IETF Logo Mail Archive

[I2nsf] IETF 103 I2NSF WG session agenda call

Linda Dunbar <linda.dunbar@huawei.com> Thu, 18 October 2018 21:58 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52527130E23 for <i2nsf@ietfa.amsl.com>; Thu, 18 Oct 2018 14:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJYpLgTmGdOa for <i2nsf@ietfa.amsl.com>; Thu, 18 Oct 2018 14:58:19 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 960C1130DEF for <i2nsf@ietf.org>; Thu, 18 Oct 2018 14:58:19 -0700 (PDT)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 38192A2FD5E26 for <i2nsf@ietf.org>; Thu, 18 Oct 2018 22:58:15 +0100 (IST)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 18 Oct 2018 22:58:16 +0100
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.103]) by SJCEML701-CHM.china.huawei.com ([169.254.3.28]) with mapi id 14.03.0415.000; Thu, 18 Oct 2018 14:58:09 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: IETF 103 I2NSF WG session agenda call
Thread-Index: AdRnKr1pBkcH2ig7QCmByaxnynNGZQ==
Date: Thu, 18 Oct 2018 21:58:09 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B1781E9@sjceml521-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.112]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B1781E9sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/IDtoTBh9kzvEiptQr_5YiSEvclc>
Subject: [I2nsf] IETF 103 I2NSF WG session agenda call
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2018 21:58:22 -0000

I2NSF WG session will be on Nov 7 at 15:40-17:10 (90 minutes).
Please let us know if you need meeting slot. If you need to present remotely, please let us know as soon as possible.

We will designate some meeting time to discuss security risks associated with different levels of information exchanged with Network functions for the purpose of some degrees of simplifying the  IPsec SA on the network functions.


Currently, there are three proposals going around (Details of those proposals are described in detail in https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ and https://datatracker.ietf.org/doc/draft-carrel-ipsecme-controller-ike/.):

1.              Have the SD-WAN controller provision security policy (SPD and PAD in RFC4301 language) and maybe also credentials, and have the endpoints use IKEv2 to derive the IPsec session keys and set up tunnels.

2.              Have the SDN controller provision IPsec session keys to the IPsec endpoints.

3.              Keep the DH exchange (through the SD-WAN controller) but eliminate the rest of IKEv2 so the controller doesn't get the IPsec session keys

The goal is to document the risks of sharing the IPsec session keys with the controller, so that users can make the informed decision.

Linda & Yoav

v2.23.0 | Report a Bug | By Email