Hi, Linda

> On 21 Apr 2017, at 0:40, Linda Dunbar <linda.dun...@huawei.com> wrote:
>
> Yoav,
>
> You said that it is a bad idea to have "sharing key among multiple points" as introduced by draft-abad-i2nsf-sdn-ipsec-flow-protection.
>
> Isn't the "Group Encryption Key" of having a "Key Server" distributing the key to multiple members doing the same?
> http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf
Just because Cisco do it doesn’t mean that it’s not a bad idea. :-)

GETVPN is based on GDOI (RFC 6407). GDOI is about extending IPsec to multicast communications, where in a group of nodes a node encrypts a multicast IPsec packet and sends it to all group members who in turn decrypt it. For group communications sharing a key is inevitable.

GETVPN extends the key server back to regular unicast IPsec. It trades the security and robustness of pair-wise key exchange for the operational convenience of using a single traffic key for the entire configuration. In return for everyone using the same key, they eliminate the need for each node to be configured with the IP address and protected domain of every other node.

Any SDN or SDN-like solution does not need to eliminate configuration as that can be done dynamically by the controller. I don’t think the trade-off that was necessary for GDOI and convenient for GETVPN has many advantages for VPN with SDN.

Yoav
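The trade-off Yoav describes, as an added toy model that is not part of the list thread, the draft, or any GETVPN or GDOI implementation: it counts, for the same set of VPN nodes, how many distinct traffic keys exist, how many keys (and therefore how many peer entries) each node must hold, and how many flows an attacker can decrypt after extracting the keys held by one compromised node. Node names, key identifiers and the compromised node are constructed for the example.

```python
"""
Toy comparison of pair-wise keying versus a single group traffic key
(GDOI / GETVPN style) for a unicast IPsec VPN.

Added illustration only; not code from the IPsec list thread, the
draft, or any GETVPN implementation.  Node names, key identifiers and
the "compromise" scenario are constructed for the example.
"""
from itertools import combinations


def build_pairwise(nodes):
    """Pair-wise keying: one distinct traffic key per unordered pair of nodes.

    Returns {frozenset({a, b}): key_id}.  Each entry is one protected flow.
    """
    return {frozenset(p): f"k({p[0]},{p[1]})" for p in combinations(nodes, 2)}


def build_group(nodes):
    """Group keying: every pair of nodes protects its flow with the same key
    handed out by the key server (constructed key id "k(group)")."""
    return {frozenset(p): "k(group)" for p in combinations(nodes, 2)}


def distinct_keys(keying):
    """Number of different traffic keys in use across the whole VPN."""
    return len(set(keying.values()))


def keys_held_by(keying, node):
    """Distinct keys a node must store.  Under pair-wise keying this equals
    the number of peers the node must be configured with (address and
    protected domain); under group keying it is always one."""
    return {key for pair, key in keying.items() if node in pair}


def flows_exposed_by_compromise(keying, compromised):
    """Flows whose traffic key becomes known once every key held by the
    compromised node is extracted.  With pair-wise keys only that node's own
    flows are affected; with a group key every flow in the VPN is."""
    leaked = keys_held_by(keying, compromised)
    return {pair for pair, key in keying.items() if key in leaked}


def compare(nodes, compromised):
    """Side-by-side numbers for both keying models on the same node set."""
    result = {}
    for name, keying in (("pairwise", build_pairwise(nodes)),
                         ("group", build_group(nodes))):
        result[name] = {
            "distinct_keys": distinct_keys(keying),
            "keys_per_node": len(keys_held_by(keying, compromised)),
            "flows_exposed": len(flows_exposed_by_compromise(keying, compromised)),
            "total_flows": len(keying),
        }
    return result


if __name__ == "__main__":
    # Constructed five-node VPN; assume node "A" is compromised.
    for model, stats in compare(["A", "B", "C", "D", "E"], "A").items():
        print(model, stats)
```

The blast-radius column is the substance of the argument: group keying collapses per-node configuration to a single key, but one extracted key decrypts every flow in the VPN, whereas with pair-wise keys a compromise exposes only the flows that node was party to. A controller that pushes peer configuration dynamically removes the configuration cost that motivated the group key without giving up the smaller blast radius.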
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec