Yoav, Thank you very much for the detailed explanation.
Just out of curiosity, what kind of “security and robustness of pair-wise key exchange” are lost by using a single traffic key for multiple end points? Even with the SDN approach, as being proposed by draft-abad-i2nsf-sdn-ipsec-flow-protection-01, some end points (i.e. branch CPEs) may not have enough resource to manage a large number of security associations with many other end points (as in many SD-WAN branch-to-branch direct tunnel use cases).

Linda

From: Yoav Nir [mailto:[email protected]]
Sent: Thursday, April 20, 2017 5:19 PM
To: Linda Dunbar <[email protected]>
Cc: [email protected]; Michael Richardson <[email protected]>; [email protected]
Subject: Re: sharing key among multiple end points vs. Group Encryption Key - draft-abad-i2nsf-sdn-ipsec-flow-protectio

Hi, Linda

On 21 Apr 2017, at 0:40, Linda Dunbar <[email protected]<mailto:[email protected]>> wrote:

Yoav,

You said that it is a bad idea to have "sharing key among multiple points" as introduced by draft-abad-i2nsf-sdn-ipsec-flow-protection. Isn't the "Group Encryption Key" of having a "Key Server" distributing the key to multiple members doing the same?

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

Just because Cisco do it doesn’t mean that it’s not a bad idea. :-)

GETVPN is based on GDOI (RFC 6407). GDOI is about extending IPsec to multicast communications, where in a group of nodes a node encrypts a multicast IPsec packet and sends it to all group members who in turn decrypt it. For group communications sharing a key is inevitable.

GETVPN extends the key server back to regular unicast IPsec. It trades the security and robustness of pair-wise key exchange for the operational convenience of using a single traffic key for the entire configuration. In return for everyone using the same key, they eliminate the need for each node to be configured with the IP address and protected domain of every other node.

Any SDN or SDN-like solution does not need to eliminate configuration as that can be done dynamically by the controller. I don’t think the trade-off that was necessary for GDOI and convenient for GETVPN has many advantages for VPN with SDN.

Yoav
_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
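As an added illustration of the trade-off discussed in this thread (this is not code from the thread, the draft, or any GETVPN/GDOI implementation), the toy model below counts two things for a small constructed set of VPN end points: how many distinct traffic keys each node must hold (Linda's resource concern), and how many flows become readable once one or more nodes are compromised (the robustness Yoav refers to). The node names and key labels are constructed placeholders, not real key material.

```python
"""Toy model: pair-wise traffic keys versus one group key shared by all nodes.

Constructed example for illustration only. Keys are string labels, not
cryptographic material; nodes are arbitrary placeholder names.
"""
from itertools import combinations


def pairwise_sas(nodes):
    """One SA per unordered pair of nodes, each with its own traffic key.

    Total SAs: n*(n-1)/2. Each node holds n-1 keys (one per peer)."""
    return {frozenset(p): f"k_{min(p)}_{max(p)}"
            for p in combinations(sorted(nodes), 2)}


def group_sas(nodes):
    """Same set of flows, but every flow is protected under the single key
    a key server distributed to all members (the GETVPN-style model)."""
    return {frozenset(p): "k_group" for p in combinations(sorted(nodes), 2)}


def keys_held(sa_table, node):
    """Distinct traffic keys a node must store to talk to all its peers."""
    return {key for pair, key in sa_table.items() if node in pair}


def exposed_flows(sa_table, compromised):
    """Flows readable by an attacker holding the keys of the compromised nodes.

    A node only ever holds the keys of the SAs it participates in, so with
    pair-wise keys exposure is limited to the compromised nodes' own flows;
    with a group key one compromised member yields every flow in the VPN."""
    compromised = frozenset(compromised)
    held = {key for pair, key in sa_table.items() if pair & compromised}
    return {pair for pair, key in sa_table.items() if key in held}


def rekey_cost(sa_table, revoked_node):
    """SAs that must be rekeyed to lock out one revoked node: every SA
    whose key that node knows."""
    return exposed_flows(sa_table, {revoked_node})


def compare(nodes, compromised):
    """Summarise both schemes for a given set of compromised nodes."""
    pw, gk = pairwise_sas(nodes), group_sas(nodes)
    sample = sorted(nodes)[0]
    return {
        "flows": len(pw),
        "pairwise_keys_per_node": len(keys_held(pw, sample)),
        "group_keys_per_node": len(keys_held(gk, sample)),
        "pairwise_exposed": len(exposed_flows(pw, compromised)),
        "group_exposed": len(exposed_flows(gk, compromised)),
    }


if __name__ == "__main__":
    # Constructed topology: five branch CPEs in a full mesh.
    branches = {"cpe-A", "cpe-B", "cpe-C", "cpe-D", "cpe-E"}
    for victims in ({"cpe-A"}, {"cpe-A", "cpe-B"}):
        print(sorted(victims), compare(branches, victims))
```

With five nodes there are ten flows. Under pair-wise keys each CPE stores four keys and a single compromised CPE exposes four flows; under a group key each CPE stores one key but the same compromise exposes all ten, and revoking that CPE means rekeying every SA in the VPN. The per-node key count is the cost Linda raises; the exposure and rekey columns are what Yoav means by the lost security and robustness.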
