Hi Yoav,

> On 18 Jul 2017, at 17:48, Yoav Nir <[email protected]> wrote:
>
> With AES-GCM, AES-CCM, ChaCha20-Poly1305 you don’t need a PRNG at all.
>
> With AES-CBC you need an unpredictable IV, but you could generate them by
> encrypting a counter with one AES key (that could be provided by the
> controller)
As you know, IPsec is independent of the key management protocol. What the draft proposes is a way to allow the Controller (in case 2) to provide the required information for IPsec and to allow the Controller to receive the IPsec kernel notifications regarding SA required, SA expiration, etc., exactly as IKE does. These notifications, as Rafa says, are modelled by the YANG file and allow the Controller to have the whole view of what is happening in the NSFs. It allows the Controller to refresh keys, SA information, etc.

Regards,
Gabi.

> But you still need the TLS session.
>
>> On 18 Jul 2017, at 17:34, Yaron Sheffer <[email protected]> wrote:
>>
>> On 18/07/17 17:14, Yoav Nir wrote:
>>> I mostly agree, but one point…
>>>
>>>> On 18 Jul 2017, at 17:06, Tero Kivinen <[email protected]> wrote:
>>> <snip/>
>>>
>>>> This I think is an important question, i.e., what is the gain for not
>>>> running IKEv2 between the nodes?
>>>>
>>> Simpler gateway, less code, no PK operations, no need for random number
>>> generator.
>>>
>>> The counter-argument is that without all these you can’t set up a TLS
>>> session to run netconf over.
>>>
>>> Yoav
>>>
>> No random number generator? I don't think this is true even for a pure ESP
>> endpoint.
>>
>> Thanks,
>> Yaron
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec

-----------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
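The two IV strategies discussed in the thread (a bare counter for the AEAD nonce, an AES-encrypted counter for the CBC IV) and the reason CBC needs the IV to be unpredictable rather than merely unique, as an added example that is not part of this thread or of the I2NSF draft. The keys, the RFC 4106 salt, the SPI and the packet contents are constructed for the example; the controller is assumed to have pushed the keys, and none of the code calls a random number generator.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed keys for this example only (assumed to come from the controller).
var (
	trafficKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256 traffic key
	ivKey      = []byte("fedcba9876543210")                 // 16 bytes: AES-128, IV derivation only
	gcmSalt    = []byte{0xde, 0xad, 0xbe, 0xef}             // 4-byte salt from the SA (RFC 4106)
)

// cbcIVFromCounter derives an unpredictable 16-byte CBC IV from the packet
// counter by AES-encrypting it under a key never used for traffic. Deterministic,
// needs no RNG, yet an observer who knows the counter cannot predict the IV.
func cbcIVFromCounter(ivKey []byte, counter uint64) []byte {
	block, err := aes.NewCipher(ivKey)
	if err != nil {
		panic(err)
	}
	var in [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], counter)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, in[:])
	return iv
}

// espPad appends the RFC 4303 ESP trailer (padding bytes 1,2,3,..., then
// Pad Length and Next Header) so the payload is a whole number of AES blocks.
func espPad(plain []byte, nextHeader byte) []byte {
	padLen := (aes.BlockSize - (len(plain)+2)%aes.BlockSize) % aes.BlockSize
	out := append([]byte{}, plain...)
	for i := 1; i <= padLen; i++ {
		out = append(out, byte(i))
	}
	return append(out, byte(padLen), nextHeader)
}

// cbcEncrypt encrypts a padded ESP payload with AES-CBC under an explicit IV.
func cbcEncrypt(key, iv, padded []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// gcmNonce builds the RFC 4106 nonce: salt || 8-byte per-packet IV. GCM only
// needs uniqueness, so the counter is used as-is.
func gcmNonce(salt []byte, counter uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce, salt)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

// gcmSeal encrypts and authenticates with AES-GCM; the ESP header (SPI and
// sequence number) is the associated data, as in RFC 4106.
func gcmSeal(key, nonce, espHeader, plain []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plain, espHeader)
}

// predictableIVLeak shows why a raw counter is not an acceptable CBC IV.
// Having seen c1 = E(secret ^ iv1) and knowing the next IV iv2, an attacker who
// can submit a plaintext sends guess ^ iv1 ^ iv2; its first ciphertext block
// equals c1 exactly when guess == secret. With cbcIVFromCounter the attacker
// cannot compute iv2 ahead of time, so the probe cannot be built.
func predictableIVLeak(key, secret, guess []byte) bool {
	iv1 := make([]byte, aes.BlockSize) // raw counter 1
	iv2 := make([]byte, aes.BlockSize) // raw counter 2
	iv1[15], iv2[15] = 1, 2
	c1 := cbcEncrypt(key, iv1, secret[:aes.BlockSize])
	probe := make([]byte, aes.BlockSize)
	for i := range probe {
		probe[i] = guess[i] ^ iv1[i] ^ iv2[i]
	}
	c2 := cbcEncrypt(key, iv2, probe)
	return bytes.Equal(c1[:aes.BlockSize], c2[:aes.BlockSize])
}

func main() {
	payload := []byte("GET /status HTTP/1.1\r\n") // constructed inner packet
	for seq := uint64(1); seq <= 2; seq++ {
		hdr := make([]byte, 8) // constructed ESP header: SPI 0x1000, sequence number
		binary.BigEndian.PutUint32(hdr, 0x1000)
		binary.BigEndian.PutUint32(hdr[4:], uint32(seq))
		iv := cbcIVFromCounter(ivKey, seq)
		fmt.Printf("seq %d CBC iv=%x ct=%x\n", seq, iv, cbcEncrypt(trafficKey, iv, espPad(payload, 6)))
		n := gcmNonce(gcmSalt, seq)
		fmt.Printf("seq %d GCM nonce=%x ct=%x\n", seq, n, gcmSeal(trafficKey, n, hdr, payload))
	}
	secret := []byte("password1234567!")
	fmt.Println("raw-counter IV confirms plaintext guess:", predictableIVLeak(trafficKey, secret, secret))
}
```

The GCM path and the encrypted-counter CBC path both get by with nothing but the SA's keys and the packet counter, which is the gateway-side point Yoav makes; whether the NSF can avoid an RNG altogether still depends on how the controller channel that delivers those keys is protected.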
