Protocol Action: 'Software-Defined Networking (SDN)-based IPsec Flow Protection' to Proposed Standard (draft-ietf-i2nsf-sdn-ipsec-flow-protection-14.txt)

The IESG <iesg-secretary@ietf.org> Thu, 15 April 2021 21:38 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'Software-Defined Networking (SDN)-based IPsec Flow Protection' to Proposed Standard (draft-ietf-i2nsf-sdn-ipsec-flow-protection-14.txt)
Auto-Submitted: auto-generated
Precedence: bulk
Cc: The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, i2nsf-chairs@ietf.org, i2nsf@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org, ynir.ietf@gmail.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <161852270704.14419.2915941079548183706@ietfa.amsl.com>
Date: Thu, 15 Apr 2021 14:38:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/ghrIO-pt6a7E7NdWGJ3LT0wvgXE>

The IESG has approved the following document:
- 'Software-Defined Networking (SDN)-based IPsec Flow Protection'
(draft-ietf-i2nsf-sdn-ipsec-flow-protection-14.txt) as Proposed Standard

This document is the product of the Interface to Network Security Functions
Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/

Technical Summary

This document describes how to provide IPsec-based flow protection
(integrity and confidentiality) by means of an Interface to Network
Security Function (I2NSF) controller. It considers two main well-
known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
host. The service described in this document allows the
configuration and monitoring of IPsec Security Associations (SAs)
from a I2NSF Controller to one or several flow-based Network Security
Functions (NSFs) that rely on IPsec to protect data traffic.

The document focuses on the I2NSF NSF-facing interface by providing
YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
and IKEv2. This allows IPsec SA establishment with minimal
intervention by the network administrator. It does not define any
new protocol.

Working Group Summary

The document describes two modes of configuration, or "cases" as they're called in the document: IKE and IKE-less. The "IKE" case involves configuring the NSFs with policies, identities, and credentials so that the IKE protocol can set up traffic keys. The "IKE-less" case involves configuring the NSFs with policies and traffic keys directly. The "IKE-less" case was controversial at first, with people from the IPsecME group objecting to it. Over time some usage scenarios were described where the IKE-less case may be more efficient, and the document now represents the consensus of the working group. Substantial and helpful feedback was provided by the YANG doctors -- the most notable were changes in namespace and notifications to support reuse out of of I2NSF.

The YANG model in this document raised early issues with the of embedding IANA registries in YANG models. In this case, it was the list of algorithms used for IKE or IPsec. Different versions of the document had different schemes, but the final design settled on embedding the algorithm number from the IANA registry as an integer.

Document Quality

The document received WG review. Additional, these reviews included IPsec SMEs such as Tero Kivinen and Paul Wouters.

The authors have an incomplete implementation that is open source.

Personnel

The document shepherd is Yoav Nir.

The responsible AD is Roman Danyliw.

Protocol Action: 'Software-Defined Networking (SD… The IESG