IETF Logo Mail Archive

Re: [I2nsf] question on ipsec YANG model

Rafa Marin-Lopez <rafa@um.es> Mon, 20 July 2020 09:41 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0443D3A07B7; Mon, 20 Jul 2020 02:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7FsWWqnlW3Y1; Mon, 20 Jul 2020 02:41:42 -0700 (PDT)
Received: from mx01.puc.rediris.es (outbound5mad.lav.puc.rediris.es [130.206.19.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 185C83A07A9; Mon, 20 Jul 2020 02:41:41 -0700 (PDT)
Received: from xenon43.um.es (xenon43.um.es [155.54.212.170]) by mx01.puc.rediris.es with ESMTP id 06K9fcev031696-06K9fcew031696; Mon, 20 Jul 2020 11:41:38 +0200
Received: from localhost (localhost [127.0.0.1]) by xenon43.um.es (Postfix) with ESMTP id F3ECC2137D; Mon, 20 Jul 2020 11:41:37 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon43.um.es
Received: from xenon43.um.es ([127.0.0.1]) by localhost (xenon43.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id xEouSGqbkD9c; Mon, 20 Jul 2020 11:41:37 +0200 (CEST)
Received: from [192.168.2.67] (200.red-2-138-84.dynamicip.rima-tde.net [2.138.84.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon43.um.es (Postfix) with ESMTPSA id 7CD3F203D1; Mon, 20 Jul 2020 11:41:36 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Rafa Marin-Lopez <rafa@um.es>
In-Reply-To: <B1AD1CE0-4961-43F3-AAE7-97E75254B66A@chopps.org>
Date: Mon, 20 Jul 2020 11:41:35 +0200
Cc: Rafa Marin-Lopez <rafa@um.es>, i2nsf@ietf.org, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, Gabriel Lopez Millan <gabilm@um.es>
Content-Transfer-Encoding: quoted-printable
Message-Id: <39DA0BB1-FC00-4DFC-BD51-594E0B89E134@um.es>
References: <7885C779-7120-469F-A4FC-AADDA71E7474@chopps.org> <06BD06D0-46EF-4C5D-8F5D-44C38971B83B@um.es> <B1AD1CE0-4961-43F3-AAE7-97E75254B66A@chopps.org>
To: Christian Hopps <chopps@chopps.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.170 as permitted sender) smtp.mailfrom=rafa@um.es
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=content-type:mime-version:subject:from:date:cc:message-id:references:to; bh=goY7w5/In6aTdx9zjoat1UoY25UvjWHY8Q6gKFCQcyc=; b=Jxc0TsvMyovQaFg8fbu6/4WSZYlIdCDJRr/t1FHZb3+8g3HRrzV69Td4JVoQ7Vx6fHt7fTw+D/tR iHzcAiPDIDLcGcyPZrL2D0OhjoL3PYtciMh/6YssFVrLYipXRMdjNVX8NP+Wko78LPnDvgr6RA0s rzlLnbrf15okzCyJrvX21lKsuQvHYf3oB6C8Uxla178cZ55kaDQA1HEMEHsVx9hR15s+06qMojYa s6EgLY1Q7UT8JMV2mTK9DcTMnxmHsA33a9/gIeKxdzfgfsci39k6w9z/jCLp1vZTagVWJ+RKOH51 FZHw4+i8qEbmPrHW2gaZ5B//6bzbPuyA4FYJug==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/rS3Hwe2Lycv3PVn1hfr57cw2MLU>
Subject: Re: [I2nsf] question on ipsec YANG model
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 09:41:44 -0000

Hi Christian:

Yes, we think it may be a little bit late at this point of time. I guess we may change the name of the module to include "-i2nsf-“ if the I2NSF WG is ok with that.

Having said that, we would be interested in collaborating with you in the effort in IPsecme, what do you think?

Best regards.

