[I2nsf] questions and comments to draft-carrel-ipsecme-controller-ike-00

Linda Dunbar <linda.dunbar@huawei.com> Mon, 13 August 2018 17:18 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "David Carrel (carrel)" <carrel@cisco.com>, "Brian Weis (bew)" <bew@cisco.com>
Date: Mon, 13 Aug 2018 17:18:25 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B0DADDC@sjceml521-mbx.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/NWjwa93pUMVxYyxJi4S15wXGV4s>

David and Brian,

In your draft, you assume that devices (e.g. A or B) send their public key to the Controller.

In some SD-WAN deployments, the Controller manages and distributes the "Public key" and "nonce" to each device to achieve Zero Touch Provisioning.  Can you update Figure 2 to reflect the "Controller" sending the "public key to devices"?

Since this document is about Controller-managed IKE, can we have a section recommending which attributes of IPsec are suitable to be distributed by the Controller? For example,

- PAD (Peer Authentication Database) can be maintained by the Controller for deployments of devices with constrained resources

- Public key and nonce managed by the Controller

The Rekey process in Section 4 describes some occasions where a device has 2 or 4 SAs for each peer (Section 4.2). Does it mean that the receiving node has to use two different decryption keys? How does the receiving node know which one the sender actually used?

The entire Section 4 description is no different from the scenario of two peers' direct communication (i.e. without the Controller being present), is that correct?

Thank you very much.

Linda Dunbar
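The following is an added example, not part of the message above or of the draft it discusses. It illustrates the mechanism behind the rekey question: while two inbound SAs for the same peer coexist, the receiver holds two keys, and the SPI carried in the ESP header selects which one to use, so the sender never has to signal the key out of band. The controller operations (`install_inbound`, `set_outbound`, `delete_inbound`) and the make-before-break ordering (new inbound SA installed first, outbound switched second, old inbound deleted last) are assumptions made for the illustration, not the draft's interface; HMAC-SHA256 stands in for ESP's real AEAD and all keys and payloads are constructed inline.

```python
"""Toy ESP-style receiver demux during a controller-driven rekey (stdlib only).
Added illustration: the SPI in the packet header picks the inbound SA, hence
the key, while old and new SAs for the same peer coexist.  The controller
'API' on Peer is an assumption for this example, not the draft's interface."""
import hashlib
import hmac
import secrets
import struct

ESP_HDR = struct.Struct("!II")  # SPI (4 bytes) then sequence number (4 bytes), as in ESP
ICV_LEN = 32                    # HMAC-SHA256 tag; stands in for ESP's AEAD


class SA:
    """One unidirectional SA: SPI, key and a sequence counter."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key
        self.seq = 0


def esp_encapsulate(sa: SA, payload: bytes) -> bytes:
    """Build SPI || seq || payload || ICV under the given outbound SA."""
    sa.seq += 1
    header = ESP_HDR.pack(sa.spi, sa.seq)
    icv = hmac.new(sa.key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.inbound = {}      # SPI -> SA: the receiver's lookup table
        self.outbound = None   # SA currently used for sending

    # Controller-driven SADB operations (assumed interface for the example).
    def install_inbound(self, spi: int, key: bytes) -> None:
        self.inbound[spi] = SA(spi, key)

    def set_outbound(self, spi: int, key: bytes) -> None:
        self.outbound = SA(spi, key)

    def delete_inbound(self, spi: int) -> None:
        del self.inbound[spi]

    def send(self, payload: bytes) -> bytes:
        return esp_encapsulate(self.outbound, payload)

    def receive(self, pkt: bytes) -> bytes:
        """Select the inbound SA by SPI, verify the ICV, enforce a monotonic seq."""
        spi, seq = ESP_HDR.unpack_from(pkt)
        sa = self.inbound.get(spi)
        if sa is None:
            raise KeyError(f"{self.name}: no inbound SA for SPI {spi:#010x}")
        body, icv = pkt[ESP_HDR.size:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(sa.key, pkt[:ESP_HDR.size] + body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            raise ValueError(f"{self.name}: ICV mismatch on SPI {spi:#010x}")
        if seq <= sa.seq:
            raise ValueError(f"{self.name}: replayed seq {seq} on SPI {spi:#010x}")
        sa.seq = seq
        return body


def new_spi(receiver: Peer) -> int:
    """SPIs need only be unique among the receiver's inbound SAs (0-255 are reserved)."""
    while True:
        spi = secrets.randbits(32)
        if spi >= 256 and spi not in receiver.inbound:
            return spi


def run_rekey_demo() -> dict:
    """Make-before-break rekey of the A->B direction; returns what was observed."""
    a, b = Peer("A"), Peer("B")
    # Initial SA: B gets the inbound SA, A the matching outbound one (constructed keys).
    spi1, key1 = new_spi(b), secrets.token_bytes(32)
    b.install_inbound(spi1, key1)
    a.set_outbound(spi1, key1)
    assert b.receive(a.send(b"hello")) == b"hello"
    old_outbound = a.outbound  # handle to the old SA, used for a straggler below
    # Step 1: the new inbound SA is installed on B before A ever uses it.
    spi2, key2 = new_spi(b), secrets.token_bytes(32)
    b.install_inbound(spi2, key2)
    inbound_during_rekey = len(b.inbound)  # B now holds two SAs for peer A
    # Packets still in flight under the old SPI are accepted: spi1 selects key1.
    old_ok = b.receive(a.send(b"in flight")) == b"in flight"
    # Step 2: A switches its outbound SA; B finds key2 via spi2 in the header.
    a.set_outbound(spi2, key2)
    new_ok = b.receive(a.send(b"after switch")) == b"after switch"
    # Step 3: B retires the old inbound SA; a late packet under spi1 is dropped.
    b.delete_inbound(spi1)
    try:
        b.receive(esp_encapsulate(old_outbound, b"late"))
        old_rejected = False
    except KeyError:
        old_rejected = True
    return {
        "inbound_sas_during_rekey": inbound_during_rekey,
        "old_sa_accepted_before_delete": old_ok,
        "new_sa_accepted": new_ok,
        "old_sa_rejected_after_delete": old_rejected,
        "inbound_sas_after_rekey": len(b.inbound),
    }


if __name__ == "__main__":
    print(run_rekey_demo())
```

The point the demo makes concrete is that the receiver does not need to guess: an inbound SADB is indexed by SPI, so holding two (or, counting both directions, four) SAs per peer during a rekey costs only table space, and the ordering above is what keeps in-flight packets from being dropped.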