Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt

"Valery Smyslov" <> Mon, 22 July 2019 15:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D818612013B; Mon, 22 Jul 2019 08:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RlR4-xSxxRYV; Mon, 22 Jul 2019 08:39:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 42EB8120052; Mon, 22 Jul 2019 08:39:19 -0700 (PDT)
Received: by with SMTP id a186so24777983vsd.7; Mon, 22 Jul 2019 08:39:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=h6kTiaHxUypV5ZSxO9XTWz8mGlwrSrxmr958xIPTqPs=; b=jxDkMSLx6upi258GC1ScvKf83EP9k8gJ4+a7YXgl+7s+WFoz3ZjBNG2ibJdfePIBw0 Cot70hSmx9A823NTzjlTqm593lUmtrYzOSTd3JwdyVMzYP30HIJjKD58Mkm4tQkGCFv5 +QHvvrYuKoiRpb1vioi4GSrUa2amECWmwpjqPIuFATE/cAhcDxRPPhlMR7+6kuYsXbzK SP0zT7CDdZTtOfFhfSEkXcD7elpbpeKHn7LnSx9WGYwsIANjactQi23Oi8ReLAbv1sMq IdYAxSwUBKRx6sZjRAugKlHMDI2HPw7drhAnpF4bDwIKcXlUg+kMeCNCgM6gtApnTdSP MmnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=h6kTiaHxUypV5ZSxO9XTWz8mGlwrSrxmr958xIPTqPs=; b=poWdjloAxkqPK2GQGzWgp7/jsiW9XwfwtbmgFqgR9W73O4edZvCfvNgO1Ag5fqE8aq AXV88fpbY3lC5ELuWIPA2Hd2m9/9yAzGyQp1wAlfebAjjhQ2j42Yd+c2Jzw2aOadDoHy c41+4kwtwhmwsIqUUyK1TeFax4710OLooige3Nf3S34F8xSEqcXn16oJHVx7kEWRMHyH q5rsNPgaT4RlSFPMdbxCZ4ABHmB4BSZH88N7ZWhfff3u7H5nr4RSeSm+kVlfwp0L9U7g e24uZHkOs7giRicoGDWWLoIPjNRYST3dpIx7wmp9LvP99M+ObV3RHNqnQ+8F4y6V7tYX wARw==
X-Gm-Message-State: APjAAAU+UhGTS3EC6aCr4OJK/sSyRjxT+PXGoHacwAMA3SM/NysKrZK+ qBLDVdnsxf/AlFsHbuzGiKw=
X-Google-Smtp-Source: APXvYqxx+av6NC/y/tG2hXBT0kTxwuu/YcOzo26LvGwzs7JYJjV+B0/ZG5DHduI/qZzPR85+t64H4A==
X-Received: by 2002:a67:bc7:: with SMTP id 190mr20262856vsl.6.1563809958244; Mon, 22 Jul 2019 08:39:18 -0700 (PDT)
Received: from svannotebook ([2001:67c:370:128:b8f4:fc59:5b3c:83af]) by with ESMTPSA id l129sm37222734vki.45.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Jul 2019 08:39:17 -0700 (PDT)
From: "Valery Smyslov" <>
To: "'Rafa Marin Lopez'" <>
Cc: "'Yoav Nir'" <>, <>, <>, =?utf-8?Q?'Fernando_Pere=C3=B1=C3=ADguez_Garc=C3=ADa'?= <>, <>, "'Gabriel Lopez'" <>
References: <> <> <> <016c01d53f08$e0c2d1d0$a2487570$> <>
In-Reply-To: <>
Date: Mon, 22 Jul 2019 18:39:14 +0300
Message-ID: <030c01d540a3$9e7a74d0$db6f5e70$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_030D_01D540BC.C3D2D060"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHCFNK4T/q9sOv9UIwCeVdICbA12QI+UTb7AODQKd0B9E5Q0QGsr2TdpscZwzA=
Content-Language: ru
Archived-At: <>
Subject: Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Jul 2019 15:39:26 -0000

Hi Rafa,


sure this problem is general for any SDN solution.

My point was that if SC performs a lot of real-time 

(or near real-time) tasks as it may happen in IKE-less case, 

then this problem may become serious.


Anyway, I'm happy with the updated text, thank you.

However, in a following document(s), suggested by Yoav,

I'd like to see more concrete advices of how SC should

act in this situation to ensure that the consistence of the 

network is preserved despite all the possible delays etc.






