IETF Logo Mail Archive

Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection

Rafa Marin Lopez <rafa@um.es> Thu, 22 October 2015 21:54 UTC

Return-Path: <rafa@um.es>
X-Original-To: sdn@ietfa.amsl.com
Delivered-To: sdn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 237FB1ACE37 for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 14:54:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fzjp4eiBC_M2 for <sdn@ietfa.amsl.com>; Thu, 22 Oct 2015 14:54:34 -0700 (PDT)
Received: from xenon23.um.es (xenon23.um.es [155.54.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id 7BA001ACE30 for <sdn@irtf.org>; Thu, 22 Oct 2015 14:54:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon23.um.es (Postfix) with ESMTP id 0A56270A2; Thu, 22 Oct 2015 23:54:33 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon23.um.es
Received: from xenon23.um.es ([127.0.0.1]) by localhost (xenon23.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BOxkUwGoSI4l; Thu, 22 Oct 2015 23:54:22 +0200 (CEST)
Received: from [192.168.1.40] (67.Red-88-23-6.staticIP.rima-tde.net [88.23.6.67]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa) by xenon23.um.es (Postfix) with ESMTPSA id 6C8817088; Thu, 22 Oct 2015 23:54:18 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657D7208A@dfweml701-chm>
Date: Thu, 22 Oct 2015 23:54:17 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <BA5091B1-1D84-4A61-ACFC-1332C992E81C@um.es>
References: <CD8880C6-90B6-4125-BBCE-6AA0B76DA2D7@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D71571@dfweml701-chm> <89725C38-5C24-44B2-9957-BAD267993F92@um.es> <160732AF-02A9-48FB-BF91-94412A1688C0@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D7208A@dfweml701-chm>
To: Linda Dunbar <linda.dunbar@huawei.com>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sdn/emtyuyIPJ36LmRjUzmp1nCn9wX0>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "sdn@irtf.org" <sdn@irtf.org>, Alejandro Abad UM <alejandroprimitivo.abad@um.es>, Rafa Marin Lopez <rafa@um.es>
Subject: Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
X-BeenThere: sdn@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List to Discuss SDN Research Group in the IRTF <sdn.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/sdn>, <mailto:sdn-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sdn/>
List-Post: <mailto:sdn@irtf.org>
List-Help: <mailto:sdn-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/sdn>, <mailto:sdn-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 21:54:38 -0000

Hi Linda:

> El 22 oct 2015, a las 22:06, Linda Dunbar <linda.dunbar@huawei.com> escribió:
> 
> Rafa and Gabi,
>  
> Thank you very much for the explanation. That is very helpful.
>  
> Based on your explanation,  the Capability Layer interface for IPSec has been defined

If you are referring to the YANG model with IPsec then we have a good step with draft-wang-ipsecme-ipsec-yang

> but there is need for the Service Layer rules for IPSec. The service layer IPSec rules can be applied to many pairs of IPsec tunnels, so that administrators don’t need to manually setup each one. Is my understanding correct?

Right, that is also our understanding. 

>  
> Is it true that the IKE policies can be utilized between Security Controller and Client for the Service Layer interface?

Yes, that might be a possibility, though we understand a deeper analysis is required.

Best Regards.

