IETF Logo Mail Archive

Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Linda Dunbar <linda.dunbar@huawei.com> Tue, 10 July 2018 19:56 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9005A1311A3; Tue, 10 Jul 2018 12:56:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 83xIkdxwDp_x; Tue, 10 Jul 2018 12:56:31 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30EF1310CD; Tue, 10 Jul 2018 12:56:30 -0700 (PDT)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id A261276D80D6B; Tue, 10 Jul 2018 20:56:25 +0100 (IST)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.382.0; Tue, 10 Jul 2018 20:56:27 +0100
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.132]) by SJCEML701-CHM.china.huawei.com ([169.254.3.22]) with mapi id 14.03.0399.000; Tue, 10 Jul 2018 12:56:21 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Eric C Rosen <erosen@juniper.net>, Jeff Tantsura <jefftant.ietf@gmail.com>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Thread-Topic: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
Thread-Index: AQHUF8Lt5oAKKlZ+BUmHgmLAUQBnVKSHVqBAgAGwM4D//5RVgA==
Date: Tue, 10 Jul 2018 19:56:21 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B0AE724@sjceml521-mbs.china.huawei.com>
References: <78D707C9-6DC2-459F-81E4-A53B46F1F019@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com> <e0782033-0031-163f-de07-c055b4322efd@juniper.net>
In-Reply-To: <e0782033-0031-163f-de07-c055b4322efd@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.218.181.47]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B0AE724sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/3zkNyGbliUmO7bXrCWqWA5wy5lY>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 19:56:34 -0000

Eric,

Security area has a Working Group draft on the data model of exchanging IPsec Keys: https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/

It was a very lengthy debate on exposing the key via Netconf. Eventually, they (IPsecme group) agreed to ADOPT BUT requiring the authors to document all the associated security risks in the draft. So that people/companies who are willing to take the risks documented in the draft can use them. Maybe we can get pass security expert review afterwards.

We are hoping for a BGP message with a specific SAFI as did in RFC 5512 to carry the information instead of mixing with the BGP UPDATE message, so that receiving CPE doesn’t have to do extra processing, and the msg can be sent via any paths.

Linda

From: Eric C Rosen [mailto:erosen@juniper.net]
Sent: Tuesday, July 10, 2018 10:13 AM
To: Linda Dunbar <linda.dunbar@huawei.com>; Jeff Tantsura <jefftant.ietf@gmail.com>; idr@ietf.org; draft-ietf-idr-tunnel-encaps@ietf.org
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

On 7/9/2018 4:28 PM, Linda Dunbar wrote:

We would like to use RR as controller to distribute more detailed tunnel information, such as IPsec configuration & keys because in managed large scale Overlay deployment (SD-WAN), it doesn’t scale to allow all CPEs to negotiate IPsec keys.

When first working on RFC 5566, I proposed a number of sub-TLVs that could be used to convey information about how to set up the IPsec Security Associations.  None of thes survived review by the security experts.  Setting up the Security Associations is the job of IKEv2.  If you want to replace IKEv2 with BGP, you'll need a thorough security analysis of your proposed mechanism.

One might think it is okay to have BGP UPDATEs carry secret keys , as long as the UPDATEs only travel on sessions that are protected by IPsec.  I wouldn't necessarily assume that, as BGP UPDATEs have been known to leak (intentionally or unintentionally) beyond their intended scope.

v2.23.0 | Report a Bug | By Email