Review request
draft-ietf-i2nsf-sdn-ipsec-flow-protection

Request: Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection
Requested rev.: no specific revision (document currently at 07)
Type: Early Review
Team: YANG Doctors (yangdoctors)
Deadline: 2019-04-30
Requested: 2019-04-06
Requested by: Yoav Nir
Authors: Rafael Lopez, Gabriel Lopez-Millan, Fernando Pereniguez-Garcia
WG chairs: Yoav Nir, Linda Dunbar
Draft last updated: 2019-08-05
Completed reviews: Yangdoctors Early review of -04 by Martin Björklund
Comments
The issue we are currently having trouble with is how to handle the list of algorithms that are supported by IPsec. The list is dynamic -- the IPsecME working group adds new algorithms and deprecates others; non-IETF entities such as the Russian government also sometimes ask to have their national algorithms registered. OTOH, the I2NSF is a working group that is supposed to finish its work and close down. So how do we handle changes to the list of algorithms?

Version -03 of the draft had an enumeration of algorithms.  This would make a snapshot of the IANA registry for IPsec algorithms and require us to update the document any time IANA updated their registry.

This version (-04) references draft-ietf-netconf-crypto-types.  I'm not sure that's a good thing, because that draft misses some IPsec algorithms and includes some we don't use in IPsec.

Another option that's been raised is to replace integrity-algorithm-t and encryption-algorithm-t with uint32 (same as we already do for dh_group) and use the numbers from the IANA registry.  It doesn't help with deprecation, but any new algorithms immediately are valid values as long as both NSF and controller recognize them.
Assignment Reviewer: Martin Björklund
State: Completed
Review: review-ietf-i2nsf-sdn-ipsec-flow-protection-04-yangdoctors-early-bjorklund-2019-04-17
Reviewed rev.: 04 (document currently at 07)
Review result: Not Ready
Review completed: 2019-04-17