IETF Logo Mail Archive

Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection

Rafa Marin Lopez <rafa@um.es> Thu, 22 October 2015 08:20 UTC

Return-Path: <rafa@um.es>
X-Original-To: sdn@ietfa.amsl.com
Delivered-To: sdn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5C01B2F48 for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 01:20:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpkMXF8gOxAs for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 01:20:04 -0700 (PDT)
Received: from xenon23.um.es (xenon23.um.es [155.54.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id 139E31B2F43 for <sdn@irtf.org>; Thu, 22 Oct 2015 01:20:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon23.um.es (Postfix) with ESMTP id 66F97366D; Thu, 22 Oct 2015 10:20:02 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon23.um.es
Received: from xenon23.um.es ([127.0.0.1]) by localhost (xenon23.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id xOfPJ+2OvEmf; Thu, 22 Oct 2015 10:20:02 +0200 (CEST)
Received: from eduroam_um-7-128.inf.um.es (eduroam_um-7-128.inf.um.es [155.54.7.128]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa) by xenon23.um.es (Postfix) with ESMTPSA id F14C16E0; Thu, 22 Oct 2015 10:19:58 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657D71571@dfweml701-chm>
Date: Thu, 22 Oct 2015 10:19:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <89725C38-5C24-44B2-9957-BAD267993F92@um.es>
References: <CD8880C6-90B6-4125-BBCE-6AA0B76DA2D7@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D71571@dfweml701-chm>
To: Linda Dunbar <linda.dunbar@huawei.com>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sdn/Z83L6EvyPoHooVcO1z-TXRrNDTk>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "sdn@irtf.org" <sdn@irtf.org>, Alejandro Abad UM <alejandroprimitivo.abad@um.es>, Rafa Marin Lopez <rafa@um.es>
Subject: Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
X-BeenThere: sdn@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List to Discuss SDN Research Group in the IRTF <sdn.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/sdn>, <mailto:sdn-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sdn/>
List-Post: <mailto:sdn@irtf.org>
List-Help: <mailto:sdn-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/sdn>, <mailto:sdn-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 08:20:07 -0000

Dear Linda:

First of all, thanks for commenting on our draft.

> El 22 oct 2015, a las 0:43, Linda Dunbar <linda.dunbar@huawei.com> escribió:
> 
> Rafa, 
> 
> Thank you very much for sharing the draft. 
> 
> Can you elaborate what kind of IPSec policies that Apps can give to "SDN Controller”? 
> I am not an expert on IPSec, so pardon me if my question is not correct:  if client needs "protected IPsec traffic", can them simply establish two parallel IPSec tunnels? 

Any question is good. So, thank you. Let me try to clarify. When you want to establish an IPsec protected tunnel you have to configure rules/policies to determine what kind of traffic you want to protect. 

Imagine you have* :  

Network A(172.16.1.0/24) — GW_A (192.168.1.100/24)-Internet-(192.168.2.100/24) GW_B - (172.16.2.0/24) Network_B

With ipsec-tools in Linux you define the following policies to protect traffic between both networks with a tunnel. Administrators of both networks have to configure this in both GW_A and GW_B :

spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
           esp/tunnel/192.168.1.100-192.168.2.100/require;

spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
           esp/tunnel/192.168.2.100-192.168.1.100/require;

*See the detailed example in Fig. 5 in http://www.ipsec-howto.org/x304.html

Moreover it has to specify other parameters such as credentials to be used to establish IKE SA, cryptographic algorithms etc…

> 
> What is your goal? Only to give use cases for IPSec policy?

Our goal is to automatize the management of IPsec security associations so that administrators do not have add those rules in each device. The general idea stemmed from the following principle:

To establish an IPsec security association you run first IKE to negotiate the IPsec SA (control plane). Once it is established some parameters are configured in the kernel of the network devices, so they can process the IP packets with IPsec before forwarding (data plane). So for us, there is a clear separation between these two planes.

Additionally, please think that IPsec uses packet filtering (and cryptography). In this sense we consider that a NSF can perform this task. Thus, some interface as those to be defined in I2NSF may be required. Btw, you can find a YANG model for ipsec in the following link:

https://tools.ietf.org/html/draft-tran-ipecme-yang-ipsec-00


> Or do you plan to dive in one step further to define the semantics of the polices or rules for IPSec?  

If I understand correctly your question I will say the semantics and rules for IPsec are already there as shown in the example. Another thing to consider is to define through an application a more general rule such as “I want to protect traffic against eavesdropping between these two networks" that is finally translated in more specific IPsec policies

We hope this clarify your doubts. In any case, if you have any other question do not hesitate to ask. 

Best Regards.
> 
> Thanks, Linda 
> 
> -----Original Message-----
> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rafa Marin Lopez
> Sent: Wednesday, October 21, 2015 4:15 AM
> To: sdn@irtf.org; i2nsf@ietf.org
> Cc: Gabriel Lopez; Alejandro Abad UM; Rafa Marin Lopez
> Subject: [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
> 
> Dear all:
> 
> You may find a new update about Software-Defined Networking (SDN)-based IPsec Flow Protection in this link:
> 
> https://tools.ietf.org/id/draft-abad-sdnrg-sdn-ipsec-flow-protection-01.txt
> 
> We have added some minor modifications and a section to explain the relationship with I2NSF work.
> 
> Comments are really welcome.
> 
> Best Regards.
> 
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------
> 
> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email