IETF Logo Mail Archive

Re: [yang-doctors] [IPsec] [I2nsf] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Rafa Marin-Lopez <rafa@um.es> Thu, 15 October 2020 07:12 UTC

Return-Path: <rafa@um.es>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11473A1323; Thu, 15 Oct 2020 00:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEa1359Mkzgi; Thu, 15 Oct 2020 00:12:54 -0700 (PDT)
Received: from mx02.puc.rediris.es (outbound4sev.lav.puc.rediris.es [130.206.19.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B517F3A131A; Thu, 15 Oct 2020 00:12:53 -0700 (PDT)
Received: from xenon44.um.es (xenon44.um.es [155.54.212.171]) by mx02.puc.rediris.es with ESMTP id 09F7Cd7H003315-09F7Cd7I003315; Thu, 15 Oct 2020 09:12:39 +0200
Received: from localhost (localhost [127.0.0.1]) by xenon44.um.es (Postfix) with ESMTP id AF008202AF; Thu, 15 Oct 2020 09:12:39 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon44.um.es
Received: from xenon44.um.es ([127.0.0.1]) by localhost (xenon44.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 8_NZFiH63X1F; Thu, 15 Oct 2020 09:12:39 +0200 (CEST)
Received: from [192.168.1.33] (135.red-79-150-250.dynamicip.rima-tde.net [79.150.250.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon44.um.es (Postfix) with ESMTPSA id DF937201D7; Thu, 15 Oct 2020 09:12:33 +0200 (CEST)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <1142B610-2D58-4DE5-96F7-773D02C1B42A@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_372870A4-A581-4A53-8C03-2CCC4A3A7F5C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Thu, 15 Oct 2020 09:12:32 +0200
In-Reply-To: <7C422A91-5543-41A0-B907-6AAD9F83E6DA@chopps.org>
Cc: Rafa Marin-Lopez <rafa@um.es>, "last-call@ietf.org" <last-call@ietf.org>, Gabriel Lopez <gabilm@um.es>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Martin Björklund <mbj+ietf@4668.se>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, Lou Berger <lberger@labn.net>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>
To: Christian Hopps <chopps@chopps.org>, "Rob Wilton (rwilton)" <rwilton@cisco.com>
References: <MN2PR11MB4366E30B3C372D13B391AE07B53B0@MN2PR11MB4366.namprd11.prod.outlook.com> <2B88888E-A264-4D81-A8DA-9C6225E83E0E@um.es> <70A0A406-0742-4F28-A5A4-8D539B160E24@chopps.org> <20200923.125826.1562347052257995146.id@4668.se> <CBC552B2-6039-48E8-988D-4F2BA3FD6B2E@chopps.org> <023fc27b-f86e-ed71-0c8f-d270c338f08c@labn.net> <MN2PR11MB43662E1711367EDE9A066452B5070@MN2PR11MB4366.namprd11.prod.outlook.com> <E827743C-74A1-42CE-9765-7ECD062D8E41@um.es> <10116C35-8FBF-4914-9846-883D2C7F7A11@chopps.org> <B3282660-5C6A-4B69-8CFC-57AFBCE2B544@um.es> <7C422A91-5543-41A0-B907-6AAD9F83E6DA@chopps.org>
X-Mailer: Apple Mail (2.3445.104.14)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.171, helo=xenon44.um.es, mailFrom=rafa@um.es
Authentication-Results: mx02.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.171 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM, 2:15:1:upct.es
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=c0sJhzBv7Ffkj7pK4oNyxSyXmgL89HH3UIdpJBJmHRE=; b=WgC4VAxmJ4208E9ukUk1v5CnfyiSuIWOXR64wSfuD9QhmQ8ep7DuwcbxEup0m5lpRoRuSFEjd4FM CpCN1az83i/ffpGflnqQ0CIOoE2vUPSck3DRO+YhLeYTmrWXO+T7YpWaglVgvBAC36iJCW//MdNV QIFQMKzaXMcKzfNtu3b552J9DfgRNRe7QB+S3Ok5UBviKtfQalfvrOQcqj/3+34c0SnAVLB/xfz8 3NHYT4PREbM6feY6ckmWMvDC2CV8vF3CB3bYQK8D694iuqC+wOsUsfTAfvTnMSbUb8wNLznx0TT4 wz0lcB5Lr+ez+V0MA7Y3+NgaUlA5x2x7m/fgpw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/-8aDqGrPXfkYEI_AMuiXt60HM0s>
Subject: Re: [yang-doctors] [IPsec] [I2nsf] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 07:12:57 -0000

Hi Christian (,Rob):

Thanks again for this conversation. Please see our comments inline.

