Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

["Valery Smyslov" <svanru@gmail.com>]

Hi Alejandro,

> >>   > It is more fragile too. You must perform periodical rekey (update keys)
> >>   > and this must be done synchronously.
> >> You have to do it by pairs, does not seem that difficult. And, as IKE
> >> does, you create the new ones and, once created, delete the old ones. I
> >> don't see the synchrony problem that important.
> > In ideal world - yes. In real world - I'm not so sure.
> > Imagine you have an SA expired and the SDN installs a new SA
> > on the peers, but one of SDN-peer TLS connection failed because off
> > the temporary network problem, so you have a new SA partially installed.
> > What is the peer that didn't receive a new SA supposed to do?
> > Continue to use an old one despite the fact that it is expired?
> > Block all traffic? Something else?
> In fact, I think the SDN-based approach performs even better than IKE in
> this regards.
> Imagine what happens if the corresponding IKE rekey process fails for
> the very same temporary network problem. In the best case, CHILD SAs are
> deleted after a hard expiration, and they will need to be re-created
> when triggered by the SPD again. This is roughly identical to the SDN
> approach. But, typically, when an IKE rekey fails, the initiator will
> likely close the entire IKE_SA thinking the other peer is down, which
> would result into having to recreate the IKE_SA (including the DH
> exchange), and all the associated CHILD_SAs afterwards.

Exactly, that's what IKE will do. But this is reasonable, because if IKE
messages cannot go between peers, it is most probably that 
IPsec won't go either (especially in case of UDP encapsulation).
With SDN the situation is a bit different. The network problem 
takes place on SDN-EE path, while EE-EE path works well,
but the peers cannot communicate, because SDN fails to provide
the keys in time. Note, that rekey may take place quite often, depending 
on the algorithms involved. 

> > How NAT traversal is to be done in IKE-less case? I understand, that
> > NATs are also controlled by SDN, but does SDN pre-install NAT mappings?
> 
> That's a good question. I would say so, yes.

So, SDN needs to synchronously configure one more entity (NAT)
for IPsec to start working? 

> But, would that generate problems if the NAT box is not included in your
> SDN (e.g. it belongs to the mall centre or similar)?

In this case you first need to use UDP encapsulation and second need to send
NAT keepalive messages periodically. Usually it is IKE who  sends
these messages (I admit that you can also sends them from the kernel).
IKE also determines if there is a NAT in between and which peer is 
behind the NAT. In case the NAT is out of SDN control, who will do this job?

What is supposed to be done if packet with invalid AH/ESP SPI is received?
Clearly, the packet itself is dropped, but later IKEv2 extensions (namely
RFC6290, Quick Crash Detection) allows to send IKE notification
to the peer with a security token to help peers quickly recover from the crash.
What is supposed to be done in IKE-less case? Or do you think  that
with SDN such things like non-synchronized IPsec states never happen?

Regards,
Valery. 

> These are exactly the sort of situations that need to be figured out.

I believe there are many of them.

Regards,
Valery.