>  
> Thanks, Linda
>  
> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Gabriel Lopez
> Sent: Thursday, October 22, 2015 3:32 AM
> To: Rafa Marin Lopez
> Cc: i2nsf@ietf.org; sdn@irtf.org; Alejandro Abad UM; Linda Dunbar
> Subject: Re: [I2nsf] [Sdn] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
>  
>  
> Hi,
>  
> Thanks for the review.
>  
> Please, note that the draft also include IKE policies.
>  
> As described in Rafa’s response, IKE allows two peers to dynamically negotiate the cryptography material for IPSec in a secure way.
> An example of IKE policies could be:
>  
> ike {
>             proposal proposal-1 {
>                         authentication-method pre-shared-keys;
>                         dh-group group1;
>                         authentication-algorithm sha1;
>                         encryption-algorithm 3des-cbc;
>                         lifetime-seconds 1000;
>             }
>             proposal proposal-2 {
>                         authentication-method pre-shared-keys;
>                         dh-group group2;
>                         authentication-algorithm md5;
>                         encryption-algorithm des-cbc;
>                         lifetime-seconds 10000;
> }
>  
> Best regards, Gabi.
>  
>  
> El 22 oct 2015, a las 10:19, Rafa Marin Lopez <rafa@um.es> escribió:
>  
> Dear Linda:
> 
> First of all, thanks for commenting on our draft.
> 
> 
> El 22 oct 2015, a las 0:43, Linda Dunbar <linda.dunbar@huawei.com> escribió:
> 
> Rafa, 
> 
> Thank you very much for sharing the draft. 
> 
> Can you elaborate what kind of IPSec policies that Apps can give to "SDN Controller”? 
> I am not an expert on IPSec, so pardon me if my question is not correct:  if client needs "protected IPsec traffic", can them simply establish two parallel IPSec tunnels? 
> 
> Any question is good. So, thank you. Let me try to clarify. When you want to establish an IPsec protected tunnel you have to configure rules/policies to determine what kind of traffic you want to protect. 
> 
> Imagine you have* :  
> 
> Network A(172.16.1.0/24) — GW_A (192.168.1.100/24)-Internet-(192.168.2.100/24) GW_B - (172.16.2.0/24) Network_B
> 
> With ipsec-tools in Linux you define the following policies to protect traffic between both networks with a tunnel. Administrators of both networks have to configure this in both GW_A and GW_B :
> 
> spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
>           esp/tunnel/192.168.1.100-192.168.2.100/require;
> 
> spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
>           esp/tunnel/192.168.2.100-192.168.1.100/require;
> 
> *See the detailed example in Fig. 5 in http://www.ipsec-howto.org/x304.html
> 
> Moreover it has to specify other parameters such as credentials to be used to establish IKE SA, cryptographic algorithms etc…
> 
> 
> 
> What is your goal? Only to give use cases for IPSec policy?
> 
> Our goal is to automatize the management of IPsec security associations so that administrators do not have add those rules in each device. The general idea stemmed from the following principle:
> 
> To establish an IPsec security association you run first IKE to negotiate the IPsec SA (control plane). Once it is established some parameters are configured in the kernel of the network devices, so they can process the IP packets with IPsec before forwarding (data plane). So for us, there is a clear separation between these two planes.
> 
> Additionally, please think that IPsec uses packet filtering (and cryptography). In this sense we consider that a NSF can perform this task. Thus, some interface as those to be defined in I2NSF may be required. Btw, you can find a YANG model for ipsec in the following link:
> 
> https://tools.ietf.org/html/draft-tran-ipecme-yang-ipsec-00
> 
> 
> 
> Or do you plan to dive in one step further to define the semantics of the polices or rules for IPSec?  
> 
> If I understand correctly your question I will say the semantics and rules for IPsec are already there as shown in the example. Another thing to consider is to define through an application a more general rule such as “I want to protect traffic against eavesdropping between these two networks" that is finally translated in more specific IPsec policies
> 
> We hope this clarify your doubts. In any case, if you have any other question do not hesitate to ask. 
> 
> Best Regards.
> 
> 
> Thanks, Linda 
> 
> -----Original Message-----
> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rafa Marin Lopez
> Sent: Wednesday, October 21, 2015 4:15 AM
> To: sdn@irtf.org; i2nsf@ietf.org
> Cc: Gabriel Lopez; Alejandro Abad UM; Rafa Marin Lopez
> Subject: [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
> 
> Dear all:
> 
> You may find a new update about Software-Defined Networking (SDN)-based IPsec Flow Protection in this link:
> 
> https://tools.ietf.org/id/draft-abad-sdnrg-sdn-ipsec-flow-protection-01.txt
> 
> We have added some minor modifications and a section to explain the relationship with I2NSF work.
> 
> Comments are really welcome.
> 
> Best Regards.
> 
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------
> 
> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
> 
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------
> 
> 
> 
> 
> _______________________________________________
> sdn mailing list
> sdn@irtf.org
> https://www.irtf.org/mailman/listinfo/sdn
>  
>  
> 
> -----------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email