Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

Rafa Marin-Lopez <rafa@um.es> Tue, 18 July 2017 16:32 UTC

From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <CB644F50-497E-4814-87D0-6E9C3FB28E0C@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1BF0FFC2-C7B3-4E1F-A249-2C2799D4B015"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 18 Jul 2017 18:32:32 +0200
In-Reply-To: <alpine.LRH.2.21.1707181026110.22377@bofh.nohats.ca>
Cc: Rafa Marin-Lopez <rafa@um.es>, Valery Smyslov <svanru@gmail.com>, i2nsf@ietf.org, IPsecME WG <ipsec@ietf.org>
To: Paul Wouters <paul@nohats.ca>
References: <021c01d2ffcf$95f043b0$c1d0cb10$@gmail.com> <alpine.LRH.2.21.1707181026110.22377@bofh.nohats.ca>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/JacEoj6_WTKSR479A2HnTlaigXM>
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

Hi Paul: 

>> It is more fragile too. You must perform periodical rekey (update keys)
>> and this must be done synchronously. All the rekey problems that were
>> solved by IKE will arise again.
> 
> Indeed! For example, if the ESP algorithm is an AEAD, and the endpoint
> reboots, and the central unit re-issues the same key,

[Rafa] Just a clarification: the central unit (Security Controller) will never re-issue the same key (it is pseudo-randomly generated by the controller).

Moreover, the controller will know when to do the rekey and the endpoint that requires it. We have those notifications (expires) in our YANG model for this reason.

> the endpoint will
> re-start the GCM counter at 1, thereby compromising the security and in
> effect leaking the private key.
> 
> IKE is a lot more than just a channel to shove private keys and
> src/dst policies to endpoints. I would much rather see a minimal-IKEv2
> implementation than this "non-IKE" style solution.
> 
> Paul

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------
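The reboot scenario Paul raises above, as an added worked example that is not part of this thread, the draft, or any project's code: an ESP sender using AES-GCM with an RFC 4106 style nonce (4-byte salt plus an 8-byte per-packet IV counter) loses its counter on reboot. If the controller then installs the same key and salt, the first packet after the reboot reuses the nonce of the first packet before it, and a passive observer who knows one plaintext can recover the other by XOR, because the GCM keystream cancels. If the controller installs fresh key material (the rekey Rafa describes), the same computation yields noise. The `espSender` type, the constructed salt and packet payloads, and the `rebootScenario` helper are assumptions of this example only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// espSender is a constructed model of one endpoint's outbound state for an
// AES-GCM SA. Nonce layout follows RFC 4106: a 4-byte salt from the SA key
// material, then an 8-byte IV the sender increments per packet.
type espSender struct {
	key     []byte
	salt    [4]byte
	counter uint64 // the 8-byte IV; this state is lost on reboot
}

func newSender(key []byte, salt [4]byte) *espSender {
	return &espSender{key: key, salt: salt}
}

// seal encrypts one payload with the next IV and returns ciphertext || 16-byte ICV.
func (s *espSender) seal(payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s.counter++
	nonce := make([]byte, aead.NonceSize()) // 12 bytes: salt || IV
	copy(nonce[:4], s.salt[:])
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	return aead.Seal(nil, nonce, payload, nil), nil
}

func randomKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := rand.Read(k)
	return k, err
}

// recoverFromReuse is the passive observer's computation c1 XOR c2 XOR p1 over
// the ciphertext bytes (ICV excluded). Under the same key and nonce the
// keystream cancels and the result equals p2; under a fresh key it is noise.
func recoverFromReuse(c1, c2, p1 []byte) []byte {
	n := len(p1)
	if len(c1)-16 < n {
		n = len(c1) - 16
	}
	if len(c2)-16 < n {
		n = len(c2) - 16
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return out
}

// rebootScenario sends p1, reboots the endpoint (IV counter reset), has the
// controller install either the same SA or a fresh one, then sends p2. It
// returns true when the observer recovers p2 from c1, c2 and the known p1.
func rebootScenario(reissueSameKey bool) (bool, error) {
	key, err := randomKey()
	if err != nil {
		return false, err
	}
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef} // constructed; in ESP it comes from KEYMAT
	p1 := []byte("constructed packet 1: GET /status HTTP/1.1")
	p2 := []byte("constructed packet 2: POST /login secret=x")

	s := newSender(key, salt)
	c1, err := s.seal(p1)
	if err != nil {
		return false, err
	}

	// Reboot: a new sender object models the lost counter state.
	if !reissueSameKey {
		// Controller performs a rekey: fresh key and salt for the new SA.
		if key, err = randomKey(); err != nil {
			return false, err
		}
		salt = [4]byte{0x01, 0x02, 0x03, 0x04}
	}
	s = newSender(key, salt) // counter restarts, so the first IV is 1 again
	c2, err := s.seal(p2)
	if err != nil {
		return false, err
	}

	guess := recoverFromReuse(c1, c2, p1)
	return bytes.Equal(guess, p2[:len(guess)]), nil
}

func main() {
	leak, _ := rebootScenario(true)
	safe, _ := rebootScenario(false)
	fmt.Printf("same key re-issued after reboot: p2 recovered = %v\n", leak)
	fmt.Printf("fresh key after reboot:          p2 recovered = %v\n", safe)
}
```

The point for a controller-driven design is that key uniqueness per SA lifetime and a reboot-detecting rekey path are not optional extras: the same nonce under the same key is the condition that defeats GCM, and the sender cannot repair it on its own once its counter is gone.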