Shepherd writeup
draft-ietf-i2nsf-sdn-ipsec-flow-protection

1. Summary
The document shepherd is Yoav Nir.  The responsible AD is Roman Danyliw.

This document describes a way to configure IPsec policy and/or keys on IPsec
implementations (NSFs) using an SDN controller in two of the main IPsec
scenarios: host-to-host and gateway-to-gateway. It intentionally leaves out
the client-to-gateway scenario, also known as the "road warrior" scenario, as
such clients don't fit into the model of control by an SDN controller. The
working group has consensus that Standards Track is the appropriate track for
this document.

2. Review and Consensus
The document describes two modes of configuration, or "cases" as they're called
in the document: IKE and IKE-less. The "IKE" case involves configuring the NSFs
with policies, identities, and credentials so that the IKE protocol can set up
traffic keys. The "IKE-less" case involves configuring the NSFs with policies
and traffic keys directly. The "IKE-less" case was controversial at first, with
people from the IPsecME group objecting to it. Over time some usage scenarios
were described where the IKE-less case may be more efficient, and the document
now represents the consensus of the working group. It has received wide review,
including from IPsec people such as Tero Kivinen and Paul Wouters.  The YANG
models have received early review from the YANG doctors.

The authors have an incomplete implementation that is open source.

3. Intellectual Property
Each author has confirmed conformance with BCP 78/79. There are no IPR
disclosures on the document.

4. Other Points
We believe the document is ready for publication.

The YANG model in this document raised the issue of embedding IANA registries
in YANG models. In this case, it was the list of algorithms used for IKE or
IPsec. Different versions of the document had different schemes, but we finally
settled on embedding the algorithm number from the IANA registry as an integer.