Hi Rafa,

Both your case 2 solution and my proposal cannot meet the requirement that "the controller does not see or know the key material that will finally end in the NSFs". My proposal is more about the performance improvement than yours.

My idea is that the best solution is to prevent the controller from seeing the key.

B.R.
Frank

From: Rafa Marin-Lopez [mailto:[email protected]]
Sent: 12 July 2018 22:48
To: Xialiang (Frank, Network Integration Technology Research Dept) <[email protected]>
Cc: Rafa Marin-Lopez <[email protected]>; [email protected]; [email protected]
Subject: Re: One comment on draft-ietf-i2nsf-sdn-ipsec-flow-protection-02

Dear Xialiang:

We are exploring different alternatives where the controller does not see or know the key material that will finally end in the NSFs. In the current approach specified in the I-D, both Tx SA and Rx SA will still have different keys (the inbound SA will have a different key than the outbound SA). The main discussion is whether it is suitable that a trusted entity such as the controller sees the keys used in the inbound and outbound SA in case 2.

Do you have any solution in mind?

Best Regards.

On 12 Jul 2018, at 3:12, Xialiang (Frank, Network Integration Technology Research Dept) <[email protected]> wrote:

Hi authors,

In Section 5.2.1, to avoid exposure of other nodes once one node is compromised, key materials for each pair must be different and irreversible; this may cause a performance issue for the controller in a large network during initial setup and rekey. So, to distribute some of the SA key calculation to each device while still avoiding negotiation latency, another option is that the controller can send common key material to all NSFs, and then each NSF calculates the actual SA key using the common key and known local and peer info. This way, both peers can generate the Tx SA and Rx SA without negotiating with each other; also, the keys will be unique for each tunnel.

Will you consider this option?

Thanks!

B.R.
Frank

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501
Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------
_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
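The derivation Frank sketches in his original comment (the controller distributes common key material; each NSF derives its own SA keys from that material plus local and peer identifiers, with no negotiation), worked through as an added example. This code is not part of the thread or of the I-D: the identifier format, the HKDF-style construction (RFC 5869 over HMAC-SHA256) and the context labels are assumptions made here, since the draft specifies none of them. Two NSFs running it with their roles swapped obtain mirrored Tx/Rx keys, and different tunnels and directions get different keys. Because the only inputs are the common material and public identifiers, any party holding the common material recomputes every tunnel's keys, which is the property Frank concedes in his reply when he says the proposal cannot keep the keys from the controller.

```python
import hashlib
import hmac

# Added example: per-tunnel IPsec SA key derivation from controller-distributed
# common key material, as sketched in the thread. The identifier format, the
# HKDF-style construction and the context labels are assumptions of this
# example, not something the draft specifies.

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) || T(2) || ... truncated to length."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sa_keys(common_key: bytes, local_id: bytes, peer_id: bytes,
                   key_len: int = 32) -> tuple:
    """Return (tx_key, rx_key) for the tunnel between local_id and peer_id.

    Both ends run this with their roles swapped and obtain mirrored keys:
    A's tx key is B's rx key and vice versa, with no message exchange.
    Inputs are only the common material and public identifiers, so anyone
    holding the common material (the controller included) can recompute them.
    """
    # Order the pair canonically so both ends agree on the tunnel label.
    first, second = sorted((local_id, peer_id))
    tunnel = b"i2nsf-tunnel|" + first + b"|" + second   # hypothetical label
    prk = hkdf_extract(tunnel, common_key)

    def directional_key(src: bytes, dst: bytes) -> bytes:
        # Inbound and outbound keys differ: the label binds the direction.
        return hkdf_expand(prk, b"i2nsf-sa|" + src + b"->" + dst, key_len)

    tx_key = directional_key(local_id, peer_id)   # protects traffic local -> peer
    rx_key = directional_key(peer_id, local_id)   # protects traffic peer -> local
    return tx_key, rx_key


def keys_match(common_key: bytes, a: bytes, b: bytes) -> bool:
    """True when A and B, deriving independently, hold mirrored SA keys."""
    a_tx, a_rx = derive_sa_keys(common_key, a, b)
    b_tx, b_rx = derive_sa_keys(common_key, b, a)
    return a_tx == b_rx and a_rx == b_tx and a_tx != a_rx


if __name__ == "__main__":
    # Constructed sample: 32 bytes of common material pushed by the controller.
    common = bytes(range(32))
    for peer in (b"nsf-b", b"nsf-c"):
        tx, rx = derive_sa_keys(common, b"nsf-a", peer)
        print(peer.decode(), "tx", tx.hex()[:16], "rx", rx.hex()[:16])
    print("mirrored keys on both ends:", keys_match(common, b"nsf-a", b"nsf-b"))
```

Each NSF needs only the common material it already received and the identity of its peer, so the controller does no per-pair work; the same inputs in the controller's hands produce the same keys, which is exactly the trade-off the thread is debating.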