> El 12 jul 2020, a las 0:32, Christian Hopps <chopps@chopps.org> escribió:
> 
> Yes, I understand that you were going after the SDN functionality; however, the modules doen't actually contain that in their names, and it certainly seems a very good starting point for ipsec in general. The main issues I'm raising are ones that will make it hard to re-use/augment this model for more general use. This is the only ipsec model that exists AFAICT.
> 
> So the question is will we (IETF) have to duplicate all this effort you've made so far for general ipsec use, or can we still make a few changes and get a lot more use out of your work?
> 
> If you believe the ship has sailed, and I do realize this has been pushed to the IESG, then perhaps the modules names (URIs et al) should at minimum include "-sdn-" in their names to make clear they aren't trying to, and can't be the base model for general IPsec use. Right now you are naming your modules "ietf-ipsec-common", "ietf-ipsec-ike", "ietf-ipsec-ikeless" which doesn't indicate the heavy SDN focus that the models have.
> 
> Thanks,
> Chris.
> 
>> On Jul 11, 2020, at 2:09 PM, Rafa Marin-Lopez <rafa@um.es> wrote:
>> 
>> Dear Christian:
>> 
>> Thank you very much for your interest. See our comments inline.
>> 
>>> El 9 jul 2020, a las 18:46, Christian Hopps <chopps@chopps.org> escribió:
>>> 
>>> Hi,
>>> 
>>> We are looking at using the ipsec model defined in "draft-ietf-i2nsf-sdn-ipsec-flow-protection" for augmenting to support IPTFS (https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-01). This isn't necessarily b/c we have an interest in SDN per-se, but just that it appears to be *the* available IPsec YANG model. :)
>>> 
>>> When we started to augment in our configuration and operations state we encountered some issues.
>>> 
>>> The biggest issue is that the IKE model does not have a SAD. This seems to be a fairly large omission.
>> 
>> 
>> The reason of this omission is the following (please, take into account that we work in a scenario where we have an I2NSF controller): IKE handles IPsec SAs and therefore the SAD. Therefore, there was not strong reason to access the SAD from “outside” (I2NSF controller).  The IKE implementation is in charge of completely handling the SAD.
>> 
>> Having said that, the module should be able to provide certain features for the IPsec SAs that IKE must negotiate. That is included in the container child-sa-info for configuration.
>> 
>> Regarding operational state, we did not see any value from the I2NSF controller standpoint to know the details of the IPsec SAs managed by the IKE implementation since IKE is just a layer that abstract this from “outside”. In fact, we did not see any objection in the I2NSF WG about this.
>> 
>> Unlike the IKE-less case, where the I2NSF controller needs to configure the SAD and to have complete control of it, in the IKE case, the I2NSF controller relies on the IKE implementation to abstract those details.
>> 
>>> 
>>> For example the conn-entry in in the IKE model has a list of encryption algorithms and integrity algorithms etc.. these would be used to make a proposal to the remote IKE; however, eventually something is selected, and an IKE SA, and subsequent CHILD_SA) are created. These SAs will have the specific selected parameters as well as other operational state (e.g., packet and byte counters etc).
>>> 
>>> This SA operational state should be accessible in the YANG model. One obvious way to do this would be to re-use the ikeless SAD by moving it to ipsec-common.
>>> 
>>> The other smaller issue is how the IKE connection entry configuration uses an SPD entry (I think).
>> 
>> Mmmmm, it is a container with a "list spd-entry” so there are several and not only one. But yes, those values are for configuration for the reason we mentioned above.
>> 
>> 
>>> When IKE actually initiates a connection there may be multiple SPD entries that are created in order to support, for example, an IPsec tunnel. I believe the SPD entry under conn-entry in the ipsec-ike model though is being used only to specify the policy for the child SA that will be created. All the actual SPD entries that are created due to an IKE connection being established (with the corresponding child SAs referenced by reqid for the PROTECT versions) should probably be accessible from YANG as well. Otherwise one cannot view things such as BYPASS policy that has been installed.
>> 
>> The dynamic generation of SPD entries is not considered in the model. The question is: how is this useful for the I2NSF controller operation? That was our question taking into account that we do have interest in the SDN model. The conclusion was that we wanted a simple and operative interface (based on YANG model) for IKE case, taking into account we have IKE in the NSF. In fact, that is precisely one of the advantages of having IKE.
>> 
>> 
>>> 
>>> The most obvious fix here would be to move the SPD out of ipsec-ikeless and into ipsec-common.
>>> 
>>> This doesn't leave anything in ipsec-ikeless though. :)  It could be that the IKE created SAs and SPDs also should only be accessible as read-only (operational state), but that would probably have to be determined by the YANG server and not specified in the model if the SAD and SPD would be shared by both IKE and IKE-less operation.
>>> 
>>> Thoughts?
>> 
>> The summary is we wanted a very simple and operable model for IKE case taking into account that IKE implementation does several actions on behalf the I2NSF controller. We hope these clarifications help to understand the motivation of defining the YANG model in this way.
>> 
>> Best Regards and many thanks.
>> 
>>> 
>>> Thanks,
>>> Chris.
>>> 
>> 
>> -------------------------------------------------------
>> Rafa Marin-Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

v2.23.0 | Report a Bug | By Email