Re: [IPsec] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt

Lou Berger <lberger@labn.net> Fri, 16 October 2020 22:55 UTC

To: Rafa Marin-Lopez <rafa@um.es>, i2nsf@ietf.org
Cc: ipsec@ietf.org, yang-doctors@ietf.org, last-call@ietf.org, draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org
References: <160252655236.514.5675626677635075934@ietfa.amsl.com> <D9E7F4D7-E6EC-4268-B989-F764CEE34B2B@um.es>
From: Lou Berger <lberger@labn.net>
Message-ID: <0df078b7-14b6-1262-4cfa-4d1429ef945c@labn.net>
Date: Fri, 16 Oct 2020 18:55:07 -0400
In-Reply-To: <D9E7F4D7-E6EC-4268-B989-F764CEE34B2B@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Se2h9pC6-wqrS0GD0Xzubhx6wwg>
Subject: Re: [IPsec] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt


On 10/16/2020 4:19 AM, Rafa Marin-Lopez wrote:
> If there is no objection, we can include this feature adding a
> description about the motivation behind this and prepare v10 very
> quickly.

Thank you for this.  I think it would be a really helpful change -- and 
I support it.

Lou

(as contributor with multiple hats)

On 10/16/2020 4:19 AM, Rafa Marin-Lopez wrote:
> Dear all:
> 
> Recently we submitted v09. We would like to summarize the status:
> 
> - We have applied all the comments we received so far (except one, see 
> below). In particular, we would like to highlight that we have renamed 
> the modules as a consequence of some comments. In particular:
> 
> ietf-ipsec-common -> ietf-i2nsf-ikec
> ietf-ipsec-ike -> ietf-i2nsf-ike
> ietf-ipsec-ikeless -> ietf-i2nsf-ikeless
> 
> - Moreover, we made a minor change. We realized that encryption
> algorithms should also have a key-length. For example, it is not enough 
> to say the algorithm is AES-CBC without specifying the key-length (e.g. 
> 128 bits).
> 
> - Regarding the pending comment, as you may have followed in the mailing 
> list, it has been proposed to add a feature *ikeless-notification* and 
> the corresponding *if ikeless-notification* in each notification to 
> indicate whether notifications are implemented by the NSF. The goal here 
> is to ensure broader applicability of the ikeless module. If there is no 
> objection, we can include this feature adding a description about the 
> motivation behind this and prepare v10 very quickly.
> 
> "To ensure broader applicability of this module, the notifications are 
> marked as a feature. For the implementation of ikeless case, the NSF is 
> expected to implement this feature.";
> 
> The result would be (in tree format):
> 
> notifications:
>      +---n sadb-acquire {ikeless-notification}?
>      |  +--ro ipsec-policy-name    string
>      |  +--ro traffic-selector
>      |     +--ro local-subnet      inet:ip-prefix
>      |     +--ro remote-subnet     inet:ip-prefix
>      |     +--ro inner-protocol?   ipsec-inner-protocol
>      |     +--ro local-ports* [start end]
>      |     |  +--ro start    inet:port-number
>      |     |  +--ro end      inet:port-number
>      |     +--ro remote-ports* [start end]
>      |        +--ro start    inet:port-number
>      |        +--ro end      inet:port-number
>      +---n sadb-expire {ikeless-notification}?
>      |  +--ro ipsec-sa-name           string
>      |  +--ro soft-lifetime-expire?   boolean
>      |  +--ro lifetime-current
>      |     +--ro time?      uint32
>      |     +--ro bytes?     uint32
>      |     +--ro packets?   uint32
>      |     +--ro idle?      uint32
>      +---n sadb-seq-overflow {ikeless-notification}?
>      |  +--ro ipsec-sa-name    string
>      +---n sadb-bad-spi {ikeless-notification}?
>         +--ro spi    uint32
> 
> 
> Best Regards.
> 
>> On 12 Oct 2020, at 20:15, internet-drafts@ietf.org wrote:
>>
>>
>> A new version of I-D, draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
>> has been successfully submitted by Rafa Marin-Lopez and posted to the
>> IETF repository.
>>
>> Name: draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Revision: 09
>> Title: Software-Defined Networking (SDN)-based IPsec Flow Protection
>> Document date: 2020-10-12
>> Group: i2nsf
>> Pages: 92
>> URL: https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
>> Status: https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Htmlized: https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
>> Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
>>
>> Abstract:
>>   This document describes how to provide IPsec-based flow protection
>>   (integrity and confidentiality) by means of an Interface to Network
>>   Security Function (I2NSF) controller.  It considers two main well-
>>   known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
>>   host.  The service described in this document allows the
>>   configuration and monitoring of IPsec Security Associations (SAs)
>>   from a I2NSF Controller to one or several flow-based Network Security
>>   Functions (NSFs) that rely on IPsec to protect data traffic.
>>
>>   The document focuses on the I2NSF NSF-facing interface by providing
>>   YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
>>   and IKEv2.  This allows IPsec SA establishment with minimal
>>   intervention by the network administrator.  It does not define any
>>   new protocol.
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
> 
> -------------------------------------------------------
> Rafa Marin-Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
> -------------------------------------------------------
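The feature/if-feature arrangement Rafa proposes above, written out as YANG source. This is an added illustrative excerpt, not text from draft-ietf-i2nsf-sdn-ipsec-flow-protection; it is the source form that pyang's tree output renders with the `{ikeless-notification}?` markers shown in the message. Assumed: the module name, namespace and prefix are placeholders, `mandatory true` is inferred from the absence of `?` in the tree, and `inner-protocol` is omitted because its typedef lives in the ietf-i2nsf-ikec module.

```yang
module example-ikeless-notifications {
  yang-version 1.1;
  namespace "urn:example:ikeless-notifications"; // placeholder, not the draft's
  prefix exn;
  import ietf-inet-types { prefix inet; }

  // A feature lets an NSF advertise whether it implements the notifications.
  feature ikeless-notification {
    description
      "To ensure broader applicability of this module, the notifications are
       marked as a feature. For the implementation of ikeless case, the NSF is
       expected to implement this feature.";
  }
  // if-feature on a notification is what pyang renders as the
  // {ikeless-notification}? marker in tree output.
  notification sadb-acquire {
    if-feature "ikeless-notification";
    leaf ipsec-policy-name { type string; mandatory true; }
    container traffic-selector {
      leaf local-subnet  { type inet:ip-prefix; mandatory true; }
      leaf remote-subnet { type inet:ip-prefix; mandatory true; }
      // inner-protocol omitted here: its typedef comes from ietf-i2nsf-ikec.
      list local-ports {            // remote-ports has the same shape
        key "start end";
        leaf start { type inet:port-number; }
        leaf end   { type inet:port-number; }
      }
    }
  }
  notification sadb-expire {
    if-feature "ikeless-notification";
    leaf ipsec-sa-name { type string; mandatory true; }
    leaf soft-lifetime-expire { type boolean; }
    container lifetime-current {
      leaf time    { type uint32; }
      leaf bytes   { type uint32; }
      leaf packets { type uint32; }
      leaf idle    { type uint32; }
    }
  }
  notification sadb-seq-overflow {
    if-feature "ikeless-notification";
    leaf ipsec-sa-name { type string; mandatory true; }
  }
  notification sadb-bad-spi {
    if-feature "ikeless-notification";
    leaf spi { type uint32; mandatory true; }
  }
}
```

An NSF that does not list `ikeless-notification` among its supported features in its YANG library cannot be expected to emit sadb-expire or sadb-acquire, so a controller should check the advertised feature set before depending on these notifications for rekeying or SA installation.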