From: Rafa Marin Lopez <> 
Sent: Monday, July 22, 2019 6:11 PM
To: Valery Smyslov <>
Cc: Rafa Marin Lopez <>es>; Yoav Nir <>om>;;; Fernando Pereñíguez García <>es>;; Gabriel Lopez <>
Subject: Re: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt


Hi Valery:


Thank you very much for your comments. Please see ours inside.

El 20 jul 2019, a las 16:38, Valery Smyslov < <> > escribió:




thank you for updating the document. I still think that some aspect

of IKE-less use case are not discussed yet (well, probably they are not 

"serious", depending on one's definition of "serious").


Unlike IKE case. which we can consider as mostly static configuration,

the IKE-less case is a dynamic one. If IPsec SA are being created 

on demand (via kernel-acquire) and the traffic volume is high,

then depending on the IPsec policy IKE-less case can become 

a highly dynamic, which implies additional requirement on both

the network connecting SC and NSF and the performance of the protocol used to 

secure their communications. In other words, in IKE case the communication

between IKE daemon and kernel is seamless, while in IKE-less

case the communication between NSF ("kernel") and SC adds

noticeable delay (and can potentially add quite a long delay),

which can influence total performance of the system.


Generally IKE-less case requires more communications between

different nodes to establish or rekey IPsec SA, than IKE case

(I assume that IKE SA is already established), that may have

an impact on high-speed networks with short-lived IPsec SAs,

especially if they are created per transport connection

(say one IPsec SA for one TCP session).


[Authors] What you have just described is what happens in any SDN-based network. In fact, your comment would be applicable to practically any scenario based on the SDN paradigm. In the particular case of the I-D, the IKE-less case is the most similar to case you can see in, for example, Openflow networks where latency is also important (just as an example : )


I believe, that SC's task of managing IPsec SAs in IKE-less case 

may become quite complex, especially because due to the

additional delay, introduced by the network, the picture of the

state of the SAs the SC has can become inaccurate (well, 

it will always be inaccurate, but with short delays it doesn't matter).

Just an example. Consider an SC receives a signal from NSF that an SA

is soft expired and starts rekeying process by first installing a new

pair of inbound SAs. It successfully installs them on the NSF

it receives notification from, but then it receives a notification

that the other NSF has rebooted, so it must clear all the SAs on

its peers, including the just installed new one (which is only

half-done). There seems to be a lot of nuances, and the document 

completely ignores them. Not that I think that the task

is impossible, but the algorithm of managing the SAs can become

quite complex and possibly unreliable.


[Authors] We largely thought about this kind of cases, although we do not see any different that may happen in SDN-based network nowadays. And it seems to me that SDN is becoming something generally accepted despite the different nuances that needs to be consider. In any case, what you mention is not ignored in our document because it is included in the text we have in section 5.3 (see below) where we highlight the complexity is shifted to the SC (that’s clear). But as I mentioned, this is not specific to IKE-less case but for any solution based on the pure SDN paradigm (such as Openflow networks). In other words, the cases you well mention are applicable to any SDN-based solution.


I didn't find this discussion in the draft (sorry if I missed it).


Your comments are somehow summarized in the following text section 5.3


"On the contrary, the overload of creating fresh IPsec
   SAs is shifted to the Security Controller since IKEv2 is not in the
   NSF.  As a consequence, this may result in a more complex
   implementation in the controller side.  This overload may create some
   scalability issues when the number of NSFs is high.

In general, literature around SDN-based network management using a

   centralized Security Controller is aware about scalability issues and

   solutions have been already provided (e.g. hierarchical Security

   Controllers; having multiple replicated Security Controllers, etc)."


I would add that a high-speed dedicated management network between the SC and the NSFs can be also in place to even limit reduce these delays between the SC and NSFs (this idea comes again from Openflow networks). Also the SC can select more “intelligent” lifetime to orchestrate better when the notifications may appear.


In any case, we think we can improve that text as follows: 


"On the contrary, the overload of creating and managing IPsec

   SAs is shifted to the Security Controller since IKEv2 is not in the
   NSF. As a consequence, this may result in a more complex
   implementation in the controller side in comparison with

   IKE case.  For example, the Security Controller have to deal with 

   the latency existing in the path between the Security Controller 

   and the NSF in order to solve tasks such as, rekey or creation and 

   installation of new IPsec SAs. However, this is not specific to our 

   contribution but a general aspect in any SDN-based network. 

   In summary, this overload may create some scalability and performance 

   issues when the number of NSFs is high.

