IETF Logo Mail Archive

Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

Alejandro Pérez Méndez <alex@um.es> Wed, 19 July 2017 07:38 UTC

Return-Path: <alex@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B93FF12ECC3; Wed, 19 Jul 2017 00:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvMz6GYIeW2J; Wed, 19 Jul 2017 00:38:57 -0700 (PDT)
Received: from xenon43.um.es (xenon43.um.es [155.54.212.170]) by ietfa.amsl.com (Postfix) with ESMTP id 1C73A127337; Wed, 19 Jul 2017 00:38:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon43.um.es (Postfix) with ESMTP id 574C42097C; Wed, 19 Jul 2017 09:38:55 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon43.um.es
Received: from xenon43.um.es ([127.0.0.1]) by localhost (xenon43.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 4t53yxGOi8tj; Wed, 19 Jul 2017 09:38:55 +0200 (CEST)
Received: from [192.168.100.23] (unknown [185.154.58.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon43.um.es (Postfix) with ESMTPSA id 41AF32032A; Wed, 19 Jul 2017 09:38:53 +0200 (CEST)
To: Valery Smyslov <svanru@gmail.com>, i2nsf@ietf.org
Cc: 'IPsecME WG' <ipsec@ietf.org>, 'Rafa Marin-Lopez' <rafa@um.es>
References: <021c01d2ffcf$95f043b0$c1d0cb10$@gmail.com> <f56439b8-09f7-af23-32ed-061dc1f887a8@um.es> <02e601d3005a$c1791170$446b3450$@gmail.com>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <1e2efa38-5b95-7685-8fb9-047b656f0e58@um.es>
Date: Wed, 19 Jul 2017 09:38:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <02e601d3005a$c1791170$446b3450$@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ODfc9B8aiphvC0g9VSUV5stEBbI>
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 07:39:00 -0000

Hi Valery,
> Hi Alejandro,
>
>> Hi Valery, all,
>>
>>   >
>>   > In general, central distribution of session keys looks much less secure,
>>   > than running IKEv2 on them.
>> That's arguable, yes. But being less secure does not mean being useless.
>> Coming to my previous comment, we don't use RSA with 8192 bit keys for
>> everything. Although it is more secure, there are scenarios were a
>> lighter approach is enough. If running IKE is too much for your devices,
>> the IKE-less option might work for you if your security contraints are
>> fewer. This SDN-based approach does not need to solve everyone's
>> problems for every possible scenario. Neither does Kerberos, IPsec
>> itself nor any other security protocol.
> OK, but then you should clearly state your requirement.
> Otherwise it is possible to drive situation to absurdum.
> For example, for a sake of device simplicity, you may
> get rid of IPsec at all and send all the traffic that needs protection
> to SDN via existing TLS connection/ The SDN then will route
> it to appropriate peer. It would work and will make devices
> even more dumber (to be clear - I don't propose this,
> it is just an example of corner case solution that in theory would work).

I see your point and agree the document may need to state it if not 
completely clear implicitly.
It's a trade-off between simplicity (use as few protocols/functionality 
as possible), performance (use as few memory/disk/CPU resources as 
possible, this includes not using SSH/TLS other than for the control 
channel), and security (be as secure as possible, but not overkilling 
for the requirements of the scenario).
>>   > You loose PFS property,
>> I don't see why. Actually, keys on the controller are generated by a
>> secure RNG so every key you generate is completely unrelated to the
>> previous one. That's indeed an advantage, rather than the opposite.
> It depends. If you use PRNG instead of true RNG, then you'll have no PFS.

I think it is a fair assumption that an SDN controller, which is far 
from being a constrained device, will have a true RNG.

>
>>   > you loose
>>   > the property that no one but the peers know the session keys etc.
>> Right.
>>
>>   > It is more fragile too. You must perform periodical rekey (update keys)
>>   > and this must be done synchronously.
>> You have to do it by pairs, does not seem that difficult. And, as IKE
>> does, you create the new ones and, once created, delete the old ones. I
>> don't see the synchrony problem that important.
> In ideal world - yes. In real world - I'm not so sure.
> Imagine you have an SA expired and the SDN installs a new SA
> on the peers, but one of SDN-peer TLS connection failed because off
> the temporary network problem, so you have a new SA partially installed.
> What is the peer that didn't receive a new SA supposed to do?
> Continue to use an old one despite the fact that it is expired?
> Block all traffic? Something else?
In fact, I think the SDN-based approach performs even better than IKE in 
this regards.
Imagine what happens if the corresponding IKE rekey process fails for 
the very same temporary network problem. In the best case, CHILD SAs are 
deleted after a hard expiration, and they will need to be re-created 
when triggered by the SPD again. This is roughly identical to the SDN 
approach. But, typically, when an IKE rekey fails, the initiator will 
likely close the entire IKE_SA thinking the other peer is down, which 
would result into having to recreate the IKE_SA (including the DH 
exchange), and all the associated CHILD_SAs afterwards.

> How NAT traversal is to be done in IKE-less case? I understand, that
> NATs are also controlled by SDN, but does SDN pre-install NAT mappings?

That's a good question. I would say so, yes.
But, would that generate problems if the NAT box is not included in your 
SDN (e.g. it belongs to the mall centre or similar)?
These are exactly the sort of situations that need to be figured out.

Regards,
Alejandro
>
> Regards,
> Valery.
>   
>> Regards,
>> Alejandro
>>
>>   > Regards,
>>   > Valery Smyslov.
>>   >
>>   > _______________________________________________
>>   > IPsec mailing list
>>   > IPsec@ietf.org
>>   > https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email