Re: [I2nsf] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04

Gabriel Lopez <gabilm@um.es> Mon, 20 May 2019 15:12 UTC


Hi Paul, Linda.

Thanks again for your comments.

> On 18 May 2019, at 7:11, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
> 
> Hi Linda,
> For your first question,
> it seems like Gabriel does not like to modify their code to let NSF-Facing Interface data module import ikev2 and ietf-ipsec (i.e., ike-less)
> according to IETF YANG conventions such as TLS, SSH, IDS, and ACL.
> In our data models, we will specify whether an NSF supports an IPsec configuration mechanism (IKEv2 or IKEless), 
> or does not support any IPsec configuration mechanism. 
> That is, our data models assume that the actual IPsec configuration will be handled by Rafa's IPsec module through NETCONF, and
> our I2NSF interfaces will do nothing related to the IPsec configuration.
> 


The question is not whether I (we) like or don't like to modify the model. The question is whether it is the best technical approach or not.
As said before, the ipsec model has been designed to work in a standalone mode in an NSF, so the controller can configure ipsec on NSFs without any other module.

You mention the consensus at the last meeting, but what I get from this consensus is to study how, making use of the capability model, the controller can learn if the NSF node supports the IKE case or the IKE-less case, and then in the discussion there is a mention of a "reference" to the corresponding data model implementing these capabilities (our model) (here the "reference" clause could be used). But it does not imply extending the NSF client interface to include all the available yang models for every security service an NSF can support.

Our main concern is if the objective of the nsf-client-dm is:

- To import all other models (SSH, TLS, ACLs, etc...) just for the sake of having all of them gathered in a single model (nsf-client-dm). But I don't see the benefit. In fact, SSH or TLS yang models are designed to be used by other yang models for specific applications, such as a model for HTTPS importing the TLS model or a model for a SSH server importing the SSH model. What is the service in this case? In the case of the ACL yang module, it is also defined to work in a standalone mode (no main grouping based). In the case of IDS, could you point out the yang module?

- To adapt them in some way to the ECA model. The ECA model is the keystone of the nsf-client-dm, as described in section 4. If it is the case, then it is difficult to see examples of how they can be adapted. 


That said, the draft is a WG item and the WG has to decide what is the right way to proceed.

Regards, Gabi. 


> For your second question,
> "ietf-ipsec" is the same as "ipsec-ikeless".
> 
> Thanks.
> 
> Best Regards,
> Paul
> 
> On Sat, May 18, 2019 at 6:28 AM Linda Dunbar <linda.dunbar@huawei.com> wrote:
> Paul,
> 
>  
> 
> If you simply want to import the “ikev2” and “ietf-ipsec” to  NSF-Facing Interface data model,  can the new code be the following?
> 
>  
> 
>  
> 
> ########### Modified Code #############
>
> grouping ikev2 {
>    ...
> }
>
> grouping ietf-ipsec {
>    ...
> }
>
> ########
> 
>  
> 
> By the way “ietf-ipsec” is not same as  “ipsec-ikeless”, is it?
> 
>  
> 
>  
> 
> Linda
> 
>  
> 
> From: Mr. Jaehoon Paul Jeong [mailto:jaehoon.paul@gmail.com]
> Sent: Thursday, May 09, 2019 9:02 AM
> To: rafa@um.es; Gabriel Lopez <gabilm@um.es>; fernando.pereniguez@cud.upct.es
> Cc: Linda Dunbar <linda.dunbar@huawei.com>; Yoav Nir <ynir.ietf@gmail.com>; i2nsf@ietf.org; skku_secu-brain_all@googlegroups.com; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> Subject: Re: [I2nsf] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
> 
>  
> 
> Hi Authors: Rafa, Gabriel, and Fernando,
> 
>  
> 
> I have a request to let your authors revise i2nsf ipsec draft
> 
> (draft-ietf-i2nsf-sdn-ipsec-flow-protection-04) 
> 
> in order to conform to our i2nsf interface data models.
> 
> For your YANG data module to be used in our NSF-Facing Interface data model through import, 
> 
> your YANG data module needs some modification as follows.
> 
>  
> 
> ########### Original Code #############
>
> container ikev2 {
>    ....
> }
>
> container ietf-ipsec {
>    ....
> }
>
> ########### Modified Code #############
>
> grouping ipsec-ike {
>    ...
> }
>
> grouping ipsec-ikeless {
>    ...
> }
>
> container ikev2 {
>  description "Configure the IKEv2 software";
>  uses ipsec-ike;
> }
>
> container ietf-ipsec {
>  description "IPsec configuration";
>  uses ipsec-ikeless;
> }
> 
>  
> 
> With your modification, my SKKU team will modify our YANG data models 
> 
> to accommodate your ipsec data model.
> 
>  
> 
> If you have any questions, please let me know.
> 
>  
> 
> Thank you.
> 
>  
> 
> Best Regards,
> 
> Paul
> 
>  
> 
> On Wed, Apr 17, 2019 at 11:54 PM Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
> Hello Working Group,
> 
>  
> 
> This email starts a four weeks Working Group Last Call on draft-ietf-i2nsf-sdn-ipsec-flow-protection-04.
> 
> This poll runs until May 15, 2019.
> 
>  
> 
> Authors: please update the draft per the comments and suggestions from YANG Doctors.
> 
>  
> 
> We are also polling for knowledge of any undisclosed IPR that applies to this Document, to ensure that IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details).
> 
> If you are listed as an Author or a Contributor of this Document please respond to this email and indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors and Contributors.
> 
>  
> 
> If you are not listed as an Author or a Contributor, then please explicitly respond only if you are aware of any IPR that has not yet been disclosed in conformance with IETF rules.
> 
>  
> 
>  
> 
> Thank you.
> 
>  
> 
> Yoav & Linda
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
> 
>  
> 
> --
> 
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php <http://cpslab.skku.edu/people-jaehoon-jeong.php>
> 

-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es
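
An added illustration of the container-versus-grouping change discussed in this thread (not code from the draft or from any participant): it shows the proposed "Modified Code" shape in a complete module, plus a second module that imports it. The module names, namespaces, prefixes, the importing container and the placeholder leaves are all hypothetical; the real models' contents are elided in the thread.

```yang
// File 1 (constructed): example-ipsec.yang, standing in for the IPsec model.
module example-ipsec {
  yang-version 1.1;
  namespace "urn:example:ipsec";            // hypothetical namespace
  prefix exipsec;

  // A grouping is reusable schema only; it creates no data nodes by itself.
  grouping ipsec-ike {
    leaf placeholder-ike-setting { type string; }      // hypothetical leaf
  }
  grouping ipsec-ikeless {
    leaf placeholder-ikeless-setting { type string; }  // hypothetical leaf
  }

  // Standalone use is preserved: the module still instantiates its own
  // top-level containers, so it can be configured without any other module.
  container ikev2 {
    description "Configure the IKEv2 software";
    uses ipsec-ike;
  }
  container ietf-ipsec {
    description "IPsec configuration";
    uses ipsec-ikeless;
  }
}

// File 2 (constructed): example-nsf-facing.yang, a hypothetical importer.
module example-nsf-facing {
  yang-version 1.1;
  namespace "urn:example:nsf-facing";       // hypothetical namespace
  prefix exnsf;

  import example-ipsec { prefix exipsec; }

  container nsf-ipsec {                     // hypothetical container
    // Reuse is possible only because the schema is exposed as groupings;
    // a top-level container in another module cannot be pulled in by "uses".
    choice ipsec-method {
      case ike     { uses exipsec:ipsec-ike; }
      case ikeless { uses exipsec:ipsec-ikeless; }
    }
  }
}
```

Nodes instantiated through `uses` belong to the namespace of the module that uses the grouping (RFC 7950, section 7.13), so `nsf-ipsec` here is a second, separate copy of the IPsec schema and not a pointer to the `ikev2` and `ietf-ipsec` containers of the first module.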