Re: [I2nsf] One comment on draft-ietf-i2nsf-sdn-ipsec-flow-protection-02:
Rafa Marin-Lopez <rafa@um.es> Thu, 12 July 2018 14:47 UTC
Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75303130E68; Thu, 12 Jul 2018 07:47:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LcR0sMwtnPlY; Thu, 12 Jul 2018 07:47:53 -0700 (PDT)
Received: from xenon44.um.es (xenon44.um.es [155.54.212.171]) by ietfa.amsl.com (Postfix) with ESMTP id 2A243126BED; Thu, 12 Jul 2018 07:47:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon44.um.es (Postfix) with ESMTP id C389120357; Thu, 12 Jul 2018 16:47:48 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon44.um.es
Received: from xenon44.um.es ([127.0.0.1]) by localhost (xenon44.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id cHU9uRZqTUge; Thu, 12 Jul 2018 16:47:48 +0200 (CEST)
Received: from quantum.inf.um.es (quantum.inf.um.es [155.54.204.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon44.um.es (Postfix) with ESMTPSA id 39A0B1FF7C; Thu, 12 Jul 2018 16:47:47 +0200 (CEST)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <D1141001-608F-4E69-807F-90F8F92310B1@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D217EBAE-F2CF-4A00-8749-6DEB97940147"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Thu, 12 Jul 2018 16:47:46 +0200
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BE354B7@DGGEML522-MBX.china.huawei.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection.all@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>
To: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BE354B7@DGGEML522-MBX.china.huawei.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Xp2A4wbI1dnQQ-RerQAXmXjb5zI>
Subject: Re: [I2nsf] One comment on draft-ietf-i2nsf-sdn-ipsec-flow-protection-02:
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 14:47:57 -0000
Dear Xialiang: We are exploring different alternatives where the controller does not see or know the key material that will finally end in the NSFs. In the current approach specified in the I-D, both Tx SA and Rx SA will still have different keys (inbound SA will have a different key than the outbound SA). The main discussion is whether it is suitable that a trusted entity such the controller sees the keys used in the inbound and outbound SA in case 2. Do you have any solution in mind? Best Regards. > El 12 jul 2018, a las 3:12, Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com> escribió: > > Hi authors, > In Section 5.2.1, to avoid exposure of other nodes once one node is compromised, key materials for each pair must be different and irreversible, this may cause performance issue with controller with large network during initial setup and rekey. > > So, to distribute some of the SA key calculation to each device while still avoiding negotiation latency, the other options is that controller can send common key material to all NSFs, then NSF calculates actual SA key using the common key and known local, peer info. This way, both peers can generate Tx SA and Rx SA without negotiating with each other, also, the keys will be unique for each tunnel. > > Will you consider this option? > > Thanks! > > B.R. > Frank ------------------------------------------------------- Rafa Marin-Lopez, PhD Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es -------------------------------------------------------
- [I2nsf] One comment on draft-ietf-i2nsf-sdn-ipsec… Xialiang (Frank, Network Integration Technology Research Dept)
- Re: [I2nsf] One comment on draft-ietf-i2nsf-sdn-i… Rafa Marin-Lopez
- [I2nsf] 答复: One comment on draft-ietf-i2nsf-sdn-i… Xialiang (Frank, Network Integration Technology Research Dept)