IETF Logo Mail Archive

Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection

"Dacheng Zhang" <dacheng.zdc@alibaba-inc.com> Fri, 23 October 2015 02:20 UTC

Return-Path: <dacheng.zdc@alibaba-inc.com>
X-Original-To: sdn@ietfa.amsl.com
Delivered-To: sdn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D4F81B30D6 for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 19:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.45
X-Spam-Level:
X-Spam-Status: No, score=0.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1BW2fjRFFcF for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 19:20:26 -0700 (PDT)
Received: from out4133-66.mail.aliyun.com (out4133-66.mail.aliyun.com [42.120.133.66]) by ietfa.amsl.com (Postfix) with ESMTP id 004DA1B30D4 for <sdn@irtf.org>; Thu, 22 Oct 2015 19:20:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1445566822; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=r8WQyns2bnbJ+p0agSZb8yf1O0fNryBYJqAVcSUymlw=; b=iO0okHje1yNv1YYFcp3wAAx/RBWQDISxFFpiHSmaNwQaFD3wzC8O2WNb7agNGPCXIg6zamVtOx4yAzD8SMMCeIi7VauDwNlFLZuTadZOAsncjN7br38ht7DE/wLGtK13gxjv3MGBabR7bYEoiD/Bfo3Sp9je5wkLWlPK9wAp8I8=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R151e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03282; MF=dacheng.zdc@alibaba-inc.com; NM=1; PH=DS; RN=8; SR=0;
Received: from 10.62.53.193(mailfrom:dacheng.zdc@alibaba-inc.com ip:182.92.253.23) by smtp.aliyun-inc.com(127.0.0.1); Fri, 23 Oct 2015 10:20:17 +0800
User-Agent: Microsoft-MacOutlook/14.5.7.151005
Date: Fri, 23 Oct 2015 10:20:14 +0800
From: Dacheng Zhang <dacheng.zdc@alibaba-inc.com>
To: Rafa Marin Lopez <rafa@um.es>, Linda Dunbar <linda.dunbar@huawei.com>
Message-ID: <D24FB47B.2CEFA%dacheng.zdc@alibaba-inc.com>
Thread-Topic: [I2nsf] [Sdn] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
References: <CD8880C6-90B6-4125-BBCE-6AA0B76DA2D7@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D71571@dfweml701-chm> <89725C38-5C24-44B2-9957-BAD267993F92@um.es> <160732AF-02A9-48FB-BF91-94412A1688C0@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D7208A@dfweml701-chm> <BA5091B1-1D84-4A61-ACFC-1332C992E81C@um.es>
In-Reply-To: <BA5091B1-1D84-4A61-ACFC-1332C992E81C@um.es>
Mime-version: 1.0
Content-type: text/plain; charset="GB2312"
Content-transfer-encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sdn/Llfkb5Qaf4EWKUJDkEviB-qI46c>
X-Mailman-Approved-At: Mon, 26 Oct 2015 15:54:37 -0700
Cc: Sam Hartman <hartmans@painless-security.com>, "sdn@irtf.org" <sdn@irtf.org>, Alejandro Abad UM <alejandroprimitivo.abad@um.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, Mahesh Jethanandani <mjethanandani@gmail.com>
Subject: Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
X-BeenThere: sdn@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List to Discuss SDN Research Group in the IRTF <sdn.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/sdn>, <mailto:sdn-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sdn/>
List-Post: <mailto:sdn@irtf.org>
List-Help: <mailto:sdn-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/sdn>, <mailto:sdn-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2015 02:20:30 -0000

Hi, 

Maybe this work is not really considered in the current agenda. But I
think it is very interesting. Also, I am thinking whether the similar idea
can be used to mange the policies of securing routing protocols. We used
to specify a key table specification for different routing protocols. At
that time, someone mentioned it could be a good idea to use controllers to
deploy keys for routing protocols, so that we don’t have to extend IKEv2
to negotiate them. 

Thoughts?

Cheers

Dacheng

在 15-10-23 上午5:54, "I2nsf on behalf of Rafa Marin Lopez"
<i2nsf-bounces@ietf.org on behalf of rafa@um.es> 写入:

>Hi Linda:
>
>> El 22 oct 2015, a las 22:06, Linda Dunbar <linda.dunbar@huawei.com>
>>escribió:
>> 
>> Rafa and Gabi,
>>  
>> Thank you very much for the explanation. That is very helpful.
>>  
>> Based on your explanation,  the Capability Layer interface for IPSec
>>has been defined
>
>If you are referring to the YANG model with IPsec then we have a good
>step with draft-wang-ipsecme-ipsec-yang
>
>> but there is need for the Service Layer rules for IPSec. The service
>>layer IPSec rules can be applied to many pairs of IPsec tunnels, so that
>>administrators don’t need to manually setup each one. Is my
>>understanding correct?
>
>Right, that is also our understanding.
>
>>  
>> Is it true that the IKE policies can be utilized between Security
>>Controller and Client for the Service Layer interface?
>
>Yes, that might be a possibility, though we understand a deeper analysis
>is required.
>
>Best Regards.
>
>>  
>> Thanks, Linda
>>  
>> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Gabriel Lopez
>> Sent: Thursday, October 22, 2015 3:32 AM
>> To: Rafa Marin Lopez
>> Cc: i2nsf@ietf.org; sdn@irtf.org; Alejandro Abad UM; Linda Dunbar
>> Subject: Re: [I2nsf] [Sdn] New update of
>>draft-abad-sdnrg-sdn-ipsec-flow-protection
>>  
>>  
>> Hi,
>>  
>> Thanks for the review.
>>  
>> Please, note that the draft also include IKE policies.
>>  
>> As described in Rafa’s response, IKE allows two peers to dynamically
>>negotiate the cryptography material for IPSec in a secure way.
>> An example of IKE policies could be:
>>  
>> ike {
>>             proposal proposal-1 {
>>                         authentication-method pre-shared-keys;
>>                         dh-group group1;
>>                         authentication-algorithm sha1;
>>                         encryption-algorithm 3des-cbc;
>>                         lifetime-seconds 1000;
>>             }
>>             proposal proposal-2 {
>>                         authentication-method pre-shared-keys;
>>                         dh-group group2;
>>                         authentication-algorithm md5;
>>                         encryption-algorithm des-cbc;
>>                         lifetime-seconds 10000;
>> }
>>  
>> Best regards, Gabi.
>>  
>>  
>> El 22 oct 2015, a las 10:19, Rafa Marin Lopez <rafa@um.es> escribió:
>>  
>> Dear Linda:
>> 
>> First of all, thanks for commenting on our draft.
>> 
>> 
>> El 22 oct 2015, a las 0:43, Linda Dunbar <linda.dunbar@huawei.com>
>>escribió:
>> 
>> Rafa, 
>> 
>> Thank you very much for sharing the draft.
>> 
>> Can you elaborate what kind of IPSec policies that Apps can give to
>>"SDN Controller”?
>> I am not an expert on IPSec, so pardon me if my question is not
>>correct:  if client needs "protected IPsec traffic", can them simply
>>establish two parallel IPSec tunnels?
>> 
>> Any question is good. So, thank you. Let me try to clarify. When you
>>want to establish an IPsec protected tunnel you have to configure
>>rules/policies to determine what kind of traffic you want to protect.
>> 
>> Imagine you have* :
>> 
>> Network A(172.16.1.0/24) ― GW_A
>>(192.168.1.100/24)-Internet-(192.168.2.100/24) GW_B - (172.16.2.0/24)
>>Network_B
>> 
>> With ipsec-tools in Linux you define the following policies to protect
>>traffic between both networks with a tunnel. Administrators of both
>>networks have to configure this in both GW_A and GW_B :
>> 
>> spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
>>           esp/tunnel/192.168.1.100-192.168.2.100/require;
>> 
>> spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
>>           esp/tunnel/192.168.2.100-192.168.1.100/require;
>> 
>> *See the detailed example in Fig. 5 in
>>http://www.ipsec-howto.org/x304.html
>> 
