Re: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection

Linda Dunbar <linda.dunbar@huawei.com> Fri, 01 March 2019 16:15 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18FC8130EAA for <i2nsf@ietfa.amsl.com>; Fri, 1 Mar 2019 08:15:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNtwmeUnyWrj for <i2nsf@ietfa.amsl.com>; Fri, 1 Mar 2019 08:15:37 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55818130F0F for <i2nsf@ietf.org>; Fri, 1 Mar 2019 08:15:36 -0800 (PST)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id BF19F47717402A46F6A4 for <i2nsf@ietf.org>; Fri, 1 Mar 2019 16:15:33 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 1 Mar 2019 16:15:33 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.241]) by SJCEML702-CHM.china.huawei.com ([169.254.4.38]) with mapi id 14.03.0415.000; Fri, 1 Mar 2019 08:15:27 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Rafa Marin-Lopez <rafa@um.es>
CC: Gabriel Lopez <gabilm@um.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, =?utf-8?B?RmVybmFuZG8gUGVyZcOxw61ndWV6IEdhcmPDrWE=?= <fernando.pereniguez@cud.upct.es>, Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection
Thread-Index: AQHU0BxowvpIaQmao0S+wyL6nUFba6X27TUw
Date: Fri, 1 Mar 2019 16:15:27 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B2C7CC3@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B2C71AA@sjceml521-mbs.china.huawei.com> <B05FCEFD-B617-416F-BE3B-2D4E472F6D39@um.es>
In-Reply-To: <B05FCEFD-B617-416F-BE3B-2D4E472F6D39@um.es>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.84]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B2C7CC3sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/sh5cL35B8SsicKPUwM9R0fwPIzs>
Subject: Re: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 16:15:48 -0000

Rafa,

Thanks. What you suggested is good to me.
If there is no objection from the WG, we can call WGLC after IETF104.

Linda
From: Rafa Marin-Lopez [mailto:rafa@um.es]
Sent: Friday, March 01, 2019 4:49 AM
To: Linda Dunbar <linda.dunbar@huawei.com>;
Cc: Rafa Marin-Lopez <rafa@um.es>;; Gabriel Lopez <gabilm@um.es>;; i2nsf@ietf.org; Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>;; Yoav Nir <ynir.ietf@gmail.com>;
Subject: Re: [I2nsf] Let's try to draw closure for sdn-ipsec-flow-protection ( RE: Reviewing sdn-ipsec-flow-protection

Hi Linda, Yoav:

Thank you for e-mail, some comments inline.

El 27 feb 2019, a las 21:35, Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> escribió:

Gabriel and Rafa,

What you suggested in this email are all valid options:
•        NSF could provide them by itself during the NSF’s registration process into the controller.
•        the controller receives the capabilities for a set of NSFs from an external entity.
•        IPsec-based NSFs can consider the usage of the capabilities model to inform the security controller about IPsec capabilities.

We will include these options.

Can you update the draft before IETF104 (March 11)? So we can start the WG LC during IETF104.

Yes, we are working with that, applying all the comments we received from Paul, Yoav and you. We will upload a new version in March 11.


During IETF103, authors of draft-carrel-ipsecme-controller-ike stated that 3rd case (Controller-IKE) should be added to the document.

We thought it was still an open debate. In fact, I mentioned in the last meeting that between case 1 and case 3, I would prefer case 1 (IKE case) since as I said ( minute 1:05:03) I do not see any advantage provided by Controller-IKE. Any feature included in Controller-IKE is already in case 1. Therefore, the question about what are the advantages of Controller-IKE vs case 1 has not been answered yet, in my humble opinion.

Also it is still debatable that case 2 (now IKE-less case) does not scale.  The reason is the following: regardless we are talking about IPsec management or not, if we look to SDN world, the scalability is, in general, an issue. But there are also literature providing solutions for scalability. In fact, IKE-less case operates similarly to Openflow-based SDN networks and there are  solutions for that.

SDWAN depends on the Controller based IKE to scale.

I think that SDWAN needs a solution that allows to scale but it does not mean it has to be Controller-IKE, no?


Since draft-carrel-ipsecme-controller-ike has detailed description for Controll-IKE, you only need to simply add a brief description as presented by David and refer to their draft for details.
Something like:

Case 3: Controller-IKE
Controller-IKE is DH based key exchange done through the controller with following characteristics:
•    All peers send their DH public value to the controller
•    Controller sends the list of all public values to all peers
•    All peers calculate a unique pairwise secret for each other peer
•    No peer-to-peer messages.

