IETF Logo Mail Archive

Re: [nvo3] How does Overlay Network inform the Underlay network on which flows among Overlay network nodes need to go through IPSec Tunnel? (was : Flow Security Policies exchanged over I2NSF service layer interface?

Sowmini Varadhan <sowmini.varadhan@oracle.com> Fri, 17 June 2016 21:21 UTC

Return-Path: <sowmini.varadhan@oracle.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62A7D12D8BB; Fri, 17 Jun 2016 14:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.646
X-Spam-Level:
X-Spam-Status: No, score=-5.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSYolIN9VSC9; Fri, 17 Jun 2016 14:21:54 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225C612D145; Fri, 17 Jun 2016 14:21:54 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u5HLLhVc028709 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 17 Jun 2016 21:21:44 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u5HLLhCb017224 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Jun 2016 21:21:43 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u5HLLgvG004772; Fri, 17 Jun 2016 21:21:42 GMT
Received: from oracle.com (/10.154.116.124) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 17 Jun 2016 14:21:42 -0700
Date: Fri, 17 Jun 2016 17:21:39 -0400
From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Message-ID: <20160617212139.GA29411@oracle.com>
References: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb> <CACP96tSfp4XEU9mKzRD=Dm5hMDGN7uGiM6Eje5-_udiDXWLwsA@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657EB587D@dfweml501-mbb>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657EB587D@dfweml501-mbb>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/xZKCw34olnjHgEdiwQUoZmvGINY>
Cc: "I2NSF@ietf.org" <I2NSF@ietf.org>, NVO3 <nvo3@ietf.org>, Sowmini Varadhan <sowmini05@gmail.com>, Liyizhou <liyizhou@huawei.com>
Subject: Re: [nvo3] How does Overlay Network inform the Underlay network on which flows among Overlay network nodes need to go through IPSec Tunnel? (was : Flow Security Policies exchanged over I2NSF service layer interface?
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 21:21:56 -0000

On (06/17/16 08:43), Linda Dunbar wrote:
>    Sowmini,
>     
>    You said:
>    "However, applying IPsec to specific flows (e.g., those defined by a src
>    or dst port on which the service listens) is important."
>     
>    What is the current operation procedure for Overlay network to inform the
>    underlay network on which flows to go through IPSec channel?
>    You said:
>    "..But that also made me wonder about the interaction between IPsec/IKE
>    and the proposed BGP FS (IPsec is frequently used between end-systems that
>    do not want to run a BGP daemon). Since the config information that needs
>    to be distributed are things like keys, algorithms etc to populate the
>    sadb/spd, IKE looks more appropriate in most cases."
>     
>    Does the underlay network controller get some information (or hint from
>    the Overlay network controller) on how the keys are configured for the
>    IPSec tunnel for the specific flows among the Overlay nodes?

there are 2 aspects to this

- for the underlay network, as nodes/NVEs appear, the controller 
  needs to update the relevant nodes, because, as you pointed out,
  ipsec SAs are between 2 end-points, so all the needed pair-wise
  associations need to be set up. 

- overlay -> underlay communication- overlay network needs some way
  to tell the underlay which flows need to the ipsec transforms
  (and what ipsec config params to use for those transforms). At the 
  moment we have a simplistic model for achieving this, but
  this obviously needs to scale. One way would be by orchestrating this
  via some management connection to the controller.

--Sowmini

v2.23.0 | Report a Bug | By Email