   Nevertheless, literature around SDN-based network management using a
   centralized Security Controller is aware about scalability and
   performance issues and solutions have been already provided and
   discussed (e.g.  hierarchical Security Controllers; having multiple
   replicated Security Controllers, dedicated high-speed management
   networks, etc). In the context of SDN-based IPsec management, one

   way to reduce the latency and alleviate some performance issues can

   be the installation of the IPsec policies and IPsec SAs at the same time

   (proactive mode, as described in Section 7.1) instead of waiting for

   notifications (e.g. a notification sadb-acquire when a new IPsec SA 

   is required) to proceed with the IPsec SA installations (reactive mode). 

   Another way to reduce the overhead and the potential scalability and

   performance issues in the Security Controller is to apply the IKE
   case described in this document, since the IPsec SAs are managed
   between NSFs without the involvement of the Security Controller at
   all, except by the initial IKE configuration provided by the Security


Please see also our comments to Yoav.


Best Regards.








Thanks for getting this done and published.


We will wait with requesting publication until the I2NSF session next week.  Between now and then, please re-read the draft and send a message to the list is something is seriously wrong.


Barring any such shouting, we will request publication right after the meeting.


Thanks again,


Linda and Yoav

On 16 Jul 2019, at 15:42, Rafa Marin-Lopez < <>> wrote:


Dear all:

We submitted a new version of the I-D (v05) where we have applied several changes. In the following you have a summary of the main changes, which we will expand/explain during our presentation: 

- We have dealt with YANG doctors’ review (Martin's)

- We have dealt with Paul Wouters’ comments and Tero’s comments.


- We have added more specific text in the descriptions.

- Notifications have a simpler format now since most of the information that contained in the past is already handled by the Security Controller.

- State data has been reduced. For example, in IKE case, most of the information is related with IKE and not with the specific details about IPsec SAs that IKE handles (after all, IKE can abstract this information from the Security Controller).


- We have included text in the security section to discuss about the default IPsec policies that should be in the NSF when it starts before contacting with the SC such as the IPsec policies required to allow traffic between the SC and the NSF.


- We have added a subsection 5.3.4 about NSF discovery by the Security Controller.

- In order to specify the crypto-algorithms we have used a simple approach by including an integer and adding a text pointing the IANA in the reference clause. For example:

typedef encryption-algorithm-type {
           type uint32;
               "The encryption algorithm is specified with a 32-bit
               number extracted from IANA Registry. The acceptable
               values MUST follow the requirement levels for
               encryption algorithms for ESP and IKEv2.";
                "IANA Registry- Transform Type 1 - Encryption
                Algorithm Transform IDs. RFC 8221 - Cryptographic
                Algorithm Implementation Requirements and Usage
                Guidance for Encapsulating Security Payload (ESP)
                and Authentication Header (AH) and RFC 8247 -
                Algorithm Implementation Requirements and Usage
                Guidance for the Internet Key Exchange Protocol
                Version 2 (IKEv2).";


- We have included three additional Annexes with examples in about the usage of the YANG model.


- We have performed pyang --lint --lint-ensure-hyphenated-names and pyang -f yang --yang-line-length 69 in our model without warnings.


Best Regards.

Inicio del mensaje reenviado:


De:  <>

Asunto: [I2nsf] I-D Action: draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt

Fecha: 7 de julio de 2019, 23:34:03 CEST

Para: < <>>

Cc:  <>

Responder a:  <>


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Interface to Network Security Functions WG of the IETF.

       Title           : Software-Defined Networking (SDN)-based IPsec Flow Protection
       Authors         : Rafa Marin-Lopez
                         Gabriel Lopez-Millan
                         Fernando Pereniguez-Garcia
           Filename        : draft-ietf-i2nsf-sdn-ipsec-flow-protection-05.txt
           Pages           : 81
           Date            : 2019-07-07

  This document describes how providing IPsec-based flow protection by
  means of a Software-Defined Network (SDN) controller (aka.  Security
  Controller) and establishes the requirements to support this service.
  It considers two main well-known scenarios in IPsec: (i) gateway-to-
  gateway and (ii) host-to-host.  The SDN-based service described in
  this document allows the distribution and monitoring of IPsec
  information from a Security Controller to one or several flow-based
  Network Security Function (NSF).  The NSFs implement IPsec to protect
  data traffic between network resources.

  The document focuses on the NSF Facing Interface by providing models
  for configuration and state data required to allow the Security
  Controller to configure the IPsec databases (SPD, SAD, PAD) and IKEv2
  to establish Security Associations with a reduced intervention of the
  network administrator.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at <> .

Internet-Drafts are also available by anonymous FTP at:

I2nsf mailing list


Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151  <> e-mail:





I2nsf mailing list