Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
"Valery Smyslov" <smyslov.ietf@gmail.com> Sat, 20 July 2019 14:39 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0EB912017F; Sat, 20 Jul 2019 07:39:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UDyeD7KQrKec; Sat, 20 Jul 2019 07:39:07 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A08712010D; Sat, 20 Jul 2019 07:39:07 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id k20so64501404ios.10; Sat, 20 Jul 2019 07:39:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=qe25DgyLw3LrOvAOonlEWyb5Hw/2VSQn56CF/5sUBdI=; b=irKWZvQspEVtbMfOeewIcMTXBUUmQ0lpm3OwrztK8i0uknDUQ8p6KdXrYCeYc9wPJS qvtqldv1Bzu54252mDNkBXCWxukGWpd97QBB68pNAsqzw7NC3wVytt7LHAN3WCcgmkV6 DFPqzAIO1mFbNy5AIeKRqijB+U6EPgZ9gCKQJcmKWCfbNS8v8ixJapTFPbZRs7v6pH4o PHMrE6luDrprDW8SPhAf9ctYhKEz4kOy1LWuSZWaWMXfgFI1rPGkVVfgyZV24jg2Y+TN Cd5YwN3wWJtTDH6uD1FxjDFXA8E5CQJJgIaw45Ddh2pyQ/BagnU2USxkg/V92Rw42ycn UXxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=qe25DgyLw3LrOvAOonlEWyb5Hw/2VSQn56CF/5sUBdI=; b=nk77eVO7ZZDUALMhyRbsirA/+7o94bTJmd6BM7+90wynFXqaNR65YWcsuomVWL2poC udquMINRBElEi2BE/COtd67o1U48Il4XQu74pjyRPBlIl6AXtmUxjid52SHTZvjikO6Y VtwHlbIskYySkmTvn63v+/NJhA5rrsjgKgKQo1as3QFAIHq+IyUlJVZYTp1qUFSCjGvt QpTMGQ9frsQ0F8HjWjTgxN9sq+lEIO4gt7rIN/4l1mM0+a6TnGKYNvJX1SCA9EhjHySU Q2X77HJP/QCp/nS3yceFkdMI7bIBia9wkw4ikYIG9jpNQeoErB9zfrYaerX7S1YwqeGt Bf5g==
X-Gm-Message-State: APjAAAUCSqi0Ad+zxSD9hb3nmuL8n9Af4Qg+5q+kjqJWTv5BN5dTkCOK Fqcf1DGdEtG6FzBbVq2nRts=
X-Google-Smtp-Source: APXvYqxSCRZ7N58KgqZXc5NLNaH85/+zxxq3I7rLS5kj2tbCsD2hkV4md9PzyVDlpGIx7rhnK2ofhQ==
X-Received: by 2002:a02:16c5:: with SMTP id a188mr62835857jaa.86.1563633546461; Sat, 20 Jul 2019 07:39:06 -0700 (PDT)
Received: from svannotebook ([75.98.19.132]) by smtp.gmail.com with ESMTPSA id p3sm42118008iom.7.2019.07.20.07.39.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 20 Jul 2019 07:39:05 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Yoav Nir' <ynir.ietf@gmail.com>, 'Rafa Marin-Lopez' <rafa@um.es>
Cc: i2nsf@ietf.org, ipsec@ietf.org, 'Fernando Pereñíguez García' <fernando.pereniguez@cud.upct.es>, mbj@tail-f.com, 'Gabriel Lopez' <gabilm@um.es>
References: <156253524318.473.14686910090362577746@ietfa.amsl.com> <4E36A715-3B6C-4BDF-A149-9E10574E3F96@um.es> <5758F23C-087D-49AB-87E0-FE7E0F6D15A1@gmail.com>
In-Reply-To: <5758F23C-087D-49AB-87E0-FE7E0F6D15A1@gmail.com>
Date: Sat, 20 Jul 2019 17:38:57 +0300
Message-ID: <016c01d53f08$e0c2d1d0$a2487570$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_016D_01D53F22.0618E370"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHCFNK4T/q9sOv9UIwCeVdICbA12QI+UTb7AODQKd2m4OC+kA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ZY0c-GSkTX1XlEHLFTe52QdWb8U>
Subject: Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jul 2019 14:39:10 -0000
Hi,
thank you for updating the document. I still think that some aspect
of IKE-less use case are not discussed yet (well, probably they are not
"serious", depending on one's definition of "serious").
Unlike IKE case. which we can consider as mostly static configuration,
the IKE-less case is a dynamic one. If IPsec SA are being created
on demand (via kernel-acquire) and the traffic volume is high,
then depending on the IPsec policy IKE-less case can become
a highly dynamic, which implies additional requirement on both
the network connecting SC and NSF and the performance of the protocol used to
secure their communications. In other words, in IKE case the communication
between IKE daemon and kernel is seamless, while in IKE-less
case the communication between NSF ("kernel") and SC adds
noticeable delay (and can potentially add quite a long delay),
which can influence total performance of the system.
Generally IKE-less case requires more communications between
different nodes to establish or rekey IPsec SA, than IKE case
(I assume that IKE SA is already established), that may have
an impact on high-speed networks with short-lived IPsec SAs,
especially if they are created per transport connection
(say one IPsec SA for one TCP session).
I believe, that SC's task of managing IPsec SAs in IKE-less case
may become quite complex, especially because due to the
additional delay, introduced by the network, the picture of the
state of the SAs the SC has can become inaccurate (well,
it will always be inaccurate, but with short delays it doesn't matter).
