Technical Summary
This document describes how to provide IPsec-based flow protection
(integrity and confidentiality) by means of an Interface to Network
Security Function (I2NSF) controller. It considers two main well-
known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
host. The service described in this document allows the
configuration and monitoring of IPsec Security Associations (SAs)
from an I2NSF Controller to one or several flow-based Network Security
Functions (NSFs) that rely on IPsec to protect data traffic.
The document focuses on the I2NSF NSF-facing interface by providing
YANG data models for configuring the IPsec databases (SPD, SAD, PAD)
and IKEv2. This allows IPsec SA establishment with minimal
intervention by the network administrator. It does not define any
new protocol.
Working Group Summary
The document describes two modes of configuration, or "cases" as they're called in the document: IKE and IKE-less. The "IKE" case involves configuring the NSFs with policies, identities, and credentials so that the IKE protocol can set up traffic keys. The "IKE-less" case involves configuring the NSFs with policies and traffic keys directly. The "IKE-less" case was controversial at first, with people from the IPsecME group objecting to it. Over time some usage scenarios were described where the IKE-less case may be more efficient, and the document now represents the consensus of the working group. Substantial and helpful feedback was provided by the YANG doctors -- the most notable were changes in namespace and notifications to support reuse outside of I2NSF.
The YANG model in this document raised early issues with embedding IANA registries in YANG models. In this case, it was the list of algorithms used for IKE or IPsec. Different versions of the document had different schemes, but the final design settled on embedding the algorithm number from the IANA registry as an integer.
Document Quality
The document received WG review. Additionally, these reviews included IPsec subject-matter experts (SMEs) such as Tero Kivinen and Paul Wouters.
The authors have an incomplete implementation that is open source.
Personnel
The document shepherd is Yoav Nir.
The responsible AD is Roman Danyliw.