IETF Logo Mail Archive

Re: [I2nsf] Éric Vyncke's No Objection on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with COMMENT)

Rafa Marin-Lopez <rafa@um.es> Tue, 01 December 2020 17:59 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41B7D3A140F; Tue, 1 Dec 2020 09:59:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.117
X-Spam-Level:
X-Spam-Status: No, score=-2.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORyfKz8PUmsB; Tue, 1 Dec 2020 09:59:53 -0800 (PST)
Received: from mx01.puc.rediris.es (outbound4mad.lav.puc.rediris.es [130.206.19.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63A03A13F4; Tue, 1 Dec 2020 09:59:52 -0800 (PST)
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by mx01.puc.rediris.es with ESMTP id 0B1Hxivq006431-0B1Hxivr006431; Tue, 1 Dec 2020 18:59:44 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id 25ABC2563C; Tue, 1 Dec 2020 18:59:44 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 0cFLEknpu9oH; Tue, 1 Dec 2020 18:59:44 +0100 (CET)
Received: from quantum.inf.um.es (quantum.inf.um.es [155.54.204.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id 65FA425631; Tue, 1 Dec 2020 18:59:36 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <D3458128-2B47-46F4-BC3E-2DB57EE2400C@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E8D01BF7-4F22-44EB-8E26-F446A53FDA4B"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Tue, 01 Dec 2020 18:59:35 +0100
In-Reply-To: <160456490800.32068.18022486542487420574@ietfa.amsl.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, The IESG <iesg@ietf.org>, i2nsf@ietf.org, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, ynir.ietf@gmail.com, i2nsf-chairs@ietf.org
To: Éric Vyncke <evyncke@cisco.com>
References: <160456490800.32068.18022486542487420574@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.169, helo=xenon42.um.es, mailFrom=rafa@um.es
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.169 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=jxIkYfFL0TlztLOiI/SDIKOdwVomH0b19yGHWDTMRQQ=; b=2PdUvTjpMZ3cb2B4b/pHPJcfmnEkz7GwqjyzHzx0tuPR8VgnQpsXsYBwxVtc4fgdm2QyVf1Pq8I4 g1DH8RnnQ0s3w0O8Fb0KvhhPVOrwYZjwbK5hb4k/SN/TIvS9eDNTC5qGfJOmlFpT7+ooRv7U3HwJ VtpqZePezpLYyp1+6nBD/EEffAnxZiTQCAXWpYiDv2oZHaWfZZToO9lE0reTm+hH+0NU/r3mK7Ee l1YGPFbt8DjqzlsZ76wpLhAqMQf4KpszMByHTM2xnU1kcjUZTEXuo++iORoxzLxd+kVCF/Scno9l 81qQzd3g0TqU2ZMfizcfpfA415L6nKdO2V2z4A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/wWgVvsizOrf6rvbQsGJMwa-3DWE>
Subject: Re: [I2nsf] Éric Vyncke's No Objection on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with COMMENT)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 17:59:55 -0000

Dear Éric:

Thank you very much for your insight and comments. They are very valuable. Please see our comments inline.

> El 5 nov 2020, a las 9:28, Éric Vyncke via Datatracker <noreply@ietf.org> escribió:
> 
> Éric Vyncke has entered the following ballot position for
> draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you for the work put into this document.
> 
> Please find below one blocking DISCUSS point, some non-blocking COMMENT points,
> and some nits.
> 
> I support Erik Kline's DISCUSS points as well as Ben Kaduk's DISCUSS point
> about vendor-specific.
> 
> I hope that this helps to improve the document,
> 
> Regards,
> 
> -éric
> == COMMENTS ==
> 
> -- Section 5 --
> Isn't there also the 'load sharing by IPSEC-only NSF' a use case ? Where simple
> ECMP could split traffic to several IPSec-only NSFs configured with the same
> parameters (SADB, SPD, ...) (anti-reply being probably impossible to offer
> though)

[Authors] This is a very interesting question. During the development of this I-D there was no discussion about this use case. The I-D focused on defining an interface to allow configure case 1 (with IKE) and case 2 (with IKE-less). 

In any case, we would like to correctly understand what you are mentioning here. If our understanding is correct the idea is to have, for example, two NSFs (NSF A and NSF B) which have the same IPsec SA configured in both. That would mean the same SPI, traffic selectors, and same symmetric keys, and the same IP addresses that represent the tunnel endpoints, is this correct? 

