Re: [Last-Call] [IPsec] [I2nsf] [yang-doctors] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Christian (,Rob):

Thanks again for this conversation. Please see our comments inline.


As a consequence, the resolution was to move forward with a pragmatic approach at this point of time, by changing the names of the modules (and prefixes) to refer to the I2NSF work.

These are 2 different things. The original discussion was about moving the SAD and SPD from ikeless module to the common one which then would have brought them into the IKE module, and required people just implementing IKE to also implement the SAD and SPD parts.

In comparison this new compromise request is a tiny change, and allows a much larger audience to reap the benefit of your work. The change is the addition of "feature ikeless-notification" and then putting the "if ikeless-notification" under the notifications.

This doesn't change the semantics of your module it just allows people to re-use the ikeless module for supporting SAD and SPD w/o implementing the notifications.

If you feel more clarity is needed for the SDN use-case then adding the text, "To allow for greater re-use of this module, the notifications are marked as a feature. For the SDN use case clients will expect this feature to be implemented.”

We agree that this is a small change (if no other change is required). In fact, we have tested it and we have not observed any technical problem. The main concern is the one I mentioned to Rob: having a feature to “activate” notifications (or not) in the ikeless module does not fit in the context of this I-D, unless we find out a valid use case where this feature makes sense. 

In other words, it would be really nice if the inclusion of the text you proposed (“To allow for greater…” ) had a main text to support how this is useful in the context of this I-D. Personally, this would make me feel more confortable. 

Having said all this, let us inform about v09 changes to I2NSF wg and ask about this new change in order to see if there is any objection. Then, if there is no objection we can prepare v10 very quickly with this additional modification.

We hope this is reasonable.

Best Regards.

Features are reported just as modules are in the capabilities. An SDN client would look for both capabilities rather than just the one (along with all the other capabilities they will be looking for to actually be a functional YANG client).

Thanks,
Chris.


Best Regards.


Thanks,
Chris.


Hope this helps.

Best Regards.

El 12 oct 2020, a las 18:01, Rob Wilton (rwilton) <rwilton=40cisco.com@xxxxxxxxxxxxxx> escribió:

Hi Rafa, authors,
 
Just to check.
 
Has there been any closure on the suggestion from Chris on “notifications in the ikeless module as a feature"?  This would seem to be a fairly cheap & easy compromise.
 
Thanks,
Rob
 
 
From: yang-doctors <yang-doctors-bounces@xxxxxxxx> On Behalf Of Lou Berger
Sent: 27 September 2020 15:26
To: Christian Hopps <chopps@xxxxxxxxxx>; Martin Björklund <mbj+ietf@xxxxxxx>
Cc: Robert Wilton <rwilton=40cisco.com@xxxxxxxxxxxxxx>; i2nsf@xxxxxxxx; Gabriel Lopez <gabilm@xxxxx>; draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@xxxxxxxx; ipsec@xxxxxxxx; last-call@xxxxxxxx; Rafa Marin-Lopez <rafa@xxxxx>; yang-doctors@xxxxxxxx
Subject: Re: [yang-doctors] [IPsec] [Last-Call] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
 
This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.


Speaking as an interested party, I hope that some compromise / good enough solution is followed in the -09 version of  this draft.

Lou

On 9/23/2020 7:20 AM, Christian Hopps wrote:
 


On Sep 23, 2020, at 6:58 AM, Martin Björklund <mbj+ietf@xxxxxxx> wrote:
 
Hi,

Christian Hopps <
chopps@xxxxxxxxxx> wrote:




On Sep 23, 2020, at 5:29 AM, Rafa Marin-Lopez <rafa@xxxxx> wrote:




But I would like to check: My understanding is that the changes that
Chris is proposing are pretty small.  I.e. move the SA structure under
ipsec-common, and put it under a YANG feature.  Are you sure that it
is impractical to accommodate this change which would allow a single
ipsec module to be shared and extended via YANG augmentations?


In the context of our I-D, if we move SAD structure to ipsec-common,
what we are meaning is that IPsec SA configuration data (setting
values to the SAD structure) are common to the IKE case and the
IKE-less cases, which are not. It is confusing.

Something defined in a common module but marked as a feature does not
imply that that feature has to be implemented by an importing
module. This is not confusing to YANG implementers or users I
think. If we are just talking about document flow here, then a
sentence saying "the SAD feature is not required to implement IKE
functionality" is quite enough to clear that up I think.

Another alternative could be to move these containers to another
(new) module.
 
It may also be enough to mark the notifications in the ikeless module as a feature I suppose. That is the actual thing I think non-SDN implementations would want to omit. The module name "ikeless" is not great in this case, but perhaps workable.


This is a sub-optimal compromise b/c all IPsec have SA databases even ones running IKE -- i.e., SA databases are common whether exposed in YANG or not -- but if it can move it forward perhaps good enough.


I'm definitely concerned about IETF process and real world usability here. These modules are basically workable for ipsec I think, they could be used by operators today. If we restart the entire process to redo this work for the more generic IPsec case it will probably be years before they are finished and in the field. This new work can be started, but why not have something usable in the meantime?
 
Thanks,
Chris.
 


/martin





Thanks,
Chris.


Moreover, the usage of feature means that, after all, this “common” is
not “common” to both cases IKE case and IKE-less. Again, it seems
confusing. In the IKE case, the SDN/I2NSF controller does not
configure the SAD at all but the IKE implementation in the NSF. In our
opinion, in order to properly add this IPsec SA operational state to
the IKE case we should include operational data about the IPsec SAs
(config false) to the ietf-ipsec-ike. Alternatively, we have certain
operational data (ro) in the SAD structure in the IKE-less case. If
only those are moved to the common part should be ok but we think it
does not solve the problem.

 



_______________________________________________
IPsec mailing list
IPsec@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
I2nsf mailing list
I2nsf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@xxxxx
-------------------------------------------------------




_______________________________________________
IPsec mailing list
IPsec@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
I2nsf mailing list
I2nsf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@xxxxx
-------------------------------------------------------




_______________________________________________
IPsec mailing list
IPsec@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ipsec

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@xxxxx
-------------------------------------------------------




-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux