Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Sowmini Varadhan <sowmini05@gmail.com> Thu, 16 June 2016 15:57 UTC
Return-Path: <sowmini05@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A0412D95E for <nvo3@ietfa.amsl.com>; Thu, 16 Jun 2016 08:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ln3fovDdSCJb for <nvo3@ietfa.amsl.com>; Thu, 16 Jun 2016 08:57:27 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F8D12B076 for <nvo3@ietf.org>; Thu, 16 Jun 2016 08:57:26 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id d132so76072668oig.1 for <nvo3@ietf.org>; Thu, 16 Jun 2016 08:57:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=wp869claZVUPuPq5XJzL7s4kq7pHLEc7D8Mbk/CxJn0=; b=Cd1Y4Luy0w+ITEeMOznj3pTjCgu69JF8Urbjdmmm1Bf2dHy/vlrOMo8ER+xRKwiO3O d33YcGEmNR29VQLQCp9fNwPL19T6RoUGMIz4TmAd29CB6VZQZ00C+7yhlTXeSyOcGIGP jy5muk8uCAGhEKCkYUmNTxdFoDHWDhmKxBOaAFHvLWadLfAL47u0sB7c2qrNBao5b3nP loL94kPh3BHvn4csNRg2TSv/kK861/nnnXWKRvKUbHZ2gkJ2vrYsfVTfM+n2Im/7iIo8 0u0lKQZv/b8qqyDDuLizZh4iveeWXTRbFbbdjgAsedQOJVta8SQRYvb2kB3pM6IHAWLI SFXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=wp869claZVUPuPq5XJzL7s4kq7pHLEc7D8Mbk/CxJn0=; b=hfSVgDvfg2vk6jE30YlVHx/OQePAwkN7WJZZty1cMVMjAO/+yWiJJDR9lgA78Ezvpo wO4IagI4L4Nj3eO8PVkzzjgcZ7PetjcM81uCZBaMNnLTDZVFUDhar9/jCoN5q5MUTueE x5D+wakAMPYIaY4T5T/k01JHY6wFL5ZL15h+rGPLSVp83YpDkQ0Oe/lfVBMWClshANWY fiXoXLeEMWc9pOZtKmb7mYYf/3QjOEUbcfdVlA8GpnKDT3smst7CJfsAfQEkdz82hYak cQuRs8R2tU72UKIur1TmaGOdztBWgUECQGJjOzl8roV86QuWFzZTBfMVr6KiUBuGHAMu a2uA==
X-Gm-Message-State: ALyK8tKS/pb2otOIXu0m8JdTzqT08XrKvMs4ck2kN60/rRqzlndgyfqQ9RIW7fFfOoQn0zKYDdNOUF/ckPvQwg==
X-Received: by 10.157.47.189 with SMTP id r58mr289782otb.163.1466092645553; Thu, 16 Jun 2016 08:57:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.42.87 with HTTP; Thu, 16 Jun 2016 08:57:24 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb>
References: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb>
From: Sowmini Varadhan <sowmini05@gmail.com>
Date: Thu, 16 Jun 2016 11:57:24 -0400
Message-ID: <CACP96tSfp4XEU9mKzRD=Dm5hMDGN7uGiM6Eje5-_udiDXWLwsA@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/zB6RMEPVoEy7BFPzjcAaha_ZxsY>
Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>, NVO3 <nvo3@ietf.org>, Liyizhou <liyizhou@huawei.com>
Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec connection from the Underlay for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 15:57:29 -0000
On Wed, Jun 15, 2016 at 8:55 AM, Linda Dunbar <linda.dunbar@huawei.com> wrote: > > NVO3 Participants, > > > > I2NSF (Interface to Network Security function) has a work item in defining the flow security policy between domains (which includes inquiry of the capability from one domain to another and the actual flow policy rules from one domain to another). > > Very often, the paths (or links) among nodes of a overlay network are provided by other network operators (a.k.a. “underlay network”). The flow policy rules are intended to filter out unwanted traffic from underlay network so that various attack traffic won’t saturated the access links to the overlay nodes. > > > > One interesting scenario brought up is Overlay nodes may need to request some traffic to be traversing IPsec channel. To achieve this goal, it is necessary for Overlay Network controller to inquire if the needed IPsec resource are even available before send the request (may even involve AAA process between controllers of each corresponding domain ). > > > > Want to have a survey if people see the use case of Overlay Network needing portion of traffic to be through IPSec channel? Yes, this is a valid use case, and one that we are looking at as well. > IPSec is supposed to be between two end nodes. Here we assume that the Overlay nodes don’t have the resource or capability for IPsec, but expect IPsec between flow’s ingress and egress nodes (i.e. NVE). > Any opinion is appreciated. > > Are there any use cases of overlay network needing IPSec among their nodes only for a specific time span? i.e. Time based IPSec connection? Time based IPsec connection is not a use-case we have encountered. People usually use IKE for periodic key-rollover, if that is the goal. However, applying IPsec to specific flows (e.g., those defined by a src or dst port on which the service listens) is important. But that also made me wonder about the interaction between IPsec/IKE and the proposed BGP FS (IPsec is frequently used between end-systems that do not want to run a BGP daemon). Since the config information that needs to be distributed are things like keys, algorithms etc to populate the sadb/spd, IKE looks more appropriate in most cases. Like [CJ], I too have to read the draft in greater detail to comment further. --Sowmini
- Re: [nvo3] How does Overlay Network inform the Un… Sowmini Varadhan
- Re: [nvo3] [I2nsf] How does Overlay Network infor… Rafa Marin Lopez
- [nvo3] How does Overlay Network inform the Underl… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Sowmini Varadhan
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] Can Overlay nodes see any difference o… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] : Any use cases of Overlay network req… Linda Dunbar
- [nvo3] Can Overlay nodes see any difference on ho… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Tom Herbert
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] FW: Any use cases of Overlay network r… Lou Berger
- [nvo3] FW: Any use cases of Overlay network reque… Linda Dunbar