The traffic may go through NSF -A or NSF-B (we are assuming that NSF-A and NSF-B use tunnel endpoints) due to ECMP to reach NSF-C, which is the NSF in the other network. We were wondering if you had in mind that NSF-A and NSF-B act as a single “virtual” NSF, thus representing with the same tunnel endpoint in the IPsec SA so that NSF-C believes that tunnel endpoint is common to NSF-A and NSF-B (actually NSF-C does not distinguish between NSF-A or NSF-B). We assume this since you mention that IPsec SAs and policies are exactly the same  in NSF-A and NSF-B. So in the end, the NSF-C has only two IPsec SAs: one for the inbound traffic and another for the outbound traffic. In such a case, we agree with you that anti-replay must be deactivated since the sequence numbers in the NSF-A and NSF-B are not synchronized and NSF-C may see this as replay and drop the packets. 

Option 1:

                             -> NSF-A ------|
Network 1       ----+                       +------------IPsec tunnel-----------NSF-C---- Network 2
                             -> NSF-B-------|


Another alternative that you may have considered is that, actually, there are two tunnels , one between NSF-A and NSF-C and another one between NSF-B and NSF-C, and therefore they are different IPsec SAs (different SPIs, symmetric keys, endpoint tunnel). Something like:


Option 2:

                     -> NSF-A ------|--------------------------------------------|
Network 1       ----+                                                           NSF-C---- Network 2
                     -> NSF-B-------|--------------------------------------------|


Either way, if something similar to these options is what you had in mind, we believe that it is possible to configure it in case 2 (IKE-less). For option 1, the programming in the I2NSF controller for this use case should consider NSF-A and NSF-B as a cluster of NSFs (a “virtual” NSF made up of two “physical” NSFs) and configure same IPsec SAs and policies in both NSF-A and B. Also, it should also react to a notification coming from NSF-A or NSF-B as a notification coming from the virtual NSF, e.g., a rekey coming from the virtual NSF. For option 2, it is simpler because the controller only needs to keep two different IPsec SAs.

In our opinion, it is undoubtedly an interesting use case but since it was not analyzed during I2NSF discussion we would not dare to include it without further discussion. Having said this, we believe we could write a personal I-D explaining this use case. In our opinion, our current I-D has the pieces required to carry out this scenario.

> 
> -- Section 6 --
> It seems that this section sometimes uses the term 'model' instead of 'module’.

[Authors] It is true that we use both. In RFC 7950 abstract, it seems to refer to model to the “data model” while module is referring to “YANG module”. In fact, RFC 7950 mentions:

“ YANG data models are defined in modules.  A module contains a collection of related definitions.

In any case, we will revise the text so that we use model when we are referring to data model. 

> 
> -- Section 6.1 --
> I would have preferred to use 'local-prefix' rather than 'local-subnet' as the
> latter is old looking IPv4 subnet.

[Authors] Ok, no problem . We will change this.


> 
> The "state" part does not seem to contain the current state of the IKE finite
> state machine, is it on purpose ?

[Authors] Yes, it is. With case 1 (IKE in the NSF) the design is thought as the I2NSF controller sends the configuration and leaves IKE to do its operation, simplifying the I2NSF controller operation. We did not feel from the discussions in the I2NSF WG the need of adding the data about IKE state machine. 

> 
> -- Section 8.2 --
> As IKEv2 provides "perfect forward secrecy" should this section mandating the
> use of a secure channel between SDN and the NSF also with "perfect forward
> secrecy" and same reasoning for the encryption algorithms of course.


[Authors] Yes, you’re correct. We could add the following text in section 8.2

“The security association between the I2NSF Controller and the NSFs MUST provide, at least, the same degree of protection as the one achieved by the IPsec SAs configured in the NSFs. In particular, the security association between the I2NSF Controller and the NSFs MUST provide forward secrecy if this property is to be achieved in the IPsec SAs that the I2NSF Controller configures in the NSFs. Similarly, the encryption algorithms used in the security association between I2NSF Controller and the NSF MUST have, at least, the same strength as the algorithms used to establish the IPsec SAs.”

Is this reasonable?

Best Regards.


> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email