IETF Logo Mail Archive

Re: [IPsec] [Last-Call] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

tom petch <daedulus@btconnect.com> Tue, 22 September 2020 16:22 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70483A0816; Tue, 22 Sep 2020 09:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.701
X-Spam-Level:
X-Spam-Status: No, score=-1.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hkk2aoGUrkh0; Tue, 22 Sep 2020 09:22:25 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40090.outbound.protection.outlook.com [40.107.4.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9523A052C; Tue, 22 Sep 2020 09:22:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=m+Nqds+h/MJ6kc4ocvBesFbRXRddcOsWfsW+x8j/P+tSVCMmh+rTi+gBpSLqT6g30rmogI0Co01HuFW5cUP3Sh2MIX/rLvBKp3RAFAZUrpSIff1NdjbmoIVYKnYhaqnHkNsXV7CPlZIwyl8MTpir2TQGU5FypCNombQQxefp+P9dLvbbIb7/Jsfu4V2w2XlgNAFGUulYCdosEvYh4HXrwYhK+w/H4ZJGZoU+HKLwJys7mirGQxyUL2tfmWgoPVnnHPtcAtMirFd2HjP8uyOCE1/S5QTmLIAHW0hK5j3bVWSylAL+weBcvjxcSXNjkxor9zexcIvxwyNihytk3qTw4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iMMXvmSqFwh8FZBuaoYRDZDSRoO14tg1dX5KX4ZQzBs=; b=moDRMeRT7iWcjrnPdsYFV9hZOF8v77qsbO8ZA8Gcp1MSld04DANNpFkD0nvLmGqfBSdxDnZXYANnWwaK6ZhrKMIk7yqJlFe0der3lzNUTCIlIbTKCuCh62cAmhfT4H+kzP1GHKLiUQoX81IwvrCSZJ/wX0ZkjwOIMyyvZRimlDrJk3xiyaV7wGYTL9Q1uXJbqbhcZC5jY3BS0MO1ylQnm2swrv9hp+rhvwIGfuRaTdh583aFPL9IwV/+OLmNtpWJ4sPo85gzgrZYhLsBeInaUWYuWe+dFdA5E1FKn0xxCBuEj9nw7vTl6qiRDG5Bq+YjpBfbHl0UX1oQ3xPq2WmPHw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iMMXvmSqFwh8FZBuaoYRDZDSRoO14tg1dX5KX4ZQzBs=; b=YBkf2rJXm4ORPODrBzjkJWZ6m4XdnbJ/CwrICXCzMqYAQDIPQH/DccCQa9qqmBWh0Ph8pBIhpc4L+T1WSCcd/97ve30T865ks4SBlesOA46QytMM/HXl25t3xxzHDKG0LYwwAcZetwVldNcyMB921PvB2fO+BKLRSS0OfXvrS24=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8) by VI1PR07MB5502.eurprd07.prod.outlook.com (2603:10a6:803:b7::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.4; Tue, 22 Sep 2020 16:22:21 +0000
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6165:9c1c:e5b1:15db]) by VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6165:9c1c:e5b1:15db%5]) with mapi id 15.20.3412.020; Tue, 22 Sep 2020 16:22:21 +0000
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>, Rafa Marin-Lopez <rafa@um.es>
References: <159827985531.30993.17722282912726281276@ietfa.amsl.com> <D25A15B0-B714-407C-B119-F83B634099D4@chopps.org> <MN2PR11MB43668FA513A764EA0514790BB53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <27C522C8-53E3-40EF-ADD7-5B2F84FFCF83@um.es> <MN2PR11MB4366E30B3C372D13B391AE07B53B0@MN2PR11MB4366.namprd11.prod.outlook.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, Christian Hopps <chopps@chopps.org>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, Martin Björklund <mbj+ietf@4668.se>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
From: tom petch <daedulus@btconnect.com>
Message-ID: <5F6A24BA.7040802@btconnect.com>
