Linda Dunbar writes:
> There are two cases proposed by SDN controlled IPsec Flow Protection:
>
> - Case 1 is SDN controller only sending down the IPsec configuration attributes to End points, and End Points support the IKEs and SA maintenance.
>
> - Case 2 is end points not supporting IKEv2. SDN controller manages all the SA Key computation and distributes to all end nodes. We had an interim meeting discussing this. (see the attached Meeting minutes).
>
> Question to IPsecme WG: How about something in between?
>
> - Assume that SDN controller maintains TLS (or DTLS) to all end points for distributing the IPsec configuration attributes (same as Case 1 above).
>
> - Instead of using IKEv2 for two end points (E1 & E2) to establish secure channel first for SA negotiation purpose, E1 can utilize the secure channel between E1 <-> SDN-Controller <-> E2 to negotiate SA with E2 and be responsible for its own SA computation.
>
> - E1 & E2 still compute SA and maintain SAD. Only utilize the secure channel through the SDN controller to exchange SA.
>
> This method not only doesn't require the SDN controller to keep all the SAD for all nodes, but also simplifies large SD-WAN deployment with a large number of IPsec tunnels among many end points.
There are lots of TLAs who would like that kind of setup, including some governments, as this would allow a very easy way to keep track of all traffic keys, as they are always transmitted through the SDN controller, so there is no need to hack..., I mean install trusted 3rd party key backup software on every single node.

I think this has exactly the same bad properties as case 2 has, i.e., it will provide traffic keys in one centralized location where they are conveniently available for those who will need them, without any co-operation from the actual nodes sending or receiving traffic, and it does not solve the issue of providing the ways to do the proper key management parts that IKEv2 also does.

If the nodes are doing Diffie-Hellman through the SDN controller, then I do not see any benefit from case 1, I mean then you still have all the calculations to be done, so why not run full IKEv2 instead, and that will also solve all the other management issues we have talked about before (rekeying, deleting SAs, negotiating per-flow SAs, NAT detection and NAT-T, etc).

--
[email protected]

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
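To make the reviewer's point concrete, here is an added Python model (not code from the thread or from any I2NSF or IPsecme document) of what the SDN controller gets to see under each option: Case 1, Case 2, the proposed SA relay, and the Diffie-Hellman-through-the-controller variant mentioned in the reply. The toy DH group, the KDF and the message formats are constructed assumptions for illustration.

```python
import hashlib
import os

# Toy Diffie-Hellman parameters, constructed for illustration only: a real
# deployment would use an IKEv2 MODP or ECP group, not a 127-bit prime.
P = 2**127 - 1
G = 3


def kdf(shared_secret: int) -> bytes:
    """Derive an SA traffic key from a DH shared secret (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Controller:
    """SDN controller relaying over its TLS sessions to E1 and E2. Every relayed
    payload is recorded, modelling what a compromised or coerced controller sees."""

    def __init__(self):
        self.observed = []

    def relay(self, payload: bytes) -> bytes:
        self.observed.append(payload)
        return payload

    def saw_key(self, key: bytes) -> bool:
        return any(key in p for p in self.observed)


def case1_endpoints_run_ike(ctrl: Controller):
    """Case 1: controller pushes config; E1 and E2 run DH directly with each other."""
    ctrl.relay(b"config: peer=E2 proposal=AES-GCM-256 dh=group14")
    a, b = int.from_bytes(os.urandom(16), "big"), int.from_bytes(os.urandom(16), "big")
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # exchanged E1 <-> E2, never via controller
    return kdf(pow(pub_b, a, P)), kdf(pow(pub_a, b, P))


def case2_controller_computes_keys(ctrl: Controller):
    """Case 2: endpoints lack IKEv2; the controller generates the SA key and distributes it."""
    key = os.urandom(32)
    return ctrl.relay(key), ctrl.relay(key)


def inbetween_relay_sa(ctrl: Controller):
    """Proposal: E1 computes the SA and ships it to E2 through the controller's channel."""
    key = os.urandom(32)
    return key, ctrl.relay(key)


def inbetween_dh_via_controller(ctrl: Controller):
    """Reply's variant: E1 and E2 run DH, exchanging only public values via the controller."""
    a, b = int.from_bytes(os.urandom(16), "big"), int.from_bytes(os.urandom(16), "big")
    pub_a = int.from_bytes(ctrl.relay(pow(G, a, P).to_bytes(16, "big")), "big")
    pub_b = int.from_bytes(ctrl.relay(pow(G, b, P).to_bytes(16, "big")), "big")
    return kdf(pow(pub_b, a, P)), kdf(pow(pub_a, b, P))
```

Each function returns the traffic key as held by E1 and by E2; `Controller.saw_key` answers whether that key ever transited the controller, which is true for Case 2 and for the SA-relay proposal but not for the two DH-based options.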
