Dear all:
Recently we submitted v09. We would like to summarize the status:
- We have applied all the comments we received so far (except one, see below).
In particular, we would like to highlight that we have renamed the modules as a
consequence of some comments. In particular:
ietf-ipsec-common —> ietf-i2nsf-ikec
ietf-ipsec-ike —> ietf-i2nsf-ike
ietf-ipsec-ikeless -> ietf-i2nsf-ikeless
- Moreover we made a minor change. We realized that encryption algorithms
should also have a key-length. For example, it is not enough to say the
algorithm is AES-CBC without specifying the key-length (e.g. 128 bits).
- Regarding the pending comment, as you may have followed in the mailing list,
it has been proposed to add a feature ikeless-notification and the
corresponding if ikeless-notification in each notification to indicate whether
notifications are implemented by the NSF. The goal here is to ensure broader
applicability of the ikeless module. If there is no objection, we can include
this feature adding a description about the motivation behind this and prepare
v10 very quickly.
"To ensure broader applicability of this module, the notifications are marked
as a feature. For the implementation of ikeless case, the NSF is expected to
implement this feature.";
The result would be (in tree format):
notifications:
+---n sadb-acquire {ikeless-notification}?
| +--ro ipsec-policy-name string
| +--ro traffic-selector
| +--ro local-subnet inet:ip-prefix
| +--ro remote-subnet inet:ip-prefix
| +--ro inner-protocol? ipsec-inner-protocol
| +--ro local-ports* [start end]
| | +--ro start inet:port-number
| | +--ro end inet:port-number
| +--ro remote-ports* [start end]
| +--ro start inet:port-number
| +--ro end inet:port-number
+---n sadb-expire {ikeless-notification}?
| +--ro ipsec-sa-name string
| +--ro soft-lifetime-expire? boolean
| +--ro lifetime-current
| +--ro time? uint32
| +--ro bytes? uint32
| +--ro packets? uint32
| +--ro idle? uint32
+---n sadb-seq-overflow {ikeless-notification}?
| +--ro ipsec-sa-name string
+---n sadb-bad-spi {ikeless-notification}?
+--ro spi uint32
Best Regards.
> El 12 oct 2020, a las 20:15, internet-dra...@ietf.org escribió:
>
>
> A new version of I-D, draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
> has been successfully submitted by Rafa Marin-Lopez and posted to the
> IETF repository.
>
> Name: draft-ietf-i2nsf-sdn-ipsec-flow-protection
> Revision: 09
> Title: Software-Defined Networking (SDN)-based IPsec Flow
> Protection
> Document date: 2020-10-12
> Group: i2nsf
> Pages: 92
> URL:
> https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt
> Status:
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection
> Htmlized:
> https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
>
> Abstract:
> This document describes how to provide IPsec-based flow protection
> (integrity and confidentiality) by means of an Interface to Network
> Security Function (I2NSF) controller. It considers two main well-
> known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
> host. The service described in this document allows the
> configuration and monitoring of IPsec Security Associations (SAs)
> from a I2NSF Controller to one or several flow-based Network Security
> Functions (NSFs) that rely on IPsec to protect data traffic.
>
> The document focuses on the I2NSF NSF-facing interface by providing
> YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
> and IKEv2. This allows IPsec SA establishment with minimal
> intervention by the network administrator. It does not define any
> new protocol.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: r...@um.es
-------------------------------------------------------
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
