IETF Logo Mail Archive

Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

"Valery Smyslov" <svanru@gmail.com> Wed, 19 July 2017 06:46 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA42412ECC8; Tue, 18 Jul 2017 23:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level:
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qaq37zroRBWl; Tue, 18 Jul 2017 23:46:32 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 255AA12ECB4; Tue, 18 Jul 2017 23:46:32 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id t72so28108635lff.1; Tue, 18 Jul 2017 23:46:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=dOtlIXQlGt277QdjxJbWlab+LShgJb+mzFXuMhyD9AE=; b=KekisdVjjbPH9VTuUntndH23LuAEtBYflCOC0W2muh9mZssQW+MO3YqNtNwrIoLRIh GjbFgXFw6ZLlcQ/pyKRjlQGlYdpUFhj4JuVeMk4uIUHwrFJw8Y5Kb40qrKXQE8kPb+sv XaZvft6MFyFCbpDN/axVTRe88rHVbE0tQJK94q7dtSXVj0Gv2lXow6O3nKstTCHLkbmH 0dVnTgFNM7BXshJkNVT+sisgyHOY1AStG63GCZEqfaeMldUGVTVKHK08Q6O+YGZ1FTZG ruYwDr6l6/JYD3qACqZSYXzFD0C947sikVCR3YTrEGc0n4ovrDzhXcn7KlzMpeLyOBba wfmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=dOtlIXQlGt277QdjxJbWlab+LShgJb+mzFXuMhyD9AE=; b=JTJp2XbeJzXrl66p2eyKY0Lr4gGd+m0n861QRgiBzArzKtsVdF9jcIO8icYDrCHTyc lHNRgJXluPQNF5s0h6hNoHd6MyXAqI9QuUdf1cs9ze1O1Ek6u6m/2a3QUKsHNNKU7v+d hU8U02X/wZZPl6BumlC1uzfnPQIsnYBOv4RbNjH+tTEINVbpUPLoRVoDIl3LlH2T/xbP uz4tz/qkab0zht8X/yCZ55890MRFr9WIjsIR45TcF+jg/Sq3LSKKGF9+BY6GL3wRfQDI LHXppi0NIehvA5VhSo1zOiIW6MMG2sPNAVrjkPmtujzYMkY5wt5cidqES4bw40w62SF1 ab6Q==
X-Gm-Message-State: AIVw113N+MMDM20LVvDRroDF36RVPIZM5mL+HoLmhNPUOgGb5XEGNJdl JCbnajkIMKfbb0Wg
X-Received: by 10.46.83.86 with SMTP id t22mr2180014ljd.24.1500446790464; Tue, 18 Jul 2017 23:46:30 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id i15sm1107265ljd.6.2017.07.18.23.46.29 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 18 Jul 2017 23:46:29 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: 'Alejandro Pérez Méndez' <alex@um.es>, i2nsf@ietf.org
Cc: 'IPsecME WG' <ipsec@ietf.org>, 'Rafa Marin-Lopez' <rafa@um.es>
References: <021c01d2ffcf$95f043b0$c1d0cb10$@gmail.com> <f56439b8-09f7-af23-32ed-061dc1f887a8@um.es>
In-Reply-To: <f56439b8-09f7-af23-32ed-061dc1f887a8@um.es>
Date: Wed, 19 Jul 2017 09:46:30 +0300
Message-ID: <02e601d3005a$c1791170$446b3450$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKDIHC5dXDQzOp5aMUY5Ta8XNCy6AHIW25WoOwsABA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/r2CgtrTK5jfHWD2U3KNZWw_mZ1k>
Subject: Re: [I2nsf] [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 06:46:34 -0000

Hi Alejandro,

> Hi Valery, all,
> 
>  >
>  > In general, central distribution of session keys looks much less secure,
>  > than running IKEv2 on them.
> That's arguable, yes. But being less secure does not mean being useless.
> Coming to my previous comment, we don't use RSA with 8192 bit keys for
> everything. Although it is more secure, there are scenarios were a
> lighter approach is enough. If running IKE is too much for your devices,
> the IKE-less option might work for you if your security contraints are
> fewer. This SDN-based approach does not need to solve everyone's
> problems for every possible scenario. Neither does Kerberos, IPsec
> itself nor any other security protocol.

OK, but then you should clearly state your requirement.
Otherwise it is possible to drive situation to absurdum.
For example, for a sake of device simplicity, you may
get rid of IPsec at all and send all the traffic that needs protection
to SDN via existing TLS connection/ The SDN then will route
it to appropriate peer. It would work and will make devices
even more dumber (to be clear - I don't propose this,
it is just an example of corner case solution that in theory would work).

>  > You loose PFS property,
> I don't see why. Actually, keys on the controller are generated by a
> secure RNG so every key you generate is completely unrelated to the
> previous one. That's indeed an advantage, rather than the opposite.

It depends. If you use PRNG instead of true RNG, then you'll have no PFS.

>  > you loose
>  > the property that no one but the peers know the session keys etc.
> Right.
> 
>  > It is more fragile too. You must perform periodical rekey (update keys)
>  > and this must be done synchronously.
> You have to do it by pairs, does not seem that difficult. And, as IKE
> does, you create the new ones and, once created, delete the old ones. I
> don't see the synchrony problem that important.

In ideal world - yes. In real world - I'm not so sure.
Imagine you have an SA expired and the SDN installs a new SA
on the peers, but one of SDN-peer TLS connection failed because off
the temporary network problem, so you have a new SA partially installed.
What is the peer that didn't receive a new SA supposed to do?
Continue to use an old one despite the fact that it is expired?
Block all traffic? Something else? 

How NAT traversal is to be done in IKE-less case? I understand, that
NATs are also controlled by SDN, but does SDN pre-install NAT mappings?

Regards,
Valery.
 
> Regards,
> Alejandro
> 
>  > Regards,
>  > Valery Smyslov.
>  >
>  > _______________________________________________
>  > IPsec mailing list
>  > IPsec@ietf.org
>  > https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email