the feature.


/martin

> I don't see why the want to not implement the SA database YANG for
> SDN+IKE couldn't be handled with a feature (or some other YANG
> mechanism) instead and then have a more correct model organization
> 
> The problem is that this common ipsec module (and the ikeless and ike
> even) are easily augmented and usable by IPsec in general if the SA
> and policy database were moved to common and out of ikeless. The only
> other way to re-use it would be to augment a duplicate SA database
> under the IKE module, but there is only a single SA database on a
> server, so now we have 2 SA databases in YANG (under ikeless and ike
> namespaces) to represent the same SA database. It seems wrong to go
> this route since the change I was suggesting seems pretty trivial.
> 
> In my case we have an ipsec extension in development along with a YANG
> module (https://tools.ietf.org/html/draft-fedyk-ipsecme-yang-iptfs-00)
> that want's to augment the SA database (for operational state like
> packet counters among other things), but of course we want this to be
> for IKE and IKE-less -- in particular IKE is the vastly common use
> case for IPsec.
> 
> Thanks,
> Chris.
> 
> > 
> > If they are moved to ietf-ipsec-common, an implementation that
> > implements ietf-ipsec-ike can still import ietf-ipsec-common, but
> > choose to not implement it (it will show up as an 'import-only-module'
> > in yang library).
> > 
> > 
> > /martin
> > 
> > 
> >>> The feedback I received from the authors was that the SDN controllers
> >>> didn't care about the actual SAs and policies when using IKE so they
> >>> didn't want to require someone implementing ike+common modules to have
> >>> to
> >>> support them.
> >>> 
> >>> The YANG question I suppose is, is there an easy way to move these
> >>> containers from ipsec-ikeless to ipsec-common, but still allow for
> >>> them to
> >>> be empty and/or unimplemented for the SDN IKE use case? If they were
> >>> made
> >>> features, is there a proper YANG way to indicate that if the ikeless
> >>> module is present then those features must also be supported thus
> >>> matching
> >>> the functionality as defined by the current draft?
> >>> 
> >>> Thanks,
> >>> Chris.
> >>> 
> >>> 
> >>> 
> >>>> On Aug 24, 2020, at 10:37 AM, Martin Björklund via Datatracker
> >>> <noreply@ietf.org> wrote:
> >>>> 
> >>>> Reviewer: Martin Björklund
> >>>> Review result: Ready with Nits
> >>>> 
> >>>> I did an early YANG Doctor's review of this draft.  Most of my
> >>>> comments then have been addressed in this version.
> >>>> 
> >>>> Comments:
> >>>> 
> >>>> o  As I wrote in my early review, the RFC editor enforces a common
> >>>>  format of YANG modules, so it is better to adhere to this format
> >>>>  before sending the draft to the RFC editor.  Use
> >>>> 
> >>>>    pyang -f yang --yang-line-length 69 <FILE>
> >>>> 
> >>>>  to get a consistent look-and-feel for your module.
> >>>> 
> >>>>  (You will have to manually re-flow description statements after
> >>>>  this.)
> >>>> 
> >>>> 
> >>>> o  There are some leafs that are optional in the model, but w/o a
> >>>>  default value and w/o an explanation of what happens if that leaf
> >>>>  is not set.  You should find those and either make them mandatory,
> >>>>  add a default value, or explain what it means when it isn't set.
> >>>>  As an example,
> >>>>  /ipsec-ike/pad/pad-entrypeer-authenticatin/pre-shared/secret
> >>>>  is optional.  I suspect that this leaf needs to be mandatory.
> >>>>  Another example is the leaf espencap.
> >>>> 
> >>>> 
> >>>> /martin
> >>>> 
> >>>> 
> >>>> _______________________________________________
> >>>> yang-doctors mailing list
> >>>> yang-doctors@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/yang-doctors
>

v2.23.0 | Report a Bug | By Email