IETF Logo Mail Archive

Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

Yoav Nir <ynir.ietf@gmail.com> Thu, 20 July 2017 08:12 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DA2C129562; Thu, 20 Jul 2017 01:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mYu3dhhrsXCJ; Thu, 20 Jul 2017 01:12:54 -0700 (PDT)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E5CF126557; Thu, 20 Jul 2017 01:12:54 -0700 (PDT)
Received: by mail-wm0-x242.google.com with SMTP id 184so32635wmo.3; Thu, 20 Jul 2017 01:12:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4DBCINq4Kf9CsyPaLyok6mt71aWJjvPJRuOtPID8MZ0=; b=h79NIbEH8yNrkv8Mj1SeK8wxpSuDLY++xSXLmq774KGoJwgTlkBhB763XLCHums2X9 0YzX+5W2JMuEK8zlaY66u1aR3KeQRo+jykZlum1CkgCmdRRX0VUqy6qXJXHTFanTiLlb qo9bcbvY1/J9ml+FYOn0cVwMMCnlz4zCk3gIhKxsf9lDlOADUEH7lzsoHPPejT9GQNDY QfRc9Ta0JU2dH4+GsntGuejj50fg3VqMlQs8NVVRXOPG+cVwTwu7Xs8J9PNilqEX2W46 e3DMoSLIfcokcskUg5UzmrgaTCEuTwufNfrSp5ZVX2yy5NKaKjMLWMsLERzww4KTuvEo LQxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4DBCINq4Kf9CsyPaLyok6mt71aWJjvPJRuOtPID8MZ0=; b=AfbZVjNFH+Ix3hgSEo6xDSHc/WNrSLqp+ARRiT21Qgmd1uso5E8E4nKzA1Rt9VNeS/ ROQPB2DrHVTpr/8T+KnpbCpsvR/NfpI50NWNgWFIcMTLJSSK3MyT7cna0Lbly2gUIv5n j9a8GFUch01NRRZ59pqCP0KAJvwe8FCYJkBawdqZKQkXulQy17XXHtC3H3nKAzJ5nuco Fto/gSkPSXcApXGsEEjH+J70J078GXdEMqAinzeZ1KGG9rMdss6SAbgRg0XsmonJWnc6 mji8avcYJWje+FAguiEtC+/Ufey0YHONelNu5KLKgIoaPr93V27jAqbXcfsDpeMHYkqU RjEg==
X-Gm-Message-State: AIVw112PJlAFSSFCBfxS8vbOmg7KPRnJYRkl9LBhOUtXnnQ6f1Q5FGqc LDxKz82I9Owxjg==
X-Received: by 10.28.51.5 with SMTP id z5mr1596713wmz.80.1500538372697; Thu, 20 Jul 2017 01:12:52 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:7059:801e:36de:6305? ([2001:67c:370:128:7059:801e:36de:6305]) by smtp.gmail.com with ESMTPSA id s2sm1776102wra.71.2017.07.20.01.12.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Jul 2017 01:12:51 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <F21DF147-9748-44F9-A7F8-D01A7DC910D3@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_9867516A-B997-4AFC-B27F-EC935C2DCCDC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 20 Jul 2017 10:12:50 +0200
In-Reply-To: <04b701d3012d$b5f05920$21d10b60$@gmail.com>
Cc: Gabriel Lopez <gabilm@um.es>, i2nsf@ietf.org, IPsecME WG <ipsec@ietf.org>, Rafa Marin Lopez <rafa@um.es>, Alejandro Pérez Méndez <alex@um.es>
To: Valery Smyslov <svanru@gmail.com>
References: <021c01d2ffcf$95f043b0$c1d0cb10$@gmail.com> <f56439b8-09f7-af23-32ed-061dc1f887a8@um.es> <02e601d3005a$c1791170$446b3450$@gmail.com> <1e2efa38-5b95-7685-8fb9-047b656f0e58@um.es> <031201d30085$d4cab0a0$7e6011e0$@gmail.com> <F49572FB-D58D-44F8-9C7F-EF7E817A973B@um.es> <04b701d3012d$b5f05920$21d10b60$@gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/dnrAnVFK9xyt10g5bkDlSN5SlDw>
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 08:12:56 -0000

> On 20 Jul 2017, at 9:56, Valery Smyslov <svanru@gmail.com> wrote:
> 
> Hi Gabriel,
> 
> I think that at this point the discussion is not very productive.
> I admit that I’m not very familiar with SDNs, so I have to
> blindly trust you when you state that the SDN Controller
> knows everything and is able to control everything,
> so it is like God. Probably this is true.

That the controller (or its administrator) knows everything is part of the model of SDN. SDN comes from datacenters and in datacenters the administrators control everything and the protocol is used to configure a whole bunch of routers and switches.

I2NSF is extending this to security boxes such as firewalls, IDS, etc. The context is still the data center. The firewalls are at the edge of the datacenter and the intruder detection is either co-located with the firewall or inside.

VPN is different. While one or more box is within the datacenter, the vast majority of boxes are out of the datacenter and located all over the Internet. Their routing is usually not under the control of the administrator, so we’d like to control just the IPsec configuration.

