Re: [IPsec] [I2nsf] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Section 1)

Rafa Marin Lopez <> Thu, 06 December 2018 10:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E333D130E23; Thu, 6 Dec 2018 02:14:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Pu-l5Wj0VnvZ; Thu, 6 Dec 2018 02:14:11 -0800 (PST)
Received: from ( [IPv6:2001:720:1710:601::43]) by (Postfix) with ESMTP id 20A48130DCE; Thu, 6 Dec 2018 02:14:11 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id C96D521703; Thu, 6 Dec 2018 11:14:08 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id qf0OPW4UJpLa; Thu, 6 Dec 2018 11:14:08 +0100 (CET)
Received: from [] ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa) by (Postfix) with ESMTPSA id 74EA921730; Thu, 6 Dec 2018 11:14:05 +0100 (CET)
Content-Type: multipart/alternative; boundary="Apple-Mail=_541542A4-482B-4037-9C10-A3C4BA557473"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Rafa Marin Lopez <>
In-Reply-To: <>
Date: Thu, 6 Dec 2018 11:06:44 +0100
Cc: Rafa Marin Lopez <>, Yoav Nir <>, Gabriel Lopez <>, "" <>, " WG" <>, Paul Wouters <>
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Linda Dunbar <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Subject: Re: [IPsec] [I2nsf] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Section 1)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Dec 2018 10:14:16 -0000

Hi Linda:

I still have doubts about these terms. In both cases, there is a centralized key distribution: with IKE , the controller may distribute key material (i.g. the PSK for IKE authentication) or some certification. Without IKE  (case 2) the centralized key distribution refers to IPsec SAs. 

Moreover the word IKE is important in case 1 , only IKEv2 is considered. 

Best Regards.

> El 5 dic 2018, a las 22:29, Linda Dunbar <> escribió:
> I like the title of  “distributed keying” (case 1) vs “centralized keying” (Case 2).
> Linda
>   <>
> From: I2nsf [] On Behalf Of Yoav Nir
> Sent: Tuesday, November 27, 2018 4:39 PM
> To: Gabriel Lopez <>
> Cc:; WG <>rg>; Paul Wouters <>ca>; Rafa Marin Lopez <>
> Subject: Re: [I2nsf] [IPsec] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Section 1)
> A couple of remarks (with no hats)
> If we’re bikeshedding the names, I think the difference is that in one case the two NSFs generate traffic keys between themselves, and in the other it is the controller that generates the keys for them.  So how about “distributed keying” vs “centralized keying”, or perhaps “automatic keying” vs “SDN keying”.
> Also, I have been asked by someone not on this list whether our work covers the road warrior use case. I said it didn’t and wondered why. So I got these points:
> Road warriors are numerous and not where the administrator can configure them manually.
> Additionally, the configuration of what networks, gateways (NSFs), and resources a road warrior may access (in IPsec terms, the SPD and PAD) change often.
> Because of the above, some automatic method of configuring SPD and PAD is needed.
> There is also the issue of multiple VPN gateways covering similar domains, and VPN gateways being overloaded or down for maintenance, as well as malfunctions in the network behind those VPN gateways. So the decision on which gateway a road warrior should use to access a particular resource is also a natural question to ask an SDN controller.
> Since I used to work for a VPN vendor, I can tell you what our product did:
> The current configuration was formatted (automatically by a management function) as a text file that the road warrior downloaded through the VPN gateway (the gateway doubled as a server serving this one file)
> The proper gateway to connect to was determined by pinging all gateways that were possible according to the configuration file.
> This did not account for any internal networking issues.
> I don’t know if this should be part of *this* effort, but there is a use case for road warrior SDN.
> Yoav