Re: [IPsec] New Version Notification for draft-tran-ipsecme-ikev2-yang-00.txt

Tommy Pauly <tpauly@apple.com> Sun, 03 April 2016 18:39 UTC

From: Tommy Pauly <tpauly@apple.com>
Date: Sun, 03 Apr 2016 15:39:20 -0300
To: Khanh Tran <khanh.x.tran@ericsson.com>, Daniel Migault <daniel.migault@ericsson.com>
Cc: "IPsec@ietf.org" <IPsec@ietf.org>

Hello,

Thanks for working on this YANG model! I’m including some general points of feedback on typos and missing topics in the IKEv2 YANG document.

Section 3.1 has typos. This should be request/response pairs, not request/request:

     . Peer Request MESSAGE ID stores the Message ID of the last
        request received by the peer.
     . Peer Request MESSAGE ID stores the Message ID of the last
        response received by the peer.
     . Local Request MESSAGE ID stores the Message ID of the last
        request received by the local host.
     . Local Request MESSAGE ID stores the Message ID of the last
        response received by the local host.

In Section 3.2, you refer to “Authorized DH”. This term seems confusing, since it sounds like it should be some official term in IKEv2. It seems that you are just referring to a list of selected DH groups that the peer is willing to negotiate. The comment you have regarding the relationship of the DH group to the KEi payload, “RFC7296 this MUST be the DH Transform used in the KEi”, should also be more clear. The KEi payload will be based on the predicted/preferred DH group; however, the proposals may include other DH groups that will be used after an INVALID_KE_PAYLOAD exchange.

Section 3.4 capitalization error: “Note that The definition”…

Your coverage of IKE_AUTH (Section 3.4) mentions CERT for authentication, but not Shared Secret or EAP. EAP particularly is a very important part of how credentials need to be configured, and how the exchange will ultimately work.

The coverage of Configuration Request and Reply also seems to be missing. I see this mentioned:

      |  |  +--rw config-request
      |  |  |  +--rw (ip-address)?
      |  |  |     +--:(ipv4-address)
      |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |  |     +--:(ipv6-address)
      |  |  |        +--rw ipv6-address?   inet:ipv6-address

However, this only includes two of many types of configuration attributes. Please include all of them, and make sure to specify the address encoding correctly. For example, while IPv4 addresses are just 4 octets, IPv6 configured addresses use 17 octets (address + prefix len).

Thanks,
Tommy
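As an added example (not part of this thread or of the draft), the wire encoding behind Tommy's last point: RFC 7296 section 3.15.1 configuration attributes are TLVs with a 2-octet type (top bit reserved), a 2-octet length and a value, where INTERNAL_IP4_ADDRESS (type 1) carries 0 or 4 octets and INTERNAL_IP6_ADDRESS (type 8) carries 0 or 17 octets (address plus prefix length). The encoder and length-checking decoder below are illustrative code written for this note; the sample values are constructed.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 7296 section 3.15.1
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP6_ADDRESS = 8

# Value lengths the RFC permits (0 means "request any address" in a CFG_REQUEST)
EXPECTED_LEN = {INTERNAL_IP4_ADDRESS: 4, INTERNAL_IP6_ADDRESS: 17}


def encode_attribute(attr_type, address, prefix_len=None):
    """Build one TLV attribute: 2-octet type (R bit clear), 2-octet length, value."""
    ip = ipaddress.ip_address(address)
    if attr_type == INTERNAL_IP4_ADDRESS:
        value = ip.packed  # 4 octets, no prefix length
    elif attr_type == INTERNAL_IP6_ADDRESS:
        if prefix_len is None or not 0 <= prefix_len <= 128:
            raise ValueError("IPv6 attribute needs a prefix length 0..128")
        value = ip.packed + bytes([prefix_len])  # 16 + 1 = 17 octets
    else:
        raise ValueError("unsupported attribute type")
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def decode_attributes(data):
    """Parse a run of attributes, rejecting values whose length is wrong for the type."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", data, off)
        attr_type &= 0x7FFF  # clear the reserved R bit
        off += 4
        value = data[off:off + length]
        if len(value) != length:
            raise ValueError("truncated attribute value")
        off += length
        if attr_type in EXPECTED_LEN and length not in (0, EXPECTED_LEN[attr_type]):
            raise ValueError(f"type {attr_type}: expected {EXPECTED_LEN[attr_type]} octets, got {length}")
        if length == 0:
            out.append((attr_type, None, None))  # empty attribute in a CFG_REQUEST
        elif attr_type == INTERNAL_IP4_ADDRESS:
            out.append((attr_type, str(ipaddress.IPv4Address(value)), None))
        elif attr_type == INTERNAL_IP6_ADDRESS:
            out.append((attr_type, str(ipaddress.IPv6Address(value[:16])), value[16]))
        else:
            out.append((attr_type, value.hex(), None))  # other types passed through raw
    return out
```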




> On Mar 29, 2016, at 5:22 PM, Khanh Tran <khanh.x.tran@ericsson.com> wrote:
> 
> Hi Paul,
>  
> Below are my comments to your questions that are relating to draft-tran-ipsecme-ikev2-yang-00.txt.
>  
> Q1: What does all right reserved means? I think the question beyond that is how the YANG model can be used, and who owns it? Can you respond to this?
> A1: Yes, we will remove the following description:
>        " Copyright (c) 2016 Ericsson AB."+
>        " All rights reserved.";
>  
>  
> Q2:   leaf initial-retransmission-timeout I think that the question is how do we specify units in the YANG model. Is that something that is part of the YANG model? I think we should also ask if the WG would like us to add different ways to express their retransmission timeout? – I can respond to this question if you prefer.
> A2: yes, we can specify the unit for this attribute (I assume the unit will be “milliseconds”)  
> Ex:
>          leaf initial-retransmission-timeout {
>            type uint32;
>            units "milliseconds";
>            default 100;
>            description
>              "initial retransmission timeout value";
>          }
>  
>          leaf nat-keepalive-interval {
>              type uint16 {
>                range "5..300";
>              }
>              units "Seconds";
>              default 20;
>              description "NAT detected and keepalive interval";
>          }
>  
>  
> Q3: How YANG can be updated when IANA registries are updated. I think also some text could be added into the draft for that. – Can you respond to this?
> A3: yes, we can add the text in the draft for reference to IANA.  When IANA registries are updated, the YANG module should be notified for changes and update accordingly.
>  
>  
> Best regards,
> Khanh Tran
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec