Hi Daniel,

> On 29 Mar 2016, at 1:39, Daniel Migault <daniel.miga...@ericsson.com> wrote:
>
> Hi Gabriel,
> Thanks for the feedback.
>
> For IKEv2 the document to consider is draft-tran-ipsecme-ikev2-yang-00.
>
> ok, then I suggest that the authors remove the IKEv2 model from draft-tran-ipsecme-yang-01
>
> I agree that it would be useful to have some basic example. This is in our plan.
> However I am wondering if the basic scenarios should rather concern ipsec configurations than ikev2.
> Please let us know which scenarios you would like us to document.
>
Let's suppose a very basic, manually defined, end-to-end ipsec configuration for ipsec-tools.

#SAD info
(1) add 192.168.56.1 192.168.56.2 ah 0x200 -A hmac-md5 0x12345….
(2) add 192.168.56.2 192.168.56.1 ah 0x300 -A hmac-md5 0x98765….
#SPD info
(3) spdadd 192.168.56.1 192.168.56.2 any -P out ipsec ah/transport//require;
(4) spdadd 192.168.56.2 192.168.56.1 any -P in ipsec ah/transport//require;

From draft-tran-ipsecme-yang-01, let's try to model the first sentence (1):

ipsec/sad/sad-entries/
ipsec/sad/sad-entries/spi=0x200
ipsec/sad/sad-entries/anti-replay-window=
ipsec/sad/sad-entries/ip-comp=
ipsec/sad/sad-entries/local-peer=192.168.56.1
ipsec/sad/sad-entries/local-remote=192.168.56.2
ipsec/sad/sad-entries/sa-mode=transport
ipsec/sad/sad-entries/security-protocol=ah
ipsec/sad/sad-entries/sequence-number=
ipsec/sad/sad-entries/sequence-number-overflow-flag=
ipsec/sad/sad-entries/path-mtu=
ipsec/sad/sad-entries/life-time=
ipsec/sad/sad-entries/upper-protocol= <—— Why upper-protocol in the SAD entry?
ipsec/sad/sad-entries/direction= <— ?
ipsec/sad/sad-entries/source-address= <— For tunnel mode?
ipsec/sad/sad-entries/destination-address= <— "
ipsec/sad/sad-entries/nat-traversal-flag=
ipsec/sad/sad-entries/ah/authentication-algorithm=hmac-md5-96/0x12345….. <— Why is key-str defined as a 16/40 string/hex?

For the second sentence (2):

ipsec/sad/sad-entries/spi=0x300
ipsec/sad/sad-entries/local-peer=192.168.56.2
ipsec/sad/sad-entries/local-remote=192.168.56.1
ipsec/sad/sad-entries/sa-mode=transport
ipsec/sad/sad-entries/security-protocol=ah
ipsec/sad/sad-entries/ah/authentication-algorithm=hmac-md5-96/0x98765…..
… (omitted) ..

For the third sentence (3):

ipsec/spd/spd-entries/
ipsec/spd/spd-entries/name=foo
ipsec/spd/spd-entries/description=foo desc
ipsec/spd/spd-entries/anti-replay-windows= <— already used in sad; RFC4301 allocates this value in the SAD entry
ipsec/spd/spd-entries/perfect-forward-secrecy=
ipsec/spd/spd-entries/seq
ipsec/spd/spd-entries/seq/seq-id <— ? Can more than one proposal be defined per spd entry?
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/name=foo
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/ah=auth-hmac-md5-96 <— Why do you use the type ike-integrity-algorithm-t here, with a different name than in the sad entry?
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/esp=
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/ip-comp= <— already used in sad?
ipsec/spd/spd-entries/seq/proposal —> /ipsec/proposal/lifetime=

However, the spd entry model does not contain values such as local and remote IP address (as described in RFC4301), ipsec mode (transport/tunnel), direction, Next Layer Protocol, PFP flags, etc.

Best regards,
Gabi.

> BR
> Daniel
>
>
> Hi,
>
> Documents draft-tran-ipsecme-yang-01 and draft-tran-ipsecme-ikev2-yang-00 were submitted on the same date (2016-03-18) and most of the authors coincide. Both documents describe a Yang IKEv2 configuration data model. The latter is focused on IKEv2; the former includes IPSec and IKEv1 data models.
>
> Sorry, I'm a bit confused: what is the right document to check the IKEv2 yang model?
>
> In both cases, it would be useful to include examples for basic IPSec/IKE scenarios.
>
> Regards, Gabi.
>
>> On 27 Mar 2016, at 1:04, Daniel Migault <daniel.miga...@ericsson.com> wrote:
>>
>> Hi,
>>
>> Please find our first version of the YANG model for IKEv2. Feel free to post comments. I would also be happy to have face-to-face discussions on the draft - especially with IKEv2 implementers.
>>
>> BR,
>> Daniel
>>
>> -----Original Message-----
>> From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
>> Sent: Friday, March 18, 2016 11:01 AM
>> To: Xia Chen; Honglei Wang; Khanh Tran; Khanh Tran; Vijay Kumar Nagaraj; Daniel Migault
>> Subject: New Version Notification for draft-tran-ipsecme-ikev2-yang-00.txt
>>
>>
>> A new version of I-D, draft-tran-ipsecme-ikev2-yang-00.txt
>> has been successfully submitted by Khanh Tran and posted to the IETF repository.
>>
>> Name: draft-tran-ipsecme-ikev2-yang
>> Revision: 00
>> Title: Yang Data Model for IKEv2
>> Document date: 2016-03-18
>> Group: Individual Submission
>> Pages: 76
>> URL: https://www.ietf.org/internet-drafts/draft-tran-ipsecme-ikev2-yang-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-tran-ipsecme-ikev2-yang/
>> Htmlized: https://tools.ietf.org/html/draft-tran-ipsecme-ikev2-yang-00
>>
>>
>> Abstract:
>> This document defines a YANG data model that can be used to configure and manage Internet Key Exchange version 2 (IKEv2). The model covers the IKEv2 protocol configuration and operational state.
>>
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gab...@um.es
>

-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gab...@um.es
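As an added example (not code from the thread, from the draft, or from ipsec-tools), the following Python script does mechanically what Gabriel does by hand above: it parses setkey "add" and "spdadd" statements and emits the flat path=value form, then checks each "require" policy against the manual SAs. The SAD leaf names are the ones quoted in the message; the SPD leaves for local/remote address, direction, next-layer protocol and mode are names I assume, since the message points out that the draft has no such leaves. The setkey-to-draft algorithm-name table, the 128-bit keys in the sample input, and the RFC 8221 check on hmac-md5 are my own additions. Note that setkey accepts several proto/mode/endpoints/level rules after "ipsec", which is why the script allows more than one per spd entry.

```python
"""Added example: parse ipsec-tools setkey statements into the flat path=value
form used in the message, and sanity-check the policies against the manual SAs."""

# Constructed input: the four statements from the message, with constructed
# 128-bit HMAC-MD5 keys in place of the truncated ones (not real keys).
SETKEY_CONF = """\
#SAD info
add 192.168.56.1 192.168.56.2 ah 0x200 -A hmac-md5 0x000102030405060708090a0b0c0d0e0f;
add 192.168.56.2 192.168.56.1 ah 0x300 -A hmac-md5 0x0f0e0d0c0b0a09080706050403020100;
#SPD info
spdadd 192.168.56.1 192.168.56.2 any -P out ipsec ah/transport//require;
spdadd 192.168.56.2 192.168.56.1 any -P in ipsec ah/transport//require;
"""

# setkey algorithm name -> identifier used in the message's SAD mapping (assumed
# table; names not listed pass through unchanged).
AUTH_ALG = {"hmac-md5": "hmac-md5-96", "hmac-sha1": "hmac-sha1-96"}
WEAK_AUTH = {"hmac-md5"}  # AUTH_HMAC_MD5_96 is MUST NOT for ESP/AH in RFC 8221
# setkey 'add' options: flag -> field name(s) it sets. -m defaults to "any".
SAD_OPTS = {"-m": ("mode",), "-r": ("replay",), "-A": ("auth", "key"), "-E": ("enc", "enckey")}


def parse_setkey(text):
    """Return (sads, spds) as lists of dicts; '#' comments and trailing ';' are dropped.
    An SA is src/dst/proto/spi plus options; an SPD entry is src/dst/upper/dir/action
    plus zero or more (proto, mode, endpoints, level) rules."""
    sads, spds = [], []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not tok:
            continue
        if tok[0] == "add":
            e = {"src": tok[1], "dst": tok[2], "proto": tok[3], "spi": tok[4], "mode": "any"}
            i = 5
            while i < len(tok):                      # option flags after src dst proto spi
                names = SAD_OPTS.get(tok[i])
                args = tok[i + 1:i + 1 + len(names or ())]
                if names is None or len(args) < len(names):
                    raise ValueError(f"bad option {tok[i]!r} in: {raw.strip()}")
                e.update(zip(names, args))
                i += 1 + len(names)
            sads.append(e)
        elif tok[0] == "spdadd" and len(tok) >= 7 and tok[4] == "-P":
            e = {"src": tok[1], "dst": tok[2], "upper": tok[3], "dir": tok[5],
                 "action": tok[6], "rules": []}
            if e["action"] == "ipsec":               # several rules may follow 'ipsec'
                e["rules"] = [tuple(spec.split("/")) for spec in tok[7:]]
            spds.append(e)
        else:
            raise ValueError(f"unsupported statement: {raw.strip()}")
    return sads, spds


def sad_paths(e):
    """SAD entry -> the draft leaf names quoted in the message (sa-mode shows setkey's
    default 'any' when -m was not given)."""
    b = "ipsec/sad/sad-entries/"
    d = {b + "spi": e["spi"], b + "local-peer": e["src"], b + "local-remote": e["dst"],
         b + "sa-mode": e["mode"], b + "security-protocol": e["proto"]}
    if "replay" in e:
        d[b + "anti-replay-window"] = e["replay"]
    if "auth" in e:
        alg = AUTH_ALG.get(e["auth"], e["auth"])
        d[f"{b}{e['proto']}/authentication-algorithm"] = f"{alg}/{e['key']}"
    if "enc" in e:
        d[b + "esp/encryption-algorithm"] = f"{e['enc']}/{e['enckey']}"  # assumed leaf name
    return d


def spd_paths(e, name):
    """SPD entry -> leaves. Addresses, direction, next-layer protocol and mode have no
    leaf under the draft's spd-entries (the gap the message raises), so those names
    are assumed; seq/seq-id and proposal follow the message."""
    b = "ipsec/spd/spd-entries/"
    d = {b + "name": name, b + "local-address": e["src"], b + "remote-address": e["dst"],
         b + "direction": e["dir"], b + "upper-protocol": e["upper"], b + "action": e["action"]}
    for n, (proto, mode, endpoints, level) in enumerate(e["rules"], 1):
        s = f"{b}seq/{n}/"
        d.update({s + "seq-id": str(n), s + "proposal/security-protocol": proto,
                  s + "proposal/sa-mode": mode, s + "proposal/level": level})
        if endpoints:                                # only set for tunnel mode
            d[s + "proposal/tunnel-endpoints"] = endpoints
    return d


def unmatched_policies(sads, spds):
    """'require'/'unique' rules with no manual SA for the same src/dst/protocol and a
    compatible mode. Nothing else creates SAs under manual keying, so the kernel
    drops that traffic instead of sending it in the clear."""
    out = []
    for s in spds:
        for proto, mode, _, level in s["rules"]:
            if level in ("require", "unique") and not any(
                    a["src"] == s["src"] and a["dst"] == s["dst"] and a["proto"] == proto
                    and a["mode"] in ("any", mode) for a in sads):
                out.append((s["dir"], s["src"], s["dst"], proto, mode))
    return out


def weak_sas(sads):
    """SPIs whose integrity algorithm RFC 8221 forbids."""
    return [a["spi"] for a in sads if a.get("auth") in WEAK_AUTH]


if __name__ == "__main__":
    sads, spds = parse_setkey(SETKEY_CONF)
    for a in sads:
        print("\n".join(f"{k}={v}" for k, v in sad_paths(a).items()))
    for n, s in enumerate(spds, 1):
        print("\n".join(f"{k}={v}" for k, v in spd_paths(s, f"spd{n}").items()))
    print("unmatched:", unmatched_policies(sads, spds), "forbidden:", weak_sas(sads))
```

Run as-is it prints the four entries in path=value form, an empty list for unmatched policies (each "require" rule has a manual SA with the same addresses and protocol) and both SPIs under the RFC 8221 check, since the sample keeps the message's hmac-md5. Swapping one SA to "-m tunnel", or adding an spdadd for addresses with no SA, makes unmatched_policies report the rule that would silently drop traffic.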