Re: [I2nsf] [IPsec] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04

Rafa Marin-Lopez <rafa@um.es> Mon, 03 June 2019 10:33 UTC

From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <7C701C5B-4980-4CAD-B8D8-A4CADE3304FC@um.es>
Date: Mon, 3 Jun 2019 12:32:57 +0200
In-Reply-To: <alpine.LRH.2.21.1905291036480.22788@bofh.nohats.ca>
Cc: Rafa Marin-Lopez <rafa@um.es>, Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>
To: Paul Wouters <paul@nohats.ca>, Tero Kivinen <kivinen@iki.fi>
References: <4A95BA014132FF49AE685FAB4B9F17F66B3869DE@sjceml521-mbs.china.huawei.com> <DBBD75C3-9FB3-473F-A627-062DB3F5C32D@um.es> <alpine.LRH.2.21.1904210811200.1903@bofh.nohats.ca> <ED73306E-F807-42A4-B063-D45E133B8419@um.es> <alpine.LRH.2.21.1905241401320.3939@bofh.nohats.ca> <718671CF-46BF-427A-A008-A9F8EB3631D0@um.es> <alpine.LRH.2.21.1905291036480.22788@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ecW0_0FikyDkDFwn045vjZhuEcI>
Subject: Re: [I2nsf] [IPsec] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04

Hi Paul, Tero

>> 
>> "For security reasons, a NSF MUST NOT allow any traffic unless the Security Controller mandates so. In other words, since the NSF needs IPsec information coming from the SC, if that information is not in place yet the safest option is DISCARD (drop) packets."
> 
> I assume there are two types of deployment, "cleartext but encrypt when
> possible" and "encryption mandatory". So I feel the MUST NOT is a bit
> too strong. Perhaps limit it to say "if encryption is mandatory for
> all traffic of an NSF, its default policy MUST be to drop packets to
> prevent cleartext packet leaks".
> 
> But then you also do not need per-tunnel "drop" policies, so the SC does
> not have to instruct the NSF for anything.

[Authors] Indeed, the NSF should have this policy without contacting the SC. The NSF should know beforehand (before the SC can say anything to the NSF) that the whole deployment policy will be "cleartext but encrypt when possible" or "encryption mandatory". We should be able to use our interface to include a default policy of "cleartext but encrypt when possible" or "encryption mandatory" in the NSF's startup config. In this case, this startup config is not set by the Security Controller but by some other entity during the NSF "bootstrapping" (before it is deployed in the network). This initial startup config would include what Tero mentioned about different policies that allow this NSF to contact the SC once the NSF has been deployed.

Moreover, we should allow changing between "cleartext but encrypt when possible" and "encryption mandatory" if the administrator so requires. This change could be performed by the SC. Perhaps we could add the following text:


"For security reasons, if encryption is mandatory for all traffic of an NSF, its default policy MUST be to drop (DISCARD) packets to prevent cleartext packet leaks. This default policy MUST be in the startup configuration datastore in the NSF before the NSF contacts the Security Controller. Moreover, the startup configuration datastore MUST be pre-configured with the required ALLOW policies that allow the NSF to communicate with the Security Controller once the NSF is deployed. This pre-configuration step is not carried out by the Security Controller but by some other entity before the NSF deployment. In this manner, when the NSF reboots, it will always first apply the configuration in the startup configuration before contacting the Security Controller."




-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------
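
The boot-time behaviour proposed in this message, modelled as an added example (not code from the draft or its authors): a toy NSF loads only its startup datastore, reaches the Security Controller through a pre-configured ALLOW policy, and discards everything else until the SC installs policies. The class and function names, the dictionary layout, the longest-prefix matching and the documentation-range addresses are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed startup configuration, written by a provisioning entity before
# deployment (not by the Security Controller). Addresses are documentation ranges.
STARTUP = {
    "mode": "encryption-mandatory",            # or "encrypt-when-possible"
    "policies": [("192.0.2.10/32", "ALLOW")],  # lets the NSF reach the SC
}

class NSF:
    def __init__(self, startup):
        self.startup = startup
        self.boot()

    def boot(self):
        """Load only the startup datastore; SC-pushed state is lost on reboot."""
        self.mode = self.startup["mode"]
        self.policies = list(self.startup["policies"])

    def sc_push(self, prefix, action):
        """Policy installed later by the Security Controller (running config)."""
        self.policies.append((prefix, action))

    def decide(self, dst):
        """Most specific matching policy wins; otherwise the mode's default."""
        addr = ip_address(dst)
        hits = [(ip_network(p), a) for p, a in self.policies
                if addr in ip_network(p)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
        # Default policy: drop in mandatory mode so no cleartext leaks.
        return "DISCARD" if self.mode == "encryption-mandatory" else "ALLOW"

def walk_through():
    nsf = NSF(STARTUP)
    out = {"boot_sc": nsf.decide("192.0.2.10"),        # SC reachable at boot
           "boot_peer": nsf.decide("198.51.100.7")}    # no SC policy yet
    nsf.sc_push("198.51.100.0/24", "PROTECT")          # SC installs IPsec policy
    out["after_push"] = nsf.decide("198.51.100.7")
    nsf.boot()                                         # reboot: startup only
    out["after_reboot"] = nsf.decide("198.51.100.7")
    nsf.mode = "encrypt-when-possible"                 # mode change via the SC
    out["relaxed"] = nsf.decide("198.51.100.7")
    return out

if __name__ == "__main__":
    print(walk_through())
```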