Hi.

This may be of interest to this working group.

The I2NSF working group is meeting this afternoon at 13:30

On the agenda ([1]) there’s a 10-minute slot for controlling IPsec endpoints 
using SDN ([2]).

I think this draft has two issues:

1. Their IKE-less case (case #2) has session keys generated on the controller and 
forwarded to the IPsec endpoints. IMO this introduces new ways for the keys to 
leak.

2. The information flow in the draft is all from the controller to the endpoints. 
The controller is assumed to know a priori the entire topology of all 
endpoints. IMO this is not realistic for VPNs, where often the addresses are 
allocated by third-party ISPs.

I think any SDN or SDN-like solution for populating the SPD and PAD would need 
to have information flowing from the endpoints to the controller about the 
protected domain of that endpoint. Before that you can’t generate the SPDs.

OTOH this group failed in creating something like that in the AD-VPN work item. 
Several companies are now offering their own “SD-WAN” solution that is partly 
about automatic configuration of IPsec tunnels.

So in case you’re interested, you can come to the I2NSF meeting and hear their 
presentation.


Yoav

[1] https://www.ietf.org/proceedings/99/agenda/agenda-99-i2nsf-02.txt
[2] https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-03


_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec