Re: [IPsec] [I2nsf] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Sections 8 - 9)

Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es> Tue, 11 December 2018 18:52 UTC

Return-Path: <fernando.pereniguez@cud.upct.es>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AEFA130F17; Tue, 11 Dec 2018 10:52:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.62
X-Spam-Level:
X-Spam-Status: No, score=-1.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpBoF7vFfhYI; Tue, 11 Dec 2018 10:52:46 -0800 (PST)
Received: from telmad-lavadora-l1mail1v.puc.rediris.es (te-l1mail1v-out02a.puc.rediris.es [IPv6:2001:720:418:ca03::76]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDD07130F20; Tue, 11 Dec 2018 10:52:45 -0800 (PST)
X-IPAS-Result: A2EXAACEBhBcjNMUgNRkHAEBAQQBAQcEAQGBUQcBAQsBg2uEIoEdhnxfl0iNSoF6DYRsAoMPNAkNAQMBAQEBAQECAgIQAQEBJliFPgMDI1YQCQIEBzcCAiISAQUBHIM6ggIEiimQBzyLDYEviSGBDo5RgRGDEogFglcCiSkSjDuLBQcCkVEYgVyFF4pNgwGWIw8hgSU3gVgzgT4GgjaCNBuODD6MHQEB
X-IronPort-AV: E=Sophos;i="5.56,343,1539640800"; d="scan'208,217";a="244847433"
Received: from mail.upct.es (HELO relay1.si.upct.es) ([212.128.20.211]) by smtpout.puc.rediris.es with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 19:52:43 +0100
Received: from mail-it1-f177.google.com (mail-it1-f177.google.com [209.85.166.177]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay1.si.upct.es (Postfix) with ESMTPSA id 5DDF21CD25; Tue, 11 Dec 2018 19:52:37 +0100 (CET)
Received: by mail-it1-f177.google.com with SMTP id m8so11588070itk.0; Tue, 11 Dec 2018 10:52:37 -0800 (PST)
X-Gm-Message-State: AA+aEWZe0yo4M+RVnRJ6+TOyFnwvTEBxjLzWh8s7RbeStAgQsE+cKMYS dsCDeb+npD/E8FVK3VvfCIDuJly0zXZhZzC6nVc=
X-Google-Smtp-Source: AFSGD/VAjnAb5tvmGmQ4fh6fg7p7T+Xk+gacHUjx+8rMoJ99FfOwy7fjIsuTnF+qHWAnoksBuE11oqoyLjPDODQC/UA=
X-Received: by 2002:a24:1a90:: with SMTP id 138mr3114739iti.171.1544554346012; Tue, 11 Dec 2018 10:52:26 -0800 (PST)
MIME-Version: 1.0
References: <A881C135-9BF7-4E93-BB7A-75EB3D1FF605@gmail.com> <6839D47C-4074-486F-9350-8EB7B378036C@um.es> <DAE14995-8504-4134-B021-93D56A4994FB@gmail.com> <alpine.LRH.2.21.1811180149220.25604@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1811180149220.25604@bofh.nohats.ca>
From: Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>
Date: Tue, 11 Dec 2018 19:52:13 +0100
X-Gmail-Original-Message-ID: <CAB=gXc66hBpXBMOzkwXeH-ORrQWO47as4-TPQDe591_Zi=CKDQ@mail.gmail.com>
Message-ID: <CAB=gXc66hBpXBMOzkwXeH-ORrQWO47as4-TPQDe591_Zi=CKDQ@mail.gmail.com>
To: paul@nohats.ca
Cc: ynir.ietf@gmail.com, i2nsf@ietf.org, ipsec@ietf.org, Rafa Marin Lopez <rafa@um.es>, Gabriel López Millán <gabilm@um.es>
Content-Type: multipart/alternative; boundary="000000000000216657057cc395a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2i672W_nkoNfAZTBEm_8qT5oVzU>
Subject: Re: [IPsec] [I2nsf] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Sections 8 - 9)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 18:52:49 -0000

Hi Paul, all,

Next you can find our answers to your comments on sections 8 and 9.


Section 8:

Is this section supposed to be an "Implementation Details" Section as per
RFC 7942? If so, it is missing the required
note to the RFC Editor to remove the entire section before publication as
RFC.

[Authors]

Agree. We will include it.


Section 9.1:

In case 1, add a note to use only strong PSKs, with a minimal length and
strength.

[Authors]
Agree. We will add it.

Section 9.2:

when ESP is used

Hoping my advise is taken to only use ESP and not AH, and to use ESP-null
in the case of encryption being unwanted, please
remove this comment as ESP would always be used.

includes the keys for integrity and encryption

If we only allow AEAD's, maybe rewrite or leave this out.

[Authors]

s/"In the case 2, the controller sends the IPsec SA information to the SAD
that includes the keys for integrity and encryption (when ESP is used)" /
"In the case 2, the controller sends the IPsec SA information to the SAD
that includes the required cryptographic keys for ESP or AH"


Regards,
Fernando.


-- 
----------------------------------------------------------------------------------------------------
Fernando Pereñíguez García, PhD
Department of Sciences and Informatics
University Defense Center, (CUD), San Javier Air Force Base, MDE-UPCT
C/ Coronel Lopez Peña, s/n, 30720, San Javier, Murcia - SPAIN
Tel: +34 968 189 946 Fax: +34 968 189 970
------------------------------------------------------------------------------------------------------