Re: [I2nsf] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04

Linda Dunbar <dunbar.ll@gmail.com> Tue, 21 May 2019 21:02 UTC

Return-Path: <dunbar.ll@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C8981200D6 for <i2nsf@ietfa.amsl.com>; Tue, 21 May 2019 14:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hQzF01tgk5Kh for <i2nsf@ietfa.amsl.com>; Tue, 21 May 2019 14:02:15 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DA521200A4 for <i2nsf@ietf.org>; Tue, 21 May 2019 14:02:15 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id n17so426644edb.0 for <i2nsf@ietf.org>; Tue, 21 May 2019 14:02:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8LlLULHNZdPHRtjdI1tA6cZG7ALSPBKHCRMcggajm7E=; b=ojnlat0yne/EnhQue8dpRwzc6s5hnW5vTYkyH6tPkf5z2SHgkWzgCGwU+03rG+VJdQ 2dv69w+jzwqcNkOpT1+aJgHSmrbiZTuAj9vsgltR21z51CJd+PgVScW9WFUeLGPNvQHS PfXhiX9DL5oAx5Rf4rLlcfJpLeCK8smkR88j1wWfXt0Xk3MiNpW7PUOQUBDUZPRdKhs3 CGB0JsmAjfryo0ILn4xzZxz9pDIXOopFolTNyK7NDYDbAjlt7K0VYJwa4v14BVjvoVKd ZVtCGgNjp10C15zS8Wii2IJ+aTkTJ+OmZ/zCgSlIUtx6lpu4rBl+M3MtZYDuPD9NAXNh fgXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8LlLULHNZdPHRtjdI1tA6cZG7ALSPBKHCRMcggajm7E=; b=fL8FTeBnJLaeE23411DtZGA/B/cO8pHVm9/LDqXi3BL+ClzB+4vdH6bd/CTSeH5A2u Zk7CCVwAjX4Tn1YTO00Rg5PETyDaPYdNwhauXOGpU8X7WECfwUkpnQxyV7Coege5vRou 0dCPCncYLbDljgB6rH1fD4glL1Jhk6vxKkfv3FPS3o6UPxJZtldgl3BpdqNHtu2g8Gv7 cASL/o2546QIlwC/tNL516x60/jswWqObEHY5RhOqHBb4OpV4+5BC5wJO2JzilWcyhti uvIIjLBKf4bsRq6xkzKQetPGZKBB9SAbb1fyzMdbMYUiU5RfjHqwlQ4Ewgx0v04WQ9Nv 956A==
X-Gm-Message-State: APjAAAX5t44GEV33eOio153WGilJAeO5KplNLIB5j8Cbl2LZ3bdyaw+i fkViYwJ/j1fP29JiP8BdSLZ1HjvxADt9y++3Y9Y=
X-Google-Smtp-Source: APXvYqzntM953zq3M5emmi/JiCftYbqoxuxXHNa3XIaG3gtDlZuxdTsXayjStyrzRldm7Qg1ByHusOZqL/MNwFG3uWM=
X-Received: by 2002:a17:906:4599:: with SMTP id t25mr40320443ejq.197.1558472533782; Tue, 21 May 2019 14:02:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAP_bo1ZoLxYMfxXk12sngYAgcp7SgkmzZhawQY66ZNNVFbkp2A@mail.gmail.com> <CAEC30DB-DC8E-4B6F-897D-FB40244BD6D4@um.es>
In-Reply-To: <CAEC30DB-DC8E-4B6F-897D-FB40244BD6D4@um.es>
From: Linda Dunbar <dunbar.ll@gmail.com>
Date: Tue, 21 May 2019 16:02:01 -0500
Message-ID: <CAP_bo1Z1TBWsLjFqCY3UYpywVk6YWB=o+J3CunHTXEuOJDs_jQ@mail.gmail.com>
To: Gabriel Lopez <gabilm@um.es>
Cc: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>, Rafa Marin Lopez <rafa@um.es>, =?UTF-8?B?RmVybmFuZG8gUGVyZcOxw61ndWV6IEdhcmPDrWE=?= <fernando.pereniguez@cud.upct.es>, i2nsf@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000c4b44b05896c29df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/xcpnlWyWHkhkvzSUK-ruwO0ae2s>
Subject: Re: [I2nsf] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2019 21:02:18 -0000

Gabriel and Rofa,

Just to clarify: the purpose of asking you changing from "container.." to
"grouping.." is for  "i2nsf-nsf-facing-interface-dm"  to the "ikev2" and
"ietf-ipsec" structure defined in
draft-ietf-i2nsf-sdn-ipsec-flow-protection.
Not other way around, i.e. not asking
draft-ietf-i2nsf-sdn-ipsec-flow-protection to import other properties.

