On (06/19/16 20:06), Rafa Marin Lopez wrote:
> > I had a related question Section 8.2, #2 as well: is the first
> > data packet in the clear or not?  If it is not in the clear, how
> > can you determine the flow in the general case? 
> 
> [Rafa] Please be aware that, if ESP (AH does not encrypt the packet)
> has been applied to the packet before reaching GW1, the IP header of
> that packet is still visible (it is not encrypted). And based on that
> information there would be SPD entries so that the IPsec implementation
> would act based on that visible information. Thus, adding the controller
> does not change that behavior. So I am not sure about the issue/problem
> you may have in mind.

If the first packet is using AH, then the sender has already made
some assumption about the auth key. How is the receiver going to
know that key (assuming that AH has been added for a reason)?
And what is the point of the following (quoted from Section 8.2)
if the sender is already making some assumptions about the AH
parameters for the first packet?

   "2.  The SDN Controller looks for security policies in its SPD table
       and decides that the flow MUST be protected, for example, with
       IPsec ESP in tunnel mode.

   3.  The SDN controller derives keys for the IPsec tunnel and enforces
       them, along with other information required, such as IPsec mode
       (ESP or AH), into both gateways' IPsec Security Association
       Database (SAD)."

To put this another way, isn't this a chicken-and-egg problem: the
receiver is supposed to use the first data packet to figure out the
SADB/SPD configuration (which may or may not include both AH and ESP),
but the first packet itself has some AH (with no ESP) based on <what
negotiation?>?

> > If it is in 
> > the clear, what is the scope of the security consideration?
> 
> [Rafa] Not sure what you mean? Are you referring to Section
> 9 or another aspect?

Is the IPsec SA/SPD negotiated in Section 8.1 applicable/different
for the first packet compared to the rest of the flow?

--Sowmini
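As an added illustration of the two cases argued about above (a toy simulation written for this thread; it is not the draft's text and not any IPsec implementation, and the Gateway/Controller classes, the HMAC-SHA256 stand-in for AH's ICV, the SPD/SAD dictionaries, the addresses and the payload are all constructed here): in the first scenario a plain first packet hits GW1, GW1 finds a PROTECT policy but no SA, and the controller derives the key and installs the SA into both gateways' SAD before GW1 protects and forwards it, so GW2 verifies. In the second scenario the first packet reaches GW2 already AH-tagged under an SPI and key the sender chose on its own, exactly the case the question raises, and since nothing in the packet lets GW2 or the controller recover that key, GW2 can only drop it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# Stand-in for AH's integrity check value: HMAC-SHA256 over the addresses,
# the SPI and the payload under the SA key. Replay window, mutable-field
# zeroing and ESP encryption are deliberately omitted from this model.
def ah_icv(key: bytes, src: str, dst: str, spi: int, payload: bytes) -> bytes:
    data = f"{src}>{dst}:{spi}".encode() + payload
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    spi: Optional[int] = None    # set once AH-style protection was applied
    icv: Optional[bytes] = None


@dataclass
class Gateway:
    name: str
    spd: Dict[Tuple[str, str], str] = field(default_factory=dict)          # (src, dst) -> policy
    sad: Dict[int, Tuple[str, str, bytes]] = field(default_factory=dict)   # spi -> (src, dst, key)
    controller: Optional["Controller"] = None
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Sending side: SPD lookup, SA lookup, then protect (the quoted steps)."""
        policy = self.spd.get((pkt.src, pkt.dst), "DISCARD")
        if policy == "BYPASS":
            return pkt
        if policy != "PROTECT":
            self.log.append(f"{self.name}: discard, no SPD entry")
            return None
        spi = next((s for s, (a, b, _) in self.sad.items() if (a, b) == (pkt.src, pkt.dst)), None)
        if spi is None:
            # No SA yet: the controller derives the key and installs it in
            # both gateways' SAD before this first packet leaves protected.
            self.log.append(f"{self.name}: no SA for flow, notifying controller")
            spi = self.controller.notify_no_sa(pkt.src, pkt.dst)
        key = self.sad[spi][2]
        pkt.spi = spi
        pkt.icv = ah_icv(key, pkt.src, pkt.dst, spi, pkt.payload)
        return pkt

    def inbound(self, pkt: Packet) -> str:
        """Receiving side: the SPI carried in the packet must already be in our SAD."""
        if pkt.spi is None:
            return "plaintext"
        entry = self.sad.get(pkt.spi)
        if entry is None:
            # The chicken-and-egg case: the sender applied AH under parameters
            # nobody provisioned here, so there is nothing to verify against
            # and no way to learn the key from the packet itself.
            self.log.append(f"{self.name}: drop, no SA for SPI {pkt.spi:#x}")
            return "dropped"
        expected = ah_icv(entry[2], pkt.src, pkt.dst, pkt.spi, pkt.payload)
        if pkt.icv is None or not hmac.compare_digest(expected, pkt.icv):
            self.log.append(f"{self.name}: drop, ICV mismatch")
            return "dropped"
        return "verified"


class Controller:
    """Holds the policies and, on request, derives a key and pushes the SA to both ends."""

    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str], Tuple[Gateway, Gateway]] = {}

    def add_policy(self, src: str, dst: str, gw_out: Gateway, gw_in: Gateway) -> None:
        self.policies[(src, dst)] = (gw_out, gw_in)
        gw_out.spd[(src, dst)] = "PROTECT"
        gw_in.spd[(src, dst)] = "PROTECT"
        gw_out.controller = gw_in.controller = self

    def notify_no_sa(self, src: str, dst: str) -> int:
        gw_out, gw_in = self.policies[(src, dst)]
        spi = 256 + secrets.randbelow(2**32 - 256)   # SPI values 1..255 are reserved
        key = secrets.token_bytes(32)
        gw_out.sad[spi] = gw_in.sad[spi] = (src, dst, key)
        return spi


def scenario_controller_provisions_first() -> str:
    """Plain first packet reaches GW1; the SA lands in both SADs before it is forwarded."""
    gw1, gw2, ctl = Gateway("GW1"), Gateway("GW2"), Controller()
    ctl.add_policy("10.0.1.5", "10.0.2.7", gw1, gw2)
    pkt = Packet("10.0.1.5", "10.0.2.7", b"first data packet")   # constructed sample
    return gw2.inbound(gw1.outbound(pkt))


def scenario_sender_applied_ah_first() -> str:
    """First packet arrives at GW2 already AH-tagged under an SPI/key GW2 was never given."""
    gw1, gw2, ctl = Gateway("GW1"), Gateway("GW2"), Controller()
    ctl.add_policy("10.0.1.5", "10.0.2.7", gw1, gw2)
    pkt = Packet("10.0.1.5", "10.0.2.7", b"first data packet", spi=0x1234)   # constructed
    pkt.icv = ah_icv(b"key only the sender assumed", pkt.src, pkt.dst, pkt.spi, pkt.payload)
    return gw2.inbound(pkt)
```

Running both scenarios shows the asymmetry in one place: the controller-first path works because the key never has to be inferred from traffic, whereas the sender-first path fails at GW2's SAD lookup regardless of what the controller later installs, since the SPI and key in the packet were never agreed with anyone.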

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf