I2NSF WG session will be on Nov 7 at 15:40-17:10 (90 minutes). Please let us know if you need a meeting slot. If you need to present remotely, please let us know as soon as possible.

We will designate some meeting time to discuss security risks associated with different levels of information exchanged with Network functions for the purpose of some degrees of simplifying the IPsec SA on the network functions.

Currently, there are three proposals going around (details of those proposals are described in detail in https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ and https://datatracker.ietf.org/doc/draft-carrel-ipsecme-controller-ike/):

1. Have the SD-WAN controller provision security policy (SPD and PAD in RFC4301 language) and maybe also credentials, and have the endpoints use IKEv2 to derive the IPsec session keys and set up tunnels.
2. Have the SDN controller provision IPsec session keys to the IPsec endpoints.
3. Keep the DH exchange (through the SD-WAN controller) but eliminate the rest of IKEv2 so the controller doesn't get the IPsec session keys.

The goal is to document the risks of sharing the IPsec session keys with the controller, so that users can make an informed decision.

Linda & Yoav
