Hi,

We are looking at using the ipsec model defined in 
"draft-ietf-i2nsf-sdn-ipsec-flow-protection" for augmenting to support IPTFS 
(https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-01). This isn't 
necessarily b/c we have an interest in SDN per-se, but just that it appears to 
be *the* available IPsec YANG model. :)

When we started to augment in our configuration and operations state we 
encountered some issues.

The biggest issue is that the IKE model does not have a SAD. This seems to be a 
fairly large omission.

For example the conn-entry in the IKE model has a list of encryption 
algorithms and integrity algorithms etc.; these would be used to make a 
proposal to the remote IKE; however, eventually something is selected, and an 
IKE SA (and subsequent CHILD_SAs) are created. These SAs will have the specific 
selected parameters as well as other operational state (e.g., packet and byte 
counters, etc.).

This SA operational state should be accessible in the YANG model. One obvious 
way to do this would be to re-use the ikeless SAD by moving it to ipsec-common.

The other smaller issue is how the IKE connection entry configuration uses an 
SPD entry (I think). When IKE actually initiates a connection there may be 
multiple SPD entries that are created in order to support, for example, an 
IPsec tunnel. I believe the SPD entry under conn-entry in the ipsec-ike model 
though is being used only to specify the policy for the child SA that will be 
created. All the actual SPD entries that are created due to an IKE connection 
being established (with the corresponding child SAs referenced by reqid for the 
PROTECT versions) should probably be accessible from YANG as well. Otherwise 
one cannot view things such as a BYPASS policy that has been installed.

The most obvious fix here would be to move the SPD out of ipsec-ikeless and 
into ipsec-common.

This doesn't leave anything in ipsec-ikeless though. :)  It could be that the 
IKE created SAs and SPDs also should only be accessible as read-only 
(operational state), but that would probably have to be determined by the YANG 
server and not specified in the model if the SAD and SPD would be shared by 
both IKE and IKE-less operation.

Thoughts?

Thanks,
Chris.
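
The restructuring sketched in the message above, as an added illustration that is not part of the original post, the I2NSF drafts, or any real module: a common module carrying the SPD and SAD (with the finally selected algorithms, reqid linkage, counters, and BYPASS/PROTECT/DISCARD actions), and a second module augmenting that shared tree for IPTFS. Every module, namespace, prefix and node name here is an assumption chosen only to show the structure; the two modules would normally live in separate files.

```yang
// Illustrative sketch only; not the draft's modules. Names are assumptions.
module example-ipsec-common-sketch {
  yang-version 1.1;
  namespace "urn:example:ipsec-common-sketch";
  prefix ics;

  import ietf-yang-types { prefix yang; }

  grouping spd-entry-fields {
    description "One policy entry as actually installed, whether it was
                 configured directly (IKE-less) or created because an IKE
                 connection was established.";
    leaf name { type string; }
    leaf action {
      type enumeration {
        enum protect;
        enum bypass;
        enum discard;
      }
    }
    leaf reqid {
      type uint32;
      description "For PROTECT entries, ties this policy to the SA(s) in
                   the SAD that carry its traffic.";
    }
  }

  grouping sad-entry-fields {
    description "One SA with the parameters that were finally selected
                 (not the list that was proposed) plus traffic counters.";
    leaf spi { type uint32; }
    leaf reqid { type uint32; }
    leaf selected-encryption { type string; }
    leaf selected-integrity { type string; }
    container counters {
      config false;
      leaf packets { type yang:counter64; }
      leaf bytes { type yang:counter64; }
    }
  }

  container ipsec {
    container spd {
      list spd-entry {
        key "name";
        uses spd-entry-fields;
      }
    }
    container sad {
      description "Left config true so the IKE-less case can write SAs;
                   whether IKE-created entries are writable is then a
                   server decision, not something the model fixes.";
      list sa-entry {
        key "spi";
        uses sad-entry-fields;
      }
    }
  }
}

// A separate module hangs its own leaves off the shared tree, which is the
// kind of augmentation wanted for IPTFS. Assumed example leaf only.
module example-iptfs-augment-sketch {
  yang-version 1.1;
  namespace "urn:example:iptfs-augment-sketch";
  prefix ia;

  import example-ipsec-common-sketch { prefix ics; }

  augment "/ics:ipsec/ics:sad/ics:sa-entry" {
    leaf iptfs-enabled {
      type boolean;
      description "Assumed example leaf; real IPTFS state would be richer.";
    }
  }
}
```

With the SAD and SPD in the common module, the IKE and IKE-less modules share one tree, so a BYPASS entry installed as a side effect of an IKE connection is visible in the same place as one configured by hand.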

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf