Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Lucy yong <lucy.yong@huawei.com> Thu, 16 June 2016 14:19 UTC
Return-Path: <lucy.yong@huawei.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91EE412D773; Thu, 16 Jun 2016 07:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YAEG7N7pPAwr; Thu, 16 Jun 2016 07:19:10 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 834B912D74D; Thu, 16 Jun 2016 07:19:09 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CQX72130; Thu, 16 Jun 2016 14:19:06 +0000 (GMT)
Received: from DFWEML701-CAH.china.huawei.com (10.193.5.175) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 16 Jun 2016 15:19:02 +0100
Received: from DFWEML501-MBB.china.huawei.com ([10.193.5.179]) by dfweml701-cah.china.huawei.com ([10.193.5.175]) with mapi id 14.03.0235.001; Thu, 16 Jun 2016 07:18:53 -0700
From: Lucy yong <lucy.yong@huawei.com>
To: Xuxiaohu <xuxiaohu@huawei.com>, Lou Berger <lberger@labn.net>, Linda Dunbar <linda.dunbar@huawei.com>, Liyizhou <liyizhou@huawei.com>, NVO3 <nvo3@ietf.org>
Thread-Topic: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Thread-Index: AdHBttspF0pOVdD6ST+kJ/stBROvZgAAPeIQAAFZtWAAelRdMAB46/+QAABawNAAPN71wAAa2zQQABmpEIAAGUn2gAAIsN8A
Date: Thu, 16 Jun 2016 14:18:53 +0000
Message-ID: <2691CE0099834E4A9C5044EEC662BB9D57299BE8@dfweml501-mbb>
References: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb> <d47517f0-b1b7-950d-ac81-04f16af591b8@labn.net> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5646D5@NKGEML515-MBX.china.huawei.com>
In-Reply-To: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5646D5@NKGEML515-MBX.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.132.101]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.5762B55B.01D4, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 88aeb6b020015da33772ae53dcc4e213
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/c7Bx1xoWpoksjqEEY6G32qfcNUU>
Cc: "IPsec@ietf.org" <IPsec@ietf.org>
Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 14:19:13 -0000
FYI. draft-hy-nov3-gue-4-secure-transport specifies ESP-over-UDP that provides the benefits mentioned below. Lucy -----Original Message----- From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Xuxiaohu Sent: Wednesday, June 15, 2016 10:04 PM To: Lou Berger; Linda Dunbar; Liyizhou; NVO3 Cc: IPsec@ietf.org Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface? Hi Lou, If IPsec tunnels are used within data centers, the security need is well satisfied. However, the ECMP capability built on the UDP tunnels is lost at all. So, how about encapsulating IPsec ESP over UDP tunnels for load-balancing improvement purpose? Note that this ESP-over-UDP encapsulation is different from the ESP-over-UDP encapsulation as described in RFC3948: the former uses the UDP tunnel for load-balancing improvement purpose and therefore the source port is used as an entropy field, in contrast, the latter uses the UDP tunnel for NAT traversal purpose and therefore the source port is set to a constant value (i.e.,4500). By the way, I had wrote a draft about this ESP-over-UDP approach (w/o submission) three years ago when considering how to use UDP tunnels to transport MPLS and IP traffic. If there is enough interest on this ESP-over-UDP approach, I can update it and then submit it for further discussion. Best regards, Xiaohu > -----Original Message----- > From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Lou Berger > Sent: Wednesday, June 15, 2016 11:00 PM > To: Linda Dunbar; Liyizhou; NVO3 > Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting > IPSec connection from the Underlay for a specific time span? (was : > Flow Security Policies exchanged over I2NSF service layer interface? > > > Yes -- this is a real use case. > > This use case (overlays interconnected over IPsec tunnels with NVE end > points) motivated our work on RFC5566 and we built supported for it > (as well as other tunnel technologies) in a quagga based NVO3 controller. > This code is publicly available, but is not yet part of a standard quagga release. > > Lou > > On 6/15/2016 8:55 AM, Linda Dunbar wrote: > > > > NVO3 Participants, > > > > > > > > I2NSF (Interface to Network Security function) has a work item in > > defining the flow security policy between domains (which includes > > inquiry of the capability from one domain to another and the actual > > flow policy rules from one domain to another). > > > > Very often, the paths (or links) among nodes of a overlay network > > are provided by other network operators (a.k.a. "underlay network"). > > The flow policy rules are intended to filter out unwanted traffic > > from underlay network so that various attack traffic won't saturated > > the access links to the overlay nodes. > > > > > > > > One interesting scenario brought up is Overlay nodes may need to > > request some traffic to be traversing IPsec channel. To achieve this > > goal, it is necessary for Overlay Network controller to inquire if > > the needed IPsec resource are even available before send the request > > (may even involve AAA process between controllers of each > > corresponding domain ). > > > > > > > > Want to have a survey if people see the use case of Overlay Network > > needing portion of traffic to be through IPSec channel? > > > > IPSec is supposed to be between two end nodes. Here we assume that > > the Overlay nodes don't have the resource or capability for IPsec, > > but expect IPsec between flow's ingress and egress nodes (i.e. NVE). > > > > > > > > Any opinion is appreciated. > > > > Thanks, > > > > Linda > > > > > > > > *From:*Linda Dunbar > > *Sent:* Tuesday, June 14, 2016 4:03 PM > > *To:* 'christian.jacquenet@orange.com'; BOUCADAIR Mohamed IMT/OLN > > *Cc:* I2NSF@ietf.org > > *Subject:* Any use cases of Overlay network requesting IPSec > > connection from the Underlay for a specific time span? (was : Flow > > Security Policies exchanged over I2NSF service layer interface? > > > > > > > > Christian, > > > > > > > > Your feedback seems to suggest that Overlay network Controller may > > send request to the underlay network controller requesting IPsec > > connections among overlay nodes. Do I understand you correctly? > > > > > > > > Are there any use cases of overlay network needing IPSec among their > > nodes only for a specific time span? i.e. Time based IPSec connection? > > > > > > > > Linda > > > > > > > > *From:*christian.jacquenet@orange.com > > <mailto:christian.jacquenet@orange.com> > > [mailto:christian.jacquenet@orange.com] > > *Sent:* Monday, June 13, 2016 11:23 AM > > *To:* Linda Dunbar; BOUCADAIR Mohamed IMT/OLN > > *Subject:* RE: Any feedback on the Protocol Independent Flow > > Security Policies exchanged over I2NSF service layer interface? > > > > > > > > > > > > *[snip]* > > > > > > > > > > > > > > > > Very often, the paths (or links) among nodes of a overlay network > > are provided by other network operators (a.k.a. "underlay network"). > > Very much like traditional networks placing FW (Firewall) or IPS > > (Intrusion Prevention System) on the wire to enforce the flow > > security rules, I2NSF *_Protocol Independent Flow Security > > Policies_* can be used by overlay networks to request certain flow > > based security rules to be enforced by its underlay networks, to > > prevent the unwanted attacks traffic from occupying the physical > > links and ports to the overlay network nodes, and to avoid the > > overlay nodes' CPU/Storage/Port utilization being consumed down by > > the various attacks. Here is one example of "Overlay Video > > Communication network" exchange Flow Policies to the Underlay network. > > > > > > > > > > > > cid:image001.png@01D1B516.7F74E410 > > > > > > > > */[CJ] /*The above example clearly shows the necessary interaction > > between the two PDPs/controllers, to make sure that decisions made > > by the network controller accommodate the needs of the video > > customer as possibly expressed towards the video controller: for > > example, customer demands that the confidentiality of the > > videoconference needs to be preserved, thereby suggesting the use of > > the IPsec protocol suite. The video controller may enforce an IPsec > > design based upon the transport mode, whereas the network controller > > is solicited to allocate IPsec resources (read for example no AH, > > ESP in NULL mode) accordingly. This may possibly raise conflicting > > configuration tasks (the video controller uses AH, the network > > controller doesn't), thereby leading to inconsistency that may > > jeopardize the service. Whether BGP FS is used to carry security > > policy information between the two controllers is hardly the point, > > imho: what matters is the consistency of the (flow-based security > > policies enforced by both parties, and which should be derived from the customer's requirements (if any). > > > > The goal of I2NSF is to specify the common information model and > > data model for the *_ Protocol Independent Flow Security Policies > > _*which can be queried and set between domains. > > > > [CJ] OK. > > > > * * > > > > https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos-m > > it igation-api/ is just the starting point. (needs more work to > > improve the clarity). > > We are asking if people to express their opinion on this work to the > > I2NSF@ietf.org <mailto:I2NSF@ietf.org> list. > > > > [CJ] I need to read this draft and will get back to you accordingly, > > but this may take a couple of weeks as I'm pretty busy for the time being. > > > > > > > > I'll let Med further comment as appropriate. > > > > > > > > Cheers, > > > > > > > > Christian. > > > > > > > > Thanks, Linda > > > > > > > > > _____________________________________________________________ > _________ > > ___________________________________________________ > > > > Ce message et ses pieces jointes peuvent contenir des informations > > confidentielles ou privilegiees et ne doivent donc pas etre > > diffuses, exploites ou copies sans autorisation. Si vous avez recu > > ce message par erreur, veuillez le signaler a l'expediteur et le > > detruire ainsi que les pieces > jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > > > This message and its attachments may contain confidential or > > privileged information that may be protected by law; they should not > > be > distributed, used or copied without authorisation. > > If you have received this email in error, please notify the sender > > and delete this > message and its attachments. > > As emails may be altered, Orange is not liable for messages that > > have been > modified, changed or falsified. > > Thank you. > > > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3 > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3
- Re: [nvo3] How does Overlay Network inform the Un… Sowmini Varadhan
- Re: [nvo3] [I2nsf] How does Overlay Network infor… Rafa Marin Lopez
- [nvo3] How does Overlay Network inform the Underl… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Sowmini Varadhan
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] Can Overlay nodes see any difference o… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] : Any use cases of Overlay network req… Linda Dunbar
- [nvo3] Can Overlay nodes see any difference on ho… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Tom Herbert
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] FW: Any use cases of Overlay network r… Lou Berger
- [nvo3] FW: Any use cases of Overlay network reque… Linda Dunbar