By the way, i2nsf-nsf-facing-interface-dm only imported two other data
structure "ietf-inet-types" & "ietf-yang-types" besides the "ikev2" and
"ietf-ipsec".

It has nothing to do with other modules for TTL, SSL, etc.

Thanks, Linda


On Tue, May 21, 2019 at 3:42 AM Gabriel Lopez <gabilm@um.es>; wrote:

> Hi Linda, Paul.
>
> El 20 may 2019, a las 19:52, Linda Dunbar <dunbar.ll@gmail.com>; escribió:
>
> Gabriel,
>
> Thanks for the explanation.
>
> Agree with you that *"it does not imply to extend the NSF client
> interface to include all the available yang models for every security
> service a NSF can support.". *
> But a network function that supports I2NSF should be allowed to your IPsec
> module, should it?
>
>
> Sure.
>
> Regards, Gabi.
>
> P.D. Linda, be aware you have included other email destination addresses
> in the “subject” field of our email.
>
>
>
>
>
> what does it mean by you saying the following?
> "the Actual IPsec Configuration" is not same as "our I2NSF interface"?
>
> *That is, our data models assume that the actual IPsec configuration will
> be handled by Rafa's IPsec module through NETCONF, and*
> *our I2NSF interfaces will do nothing related to the IPsec configuration.*
>
>
> Thanks, Linda
>
>
> ----------------------
>
> Hi Paul, Linda.
>
>
> Thanks again for your comments.
>
>
> El 18 may 2019, a las 7:11, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>;
> escribió:
>
>
> Hi Linda,
> For your first question,
> it seems like Gabriel does not like to modify their code to let NSF-Facing
> Interface data module import ikev2 and ietf-ipsec (i.e., ike-less)
> according to IETF YANG conventions such as TLS, SSH, IDS, and ACL.
> In our data models, we will specify whether an NSF supports an IPsec
> configuration mechanism (IKEv2 or IKEless),
> or does not support any IPsec configuration mechanism.
> That is, our data models assume that the actual IPsec configuration will
> be handled by Rafa's IPsec module through NETCONF, and
> our I2NSF interfaces will do nothing related to the IPsec configuration.
>
>
>
>
>
>
> The question is not whether I (we) like or don't like to modify the model.
> The question is whether it is the best technical approach or not.
> As said before, the ipsec model has been designed to work in a standalone
> mode in a NSF, so the controller can configure ipsec on NSFs without any
> other module.
>
>
> You mention the consensous on the last meeting, but what I get from this
> consensous is to study how, making use of the capability model, the
> controller can learn if the NSF node supports IKE case or IKE-less case,
> and then in the discussion there is a mention to a "reference" to the
> corresponding data model implementing these capabilities (our model) (here
> the "reference" clause could be used). But it does not imply to extend the
> NSF client interface to include all the available yang models for every
> security service a NSF can support.
>
>
> Our main concerns is if the objective of the nsf-client-dm is:
>
>
> - To import all other models (SSH, TLS, ALCs, etc...) just for sake of
> having all of them gathered in a single model (nsf-client-dm). But I don't
> see the benefit. In fact, SSH or TLS yang models are designed to be used by
> other yang model for especific applications, such as a model for HTTPS
> importing the TLS model or a model for a SSH server importing the SSH
> model. What is the service in this case?. In the case of the ACL yang
> module, it is also defined to work in a standalone mode (no main grouping
> based). In the case of IDS, could you point out the yang module?
>
>
> - To adapt them in some way to the ECA model. The ECA model is the
> keystone of the nsf-client-dm, as described in section 4. If it is the
> case, then it is difficult to see examples of how they can be adapted.
>
>
>
>
> Said that, the draft is a WG item and the WG has to decide what is the
> right way to proceed.
>
>
> Regards, Gabi.
>
>
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es <gabilm@um.es>;
>
>
>
>