Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

Gabriel Lopez <gabilm@um.es> Tue, 18 July 2017 16:35 UTC

From: Gabriel Lopez <gabilm@um.es>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, i2nsf@ietf.org, IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Rafa Marin Lopez <rafa@um.es>, Tero Kivinen <kivinen@iki.fi>
Date: Tue, 18 Jul 2017 18:35:06 +0200
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/0tb8Hy_9cZVEusTzmrUXZM55fvg>

Hi Yoav,

> On 18 Jul 2017, at 17:48, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> With AES-GCM, AES-CCM, ChaCha20-Poly1305 you don’t need a PRNG at all.
> 
> With AES-CBC you need an unpredictable IV, but you could generate them by encrypting a counter with one AES key (that could be provided by the controller).


As you know, IPsec is independent of the key management protocol. What the draft proposes is a way to allow the Controller (in case 2) to provide the required information for IPsec and to allow the Controller to receive the IPsec kernel notifications regarding SA required, SA expiration, etc., exactly as IKE does. These notifications, as Rafa says, are modelled by the YANG file and allow the Controller to have the whole view of what is happening in the NSFs. It allows the Controller to refresh keys, SA information, etc.

Regards, Gabi.


> 
> But you still need the TLS session.
> 
>> On 18 Jul 2017, at 17:34, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>> 
>> On 18/07/17 17:14, Yoav Nir wrote:
>>> I mostly agree, but one point…
>>> 
>>>> On 18 Jul 2017, at 17:06, Tero Kivinen <kivinen@iki.fi> wrote:
>>> <snip/>
>>> 
>>>> This I think is important question, i.e., what is the gain for not
>>>> running IKEv2 between the nodes?
>>>> 
>>> Simpler gateway, less code, no PK operations, no need for random number generator.
>>> 
>>> The counter-argument is that without all these you can’t set up a TLS session to run netconf over.
>>> 
>>> Yoav
>>> 
>> No random number generator? I don't think this is true even for a pure ESP endpoint.
>> 
>> Thanks,
>>   Yaron
> 



-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es
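Yoav's AES-CBC suggestion above (an unpredictable IV obtained by encrypting a counter under one AES key) next to the AEAD case where a bare counter nonce suffices, as an added Go example that is not part of this thread or of the draft; the key is a constructed sample value and the 32-bit GCM salt field is assumed to be zero:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// IVGenerator yields AES-CBC IVs by encrypting a never-repeating counter under
// a dedicated AES key (in the draft's setting the controller would supply it).
type IVGenerator struct {
	block   cipher.Block
	counter uint64
}

func NewIVGenerator(key []byte) (*IVGenerator, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &IVGenerator{block: b}, nil
}

// Next returns the IV for the next packet: unique because the counter never
// repeats, unpredictable to anyone without the key, and needing no RNG.
func (g *IVGenerator) Next() []byte {
	var ctr [aes.BlockSize]byte
	binary.BigEndian.PutUint64(ctr[8:], g.counter)
	g.counter++
	iv := make([]byte, aes.BlockSize)
	g.block.Encrypt(iv, ctr[:])
	return iv
}

// GCMNonce is the AEAD case: AES-GCM needs a unique, not unpredictable, nonce,
// so the bare 64-bit counter (after a 32-bit salt, zero here) is enough.
func GCMNonce(counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit sample key
	g, err := NewIVGenerator(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBC IV: %x\nGCM nonce: %x\n", g.Next(), GCMNonce(7))
}
```

In both cases the security rests on the counter never repeating under the same key, so the counter state must survive a gateway restart or the key must be rotated when it cannot.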