>> 
>> As a consequence, the resolution was to move forward with a pragmatic approach at this point of time, by changing the names of the modules (and prefixes) to refer to the I2NSF work.
> 
> These are 2 different things. The original discussion was about moving the SAD and SPD from ikeless module to the common one which then would have brought them into the IKE module, and required people just implementing IKE to also implement the SAD and SPD parts.
> 
> In comparison this new compromise request is a tiny change, and allows a much larger audience to reap the benefit of your work. The change is the addition of "feature ikeless-notification" and then putting the "if ikeless-notification" under the notifications.
> 
> This doesn't change the semantics of your module it just allows people to re-use the ikeless module for supporting SAD and SPD w/o implementing the notifications.
> 
> If you feel more clarity is needed for the SDN use-case then adding the text, "To allow for greater re-use of this module, the notifications are marked as a feature. For the SDN use case clients will expect this feature to be implemented.”

We agree that this is a small change (if no other change is required). In fact, we have tested it and we have not observed any technical problem. The main concern is the one I mentioned to Rob: having a feature to “activate” notifications (or not) in the ikeless module does not fit in the context of this I-D, unless we find out a valid use case where this feature makes sense. 

In other words, it would be really nice if the inclusion of the text you proposed (“To allow for greater…” ) had a main text to support how this is useful in the context of this I-D. Personally, this would make me feel more confortable. 

Having said all this, let us inform about v09 changes to I2NSF wg and ask about this new change in order to see if there is any objection. Then, if there is no objection we can prepare v10 very quickly with this additional modification.

We hope this is reasonable.

