IETF Logo Mail Archive

Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection

Gabriel Lopez <gabilm@um.es> Fri, 23 October 2015 09:58 UTC

Return-Path: <gabilm@um.es>
X-Original-To: sdn@ietfa.amsl.com
Delivered-To: sdn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36EBF1B33F7 for <sdn@ietfa.amsl.com>; Fri, 23 Oct 2015 02:58:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level:
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sS5udFRKb2Pw for <sdn@ietfa.amsl.com>; Fri, 23 Oct 2015 02:58:01 -0700 (PDT)
Received: from xenon21.um.es (xenon21.um.es [155.54.212.161]) by ietfa.amsl.com (Postfix) with ESMTP id 16ECA1B33BF for <sdn@irtf.org>; Fri, 23 Oct 2015 02:58:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon21.um.es (Postfix) with ESMTP id 0310A40521; Fri, 23 Oct 2015 11:58:00 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon21.um.es
Received: from xenon21.um.es ([127.0.0.1]) by localhost (xenon21.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 4sWI0IUYCELV; Fri, 23 Oct 2015 11:57:59 +0200 (CEST)
Received: from eduroam_um-7-160.inf.um.es (eduroam_um-7-160.inf.um.es [155.54.7.160]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: gabilm) by xenon21.um.es (Postfix) with ESMTPSA id CA7073FD54; Fri, 23 Oct 2015 11:57:53 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
Content-Type: multipart/signed; boundary="Apple-Mail=_F67A2683-9731-4F49-99F1-D6BB0C65A83D"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.6b2
From: Gabriel Lopez <gabilm@um.es>
In-Reply-To: <D24FB47B.2CEFA%dacheng.zdc@alibaba-inc.com>
Date: Fri, 23 Oct 2015 11:57:51 +0200
Message-Id: <F6AE1687-BB0D-4EFB-8606-1A6A0CF18372@um.es>
References: <CD8880C6-90B6-4125-BBCE-6AA0B76DA2D7@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D71571@dfweml701-chm> <89725C38-5C24-44B2-9957-BAD267993F92@um.es> <160732AF-02A9-48FB-BF91-94412A1688C0@um.es> <4A95BA014132FF49AE685FAB4B9F17F657D7208A@dfweml701-chm> <BA5091B1-1D84-4A61-ACFC-1332C992E81C@um.es> <D24FB47B.2CEFA%dacheng.zdc@alibaba-inc.com>
To: Dacheng Zhang <dacheng.zdc@alibaba-inc.com>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sdn/iUHVWz5-MvOpSqRcurrIclDdvpE>
Cc: Sam Hartman <hartmans@painless-security.com>, "sdn@irtf.org" <sdn@irtf.org>, Alejandro Abad UM <alejandroprimitivo.abad@um.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>, Rafa Marin Lopez <rafa@um.es>, Mahesh Jethanandani <mjethanandani@gmail.com>
Subject: Re: [Sdn] [I2nsf] New update of draft-abad-sdnrg-sdn-ipsec-flow-protection
X-BeenThere: sdn@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List to Discuss SDN Research Group in the IRTF <sdn.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/sdn>, <mailto:sdn-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sdn/>
List-Post: <mailto:sdn@irtf.org>
List-Help: <mailto:sdn-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/sdn>, <mailto:sdn-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2015 09:58:06 -0000

Hi Dacheng,


> El 23 oct 2015, a las 4:20, Dacheng Zhang <dacheng.zdc@alibaba-inc.com> escribió:
> 
> Hi,
> 
> Maybe this work is not really considered in the current agenda. But I
> think it is very interesting. Also, I am thinking whether the similar idea
> can be used to mange the policies of securing routing protocols.

I’m not an expert on security routing protocols, but I think the idea es basically the same: to provide key material to the peers (router,  ipsec peer, etc.).

> We used
> to specify a key table specification for different routing protocols. At
> that time, someone mentioned it could be a good idea to use controllers to
> deploy keys for routing protocols, so that we don’t have to extend IKEv2
> to negotiate them.


> 
> Thoughts?

It would depend on how routers trust each other. In our example, an IPSec peer could be provisioned with cryptographic keys from the controller (in the case peers belong to the same domain) or they could make use of IKE to dynamically negotiate these keys.

Best regards, Gabi.

> 
> Cheers
> 
> Dacheng
> 
> 在 15-10-23 上午5:54, "I2nsf on behalf of Rafa Marin Lopez"
> <i2nsf-bounces@ietf.org on behalf of rafa@um.es> 写入:
> 
>> Hi Linda:
>> 
>>> El 22 oct 2015, a las 22:06, Linda Dunbar <linda.dunbar@huawei.com>
>>> escribió:
>>> 
>>> Rafa and Gabi,
>>> 
>>> Thank you very much for the explanation. That is very helpful.
>>> 
>>> Based on your explanation,  the Capability Layer interface for IPSec
>>> has been defined
>> 
>> If you are referring to the YANG model with IPsec then we have a good
>> step with draft-wang-ipsecme-ipsec-yang
>> 
>>> but there is need for the Service Layer rules for IPSec. The service
>>> layer IPSec rules can be applied to many pairs of IPsec tunnels, so that
>>> administrators don’t need to manually setup each one. Is my
>>> understanding correct?
>> 
>> Right, that is also our understanding.
>> 
>>> 
>>> Is it true that the IKE policies can be utilized between Security
>>> Controller and Client for the Service Layer interface?
>> 
>> Yes, that might be a possibility, though we understand a deeper analysis
>> is required.
>> 
>> Best Regards.
>> 
>>> 
>>> Thanks, Linda
>>> 
>>> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Gabriel Lopez
>>> Sent: Thursday, October 22, 2015 3:32 AM
>>> To: Rafa Marin Lopez
>>> Cc: i2nsf@ietf.org; sdn@irtf.org; Alejandro Abad UM; Linda Dunbar
>>> Subject: Re: [I2nsf] [Sdn] New update of
>>> draft-abad-sdnrg-sdn-ipsec-flow-protection
>>> 
>>> 
>>> Hi,
>>> 
>>> Thanks for the review.
>>> 
>>> Please, note that the draft also include IKE policies.
>>> 
>>> As described in Rafa’s response, IKE allows two peers to dynamically
>>> negotiate the cryptography material for IPSec in a secure way.
>>> An example of IKE policies could be:
>>> 
>>> ike {
>>>            proposal proposal-1 {
>>>                        authentication-method pre-shared-keys;
>>>                        dh-group group1;
>>>                        authentication-algorithm sha1;
>>>                        encryption-algorithm 3des-cbc;
>>>                        lifetime-seconds 1000;
>>>            }
>>>            proposal proposal-2 {
>>>                        authentication-method pre-shared-keys;
>>>                        dh-group group2;
>>>                        authentication-algorithm md5;
>>>                        encryption-algorithm des-cbc;
>>>                        lifetime-seconds 10000;
>>> }
>>> 
>>> Best regards, Gabi.
>>> 
>>> 
>>> El 22 oct 2015, a las 10:19, Rafa Marin Lopez <rafa@um.es> escribió:
>>> 
>>> Dear Linda:
>>> 
>>> First of all, thanks for commenting on our draft.
>>> 
>>> 
>>> El 22 oct 2015, a las 0:43, Linda Dunbar <linda.dunbar@huawei.com>
>>> escribió:
>>> 
>>> Rafa,
>>> 
>>> Thank you very much for sharing the draft.
>>> 
>>> Can you elaborate what kind of IPSec policies that Apps can give to
>>> "SDN Controller”?
>>> I am not an expert on IPSec, so pardon me if my question is not
>>> correct:  if client needs "protected IPsec traffic", can them simply
>>> establish two parallel IPSec tunnels?
>>> 
>>> Any question is good. So, thank you. Let me try to clarify. When you
>>> want to establish an IPsec protected tunnel you have to configure
>>> rules/policies to determine what kind of traffic you want to protect.
>>> 
>>> Imagine you have* :
>>> 
>>> Network A(172.16.1.0/24) ― GW_A
>>> (192.168.1.100/24)-Internet-(192.168.2.100/24) GW_B - (172.16.2.0/24)
>>> Network_B
>>> 
>>> With ipsec-tools in Linux you define the following policies to protect
>>> traffic between both networks with a tunnel. Administrators of both
>>> networks have to configure this in both GW_A and GW_B :
>>> 
>>> spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
>>>          esp/tunnel/192.168.1.100-192.168.2.100/require;
>>> 
>>> spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
>>>          esp/tunnel/192.168.2.100-192.168.1.100/require;
>>> 
>>> *See the detailed example in Fig. 5 in
>>> http://www.ipsec-howto.org/x304.html
>>> 
>>> Moreover it has to specify other parameters such as credentials to be
>>> used to establish IKE SA, cryptographic algorithms etc…