Date: Tue, 22 Sep 2020 17:22:18 +0100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <MN2PR11MB4366E30B3C372D13B391AE07B53B0@MN2PR11MB4366.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: LO2P265CA0122.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9f::14) To VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.1.65] (86.153.136.175) by LO2P265CA0122.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9f::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.3412.20 via Frontend Transport; Tue, 22 Sep 2020 16:22:20 +0000
X-Originating-IP: [86.153.136.175]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: fd1ac7f5-8887-4f33-85fd-08d85f13aeb5
X-MS-TrafficTypeDiagnostic: VI1PR07MB5502:
X-Microsoft-Antispam-PRVS: <VI1PR07MB55025DB8E37BE8CEF4A09DBCC63B0@VI1PR07MB5502.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: H48V7r7JbpSExxuPAX+tJQp9PjwBF0Uug7m+E44vCnKzbUhwvso/S8pAWNSXD2fb0KQHepS67mh108gGwVGrXXzbbkyuct7XMG/pQD/oUk94OJOgaoLh9ooUUUka3uvJ8nLApvmoOAxxGYgik6QOevkYbAf0QvLkHqSe+Wm0tGr3Rfj1VzBS/UUUHf6jHFfQFWhkzeFX4atD9qL1iKWwAXGhkg+HgF9OScdUULXYyovAut5ATD7cXfT70b9FdUHUCJS+9dIBH1SLkupSX4QtpSXGQWyMMfp9PXc2MneC38i7XbMPFztewRJUyCX/FBn7Nxf1uYJM3bI4GmtJOyFdMguIbxAqLkVCaYtEoysOjwfxoQdE+GzQB4GmBnhqS9NJajkI19CUQHXn43dFYwex526ZncY+EEj24nOIb2mmD2FQ6naF6JU5cFqMU5D8URItHRYlaSbJwwYp2bHYoAV0kA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB6704.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(136003)(39860400002)(346002)(376002)(396003)(54906003)(956004)(2616005)(36756003)(53546011)(316002)(16576012)(86362001)(8676002)(66556008)(6486002)(7416002)(966005)(26005)(66946007)(33656002)(110136005)(16526019)(186003)(4326008)(83380400001)(5660300002)(87266011)(478600001)(52116002)(66476007)(8936002)(66574015)(2906002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: u/xPP+TvyBOmUotdhXfmx6IGbrVv9inzil1ynkHQuMTtL223+sAHyQr34iafQPDoiob8kxRRc6JQfY3IyI3F2YcnuVsEnyB+Ro5axMu0X94LsNuY2Noe1tPlFdOB8gWsCgO/wt7s1aBRCkoQwf26fVOPrjrDQxPKp/82SvojgLprCTNn0Xrm+GrnNVGj5mO4KveKfpKQhNS7cMSf+0W5RHC04E26nG6szo21Ye4kO+dE9pcEK2I5v5xt7jZxXJ7QK9V7hhL50WrMOZPrlC1jfPMGS1giB/10osYsXujk2SPk8MuXt6rqLOr2meTCdvKQRqj04jNvO/EtBcah1VWH1t0alTUyHME3n8AGsz/qtlWlptJBmT73c/ymWFZyzcZKepqiD6r3HdlDvnvG6V6TR6ZIxIO66v1edN3kbpE1LG2TiaCzQ1gg01BX7WZ3dWI8gWBOsl581VOI2VwZfkICwbiYa05mYhYg8ZXvU2QX6JYL7hvVO+PgmnqxlFAqdL/PjbbwUPvZKOP8DXsStkuKEj9f7E25GY4pzcLa2GgBA8jq7aNmv9+hRt7JN8Xirdjl/a83xGKDqRkAS/8c+usnL0MDHrGk7eZvmS6EGz+yq89CLLgE1W73f7MmbPjFvqJtUOpg2w8/PAuAP/Rqcf8x9Q==
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fd1ac7f5-8887-4f33-85fd-08d85f13aeb5
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB6704.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Sep 2020 16:22:21.5125 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 16kbi/sxABFd6I+8WD63s3zD4XsC//7WJvEiGUmlUAuzwiHYCBjTufiRu6OY9lBY7UH1bhKus0dckATZvn0gvQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5502
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zkQ6Xljtfad_tkOALpemNSK0bMY>
Subject: Re: [IPsec] [Last-Call] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 16:22:28 -0000