Best Regards.
> 
> Features are reported just as modules are in the capabilities. An SDN client would look for both capabilities rather than just the one (along with all the other capabilities they will be looking for to actually be a functional YANG client).
> 
> Thanks,
> Chris.
> 
>> 
>> Best Regards.
>> 
>>> 
>>> Thanks,
>>> Chris.
>>> 
>>>> 
>>>> Hope this helps.
>>>> 
>>>> Best Regards.
>>>> 
>>>>> El 12 oct 2020, a las 18:01, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org <mailto:rwilton=40cisco.com@dmarc.ietf.org>> escribió:
>>>>> 
>>>>> Hi Rafa, authors,
>>>>>  
>>>>> Just to check.
>>>>>  
>>>>> Has there been any closure on the suggestion from Chris on “notifications in the ikeless module as a feature"?  This would seem to be a fairly cheap & easy compromise.
>>>>>  
>>>>> Thanks,
>>>>> Rob
>>>>>  
>>>>>  
>>>>> From: yang-doctors <yang-doctors-bounces@ietf.org <mailto:yang-doctors-bounces@ietf.org>> On Behalf Of Lou Berger
>>>>> Sent: 27 September 2020 15:26
>>>>> To: Christian Hopps <chopps@chopps.org <mailto:chopps@chopps.org>>; Martin Björklund <mbj+ietf@4668.se <mailto:mbj+ietf@4668.se>>
>>>>> Cc: Robert Wilton <rwilton=40cisco.com@dmarc.ietf.org <mailto:rwilton=40cisco.com@dmarc.ietf.org>>; i2nsf@ietf.org <mailto:i2nsf@ietf.org>; Gabriel Lopez <gabilm@um.es <mailto:gabilm@um.es>>; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org <mailto:draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>; ipsec@ietf.org <mailto:ipsec@ietf.org>; last-call@ietf.org <mailto:last-call@ietf.org>; Rafa Marin-Lopez <rafa@um.es <mailto:rafa@um.es>>; yang-doctors@ietf.org <mailto:yang-doctors@ietf.org>
>>>>> Subject: Re: [yang-doctors] [IPsec] [Last-Call] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
>>>>>  
>>>>> This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.
>>>>> 
>>>>> 
>>>>> Speaking as an interested party, I hope that some compromise / good enough solution is followed in the -09 version of  this draft.
>>>>> Lou
>>>>> 
>>>>> On 9/23/2020 7:20 AM, Christian Hopps wrote:
>>>>>  
>>>>> 
>>>>> 
>>>>> On Sep 23, 2020, at 6:58 AM, Martin Björklund <mbj+ietf@4668.se <mailto:mbj+ietf@4668.se>> wrote:
>>>>>  
>>>>> Hi,
>>>>> 
>>>>> Christian Hopps <chopps@chopps.org <mailto:chopps@chopps.org>> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Sep 23, 2020, at 5:29 AM, Rafa Marin-Lopez <rafa@um.es <mailto:rafa@um.es>> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> But I would like to check: My understanding is that the changes that
>>>>> Chris is proposing are pretty small.  I.e. move the SA structure under
>>>>> ipsec-common, and put it under a YANG feature.  Are you sure that it
>>>>> is impractical to accommodate this change which would allow a single
>>>>> ipsec module to be shared and extended via YANG augmentations?
>>>>> 
>>>>> 
>>>>> In the context of our I-D, if we move SAD structure to ipsec-common,
>>>>> what we are meaning is that IPsec SA configuration data (setting
>>>>> values to the SAD structure) are common to the IKE case and the
>>>>> IKE-less cases, which are not. It is confusing.
>>>>> 
>>>>> Something defined in a common module but marked as a feature does not
>>>>> imply that that feature has to be implemented by an importing
>>>>> module. This is not confusing to YANG implementers or users I
>>>>> think. If we are just talking about document flow here, then a
>>>>> sentence saying "the SAD feature is not required to implement IKE
>>>>> functionality" is quite enough to clear that up I think.
>>>>> 
>>>>> Another alternative could be to move these containers to another
>>>>> (new) module.
>>>>>  
>>>>> It may also be enough to mark the notifications in the ikeless module as a feature I suppose. That is the actual thing I think non-SDN implementations would want to omit. The module name "ikeless" is not great in this case, but perhaps workable.
>>>>> 
>>>>> 
>>>>> This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.
>>>>> 
>>>>> 
>>>>> I'm definitely concerned about IETF process and real world usability here. These modules are basically workable for ipsec I think, they could be used by operators today. If we restart the entire process to redo this work for the more generic IPsec case it will probably be years before they are finished and in the field. This new work can be started, but why not have something usable in the meantime?
>>>>>  
>>>>> Thanks,
>>>>> Chris.
>>>>>  
>>>>> 
>>>>> 
>>>>> /martin
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> Chris.
>>>>> 
>>>>> 
>>>>> Moreover, the usage of feature means that, after all, this “common” is
>>>>> not “common” to both cases IKE case and IKE-less. Again, it seems
>>>>> confusing. In the IKE case, the SDN/I2NSF controller does not
>>>>> configure the SAD at all but the IKE implementation in the NSF. In our
>>>>> opinion, in order to properly add this IPsec SA operational state to
>>>>> the IKE case we should include operational data about the IPsec SAs
>>>>> (config false) to the ietf-ipsec-ike. Alternatively, we have certain
>>>>> operational data (ro) in the SAD structure in the IKE-less case. If
>>>>> only those are moved to the common part should be ok but we think it
>>>>> does not solve the problem.
>>>>> 
>>>>>  
>>>>> -- 
>>>>> last-call mailing list
>>>>> last-call@ietf.org <mailto:last-call@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/last-call <https://www.ietf.org/mailman/listinfo/last-call>
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> IPsec mailing list
>>>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>_______________________________________________
>>>>> I2nsf mailing list
>>>>> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
>>>> -------------------------------------------------------
>>>> Rafa Marin-Lopez, PhD
>>>> Dept. Information and Communications Engineering (DIIC)
>>>> Faculty of Computer Science-University of Murcia
>>>> 30100 Murcia - Spain
>>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
>>>> -------------------------------------------------------
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
>>> _______________________________________________
>>> I2nsf mailing list
>>> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
>> -------------------------------------------------------
>> Rafa Marin-Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es>
>> -------------------------------------------------------
>> 
>> 
>> 
>> 
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org <mailto:IPsec@ietf.org>
> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email