Re: [IPsec] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
Lou Berger <lberger@labn.net> Fri, 16 October 2020 22:55 UTC
To: Rafa Marin-Lopez <rafa@um.es>, i2nsf@ietf.org
Cc: ipsec@ietf.org, yang-doctors@ietf.org, last-call@ietf.org, draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org
References: <160252655236.514.5675626677635075934@ietfa.amsl.com> <D9E7F4D7-E6EC-4268-B989-F764CEE34B2B@um.es>
From: Lou Berger <lberger@labn.net>
Message-ID: <0df078b7-14b6-1262-4cfa-4d1429ef945c@labn.net>
Date: Fri, 16 Oct 2020 18:55:07 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Se2h9pC6-wqrS0GD0Xzubhx6wwg>
On 10/16/2020 4:19 AM, Rafa Marin-Lopez wrote:
> If there is no objection, we can include this feature adding a
> description about the motivation behind this and prepare v10 very quickly.

Thank you for this. I think it would be a really helpful change -- and I support it.

Lou (as contributor with multiple hats)

On 10/16/2020 4:19 AM, Rafa Marin-Lopez wrote:
> Dear all:
>
> Recently we submitted v09. We would like to summarize the status:
>
> - We have applied all the comments we received so far (except one, see
> below). In particular, we would like to highlight that we have renamed
> the modules as a consequence of some comments. In particular:
>
> ietf-ipsec-common  -> ietf-i2nsf-ikec
> ietf-ipsec-ike     -> ietf-i2nsf-ike
> ietf-ipsec-ikeless -> ietf-i2nsf-ikeless
>
> - Moreover we made a minor change. We realized that encryption
> algorithms should also have a key-length. For example, it is not enough
> to say the algorithm is AES-CBC without specifying the key-length (e.g.
> 128 bits).
>
> - Regarding the pending comment, as you may have followed in the mailing
> list, it has been proposed to add a feature *ikeless-notification* and
> the corresponding *if ikeless-notification* in each notification to
> indicate whether notifications are implemented by the NSF. The goal here
> is to ensure broader applicability of the ikeless module. If there is no
> objection, we can include this feature adding a description about the
> motivation behind this and prepare v10 very quickly.
>
> "To ensure broader applicability of this module, the notifications are
> marked as a feature. For the implementation of ikeless case, the NSF is
> expected to implement this feature.";
>
> The result would be (in tree format):
>
> notifications:
>   +---n sadb-acquire *{ikeless-notification}*?
>   |  +--ro ipsec-policy-name    string
>   |  +--ro traffic-selector
>   |     +--ro local-subnet      inet:ip-prefix
>   |     +--ro remote-subnet     inet:ip-prefix
>   |     +--ro inner-protocol?   ipsec-inner-protocol
>   |     +--ro local-ports* [start end]
>   |     |  +--ro start   inet:port-number
>   |     |  +--ro end     inet:port-number
>   |     +--ro remote-ports* [start end]
>   |        +--ro start   inet:port-number
>   |        +--ro end     inet:port-number
>   +---n sadb-expire *{ikeless-notification}*?
>   |  +--ro ipsec-sa-name           string
>   |  +--ro soft-lifetime-expire?   boolean
>   |  +--ro lifetime-current
>   |     +--ro time?      uint32
>   |     +--ro bytes?     uint32
>   |     +--ro packets?   uint32
>   |     +--ro idle?      uint32
>   +---n sadb-seq-overflow *{ikeless-notification}*?
>   |  +--ro ipsec-sa-name    string
>   +---n sadb-bad-spi *{ikeless-notification}*?
>      +--ro spi    uint32
>
> Best Regards.
>
>> On 12 Oct 2020, at 20:15, internet-drafts@ietf.org
>> <mailto:internet-drafts@ietf.org> wrote:
>>
>> A new version of I-D, draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
>> has been successfully submitted by Rafa Marin-Lopez and posted to the
>> IETF repository.
>>
>> Name:           draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Revision:       09
>> Title:          Software-Defined Networking (SDN)-based IPsec Flow Protection
>> Document date:  2020-10-12
>> Group:          i2nsf
>> Pages:          92
>> URL:            https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
>> Status:         https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection
>> Htmlized:       https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
>>
>> Abstract:
>>    This document describes how to provide IPsec-based flow protection
>>    (integrity and confidentiality) by means of an Interface to Network
>>    Security Function (I2NSF) controller. It considers two main
>>    well-known scenarios in IPsec: (i) gateway-to-gateway and (ii)
>>    host-to-host. The service described in this document allows the
>>    configuration and monitoring of IPsec Security Associations (SAs)
>>    from an I2NSF Controller to one or several flow-based Network Security
>>    Functions (NSFs) that rely on IPsec to protect data traffic.
>>
>>    The document focuses on the I2NSF NSF-facing interface by providing
>>    YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
>>    and IKEv2. This allows IPsec SA establishment with minimal
>>    intervention by the network administrator. It does not define any
>>    new protocol.
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org <http://tools.ietf.org>.
>>
>> The IETF Secretariat
>>
>
> -------------------------------------------------------
> Rafa Marin-Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
> -------------------------------------------------------