Re: [IPsec] [I2nsf] [yang-doctors] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Christian Hopps <chopps@chopps.org> Thu, 15 October 2020 10:48 UTC

Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7A73A1370; Thu, 15 Oct 2020 03:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DePdojSIs790; Thu, 15 Oct 2020 03:48:31 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3CE3A11D1; Thu, 15 Oct 2020 03:48:30 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 624F26166F; Thu, 15 Oct 2020 10:48:27 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <0492AF3E-7A7D-4853-84CE-C13155F3E4D9@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_71DD0E65-CAB8-4BA2-A065-0E5B1AC62BF0"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Thu, 15 Oct 2020 06:48:26 -0400
In-Reply-To: <1142B610-2D58-4DE5-96F7-773D02C1B42A@um.es>
Cc: Christian Hopps <chopps@chopps.org>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, "last-call@ietf.org" <last-call@ietf.org>, Gabriel Lopez <gabilm@um.es>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Martin Björklund <mbj+ietf@4668.se>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, Lou Berger <lberger@labn.net>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>
To: Rafa Marin-Lopez <rafa@um.es>
References: <MN2PR11MB4366E30B3C372D13B391AE07B53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <2B88888E-A264-4D81-A8DA-9C6225E83E0E@um.es> <70A0A406-0742-4F28-A5A4-8D539B160E24@chopps.org> <20200923.125826.1562347052257995146.id@4668.se> <CBC552B2-6039-48E8-988D-4F2BA3FD6B2E@chopps.org> <023fc27b-f86e-ed71-0c8f-d270c338f08c@labn.net> <MN2PR11MB43662E1711367EDE9A066452B5070@MN2PR11MB4366.namprd11.prod.outlook.com> <E827743C-74A1-42CE-9765-7ECD062D8E41@um.es> <10116C35-8FBF-4914-9846-883D2C7F7A11@chopps.org> <B3282660-5C6A-4B69-8CFC-57AFBCE2B544@um.es> <7C422A91-5543-41A0-B907-6AAD9F83E6DA@chopps.org> <1142B610-2D58-4DE5-96F7-773D02C1B42A@um.es>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/KY5NgFgPAcLmtUXkHgGivyTXNX0>
Subject: Re: [IPsec] [I2nsf] [yang-doctors] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 10:48:34 -0000

This is great news, Thanks!

IMO (Rob feel free to chime in here :) I don't think you need to say anything more about the feature in your document (other than what was already mentioned). This is the standard "outside the scope of this document" kind of thing. It's enough to put that text that says they are marked as a feature for greater re-usability, but SDN clients will expect the feature to be implemented.

FWIW, When talking about YANG features I'd use the turn of phrase "to indicate whether notifications are implemented by the server" rather than 'to "activate" notifications'. They don't get turned on or off, they are either implemented or not. You could swap "implemented" with "supported" too here with the same meaning.

Thanks,
Chris.

> On Oct 15, 2020, at 3:12 AM, Rafa Marin-Lopez <rafa@um.es> wrote:
> 
> Hi Christian (,Rob):
> 
> Thanks again for this conversation. Please see our comments inline.
> 
>>> 
>>> As a consequence, the resolution was to move forward with a pragmatic approach at this point of time, by changing the names of the modules (and prefixes) to refer to the I2NSF work.
>> 
>> These are 2 different things. The original discussion was about moving the SAD and SPD from ikeless module to the common one which then would have brought them into the IKE module, and required people just implementing IKE to also implement the SAD and SPD parts.
>> 
>> In comparison this new compromise request is a tiny change, and allows a much larger audience to reap the benefit of your work. The change is the addition of "feature ikeless-notification" and then putting the "if ikeless-notification" under the notifications.
>> 
>> This doesn't change the semantics of your module it just allows people to re-use the ikeless module for supporting SAD and SPD w/o implementing the notifications.
>> 
>> If you feel more clarity is needed for the SDN use-case then adding the text, "To allow for greater re-use of this module, the notifications are marked as a feature. For the SDN use case clients will expect this feature to be implemented.”
> 
> We agree that this is a small change (if no other change is required). In fact, we have tested it and we have not observed any technical problem. The main concern is the one I mentioned to Rob: having a feature to “activate” notifications (or not) in the ikeless module does not fit in the context of this I-D, unless we find out a valid use case where this feature makes sense.
> 
> In other words, it would be really nice if the inclusion of the text you proposed (“To allow for greater…” ) had a main text to support how this is useful in the context of this I-D. Personally, this would make me feel more confortable.
> 
> Having said all this, let us inform about v09 changes to I2NSF wg and ask about this new change in order to see if there is any objection. Then, if there is no objection we can prepare v10 very quickly with this additional modification.
> 
> We hope this is reasonable.
> 
> Best Regards.
>> 
>> Features are reported just as modules are in the capabilities. An SDN client would look for both capabilities rather than just the one (along with all the other capabilities they will be looking for to actually be a functional YANG client).
>> 
>> Thanks,
>> Chris.
>> 
>>> 
>>> Best Regards.
>>> 
>>>> 
>>>> Thanks,
>>>> Chris.
>>>> 
>>>>> 
>>>>> Hope this helps.
>>>>> 
>>>>> Best Regards.
>>>>> 
>>>>>> El 12 oct 2020, a las 18:01, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org <mailto:rwilton=40cisco.com@dmarc.ietf.org>> escribió:
>>>>>> 
>>>>>> Hi Rafa, authors,
>>>>>> 
>>>>>> Just to check.
>>>>>> 
>>>>>> Has there been any closure on the suggestion from Chris on “notifications in the ikeless module as a feature"?  This would seem to be a fairly cheap & easy compromise.
>>>>>> 
>>>>>> Thanks,
>>>>>> Rob
>>>>>> 
>>>>>> 
>>>>>> From: yang-doctors <yang-doctors-bounces@ietf.org <mailto:yang-doctors-bounces@ietf.org>> On Behalf Of Lou Berger
>>>>>> Sent: 27 September 2020 15:26
>>>>>> To: Christian Hopps <chopps@chopps.org <mailto:chopps@chopps.org>>; Martin Björklund <mbj+ietf@4668.se <mailto:mbj+ietf@4668.se>>
>>>>>> Cc: Robert Wilton <rwilton=40cisco.com@dmarc.ietf.org <mailto:rwilton=40cisco.com@dmarc.ietf.org>>; i2nsf@ietf.org <mailto:i2nsf@ietf.org>; Gabriel Lopez <gabilm@um.es <mailto:gabilm@um.es>>; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org <mailto:draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>; ipsec@ietf.org <mailto:ipsec@ietf.org>; last-call@ietf.org <mailto:last-call@ietf.org>; Rafa Marin-Lopez <rafa@um.es <mailto:rafa@um.es>>; yang-doctors@ietf.org <mailto:yang-doctors@ietf.org>
>>>>>> Subject: Re: [yang-doctors] [IPsec] [Last-Call] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
>>>>>> 
>>>>>> This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.
>>>>>> 
>>>>>> 
>>>>>> Speaking as an interested party, I hope that some compromise / good enough solution is followed in the -09 version of  this draft.
>>>>>> Lou
>>>>>> 
>>>>>> On 9/23/2020 7:20 AM, Christian Hopps wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Sep 23, 2020, at 6:58 AM, Martin Björklund <mbj+ietf@4668.se <mailto:mbj+ietf@4668.se>> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> Christian Hopps <chopps@chopps.org <mailto:chopps@chopps.org>> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Sep 23, 2020, at 5:29 AM, Rafa Marin-Lopez <rafa@um.es <mailto:rafa@um.es>> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> But I would like to check: My understanding is that the changes that
>>>>>> Chris is proposing are pretty small.  I.e. move the SA structure under
>>>>>> ipsec-common, and put it under a YANG feature.  Are you sure that it
>>>>>> is impractical to accommodate this change which would allow a single
>>>>>> ipsec module to be shared and extended via YANG augmentations?
>>>>>> 
>>>>>> 
>>>>>> In the context of our I-D, if we move SAD structure to ipsec-common,
>>>>>> what we are meaning is that IPsec SA configuration data (setting
>>>>>> values to the SAD structure) are common to the IKE case and the
>>>>>> IKE-less cases, which are not. It is confusing.
>>>>>> 
>>>>>> Something defined in a common module but marked as a feature does not
>>>>>> imply that that feature has to be implemented by an importing
>>>>>> module. This is not confusing to YANG implementers or users I
>>>>>> think. If we are just talking about document flow here, then a
>>>>>> sentence saying "the SAD feature is not required to implement IKE
>>>>>> functionality" is quite enough to clear that up I think.
>>>>>> 
>>>>>> Another alternative could be to move these containers to another
>>>>>> (new) module.
>>>>>> 
>>>>>> It may also be enough to mark the notifications in the ikeless module as a feature I suppose. That is the actual thing I think non-SDN implementations would want to omit. The module name "ikeless" is not great in this case, but perhaps workable.
>>>>>> 
>>>>>> 
>>>>>> This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.
>>>>>> 
>>>>>> 
>>>>>> I'm definitely concerned about IETF process and real world usability here. These modules are basically workable for ipsec I think, they could be used by operators today. If we restart the entire process to redo this work for the more generic IPsec case it will probably be years before they are finished and in the field. This new work can be started, but why not have something usable in the meantime?
>>>>>> 
>>>>>> Thanks,
>>>>>> Chris.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> /martin
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> Chris.
>>>>>> 
>>>>>> 
>>>>>> Moreover, the usage of feature means that, after all, this “common” is
>>>>>> not “common” to both cases IKE case and IKE-less. Again, it seems
>>>>>> confusing. In the IKE case, the SDN/I2NSF controller does not
>>>>>> configure the SAD at all but the IKE implementation in the NSF. In our
>>>>>> opinion, in order to properly add this IPsec SA operational state to
>>>>>> the IKE case we should include operational data about the IPsec SAs
>>>>>> (config false) to the ietf-ipsec-ike. Alternatively, we have certain
>>>>>> operational data (ro) in the SAD structure in the IKE-less case. If
>>>>>> only those are moved to the common part should be ok but we think it
>>>>>> does not solve the problem.
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> last-call mailing list
>>>>>> last-call@ietf.org <mailto:last-call@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/last-call <https://www.ietf.org/mailman/listinfo/last-call>
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> IPsec mailing list
>>>>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>_______________________________________________
>>>>>> I2nsf mailing list
>>>>>> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
>>>>> -------------------------------------------------------
>>>>> Rafa Marin-Lopez, PhD
>>>>> Dept. Information and Communications Engineering (DIIC)
>>>>> Faculty of Computer Science-University of Murcia
>>>>> 30100 Murcia - Spain
>>>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
>>>>> -------------------------------------------------------
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> IPsec mailing list
>>>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
>>>> _______________________________________________
>>>> I2nsf mailing list
>>>> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
>>> -------------------------------------------------------
>>> Rafa Marin-Lopez, PhD
>>> Dept. Information and Communications Engineering (DIIC)
>>> Faculty of Computer Science-University of Murcia
>>> 30100 Murcia - Spain
>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
>>> -------------------------------------------------------
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
> -------------------------------------------------------
> Rafa Marin-Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
> -------------------------------------------------------