>> Moreover it has to specify other parameters such as credentials to be
>>used to establish IKE SA, cryptographic algorithms etc…
>> 
>> 
>> 
>> What is your goal? Only to give use cases for IPSec policy?
>> 
>> Our goal is to automatize the management of IPsec security associations
>>so that administrators do not have add those rules in each device. The
>>general idea stemmed from the following principle:
>> 
>> To establish an IPsec security association you run first IKE to
>>negotiate the IPsec SA (control plane). Once it is established some
>>parameters are configured in the kernel of the network devices, so they
>>can process the IP packets with IPsec before forwarding (data plane). So
>>for us, there is a clear separation between these two planes.
>> 
>> Additionally, please think that IPsec uses packet filtering (and
>>cryptography). In this sense we consider that a NSF can perform this
>>task. Thus, some interface as those to be defined in I2NSF may be
>>required. Btw, you can find a YANG model for ipsec in the following link:
>> 
>> https://tools.ietf.org/html/draft-tran-ipecme-yang-ipsec-00
>> 
>> 
>> 
>> Or do you plan to dive in one step further to define the semantics of
>>the polices or rules for IPSec?
>> 
>> If I understand correctly your question I will say the semantics and
>>rules for IPsec are already there as shown in the example. Another thing
>>to consider is to define through an application a more general rule such
>>as “I want to protect traffic against eavesdropping between these two
>>networks" that is finally translated in more specific IPsec policies
>> 
>> We hope this clarify your doubts. In any case, if you have any other
>>question do not hesitate to ask.
>> 
>> Best Regards.
>> 
>> 
>> Thanks, Linda 
>> 
>> -----Original Message-----
>> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rafa Marin
>>Lopez
>> Sent: Wednesday, October 21, 2015 4:15 AM
>> To: sdn@irtf.org; i2nsf@ietf.org
>> Cc: Gabriel Lopez; Alejandro Abad UM; Rafa Marin Lopez
>> Subject: [I2nsf] New update of
>>draft-abad-sdnrg-sdn-ipsec-flow-protection
>> 
>> Dear all:
>> 
>> You may find a new update about Software-Defined Networking (SDN)-based
>>IPsec Flow Protection in this link:
>> 
>> 
>>https://tools.ietf.org/id/draft-abad-sdnrg-sdn-ipsec-flow-protection-01.t
>>xt
>> 
>> We have added some minor modifications and a section to explain the
>>relationship with I2NSF work.
>> 
>> Comments are really welcome.
>> 
>> Best Regards.
>> 
>> -------------------------------------------------------
>> Rafael Marin Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC) Faculty of
>>Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
>> 
>> 
>> 
>> 
>> _______________________________________________
>> I2nsf mailing list
>> I2nsf@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2nsf
>> 
>> -------------------------------------------------------
>> Rafael Marin Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
>> 
>> 
>> 
>> 
>> _______________________________________________
>> sdn mailing list
>> sdn@irtf.org
>> https://www.irtf.org/mailman/listinfo/sdn
>>  
>>  
>> 
>> -----------------------------------------------------------
>> Gabriel López Millán
>> Departamento de Ingeniería de la Información y las Comunicaciones
>> University of Murcia
>> Spain
>> Tel: +34 868888504
>> Fax: +34 868884151
>> email: gabilm@um.es
>
>-------------------------------------------------------
>Rafael Marin Lopez, PhD
>Dept. Information and Communications Engineering (DIIC)
>Faculty of Computer Science-University of Murcia
>30100 Murcia - Spain
>Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>-------------------------------------------------------
>
>
>
>
>_______________________________________________
>I2nsf mailing list
>I2nsf@ietf.org
>https://www.ietf.org/mailman/listinfo/i2nsf

v2.23.0 | Report a Bug | By Email