Re: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection

Rafa Marin-Lopez <> Fri, 01 March 2019 10:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8FA85130E2F for <>; Fri, 1 Mar 2019 02:49:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1B32yJc1x_TX for <>; Fri, 1 Mar 2019 02:49:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7AADC130DE4 for <>; Fri, 1 Mar 2019 02:49:01 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4A0A020CFE; Fri, 1 Mar 2019 11:48:58 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id 51j-gfAkeIZ4; Fri, 1 Mar 2019 11:48:58 +0100 (CET)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 30664201F4; Fri, 1 Mar 2019 11:48:56 +0100 (CET)
From: Rafa Marin-Lopez <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B7D666A7-FE2E-4655-941A-179FB387C1E3"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Fri, 1 Mar 2019 11:48:53 +0100
In-Reply-To: <>
Cc: Rafa Marin-Lopez <>, Gabriel Lopez <>, "" <>, =?utf-8?B?RmVybmFuZG8gUGVyZcOxw61ndWV6IEdhcmPDrWE=?= <>, Yoav Nir <>
To: Linda Dunbar <>
References: <>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <>
Subject: Re: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Mar 2019 10:49:07 -0000

Hi Linda, Yoav:

Thank you for e-mail, some comments inline.

> El 27 feb 2019, a las 21:35, Linda Dunbar <>; escribió:
> Gabriel and Rafa,
> What you suggested in this email are all valid options:
> ·        NSF could provide them by itself during the NSF’s registration process into the controller.
> ·        the controller receives the capabilities for a set of NSFs from an external entity.
> ·        IPsec-based NSFs can consider the usage of the capabilities model to inform the security controller about IPsec capabilities.

We will include these options.
>   <>
> Can you update the draft before IETF104 (March 11)? So we can start the WG LC during IETF104.

Yes, we are working with that, applying all the comments we received from Paul, Yoav and you. We will upload a new version in March 11. 

> During IETF103, authors of draft-carrel-ipsecme-controller-ike stated that 3rd case (Controller-IKE) should be added to the document.

We thought it was still an open debate. In fact, I mentioned in the last meeting that between case 1 and case 3, I would prefer case 1 (IKE case) since as I said ( minute 1:05:03) I do not see any advantage provided by Controller-IKE. Any feature included in Controller-IKE is already in case 1. Therefore, the question about what are the advantages of Controller-IKE vs case 1 has not been answered yet, in my humble opinion.

Also it is still debatable that case 2 (now IKE-less case) does not scale.  The reason is the following: regardless we are talking about IPsec management or not, if we look to SDN world, the scalability is, in general, an issue. But there are also literature providing solutions for scalability. In fact, IKE-less case operates similarly to Openflow-based SDN networks and there are  solutions for that.

> SDWAN depends on the Controller based IKE to scale. 

I think that SDWAN needs a solution that allows to scale but it does not mean it has to be Controller-IKE, no?

> Since draft-carrel-ipsecme-controller-ike has detailed description for Controll-IKE, you only need to simply add a brief description as presented by David and refer to their draft for details.
> Something like:
> Case 3: Controller-IKE
> Controller-IKE is DH based key exchange done through the controller with following characteristics:
> ¾    All peers send their DH public value to the controller
> ¾    Controller sends the list of all public values to all peers
> ¾    All peers calculate a unique pairwise secret for each other peer
> ¾    No peer-to-peer messages.
> Re-keys mechanism is further described in draft-carrel-ipsecme-controller-ike

Just a clarification, there is no case 1 or 2 now. We have IKE case or IKE-less case. Having said that, our idea to accomplish this request is to add text in the comparison about IKE case and IKE-less case. In fact, we have now :

“On the contrary, the overload of creating fresh IPsec SAs is shifted to
   the Security Controller since IKEv2 is not in the NSF. As a
   consequence, this may result in a more complex implementation in the
   controller side.”

We can add the following:

“This overload may create some scalability issues when the number of NSFs is high. In general, literature around SDN-based network management using a centralized SDN controller is aware about scalability issues and solutions have been already provided (e.g. hierarchical SDN controllers; having multiple replicated SDN controllers...). In the context of IPsec management, one straight way to reduce the overhead and the potential scalability issue in the Security Controller is to apply "IKE case”, described in this document, since the IPsec SAs are managed between NSFs without the involvement of the Security Controller at all, except by the initial IKE configuration provided by the Security Controller. Other solutions, such as Controller-IKE <draft-carrel-ipsecme-controller-ike>, have proposed that NSFs provide their DH public keys to the Security Controller, so that the Security Controller distributes all public keys to all peers. All peers can calculate a unique pairwise secret for each other peer and there is no inter-NSF messages. A re-key mechanism is further described in <draft-carrel-ipsecme-controller-ike>.” 

Does it sound reasonable?

> -----
> Because of SDWAN getting more importance for enterprises to reach cloud DCs, scaling IPsec becomes very critical.

Yes, scaling is critical of any SDN solution, regardless whether is IPsec or not. For example, how openflow-based networks solve scalability issues.

> Recently, there are multiple initiatives in Routing Area for SD-WAN, all of them need IPsec:
> draft-sajassi-bess-secure-evpn
> draft-rosen-bess-secure-l3vpn
> draft-ietf-rtgwg-net2cloud-problem-statement
> draft-ietf-rtgwg-net2cloud-gap-analysis
> It will be better if we can smooth out the IPsec scaling solution, and telling routing area not to re-invent the wheel.

Thank you very much for these references.
> Please let us know if you need help in editing the draft to bring it to WGLC.

Sure. We are doing the work now and we will be ready for March 11.

Best Regards.

> Linda & Yoav
> From: I2nsf [ <>] On Behalf Of Gabriel Lopez
> Sent: Thursday, January 24, 2019 8:24 AM
> To: Rafa Marin Lopez < <>>
> Cc: <>; Fernando Pereñíguez García < <>>; Gabriel Lopez < <>>; Yoav Nir < <>>
> Subject: Re: [I2nsf] Reviewing sdn-ipsec-flow-protection
> Hi all.
> El 14 nov 2018, a las 10:30, Rafa Marin-Lopez < <>> escribió:
> Hi Yoav:
> El 8 nov 2018, a las 17:11, Yoav Nir < <>> escribió:
> Hi, all
> The interaction between Controller and NSF
> There’s no way for the controller to retrieve NSF capabilities. What if the NSF does not implement rc5?  It’s fine if we say that the Controller knows in advance what the capabilities of each NSF are, but it should be stated.
> Agree. Nevertheless, I would say that the most correct way is when the controller asks the NSF about capabilities after NSF and controller connect. 
> Regarding this question, we wonder how the controller knows about the capabilities provided by each IPsec NSF. As Rafa pointed out, one way is that the NSF could provide them by itself during the NSF’s registration process into the controller. Another way is that the controller receives the capabilities for a set of NSFs from an external entity. Following the I2NSF Reference Model in RFC 8329, it is assumed this role is assigned to the “Developer’s Management System”.
> In our concrete example where a NSF provides IPsec-based security functions, our understanding of that IPsec capabilities refer the set of features a IPsec NSF node is able to support. A (non-exhaustive) list is: 
> -           IKE support
> -           IKEless support
> -           For IKE case: authentication and encryption algorithms, dh_groups, authentication method, NAT traversal support, etc. 
> -           For IKEless case: authentication, integrity and encryption algorithms, AH support, etc.
> We would like to draw attention to IPsec-based NSFs and suggest authors of these drafts to consider the usage of the capabilities model to inform the security controller about IPsec capabilities.
> Thanks in advance and best regards, Gabi.
> _______________________________________________
> I2nsf mailing list
> <>
> <>
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504 <tel:+34%20868888504>
> Fax: +34 868884151 <tel:+34%20868884151>
> email: <>
> <Controller IKE case 2.pdf>_______________________________________________
> I2nsf mailing list
> <>
> <>
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: