Re: [Secdispatch] Controller-IKE

"David Carrel (carrel)" <carrel@cisco.com> Mon, 22 July 2019 14:59 UTC

From: "David Carrel (carrel)" <carrel@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Controller-IKE
Date: Mon, 22 Jul 2019 14:59:18 +0000
Message-ID: <10D8DC7B-13D7-474B-89EF-905C5B31DEBE@cisco.com>
References: <CDF90625-34F6-40C3-8AE4-AACD50D70C2E@cisco.com> <CAHbuEH7NQ3DV1nt_vq2wyQ4yZC2carVmRk8LfURGe9eWHfboeQ@mail.gmail.com>
In-Reply-To: <CAHbuEH7NQ3DV1nt_vq2wyQ4yZC2carVmRk8LfURGe9eWHfboeQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/qGLNGggimj7qg8E59So9tXvAe58>
Subject: Re: [Secdispatch] Controller-IKE

Kathleen,

I have discussed Controller-IKE in the I2NSF meetings and I follow it closely.  I2NSF flow protection draft discusses two ways to configure the device for key management.  You can configure it for IKE and send all the static IKE configuration to the device, or you can configure it for NO key exchange and have the control station push the IPsec keys to the device.  The IKE option is pretty straightforward and standard.  The static key option is … what it is.

Controller-IKE would also fit into the I2NSF framework.  If Controller-IKE moves forward, then I would want to see additions to the I2NSF flow protection to allow it to configure a 3rd key management option.  I2NSF flow protection would not carry the Controller-IKE messages, but it would configure the device to do Controller-IKE.  The actual Controller-IKE exchange would be with the RR.

Dave


From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Monday, July 22, 2019 at 10:29 AM
To: "David Carrel (carrel)" <carrel@cisco.com>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Subject: Re: [Secdispatch] Controller-IKE

Hi David,

Could you please explain how this is different from the adopted work in I2NSF, https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ ?

This is referenced in your draft along with one another, but there is no analysis on why they don't fit the need.  The draft in I2NSF pulled in the IPsecMe working group and underwent significant revisions as a result to deal with several initial security issues.  If there's a gap that can be solved with that draft, could that be a way forward or is this needed for some specific reason?  It would be helpful to understand this.

Thank you,
Kathleen

On Fri, Jul 19, 2019 at 10:20 PM David Carrel (carrel) <carrel@cisco.com> wrote:
Folks,

I would like to present Controller-IKE in the Montreal Security Dispatch meeting.  There is growing interest from routing folks, and I strongly feel we should evaluate and progress this in the security area.  I’ll have some slides to share shortly.  For now, please do read the draft.  Also there are some drafts referencing this:

Controller-IKE: https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-01

Also some docs referencing this form of key management:
BESS, Secure EVPN: https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-02
And: https://tools.ietf.org/html/draft-dunbar-bess-bgp-sdwan-usage-01

Comments appreciated.

Dave



--

Best regards,
Kathleen