Re-keys mechanism is further described in draft-carrel-ipsecme-controller-ike

Just a clarification, there is no case 1 or 2 now. We have IKE case or IKE-less case. Having said that, our idea to accomplish this request is to add text in the comparison about IKE case and IKE-less case. In fact, we have now :

“On the contrary, the overload of creating fresh IPsec SAs is shifted to
   the Security Controller since IKEv2 is not in the NSF. As a
   consequence, this may result in a more complex implementation in the
   controller side.”

We can add the following:

“This overload may create some scalability issues when the number of NSFs is high. In general, literature around SDN-based network management using a centralized SDN controller is aware about scalability issues and solutions have been already provided (e.g. hierarchical SDN controllers; having multiple replicated SDN controllers...). In the context of IPsec management, one straight way to reduce the overhead and the potential scalability issue in the Security Controller is to apply "IKE case”, described in this document, since the IPsec SAs are managed between NSFs without the involvement of the Security Controller at all, except by the initial IKE configuration provided by the Security Controller. Other solutions, such as Controller-IKE <draft-carrel-ipsecme-controller-ike>, have proposed that NSFs provide their DH public keys to the Security Controller, so that the Security Controller distributes all public keys to all peers. All peers can calculate a unique pairwise secret for each other peer and there is no inter-NSF messages. A re-key mechanism is further described in <draft-carrel-ipsecme-controller-ike>.”

Does it sound reasonable?


-----
Because of SDWAN getting more importance for enterprises to reach cloud DCs, scaling IPsec becomes very critical.

Yes, scaling is critical of any SDN solution, regardless whether is IPsec or not. For example, how openflow-based networks solve scalability issues.


Recently, there are multiple initiatives in Routing Area for SD-WAN, all of them need IPsec:
draft-sajassi-bess-secure-evpn
draft-rosen-bess-secure-l3vpn
draft-ietf-rtgwg-net2cloud-problem-statement
draft-ietf-rtgwg-net2cloud-gap-analysis
It will be better if we can smooth out the IPsec scaling solution, and telling routing area not to re-invent the wheel.

Thank you very much for these references.



Please let us know if you need help in editing the draft to bring it to WGLC.

Sure. We are doing the work now and we will be ready for March 11.

Best Regards.



Linda & Yoav


From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Gabriel Lopez
Sent: Thursday, January 24, 2019 8:24 AM
To: Rafa Marin Lopez <rafa@um.es<mailto:rafa@um.es>>
Cc: i2nsf@ietf.org<mailto:i2nsf@ietf.org>; Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es<mailto:fernando.pereniguez@cud.upct.es>>; Gabriel Lopez <gabilm@um.es<mailto:gabilm@um.es>>; Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>>
Subject: Re: [I2nsf] Reviewing sdn-ipsec-flow-protection

Hi all.



El 14 nov 2018, a las 10:30, Rafa Marin-Lopez <rafa@um.es<mailto:rafa@um.es>> escribió:

Hi Yoav:



El 8 nov 2018, a las 17:11, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> escribió:

Hi, all






  *   The interaction between Controller and NSF

     *   There’s no way for the controller to retrieve NSF capabilities. What if the NSF does not implement rc5?  It’s fine if we say that the Controller knows in advance what the capabilities of each NSF are, but it should be stated.

Agree. Nevertheless, I would say that the most correct way is when the controller asks the NSF about capabilities after NSF and controller connect.


Regarding this question, we wonder how the controller knows about the capabilities provided by each IPsec NSF. As Rafa pointed out, one way is that the NSF could provide them by itself during the NSF’s registration process into the controller. Another way is that the controller receives the capabilities for a set of NSFs from an external entity. Following the I2NSF Reference Model in RFC 8329, it is assumed this role is assigned to the “Developer’s Management System”.

In our concrete example where a NSF provides IPsec-based security functions, our understanding of that IPsec capabilities refer the set of features a IPsec NSF node is able to support. A (non-exhaustive) list is:
-           IKE support
-           IKEless support
-           For IKE case: authentication and encryption algorithms, dh_groups, authentication method, NAT traversal support, etc.
-           For IKEless case: authentication, integrity and encryption algorithms, AH support, etc.

We would like to draw attention to IPsec-based NSFs and suggest authors of these drafts to consider the usage of the capabilities model to inform the security controller about IPsec capabilities.

Thanks in advance and best regards, Gabi.





_______________________________________________
I2nsf mailing list
I2nsf@ietf.org<mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf

-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504<tel:+34%20868888504>
Fax: +34 868884151<tel:+34%20868884151>
email: gabilm@um.es<mailto:gabilm@um.es>



<Controller IKE case 2.pdf>_______________________________________________
I2nsf mailing list
I2nsf@ietf.org<mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es<mailto:rafa@um.es>
-------------------------------------------------------