> 
> I just want to reiterate, that while security architecture
> with central key distribution is definitely feasible and
> it is feasible to make it secure, my strong opinion is that
> it is still a large step backward from End-to-End security
> model and it is much more fragile. And I agree with Tero that
> “EE simplicity” argument in most cases doesn’t look
> reasonable to buy. Probably you can add justifications
> to this argument, e.g. by providing estimates how much
> resources you are going to save on EE if you get rid of IKE
> (but leave IPsec, TLS and so on).
> 
> Regards,
> Valery.
> 
> From: Gabriel Lopez [mailto:gabilm@um.es <mailto:gabilm@um.es>]
> Sent: Wednesday, July 19, 2017 5:21 PM
> To: Valery Smyslov
> Cc: Alejandro Pérez Méndez; i2nsf@ietf.org <mailto:i2nsf@ietf.org>; IPsecME WG; Rafa Marin Lopez
> Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
> 
> Hi Valery,
> 
>> El 19 jul 2017, a las 13:54, Valery Smyslov <svanru@gmail.com <mailto:svanru@gmail.com>> escribió:
>> 
>> Hi Alejandro,
>> 
>> 
>>>>> It is more fragile too. You must perform periodical rekey (update keys)
>>>>> and this must be done synchronously.
>>>> You have to do it by pairs, does not seem that difficult. And, as IKE
>>>> does, you create the new ones and, once created, delete the old ones. I
>>>> don't see the synchrony problem that important.
>>> In ideal world - yes. In real world - I'm not so sure.
>>> Imagine you have an SA expired and the SDN installs a new SA
>>> on the peers, but one of SDN-peer TLS connection failed because off
>>> the temporary network problem, so you have a new SA partially installed.
>>> What is the peer that didn't receive a new SA supposed to do?
>>> Continue to use an old one despite the fact that it is expired?
>>> Block all traffic? Something else?
>> In fact, I think the SDN-based approach performs even better than IKE in
>> this regards.
>> Imagine what happens if the corresponding IKE rekey process fails for
>> the very same temporary network problem. In the best case, CHILD SAs are
>> deleted after a hard expiration, and they will need to be re-created
>> when triggered by the SPD again. This is roughly identical to the SDN
>> approach. But, typically, when an IKE rekey fails, the initiator will
>> likely close the entire IKE_SA thinking the other peer is down, which
>> would result into having to recreate the IKE_SA (including the DH
>> exchange), and all the associated CHILD_SAs afterwards.
>> 
>> Exactly, that's what IKE will do. But this is reasonable, because if IKE
>> messages cannot go between peers, it is most probably that
>> IPsec won't go either (especially in case of UDP encapsulation).
>> With SDN the situation is a bit different. The network problem
>> takes place on SDN-EE path, while EE-EE path works well,
>> but the peers cannot communicate, because SDN fails to provide
>> the keys in time. Note, that rekey may take place quite often, depending
>> on the algorithms involved.
> 
> [Gabi] This kind of strong requirements on the controller availability and workload is assumed in the SDN paradigm. Let’s think in a L2 OpenFlow controller for example, where the L2-switch has to forward a copy of the incoming frame before to forward it.
> 
> 
> 
>> How NAT traversal is to be done in IKE-less case? I understand, that
>> NATs are also controlled by SDN, but does SDN pre-install NAT mappings?
> 
> That's a good question. I would say so, yes.
> 
> So, SDN needs to synchronously configure one more entity (NAT)
> for IPsec to start working?
> 
> [Gabi] If NAT is required the controller should know that, the IPsec configuration required to cross the NAT should be applied by the Security Controller . The configuration of the NAT entity may be configured independently (manually or not, note that there are Yang models for NAT (https://tools.ietf.org/html/draft-sivakumar-yang-nat-07 <https://tools.ietf.org/html/draft-sivakumar-yang-nat-07>)).
> 
> 
> 
> 
> But, would that generate problems if the NAT box is not included in your
> SDN (e.g. it belongs to the mall centre or similar)?
> 
> In this case you first need to use UDP encapsulation and second need to send
> NAT keepalive messages periodically. Usually it is IKE who  sends
> these messages (I admit that you can also sends them from the kernel).
> IKE also determines if there is a NAT in between and which peer is
> behind the NAT. In case the NAT is out of SDN control, who will do this job?
> 
> [Gabi] the Controller should know that there is NAT in the scenario.
> 
> 
> What is supposed to be done if packet with invalid AH/ESP SPI is received?
> 
> 
> 
> 
> Clearly, the packet itself is dropped, but later IKEv2 extensions (namely
> RFC6290, Quick Crash Detection) allows to send IKE notification
> to the peer with a security token to help peers quickly recover from the crash.
> What is supposed to be done in IKE-less case? Or do you think  that
> with SDN such things like non-synchronized IPsec states never happen?
> 
> [Gabi] If it is an audiatable event by the kernel, the peer can notify the controller about that (some examples of notifications are already included in the yang model)
> 
> Thanks for the comments, this discussion is really interesting ….
> 
> Regards, Gabi.
>> 
>> Regards,
>> Valery.
>> 
>> 
>> These are exactly the sort of situations that need to be figured out.
>> 
>> I believe there are many of them.
>> 
>> Regards,
>> Valery.
>> 
>> _______________________________________________
>> I2nsf mailing list
>> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
>> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
> 
> 
> 
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es <mailto:gabilm@um.es>
> 
> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>

v2.23.0 | Report a Bug | By Email