The document shepherd is Yoav Nir. The responsible AD is Roman Danyliw.
This document describes a way to configure IPsec policy and/or keys on IPsec implementations (NSFs) using an SDN controller in two of the main IPsec scenarios: host-to-host, and gateway-to-gateway. It intentionally leaves out the client-to-gateway scenario, also known as the "road warrior", as such clients don't fit into the model of control by an SDN controller. The working group has consensus that Standards Track is the appropriate track for this document.
2. Review and Consensus
The document describes two modes of configuration, or "cases" as they're called in the document: IKE and IKE-less. The "IKE" case involves configuring the NSFs with policies, identities, and credentials so that the IKE protocol can set up traffic keys. The "IKE-less" case involves configuring the NSFs with policies and traffic keys directly. The "IKE-less" case was controversial at first, with people from the IPsecME group objecting to it. Over time some usage scenarios were described where the IKE-less case may be more efficient, and the document now represents the consensus of the working group. It has received wide review, including from IPsec people such as Tero Kivinen and Paul Wouters. The YANG models have received early review from the YANG doctors.
The authors have an incomplete implementation that is open source.
3. Intellectual Property
Each author has confirmed conformance with BCP 78/79. There are no IPR disclosures on the document.
4. Other Points
We believe the document is ready for publication.
The YANG model in this document raised the issue of embedding IANA registries in YANG models. In this case, it was the list of algorithms used for IKE or IPsec. Different versions of the document had different schemes, but we finally settled on embedding the algorithm number from the IANA registry as an integer.