A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, i2nsf-chairs@ietf.org, i2nsf@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org, ynir.ietf@gmail.com
Subject: Protocol Action: 'Software-Defined Networking (SDN)-based IPsec Flow Protection' to Proposed Standard (draft-ietf-i2nsf-sdn-ipsec-flow-protection-14.txt)

The IESG has approved the following document:
- 'Software-Defined Networking (SDN)-based IPsec Flow Protection'
  (draft-ietf-i2nsf-sdn-ipsec-flow-protection-14.txt) as Proposed Standard

This document is the product of the Interface to Network Security Functions
Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Technical Summary

   This document describes how to provide IPsec-based flow protection
   (integrity and confidentiality) by means of an Interface to Network
   Security Function (I2NSF) controller.  It considers two main well-
   known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
   host.  The service described in this document allows the
   configuration and monitoring of IPsec Security Associations (SAs)
   from an I2NSF Controller to one or several flow-based Network Security
   Functions (NSFs) that rely on IPsec to protect data traffic.

   The document focuses on the I2NSF NSF-facing interface by providing
   YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
   and IKEv2.  This allows IPsec SA establishment with minimal
   intervention by the network administrator.  It does not define any
   new protocol.

Working Group Summary

The document describes two modes of configuration, or "cases" as they are called in the document: IKE and IKE-less. The "IKE" case involves configuring the NSFs with policies, identities, and credentials so that the IKE protocol can negotiate the SAs and set up the traffic keys. The "IKE-less" case involves configuring the NSFs with policies and traffic keys directly from the controller, with no IKE exchange between the NSFs. The "IKE-less" case was controversial at first, with people from the IPsecME group objecting to it. Over time some usage scenarios were described where the IKE-less case may be more efficient, and the document now represents the consensus of the working group.

Substantial and helpful feedback was provided by the YANG doctors; the most notable results were changes in namespace and notifications to support reuse of the models outside of I2NSF.

The YANG model in this document raised early issues with the question of how to embed IANA registries in YANG models. In this case, it was the list of algorithms used for IKE or IPsec. Different versions of the document had different schemes, but the final design settled on carrying the algorithm's number from the IANA registry as an integer, rather than enumerating the algorithms in the model itself.
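Two consequences of the design described above are worth checking in code: in the IKE-less case the controller ships the traffic keys itself, and the algorithm fields are opaque registry integers, so the controller must validate both before pushing an SA to an NSF. The following is an added example (not code from the draft or from the authors' implementation) of such a pre-push check. The entry layout (the dict keys such as "encryption-algorithm" and "encryption-key") is hypothetical; the numeric identifiers are a partial excerpt of the IANA IKEv2 "Transform Type 1" (encryption) and "Transform Type 3" (integrity) registries, and the MUST/SHOULD NOT/MUST NOT labels follow the ESP algorithm requirements in RFC 8221. The sample entries are constructed for the example.

```python
"""Pre-push validation of IPsec SA entries whose algorithms are IANA integers.

Added example, not part of the draft or its open-source implementation.
Entry field names are hypothetical; registry numbers and requirement
levels are a partial excerpt of the IANA IKEv2 transform registries and
RFC 8221 respectively.
"""
from __future__ import annotations

# IANA IKEv2 Transform Type 1 (partial): id -> (name, is_aead, key lengths in bytes, RFC 8221 status)
ENCR = {
    2:  ("ENCR_DES", False, (8,), "MUST NOT"),
    3:  ("ENCR_3DES", False, (24,), "SHOULD NOT"),
    11: ("ENCR_NULL", False, (0,), "MUST"),
    12: ("ENCR_AES_CBC", False, (16, 24, 32), "MUST"),
    20: ("ENCR_AES_GCM_16", True, (16, 24, 32), "MUST"),
    28: ("ENCR_CHACHA20_POLY1305", True, (32,), "SHOULD"),
}
# IANA IKEv2 Transform Type 3 (partial): id -> (name, RFC 8221 status)
INTEG = {
    0:  ("NONE", "MUST"),               # only meaningful together with an AEAD cipher
    1:  ("AUTH_HMAC_MD5_96", "MUST NOT"),
    2:  ("AUTH_HMAC_SHA1_96", "MUST-"),
    12: ("AUTH_HMAC_SHA2_256_128", "MUST"),
    14: ("AUTH_HMAC_SHA2_512_256", "SHOULD"),
}
# GCM and ChaCha20-Poly1305 keying material also carries a 4-byte salt
# (RFC 4106 / RFC 7634), so the controller ships key + 4 bytes.
AEAD_SALT_LEN = 4


def validate_sa(entry: dict) -> list[str]:
    """Return the problems found in an IKE-less SA entry (empty list: OK to push)."""
    problems = []
    enc = ENCR.get(entry.get("encryption-algorithm"))
    if enc is None:
        # An integer outside the registry excerpt cannot be safely pushed.
        return [f"unknown encryption algorithm id {entry.get('encryption-algorithm')!r}"]
    name, aead, key_lens, status = enc
    if status in ("MUST NOT", "SHOULD NOT"):
        problems.append(f"{name} is {status} per RFC 8221")
    integ = INTEG.get(entry.get("integrity-algorithm"))
    if integ is None:
        problems.append(f"unknown integrity algorithm id {entry.get('integrity-algorithm')!r}")
    else:
        iname, istatus = integ
        if istatus == "MUST NOT":
            problems.append(f"{iname} is MUST NOT per RFC 8221")
        if aead and iname != "NONE":
            problems.append(f"{name} is AEAD; integrity must be NONE (0), not {iname}")
        if not aead and iname == "NONE":
            problems.append(f"{name} is not AEAD; an integrity algorithm is required")
    # Key material length must match the algorithm (plus salt for AEAD ciphers).
    key = bytes.fromhex(entry.get("encryption-key", ""))
    expected = tuple(k + (AEAD_SALT_LEN if aead else 0) for k in key_lens)
    if len(key) not in expected:
        problems.append(f"{name} key material is {len(key)} bytes, expected one of {expected}")
    if not aead and integ is not None and integ[0] != "NONE" and not entry.get("integrity-key"):
        problems.append("integrity key missing")
    return problems


def validate_entry(case: str, entry: dict) -> list[str]:
    """Check an entry against the case it is pushed for: "ike" or "ikeless"."""
    if case == "ikeless":
        return validate_sa(entry)
    if case == "ike":
        # In the IKE case the controller ships policy, identity and credentials only;
        # IKE derives the traffic keys, so keys in the entry indicate a mix-up.
        keys = [k for k in ("encryption-key", "integrity-key") if k in entry]
        return [f"IKE case: {k} must not be pushed, IKE derives traffic keys" for k in keys]
    return [f"unknown case {case!r}"]


# Constructed sample entries (hypothetical field names, dummy key bytes).
SA_OK = {"spi": 0x1001, "encryption-algorithm": 20, "integrity-algorithm": 0,
         "encryption-key": "00" * 20}                       # AES-GCM-128 key + salt
SA_WEAK = {"spi": 0x1002, "encryption-algorithm": 3, "integrity-algorithm": 1,
           "encryption-key": "11" * 24, "integrity-key": "22" * 16}
SA_NO_INTEG = {"spi": 0x1003, "encryption-algorithm": 12, "integrity-algorithm": 0,
               "encryption-key": "33" * 16}                 # AES-CBC with no integrity

if __name__ == "__main__":
    for label, sa in (("ok", SA_OK), ("weak", SA_WEAK), ("no-integ", SA_NO_INTEG)):
        print(label, validate_entry("ikeless", sa))
    print("ike-with-keys", validate_entry("ike", SA_OK))
```

The point of the table is that a registry integer is only as safe as the policy applied to it: the NSF will happily install SPI 0x1002 with 3DES and HMAC-MD5-96, so the controller is the last place to refuse it, and the same validator is where a deployment would pin key lengths and AEAD/integrity pairing before any IKE-less key material leaves the controller.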

Document Quality

The document received WG review.  Additionally, the reviewers included IPsec subject matter experts such as Tero Kivinen and Paul Wouters.

The authors have a partial implementation that is open source.


The document shepherd is Yoav Nir.  

The responsible AD is Roman Danyliw.