Rafa, Gabriel, and Sowmini,

Here are some comments from the IPSecMe group on your draft-abad-i2nsf-sdn-ipsec-flow-protection-01. I think it is worth checking.

-----Original Message-----
From: Yoav Nir [mailto:[email protected]]
Sent: Thursday, April 13, 2017 4:42 PM
To: Linda Dunbar <[email protected]>
Cc: [email protected]; Michael Richardson <[email protected]>
Subject: Re: [IPsec] Can IPSec (RFC 5996) support tunnels with end point being (virtual) CPEs which has a set of workload attached (say Virtual Machines) all having virtual IP addresses?

<<snip>>

>> - I2NSF has a proposal on using Controller to manage all the IPSec
>> tunnels:
>> https://datatracker.ietf.org/doc/html/draft-abad-i2nsf-sdn-ipsec-flow-protection.
>> What kind of issues do you see with the proposed approach?
>
> I didn't read it.

I did. They have two cases. In case #1 the controller provisions credentials for IKE and entries in PAD and SPD. In case #2 you forego IKE and have the controller provision the SAs (including keys).

I especially didn't like case #2. Sharing a secret key among three entities is a bad idea. A shared authentication credential can also be misused, but that's a hard attack to mount. A shared traffic key makes the controller a very attractive target.

More generally, SDN was born in the data center. In a data center an all-knowing controller makes sense. This is true for routing as it is for NSFs such as firewalls, IDPs and IDSs. VPN extends the reach of the private network to all corners of the Internet. Think of a store chain with a CPE in every one of thousands of branches. Or a bank. The problem there is that there is no central administrative function. Local branches may switch ISP and renumber their network without bothering to tell the IT people. So the model where the controller knows everything is tough to deploy in practice. It is probably necessary to have two-way communications, where the CPE tells the controller about its topology (how it partitions the Internet to "in" vs "out") so that the controller can set up the appropriate SPDs.

There have been several attempts at this. RFC 7018 describes requirements, but the WG ultimately failed to publish a solution document. There are also more recent commercial solutions sold today under the marketing name of "SD-WAN", which is sort of like SDN if you squint hard enough. All of these have some interaction between CPE and controllers (or hubs) which draft-abad does not.

Yoav

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
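The difference between the two cases Yoav describes comes down to which secrets the controller ends up holding. The following Python model is an added illustration written for this page; it is not code from the draft, from the I2NSF work, or from any IPsec implementation. It sketches case #1 (controller hands out an IKE pre-shared key and SPD entries, the peers derive the child-SA key themselves over Diffie-Hellman, with an AUTH computation shaped like RFC 7296 section 2.15) beside case #2 (controller generates the SA key and pushes it to both peers), then asks what a compromised controller's memory would reveal. The Peer and Controller classes, the selector string, the "child SA key" label and the MODP prime (written down from RFC 2409 group 2, far too small for real use and included only to make the DH step concrete) are all assumptions of this example.

```python
"""Toy model of the two provisioning cases in draft-abad (constructed illustration).

Not an IKE implementation: there is no IKE_SA_INIT/IKE_AUTH message format,
no nonces and no SKEYSEED. Only the question "who holds which key?" is modelled.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2), quoted from memory; toy-sized by
# modern standards and used here only so that the DH step is real arithmetic.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_PAD = b"Key Pad for IKEv2"      # constant from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """A CPE / NSF endpoint (hypothetical class for this example)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.psk = None          # IKE authentication credential (case #1 only)
        self.spd = []            # selectors pushed by the controller
        self.traffic_key = None  # key actually protecting packets on the child SA


def ikev2_psk_auth_and_keys(a: Peer, b: Peer) -> None:
    """Case #1 key agreement, run by the two peers without the controller.

    The PSK authenticates the exchange; the traffic key comes from DH and
    therefore never exists anywhere except on the two peers.
    """
    xa, xb = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, xa, P), pow(G, xb, P)
    shared_a = pow(gb, xa, P).to_bytes(128, "big")
    shared_b = pow(ga, xb, P).to_bytes(128, "big")
    if shared_a != shared_b:
        raise RuntimeError("DH mismatch")   # cannot happen with honest peers
    # AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <signed octets>), RFC 7296 2.15
    auth_from_a = prf(prf(a.psk, KEY_PAD), ga.to_bytes(128, "big"))
    expected_by_b = prf(prf(b.psk, KEY_PAD), ga.to_bytes(128, "big"))
    if not hmac.compare_digest(auth_from_a, expected_by_b):
        raise ValueError("IKE authentication failed")
    # Child-SA key derived from the DH secret (label is an assumption of this toy).
    a.traffic_key = b.traffic_key = prf(shared_a, b"child SA key")


class Controller:
    """SDN controller; `known` is everything it would leak if compromised."""

    def __init__(self) -> None:
        self.known = {}

    def provision_case1(self, a: Peer, b: Peer, selector: str) -> None:
        psk = secrets.token_bytes(32)
        a.psk = b.psk = psk
        a.spd.append(selector)
        b.spd.append(selector)
        self.known["psk"] = psk
        ikev2_psk_auth_and_keys(a, b)   # performed by the peers, not by us

    def provision_case2(self, a: Peer, b: Peer, selector: str) -> None:
        key = secrets.token_bytes(32)    # controller chooses the SA key itself
        a.traffic_key = b.traffic_key = key
        a.spd.append(selector)
        b.spd.append(selector)
        self.known["traffic_key"] = key  # three parties now share the traffic key


def controller_can_read_traffic(ctrl: Controller, peer: Peer) -> bool:
    """Passive exposure: does the controller's state contain the traffic key?"""
    return ctrl.known.get("traffic_key") == peer.traffic_key


def controller_holds_auth_credential(ctrl: Controller, peer: Peer) -> bool:
    """Active-only exposure: the credential would have to be used in a live IKE run."""
    return ctrl.known.get("psk") == peer.psk


def run_demo() -> dict:
    """Return the exposure picture for both cases (constructed selector)."""
    selector = "10.1.0.0/16 <-> 10.2.0.0/16 ESP tunnel"
    a1, b1, c1 = Peer("branch"), Peer("hub"), Controller()
    c1.provision_case1(a1, b1, selector)
    a2, b2, c2 = Peer("branch"), Peer("hub"), Controller()
    c2.provision_case2(a2, b2, selector)
    return {
        "case1_peers_agree": a1.traffic_key == b1.traffic_key,
        "case1_controller_reads_traffic": controller_can_read_traffic(c1, a1),
        "case1_controller_has_credential": controller_holds_auth_credential(c1, a1),
        "case2_peers_agree": a2.traffic_key == b2.traffic_key,
        "case2_controller_reads_traffic": controller_can_read_traffic(c2, a2),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Both cases leave the two peers with a matching key and identical SPD entries, so from a connectivity standpoint they are equivalent; the model only differs in what a memory dump of the controller would contain. In case #1 that is a PSK, which is useful to an attacker only while actively taking part in an IKE exchange (Yoav's "hard attack to mount"); in case #2 it is the traffic key itself, which turns previously captured packets into plaintext with no further interaction.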
