> On 20 Nov 2018, at 17:14, Paul Wouters <[email protected]> wrote:
> 
> On Mon, 19 Nov 2018, Rafa Marin Lopez wrote:
> 
>>> Based on the introduction and abstract of the draft, this document does two 
>>> things:
>>> 
>>> 1) Specify a yang model for use with SDWAN + IKE + IPsec
>>> 2) Define the desired modes and algorithms to use with 1)
>>> 
>>> It does not try to map the entire IKE/IPsec IANA registry into a yang 
>>> model. Let me know if this is incorrect, because I use
>>> this as an assumption for the remainder of the review.
>> 
>> We must say that our I-D specifies 1), but with SDWAN being one of the possible 
>> scenarios to operate in, so the intent was to map the IKE/IPsec IANA 
>> registry. In any case, we can change that approach if the WG considers it the 
>> right way to proceed.
> 
> Then I would stick with RFC 8221 and RFC 8247 entries that have SHOULD
> or MUST (and not include MUST- or SHOULD-).
> 
> So if any other new uses are defined, they don't try to use obsoleted or
> decayed algorithms.
> 

Hi, Paul.

While I agree with your conclusion (although I think it’s fine to include the 
single MUST- which is HMAC-SHA1), this is not really a new application. It’s 
more like a new control plane for the old VPN application.

The typical implementation for the NSF in the ipsec-flow-protection draft will 
be running on a machine that has an IPsec and potentially IKE implementation. 
The authors’ own implementation is running on top of the Linux kernel (and 
StrongSwan). If I were still working for an IPsec vendor, I would implement this 
as a new usermode process pushing SAs or policy into the kernel and into the 
VPN daemon.

So this isn’t like TLS 1.3 where you’ll need to upgrade the TLS implementation 
anyway to get TLS 1.3, and the new crypto will just come in the same package. 
The NSF code can be made to run on top of a 10-year-old software implementation 
or 10-year-old hardware from before AES-GCM existed.

Still, as long as AES-CBC and HMAC-SHA1 are in, even that 10-year-old Linux can 
work, which is why I agree with your conclusion, except for the tweak that 
MUST- is also OK.

Yoav

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