Just an example. Consider an SC receives a signal from NSF that an SA
is soft expired and starts rekeying process by first installing a new
pair of inbound SAs. It successfully installs them on the NSF
it receives notification from, but then it receives a notification
that the other NSF has rebooted, so it must clear all the SAs on
its peers, including the just installed new one (which is only
half-done). There seems to be a lot of nuances, and the document
completely ignores them. Not that I think that the task
is impossible, but the algorithm of managing the SAs can become
quite complex and possibly unreliable.
I didn't find this discussion in the draft (sorry if I missed it).
Regards,
Valery.
Thanks for getting this done and published.
We will wait with requesting publication until the I2NSF session next week. Between now and then, please re-read the draft and send a message to the list is something is seriously wrong.
Barring any such shouting, we will request publication right after the meeting.
Thanks again,
Linda and Yoav
On 16 Jul 2019, at 15:42, Rafa Marin-Lopez <rafa@um.es <mailto:rafa@um.es> > wrote:
Dear all:
We submitted a new version of the I-D (v05) where we have applied several changes. In the following you have a summary of the main changes, which we will expand/explain during our presentation:
- We have dealt with YANG doctors’ review (Martin's)
- We have dealt with Paul Wouters’ comments and Tero’s comments.
- We have added more specific text in the descriptions.
- Notifications have a simpler format now since most of the information that contained in the past is already handled by the Security Controller.
- State data has been reduced. For example, in IKE case, most of the information is related with IKE and not with the specific details about IPsec SAs that IKE handles (after all, IKE can abstract this information from the Security Controller).
- We have included text in the security section to discuss about the default IPsec policies that should be in the NSF when it starts before contacting with the SC such as the IPsec policies required to allow traffic between the SC and the NSF.
- We have added a subsection 5.3.4 about NSF discovery by the Security Controller.
- In order to specify the crypto-algorithms we have used a simple approach by including an integer and adding a text pointing the IANA in the reference clause. For example:
typedef encryption-algorithm-type {
type uint32;
description
"The encryption algorithm is specified with a 32-bit
number extracted from IANA Registry. The acceptable
values MUST follow the requirement levels for
encryption algorithms for ESP and IKEv2.";
reference
"IANA Registry- Transform Type 1 - Encryption
Algorithm Transform IDs. RFC 8221 - Cryptographic
Algorithm Implementation Requirements and Usage
Guidance for Encapsulating Security Payload (ESP)
and Authentication Header (AH) and RFC 8247 -
Algorithm Implementation Requirements and Usage
Guidance for the Internet Key Exchange Protocol
Version 2 (IKEv2).";
}
- We have included three additional Annexes with examples in about the usage of the YANG model.
- We have performed pyang --lint --lint-ensure-hyphenated-names and pyang -f yang --yang-line-length 69 in our model without warnings.
Best Regards.
Inicio del mensaje reenviado:
De: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
Asunto: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
Fecha: 7 de julio de 2019, 23:34:03 CEST
Para: <i-d-announce@ietf.org <mailto:i-d-announce@ietf.org> >
Cc: i2nsf@ietf.org <mailto:i2nsf@ietf.org>
Responder a: i2nsf@ietf.org <mailto:i2nsf@ietf.org>
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Interface to Network Security Functions WG of the IETF.
Title : Software-Defined Networking (SDN)-based IPsec Flow Protection
Authors : Rafa Marin-Lopez
Gabriel Lopez-Millan
Fernando Pereniguez-Garcia
Filename : draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
Pages : 81
Date : 2019-07-07
Abstract:
This document describes how providing IPsec-based flow protection by
means of a Software-Defined Network (SDN) controller (aka. Security
Controller) and establishes the requirements to support this service.
It considers two main well-known scenarios in IPsec: (i) gateway-to-
gateway and (ii) host-to-host. The SDN-based service described in
this document allows the distribution and monitoring of IPsec
information from a Security Controller to one or several flow-based
Network Security Function (NSF). The NSFs implement IPsec to protect
data traffic between network resources.
The document focuses on the NSF Facing Interface by providing models
for configuration and state data required to allow the Security
Controller to configure the IPsec databases (SPD, SAD, PAD) and IKEv2
to establish Security Associations with a reduced intervention of the
network administrator.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-i2nsf-sdn-ipsec-flow-protection-05
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I2nsf mailing list
I2nsf@ietf.org <mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf
-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: <mailto:rafa@um.es> rafa@um.es
-------------------------------------------------------
_______________________________________________
I2nsf mailing list
I2nsf@ietf.org <mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf
- [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-fl… internet-drafts
- [I2nsf] Fwd: I-D Action: draft-ietf-i2nsf-sdn-ips… Rafa Marin-Lopez
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Yoav Nir
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Yoav Nir
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov
- [I2nsf] [IPsec] Fwd: I-D Action: draft-ietf-i2nsf… Tero Kivinen
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Rafa Marin Lopez
- Re: [I2nsf] [IPsec] I-D Action: draft-ietf-i2nsf-… Rafa Marin Lopez
- Re: [I2nsf] [IPsec] I-D Action: draft-ietf-i2nsf-… Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] I-D Action: draft-ietf-i2nsf-… Susan Hares
- Re: [I2nsf] [IPsec] Fwd: I-D Action: draft-ietf-i… Nico Williams
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Yoav Nir
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Rafa Marin-Lopez
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Rafa Marin Lopez
- Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipse… Valery Smyslov