Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
"Valery Smyslov" <svanru@gmail.com> Wed, 19 July 2017 06:19 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5C312EC44; Tue, 18 Jul 2017 23:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.198
X-Spam-Level:
X-Spam-Status: No, score=-1.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stiDgWIyrkfn; Tue, 18 Jul 2017 23:19:43 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6616212EB2B; Tue, 18 Jul 2017 23:19:42 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id l200so1591066lfb.2; Tue, 18 Jul 2017 23:19:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=AT4ed6FsBc6j2BrQ0WTtoLX79LQjsgFVtq23S+Fhy+g=; b=ntcoqbDg2Ud9JSRMVkkWGwy6DTFFQJLkxHCiXF6PzXHH5xSddoPId2KZge3LHfUQv1 l4sT7TQ3BsY/O6TTIMxZur5p+vRaHNThvVDbs7qyK7ku7DSwYx+Dz12I0db9fXKt+Cf0 oy/5fqdsVVHHk9br2jBKFc4mDudGrbW3agWWJO5MW/vugUcID2mdEIKaOrZIRBZTjYAH uk564udG9/zGQTWSmhRzaC6BVcTs94FHUIQALIjImMXSXLmau3MRp3t6wB6y67F79v7A 3TEqdD+Y/snv6pROGKKCSoiBcE+UFQsEaZawFLmpX5d5QAvIiSu+XBQL7NLyM70xeDvA LWuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=AT4ed6FsBc6j2BrQ0WTtoLX79LQjsgFVtq23S+Fhy+g=; b=mg+PWJTUxNhQZZiJ6ju7IuvIPqk+fIbWPqgHWcd6e2dI3qgAy2nna1IFm6PGtT73vJ Rviqd8oq0Sn/kSFwR6lt91lMqyDz1N2Ur5fE3GmKfkWzry0zldQwpHph2vZ3fDFPHdrM 4cyQEqITtRv+/kto4ecBUmTOzhlZEQ/zgcabpS54ghkL7lorJfvT4Tj8riCNUCgybrVV tk7CfHeGsm/7oYRSjxraZbSmlDKirgz0Xje041BZZGFMpUdWhIh4boYPdji9K9qIWxJH EF2Twd9gIWJip40QO3FQtGM8GV9dkfY4p/xRc66WOY5u97WeIcO4Ehj+pVh7tWnMBfQY yNtA==
X-Gm-Message-State: AIVw113GhxUC0Fln5qXs+oies9S8YPH3MTsqnV8BFLTeQHOVtrRaTfSV klL4uzDedqe7XcmM
X-Received: by 10.46.82.23 with SMTP id g23mr1996542ljb.32.1500445180419; Tue, 18 Jul 2017 23:19:40 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id w3sm1078686ljd.35.2017.07.18.23.19.39 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 18 Jul 2017 23:19:39 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: 'Rafa Marin-Lopez' <rafa@um.es>, 'Tero Kivinen' <kivinen@iki.fi>
Cc: i2nsf@ietf.org, 'IPsecME WG' <ipsec@ietf.org>
References: <021c01d2ffcf$95f043b0$c1d0cb10$@gmail.com> <22894.9183.134135.875338@fireball.acr.fi> <CC3CAE3F-8562-4259-B53A-F22B1F019BFC@um.es>
In-Reply-To: <CC3CAE3F-8562-4259-B53A-F22B1F019BFC@um.es>
Date: Wed, 19 Jul 2017 09:19:40 +0300
Message-ID: <02dd01d30057$01b63730$0522a590$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_02DE_01D30070.27067C70"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKDIHC5dXDQzOp5aMUY5Ta8XNCy6AK2RBfzANbASFeg3f7ZgA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/0UeRdjNibF8Tn9Sdw5cjT1W_HXQ>
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 06:19:44 -0000
Hi Rafa, Hi Tero, Valery: Please see inline. El 18 jul 2017, a las 17:06, Tero Kivinen <kivinen@iki.fi> escribió: Valery Smyslov writes: I'm very much concerned with the IKE-less option presented in the draft. First, the Network Controller becomes a very attractive target for attacks in this case, since an attacker, if attack is successful, will gain all the keys for the whole system. And it is big difference if you get the traffic keys, or if you get just the authentication keys used to authenticate the peers when creating traffic keys. [Rafa] Overall, the SDN paradigm states the controller is a trusted entity. The controller can generate session keys based on PNRG and sends those keys and forget about them. No need to store any keys, just generate them and distribute them. Having said this, in SDN paradigm, (and forgetting for a moment about IPsec) , the SDN controller is ALWAYS a very attractive target. Reason: if a SDN controller is attacked the attacker has the control over the network (it can make the entire network no operative). Example: in the SDN paradigm, for example, the “router” does not have routing protocol, just routing/switching table. The SDN controller fills tables. If the SDN is attacked the “router” does not know how to react anymore. [Valery] No, there situations are completely different. If attackers hijacks SDN and makes the entire network no operative, this is an active attack and it is easy to detect and take some measures. On the other hand, if an attacker hijacks SDN, learns all the keys and then just passively eavesdrops all the traffic in the network – you’ll never know that you were really hijacked. That’s much more dangerous. And another consideration. Did you see the ongoing discussion in the TLS WG about the draft draft-green-tls-static-dh-in-tls13 that basically suggests to hand over the TLS keys to some third party for later inspection of encrypted traffic? Your proposal looks like more “superior” approach, since SDN can collaborate with inspection devices handing them over the keys. And the large proportion of security people in the TLS WG seem to find this idea inappropriate for IETF standards in general. Regards, Valery.
- [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection Valery Smyslov
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Paul Wouters
- [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-p… Tero Kivinen
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Yoav Nir
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Yaron Sheffer
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Yoav Nir
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Alejandro Pérez Méndez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Gabriel Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Valery Smyslov
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Valery Smyslov
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Alejandro Pérez Méndez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Tero Kivinen
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Valery Smyslov
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Gabriel Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Valery Smyslov
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Yoav Nir
- Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-fl… Gabriel Lopez