Re: [IPsec] New Version Notification for draft-tran-ipsecme-ikev2-yang-00.txt

Gabriel Lopez <gabilm@um.es> Tue, 29 March 2016 10:38 UTC

From: Gabriel Lopez <gabilm@um.es>
In-Reply-To: <CADZyTknb4091XGMatPCH7sVwhaAvMC9qUZ1spDQvWas4QomAww@mail.gmail.com>
Date: Tue, 29 Mar 2016 12:30:03 +0200
Message-Id: <2A869DA3-B068-4B95-A214-6B2B263898EA@um.es>
References: <20160318180059.2743.10884.idtracker@ietfa.amsl.com> <2D1BA3CFD799FD44A1F3650A84C4000F1231AFBC@eusaamb107.ericsson.se> <2DD56D786E600F45AC6BDE7DA4E8A8C11222B1D5@eusaamb108.ericsson.se> <B738A952-EA5F-4292-AF1B-97CE55872E25@um.es> <CADZyTknb4091XGMatPCH7sVwhaAvMC9qUZ1spDQvWas4QomAww@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/6dM0qo1rOgtae8qvg4I0JjzOWTo>
Cc: "Nagendran Ramalingam (Nagendran.Ramalingam@huawei.com)" <Nagendran.Ramalingam@huawei.com>, Xufeng Liu <xliu@kuatrotech.com>, IPsecME WG <ipsec@ietf.org>, "Wanghonglei (A) (stonewater.wang@huawei.com)" <stonewater.wang@huawei.com>, "Chenxia (D) (jescia.chenxia@huawei.com)" <jescia.chenxia@huawei.com>, "Wunan (Eric) (eric.wu@huawei.com)" <eric.wu@huawei.com>, Khanh Tran <khanh.x.tran@ericsson.com>, Ing-Wher Chen <ichen@kuatrotech.com>, "Lizhenbin (lizhenbin@huawei.com)" <lizhenbin@huawei.com>, "vijay kn (vijay.kn@huawei.com)" <vijay.kn@huawei.com>
Subject: Re: [IPsec] New Version Notification for draft-tran-ipsecme-ikev2-yang-00.txt

Hi Daniel,

> On 29 Mar 2016, at 1:39, Daniel Migault <daniel.migault@ericsson.com> wrote:
> 
> Hi Gabriel,
> Thanks for the feedback.
> 
> For IKEv2 the document to consider is  draft-tran-ipsecme-ikev2-yang-00.
> 
> 
OK, then I suggest the authors remove the IKEv2 model from draft-tran-ipsecme-yang-01.
> 
> I agree that it would be useful to have some basic example. This is in our plan.
> However I am wondering if the basic scenarios should rather concern ipsec configurations than ikev2.
> Please let us know what scenarios you would like us to document.
> 
> 

Let’s suppose a very basic, manually defined, end-to-end ipsec configuration for ipsec-tools.

#SAD info
(1) add 192.168.56.1 192.168.56.2 ah 0x200 -A hmac-md5 0x12345….
(2) add 192.168.56.2 192.168.56.1 ah 0x300 -A hmac-md5 0x98765….

#SPD info
(3) spdadd 192.168.56.1 192.168.56.2 any -P out ipsec ah/transport//require;
(4) spdadd 192.168.56.2 192.168.56.1 any -P in ipsec ah/transport//require;

From draft-tran-ipsecme-yang-01, let’s try to model the first sentence (1):

ipsec/sad/sad-entries/
ipsec/sad/sad-entries/spi=0x200
ipsec/sad/sad-entries/anti-replay-window=
ipsec/sad/sad-entries/ip-comp=
ipsec/sad/sad-entries/local-peer=192.168.56.1
ipsec/sad/sad-entries/local-remote=192.168.56.2
ipsec/sad/sad-entries/sa-mode=transport
ipsec/sad/sad-entries/security-protocol=ah
ipsec/sad/sad-entries/sequence-number=
ipsec/sad/sad-entries/sequence-number-overflow-flag=
ipsec/sad/sad-entries/path-mtu=
ipsec/sad/sad-entries/life-time=
ipsec/sad/sad-entries/upper-protocol=                 <-- Why upper-protocol in the SAD entry?
ipsec/sad/sad-entries/direction=                      <-- ?
ipsec/sad/sad-entries/source-address=                 <-- For tunnel mode?
ipsec/sad/sad-entries/destination-address=            <-- "
ipsec/sad/sad-entries/nat-traversal-flag=
ipsec/sad/sad-entries/ah/authentication-algorithm=hmac-md5-96/0x12345…..   <-- Why is key-str defined as a 16/40 string/hex?

for the second sentence (2):

ipsec/sad/sad-entries/spi=0x300
ipsec/sad/sad-entries/local-peer=192.168.56.2
ipsec/sad/sad-entries/local-remote=192.168.56.1
ipsec/sad/sad-entries/sa-mode=transport
ipsec/sad/sad-entries/security-protocol=ah
ipsec/sad/sad-entries/ah/authentication-algorithm=hmac-md5-96/0x98765…..
… (omitted) ..

for the third sentence (3):

ipsec/spd/spd-entries/
ipsec/spd/spd-entries/name=foo
ipsec/spd/spd-entries/description=foo desc
ipsec/spd/spd-entries/anti-replay-windows=          <-- already used in sad; RFC 4301 allocates this value in the SAD entry
ipsec/spd/spd-entries/perfect-forward-secrecy=
ipsec/spd/spd-entries/seq
ipsec/spd/spd-entries/seq/seq-id                    <-- ? can more than one proposal be defined per spd entry?
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/name=foo
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/ah=auth-hmac-md5-96     <-- Why do you use the type ike-integrity-algorithm-t here under a different name than in the sad entry?
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/esp=
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/ip-comp=                <-- already used in sad?
ipsec/spd/spd-entries/seq/proposal --> /ipsec/proposal/lifetime=

However, the spd entry model does not contain values such as local and remote IP address (as described in RFC4301), ipsec mode (transport/tunnel), direction, Next Layer Protocol, PFP flags, etc.



Best regards, Gabi.



> BR
> Daniel
> 
> 
> Hi,
> 
> Documents draft-tran-ipsecme-yang-01 and draft-tran-ipsecme-ikev2-yang-00 were submitted on the same date (2016-03-18) and most of the authors coincide. Both documents describe a Yang IKEv2 configuration data model. The latter is focused on IKEv2, the former includes IPSec and IKEv1 data models.
> 
> Sorry, I’m a bit confused: what is the right document to check the IKEv2 yang model?
> 
> In both cases, it would be useful to include examples for basic IPSec/IKE scenarios.
> 
> Regards, Gabi.
> 
> 
>> On 27 Mar 2016, at 1:04, Daniel Migault <daniel.migault@ericsson.com> wrote:
>> 
>> Hi,
>> 
>> Please find our first version of the YANG model for IKEv2. Feel free to post comments. I would also be happy to have face-to-face discussions on the draft - especially with IKEv2 implementers.
>> 
>> BR,
>> Daniel
>> 
>> -----Original Message-----
>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>> Sent: Friday, March 18, 2016 11:01 AM
>> To: Xia Chen; Honglei Wang; Khanh Tran; Khanh Tran; Vijay Kumar Nagaraj; Daniel Migault
>> Subject: New Version Notification for draft-tran-ipsecme-ikev2-yang-00.txt
>> 
>> 
>> A new version of I-D, draft-tran-ipsecme-ikev2-yang-00.txt
>> has been successfully submitted by Khanh Tran and posted to the IETF repository.
>> 
>> Name:		draft-tran-ipsecme-ikev2-yang
>> Revision:	00
>> Title:		Yang Data Model for IKEv2
>> Document date:	2016-03-18
>> Group:		Individual Submission
>> Pages:		76
>> URL:            https://www.ietf.org/internet-drafts/draft-tran-ipsecme-ikev2-yang-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-tran-ipsecme-ikev2-yang/
>> Htmlized:       https://tools.ietf.org/html/draft-tran-ipsecme-ikev2-yang-00
>> 
>> 
>> Abstract:
>>   This document defines a YANG data model that can be used to
>>   configure and manage Internet Key Exchange version 2 (IKEv2).  The
>>   model covers the IKEv2 protocol configuration and operational state.
>> 
>> 
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
> 



-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es
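The setkey-to-model mapping sketched in the message above, written out as an added example (it is not code from the thread or from either draft): it parses the four ipsec-tools lines, emits the sad-entries leaves in the same path style, checks that an hmac-md5 key has the 16 bytes RFC 2403 requires, and for each spdadd line reports the RFC 4301 fields the draft's spd entry has no leaf for. The key values and the entry names are constructed.

```python
import re

# Constructed sample: the four setkey lines from the message, with made-up 128-bit
# keys in place of the elided "0x12345..." / "0x98765..." values.
SETKEY_CONF = """
add 192.168.56.1 192.168.56.2 ah 0x200 -A hmac-md5 0x00112233445566778899aabbccddeeff;
add 192.168.56.2 192.168.56.1 ah 0x300 -A hmac-md5 0xffeeddccbbaa99887766554433221100;
spdadd 192.168.56.1 192.168.56.2 any -P out ipsec ah/transport//require;
spdadd 192.168.56.2 192.168.56.1 any -P in ipsec ah/transport//require;
"""
ADD_RE = re.compile(r"^add (\S+) (\S+) (ah|esp) (0x[0-9a-f]+) -A (\S+) 0x([0-9a-f]+);$", re.I)
SPD_RE = re.compile(r"^spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec "
                    r"(ah|esp)/(transport|tunnel)/[^/]*/(\S+);$", re.I)
KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}  # key sizes from RFC 2403 / RFC 2404
SAD, SPD = "ipsec/sad/sad-entries/", "ipsec/spd/spd-entries/"

def sad_entry(line):
    """Leaves an 'add' line fills in the draft's sad-entries; rejects a wrongly sized key."""
    m = ADD_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'add' line: " + line)
    src, dst, proto, spi, alg, key = m.groups()
    need = KEY_BYTES.get(alg.lower())
    if need is None or len(key) != 2 * need:  # setkey keys are hex: two digits per byte
        raise ValueError("%s: expected %s-byte key, got %d hex digits" % (alg, need, len(key)))
    return {SAD + "spi": spi, SAD + "local-peer": src, SAD + "local-remote": dst,
            SAD + "sa-mode": "transport", SAD + "security-protocol": proto,
            SAD + proto + "/authentication-algorithm": alg + "-96/0x" + key}

def spd_entry(line, name):
    """(mapped leaves, setkey fields the draft's spd entry has no leaf for) for 'spdadd'."""
    m = SPD_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'spdadd' line: " + line)
    src, dst, upper, direction, proto, mode, _level = m.groups()
    # The proposal's algorithm leaf is left empty: setkey binds the algorithm to the
    # SA ('add'), not to the policy, so it has to be copied over from the SAD side.
    mapped = {SPD + "name": name, SPD + "seq/seq-id": 1, SPD + "seq/proposal/name": name,
              SPD + "seq/proposal/" + proto: None}
    # RFC 4301 selectors and attributes that setkey carries but the spd model lacks:
    unmapped = {"source-address": src, "destination-address": dst, "upper-protocol": upper,
                "direction": direction, "sa-mode": mode}
    return mapped, unmapped

def map_conf(text):
    """Run every non-empty setkey line through the two mappers above."""
    return [sad_entry(l) if l.startswith("add ") else spd_entry(l, "policy%d" % i)
            for i, l in enumerate(l for l in text.splitlines() if l.strip())]
```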