On 22/09/2020 16:38, Rob Wilton (rwilton) wrote:
> Hi Rafa,
>
> Thanks for getting back to me.
>
> Yes, changing the name of the module is an okay, if not ideal,
> resolution.  But I appreciate that you also want to be done with this
> work.
>
> But I would like to check:  My understanding is that the changes that
> Chris is proposing are pretty small.  I.e. move the SA structure
> under ipsec-common, and put it under a YANG feature.  Are you sure
> that it is impractical to accommodate this change which would allow a
> single ipsec module to be shared and extended via YANG
> augmentations?

Rob

As you say, the changes look feasible and IMHO will pay for themselves 
long term.

But another point to consider is the prefix or prefixes.  Note that the 
current I-D has ike and ikeless which could cause much confusion 
depending on what this I-D ends up containing.

There are a number of related i2nsf modules and a number of different 
unrelated prefix.  I have encouraged authors to use nsf... for prefix 
and would encourage that even more strongly if the only change here is 
to the module name.  As you know, imports of an IETF module by an IETF 
module have to use the prefix defined in the module.

Tom Petch
















> Thanks, Rob
>
>
> From: Rafa Marin-Lopez <rafa@um.es> Sent: 22 September 2020 14:05 To:
> Rob Wilton (rwilton) <rwilton@cisco.com> Cc: Rafa Marin-Lopez
> <rafa@um.es>; Christian Hopps <chopps@chopps.org>; Gabriel Lopez
> <gabilm@um.es>;
> draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org;
> i2nsf@ietf.org; ipsec@ietf.org; last-call@ietf.org;
> yang-doctors@ietf.org; Martin Björklund <mbj+ietf@4668.se> Subject:
> Re: [yang-doctors] Yangdoctors last call review of
> draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
>
> Dear Rob:
>
> Apologies for our delayed answer. We are now working in the revision
> to submit v09 by compiling all the comments.
>
> As you mentioned, we want to avoid any further delay. As we mentioned
> to Chris in the past (i2nsf mailing list), we do not have any problem
> to include some additional text (e.g. “-sdn-" in the module names).
> Therefore, Rob, we agree with your point of view about this.
>
> In summary, we are working in the next revision v09, and our idea to
> address Chris’ comments was to include -sdn- to the module names.
>
> We hope this is fine.
>
> Best regards.
>
>
> El 22 sept 2020, a las 13:56, Rob Wilton (rwilton)
> <rwilton@cisco.com<mailto:rwilton@cisco.com>> escribió:
>
> Hi draft authors, Chris,
>
> Can we also please try and close on this issue raised by Chris.
>
> Chris, I don’t think that there is any great way to solve this issue
> using YANG features, but presumably the constraint could be enforced
> with a must statement, or groupings could be used to copy parts of
> the ipsec structure into an sdn specific ipsec tree structure.
>
> I understand that there isn't any great desire to delay these drafts
> by trying to generalize the ipsec YANG model contained within it.
> However, I think that means that the modules should have "-sdn-" in
> their names to indicate that they are intended specifically for the
> SDN use case, and should not be confused with the more generic ipsec
> YANG modules that have been proposed.
>
> Regards, Rob
>
>
>
> -----Original Message----- From: yang-doctors
> <yang-doctors-bounces@ietf.org<mailto:yang-doctors-bounces@ietf.org>>
> On Behalf Of Christian Hopps Sent: 24 August 2020 18:08 To: Martin
> Björklund <mbj+ietf@4668.se<mailto:mbj+ietf@4668.se>> Cc:
> i2nsf@ietf.org<mailto:i2nsf@ietf.org>;
> draft-ietf-i2nsf-sdn-ipsec-flow-
> protection.all@ietf.org<mailto:protection.all@ietf.org>;
> ipsec@ietf.org<mailto:ipsec@ietf.org>;
> last-call@ietf.org<mailto:last-call@ietf.org>; yang-
> doctors@ietf.org<mailto:doctors@ietf.org> Subject: Re: [yang-doctors]
> Yangdoctors last call review of draft-ietf-
> i2nsf-sdn-ipsec-flow-protection-08
>
> [adding in ipsec@]
>
> Hi,
>
> This draft was discussed in ipsecme at the last IETF, and there was
> a desire to look closer at a couple changes that would make these
> models usable by ipsec generally rather than only for SDNs. Otherwise
> we will end up with 2 models that look very similar and duplicate
> almost all the functionality. This was going to be done during the
> next yang doctor review, but it looks like that happened in the
> meantime (ships in the night).
>
> At minimum the module names should include "-sdn-" if no other
> changes are made to indicate that they are only for sdn use; however,
> this is not the optimal solution.
>
> A better solution would be to move the containers currently under
> ikeless (for SA and Policy databases) under ipsec-common.
>
> The feedback I received from the authors was that the SDN
> controllers didn't care about the actual SAs and policies when using
> IKE so they didn't want to require someone implementing ike+common
> modules to have to support them.
>
> The YANG question I suppose is, is there an easy way to move these
> containers from ipsec-ikeless to ipsec-common, but still allow for
> them to be empty and/or unimplemented for the SDN IKE use case? If
> they were made features, is there a proper YANG way to indicate that
> if the ikeless module is present then those features must also be
> supported thus matching the functionality as defined by the current
> draft?
>
> Thanks, Chris.
>
>
>
>
> On Aug 24, 2020, at 10:37 AM, Martin Björklund via Datatracker
> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>
>
> Reviewer: Martin Björklund Review result: Ready with Nits
>
> I did an early YANG Doctor's review of this draft.  Most of my
> comments then have been addressed in this version.
>
> Comments:
>
> o  As I wrote in my early review, the RFC editor enforces a common
> format of YANG modules, so it is better to adhere to this format
> before sending the draft to the RFC editor.  Use
>
> pyang -f yang --yang-line-length 69 <FILE>
>
> to get a consistent look-and-feel for your module.
>
> (You will have to manually re-flow description statements after
> this.)
>
>
> o  There are some leafs that are optional in the model, but w/o a
> default value and w/o an explanation of what happens if that leaf is
> not set.  You should find those and either make them mandatory, add a
> default value, or explain what it means when it isn't set. As an
> example,
> /ipsec-ike/pad/pad-entrypeer-authenticatin/pre-shared/secret is
> optional.  I suspect that this leaf needs to be mandatory. Another
> example is the leaf espencap.
>
>
> /martin
>
>
> _______________________________________________ yang-doctors mailing
> list yang-doctors@ietf.org<mailto:yang-doctors@ietf.org>
> https://www.ietf.org/mailman/listinfo/yang-doctors
>
>
> ------------------------------------------------------- Rafa
> Marin-Lopez, PhD Dept. Information and Communications Engineering
> (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia
> - Spain Telf: +34868888501 Fax: +34868884151 e-mail:
> rafa@um.es<mailto:rafa@um.es>
> -------------------------------------------------------
>
>
>
>
>
>
ob

As you

v2.23.0 | Report a Bug | By Email