>>> 
>>> 
>>> 
>>> What is your goal? Only to give use cases for IPSec policy?
>>> 
>>> Our goal is to automatize the management of IPsec security associations
>>> so that administrators do not have add those rules in each device. The
>>> general idea stemmed from the following principle:
>>> 
>>> To establish an IPsec security association you run first IKE to
>>> negotiate the IPsec SA (control plane). Once it is established some
>>> parameters are configured in the kernel of the network devices, so they
>>> can process the IP packets with IPsec before forwarding (data plane). So
>>> for us, there is a clear separation between these two planes.
>>> 
>>> Additionally, please think that IPsec uses packet filtering (and
>>> cryptography). In this sense we consider that a NSF can perform this
>>> task. Thus, some interface as those to be defined in I2NSF may be
>>> required. Btw, you can find a YANG model for ipsec in the following link:
>>> 
>>> https://tools.ietf.org/html/draft-tran-ipecme-yang-ipsec-00
>>> 
>>> 
>>> 
>>> Or do you plan to dive in one step further to define the semantics of
>>> the polices or rules for IPSec?
>>> 
>>> If I understand correctly your question I will say the semantics and
>>> rules for IPsec are already there as shown in the example. Another thing
>>> to consider is to define through an application a more general rule such
>>> as “I want to protect traffic against eavesdropping between these two
>>> networks" that is finally translated in more specific IPsec policies
>>> 
>>> We hope this clarify your doubts. In any case, if you have any other
>>> question do not hesitate to ask.
>>> 
>>> Best Regards.
>>> 
>>> 
>>> Thanks, Linda
>>> 
>>> -----Original Message-----
>>> From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rafa Marin
>>> Lopez
>>> Sent: Wednesday, October 21, 2015 4:15 AM
>>> To: sdn@irtf.org; i2nsf@ietf.org
>>> Cc: Gabriel Lopez; Alejandro Abad UM; Rafa Marin Lopez
>>> Subject: [I2nsf] New update of
>>> draft-abad-sdnrg-sdn-ipsec-flow-protection
>>> 
>>> Dear all:
>>> 
>>> You may find a new update about Software-Defined Networking (SDN)-based
>>> IPsec Flow Protection in this link:
>>> 
>>> 
>>> https://tools.ietf.org/id/draft-abad-sdnrg-sdn-ipsec-flow-protection-01.t
>>> xt
>>> 
>>> We have added some minor modifications and a section to explain the
>>> relationship with I2NSF work.
>>> 
>>> Comments are really welcome.
>>> 
>>> Best Regards.
>>> 
>>> -------------------------------------------------------
>>> Rafael Marin Lopez, PhD
>>> Dept. Information and Communications Engineering (DIIC) Faculty of
>>> Computer Science-University of Murcia
>>> 30100 Murcia - Spain
>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>>> -------------------------------------------------------
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> I2nsf mailing list
>>> I2nsf@ietf.org
>>> https://www.ietf.org/mailman/listinfo/i2nsf
>>> 
>>> -------------------------------------------------------
>>> Rafael Marin Lopez, PhD
>>> Dept. Information and Communications Engineering (DIIC)
>>> Faculty of Computer Science-University of Murcia
>>> 30100 Murcia - Spain
>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>>> -------------------------------------------------------
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> sdn mailing list
>>> sdn@irtf.org
>>> https://www.irtf.org/mailman/listinfo/sdn
>>> 
>>> 
>>> 
>>> -----------------------------------------------------------
>>> Gabriel López Millán
>>> Departamento de Ingeniería de la Información y las Comunicaciones
>>> University of Murcia
>>> Spain
>>> Tel: +34 868888504
>>> Fax: +34 868884151
>>> email: gabilm@um.es
>> 
>> -------------------------------------------------------
>> Rafael Marin Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
>> 
>> 
>> 
>> 
>> _______________________________________________
>> I2nsf mailing list
>> I2nsf@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2nsf
> 
> 



-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es <mailto:gabilm@um.es>

v2.23.0 | Report a Bug | By Email