Re: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Linda Dunbar <linda.dunbar@huawei.com> Wed, 03 April 2019 16:39 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E6312009E; Wed, 3 Apr 2019 09:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trNBwaM23_33; Wed, 3 Apr 2019 09:39:16 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2418E120046; Wed, 3 Apr 2019 09:39:15 -0700 (PDT)
Received: from LHREML714-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 44810522BAF7D62503DE; Wed, 3 Apr 2019 17:38:43 +0100 (IST)
Received: from SJCEML703-CHM.china.huawei.com (10.208.112.39) by LHREML714-CAH.china.huawei.com (10.201.108.37) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 3 Apr 2019 17:38:41 +0100
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.52]) by SJCEML703-CHM.china.huawei.com ([169.254.5.214]) with mapi id 14.03.0439.000; Wed, 3 Apr 2019 09:38:34 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>, "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>, Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>
CC: Roman Danyliw <rdd@cert.org>, idr wg <idr@ietf.org>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, Gabriel López Millán <gabilm@um.es>, Yoav Nir <ynir.ietf@gmail.com>, Alvaro Retana <aretana.ietf@gmail.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Rafa Marin Lopez <rafa@um.es>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration
Thread-Index: AQHU6NcBV2DVYwGHs0CAeJcFZ0X8daYoVi6AgAA64gCAAhIbAIAAAePA
Date: Wed, 03 Apr 2019 16:38:33 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B3612B1@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B33E27F@sjceml521-mbs.china.huawei.com> <CAB=gXc6aZ2D1K_q3MjVJMEYxEykJO_oxhoSkOEyytOOaa=_ouA@mail.gmail.com> <PR1PR07MB5755052B214EA1243DF2A7EE95550@PR1PR07MB5755.eurprd07.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12CA424B2@dggemm511-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.109]
Content-Type: multipart/related; boundary="_005_4A95BA014132FF49AE685FAB4B9F17F66B3612B1sjceml521mbschi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-6OXv-S_xFhofs4R6-ZmIaSU6fk>
Subject: Re: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 16:39:18 -0000

p.s. meant to include
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ already has:

[cid:image001.png@01D4EA11.C3579EB0]
[cid:image002.png@01D4EA11.C3579EB0]

Linda

From: Linda Dunbar
Sent: Wednesday, April 03, 2019 11:36 AM
To: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es>
Cc: Roman Danyliw <rdd@cert.org>; idr wg <idr@ietf.org>; stephane.litkowski@orange.com; i2nsf@ietf.org; idr-chairs@ietf.org; Gabriel López Millán <gabilm@um.es>; Yoav Nir <ynir.ietf@gmail.com>; Alvaro Retana <aretana.ietf@gmail.com>; ipsec@ietf.org WG <ipsec@ietf.org>; Benjamin Kaduk <kaduk@mit.edu>; Rafa Marin Lopez <rafa@um.es>; Paul Wouters <paul@nohats.ca>
Subject: RE: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Jun,

For example, the SPD for IPsec Traffic Selection instructed by the controller as specified by  https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/  can conflict from the TS sent from the BGP peers. What should the node do? Listen to its peers for Traffic selection for an IPsec tunnel, or listen to its controller (or its administrator)?

Unlike attached routes discovery, IPsec TS is usually configured by nodes’ administer or Controller. That is probably why RFC5566 doesn’t cover any of those aspects.

Best regards,

Linda

From: Xialiang (Frank, Network Standard & Patent Dept)
Sent: Monday, April 01, 2019 8:52 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>; Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es<mailto:fernando.pereniguez@cud.upct.es>>; Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Cc: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>; idr wg <idr@ietf.org<mailto:idr@ietf.org>>; stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>; i2nsf@ietf.org<mailto:i2nsf@ietf.org>; idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>; Gabriel López Millán <gabilm@um.es<mailto:gabilm@um.es>>; Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>>; Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>; ipsec@ietf.org<mailto:ipsec@ietf.org> WG <ipsec@ietf.org<mailto:ipsec@ietf.org>>; Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>; Rafa Marin Lopez <rafa@um.es<mailto:rafa@um.es>>; Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>>
Subject: 答复: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Hi Jun,
My personal view is no matter which use cases (SDN-based or BGP-based) you are for, the basic goal is to configure/distribute the IPSec parameters between the associated peers, for next step IKEv2 session negotiation. That is why all these related drafts should be aligned in certain way.

B.R.
Frank

发件人: I2nsf [mailto:i2nsf-bounces@ietf.org] 代表 Hu, Jun (Nokia - US/Mountain View)
发送时间: 2019年4月2日 6:22
收件人: Fernando Pereñíguez García <fernando.pereniguez@cud.upct.es<mailto:fernando.pereniguez@cud.upct.es>>; Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
抄送: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>; idr wg <idr@ietf.org<mailto:idr@ietf.org>>; stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>; i2nsf@ietf.org<mailto:i2nsf@ietf.org>; idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>; Gabriel López Millán <gabilm@um.es<mailto:gabilm@um.es>>; Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>>; Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>; ipsec@ietf.org<mailto:ipsec@ietf.org> WG <ipsec@ietf.org<mailto:ipsec@ietf.org>>; Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>; Rafa Marin Lopez <rafa@um.es<mailto:rafa@um.es>>; Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>>
主题: Re: [I2nsf] [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Again, Linda, as discussed with you multiple times, my draft is really about extending current draft-ietf-idr-tunnel-encaps<https://datatracker.ietf.org/doc/draft-ietf-idr-tunnel-encaps/> to cover IPsec tunnel and other encryption tunnel like DTLS in next revsion (based on the feedback I got from Prague);
My draft is not intended to address SDN for IPsec use case and it does not require a central controller, and there are use cases where a central controller is not needed or can’t be used, my draft is intended for those cases;

So I really don’t see any conflict here

From: IPsec <ipsec-bounces@ietf.org<mailto:ipsec-bounces@ietf.org>> On Behalf Of Fernando Pere?íguez García
Sent: Monday, April 1, 2019 3:05 PM
To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Cc: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>; idr wg <idr@ietf.org<mailto:idr@ietf.org>>; stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>; i2nsf@ietf.org<mailto:i2nsf@ietf.org>; idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>; Gabriel López Millán <gabilm@um.es<mailto:gabilm@um.es>>; Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>>; Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>; ipsec@ietf.org<mailto:ipsec@ietf.org> WG <ipsec@ietf.org<mailto:ipsec@ietf.org>>; Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>; Rafa Marin Lopez <rafa@um.es<mailto:rafa@um.es>>; Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>>
Subject: Re: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Hi Linda,

We have revised draft-hujun-idr-bgp-ipsec and, to the best of our understanding, we do not see any conflict with our draft being discussed in I2NSF. The IPsec attributes configured through BGP are only the peer’s tunnel address and local/remote subnet prefixes (that are used for the traffic selectors).  The rest of the IPsec configuration (AH/ESP, cryptographic algorithms, keys, etc.) are obtained via a “color mapping”, which is something not covered by the draft since it assumes routers are somehow pre-provisioned with this information.

Thus, we do not see this draft is also facing the task of formalizing the complete configuration of an IPsec device. We appreciate any clarification in case we are wrong.

Best regards,
Fernando..

El jue., 28 mar. 2019 a las 16:01, Linda Dunbar (<linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>) escribió:

Just to reiterate the concerns and issues I raised during IDR Thurs session discussion on using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec).
Copy I2NSF WG because there is similar discussion for over a year.
Copy IPsecme WG as the group has many experts on the IPsec configuration.


1.      I2NSF WG has an on-going discussion on Controller facilitated IPsec configuration which has been discussed for over a year.  Even though the I2NSF’s  IPsec Configuration is between Controller and devices, whereas the BGP signaling IPsec Configuration proposed by draft-hujun-idr-bgp-ipsec is between peers, the configuration parameters to the devices are for the same purpose, therefore, should be aligned to avoid future conflicts to the industry.



2.      When using IPsec Tunnel between two peers, usually they are separated by untrusted domain. If Router “A” is allowed to  gets the IPsec tunnel configurations from peers across untrusted domain (instead of the today’s practice of from administrators), then many issues come up, for example:



How can a router “A” trust the Traffic Selection policy from a remote peer B? If the router “A” already has its Traffic Selection policy configured for a specific IPsec tunnel, but different from the Traffic Selection policy from remote peer B, which policy should Route A enforce for the IPsec Tunnel?  If the router “A” doesn’t have Traffic Selection policy specified, there are two remote nodes B & C signaling the “A” with different Traffic Selection policy, what should A do?



3.      RFC5566 only specifies a simple indication of IPsec Encap, but doesn’t do any of the IPsec configuration portion.



As indicated by BESS WG chair, there are multiple drafts addressing IPsec in BESS, IDR, and WGs in Security Area, involved Chairs and ADs may need to agree where is the home for continuing the discussion to avoid future conflicts.


Cheers,
Linda Dunbar
_______________________________________________
IPsec mailing list
IPsec@ietf.org<mailto:IPsec@ietf.org>
https://www.ietf.org/mailman/listinfo/ipsec


--
----------------------------------------------------------------------------------------------------
Fernando Pereñíguez García, PhD
Department of Sciences and Informatics
University Defense Center, (CUD), Spanish Air Force Academy, MDE-UPCT
C/ Coronel Lopez Peña, s/n, 30720, San Javier, Murcia - SPAIN
Tel: +34 968 189 946 Fax: +34 968 189 970
------------------------------------------------------------------------------------------------------