Hi,
Note that I am an IPsec person and not a routing expert.
The document's idea looks fine to me. It is using BGP messages
to provision IKEv2 so that IPsec tunnels can be setup to protect
packets as best as possible. That's great :)
And unlike most proposals the IPsec WG sees, this document does not try
to replace IKEv2 with its own smarter Key Exchange protocol, so that's
a double plus :)
Thanks for reaching out to the ipsec WG, we really appreciate the chance
to read drafts that use IPsec to give advise.
Below are some of my comments and questions I have:
- Configuring large number of tunnels is error prone and not scalable
* Only true to some extend
* See AutoVPN, DMVPM, NHRP+IKE
* Still, this provisioning system seems to fit your eco system. It's as
simple as it can be and
does not seem to introduce any new complexity or risks.
- What is "color"?
- Section 3, step 4:
When a router need to forward a packet along a path is determined
by a BGP UPDATE which has a tunnel encapsulation attribute that
contains one or more IPsec TLV, and router decides use IPsec
based on local policy,
Required vs Optional IPsec issue. If only one end has "required" and the
other end has "optional" then unencrypted packets will be dropped. Seeing
IPsec tunnel TLV should probably mean it is mandatory to setup a tunnel?
It can be done as "optional" but then the IPsec/kernel mechanisms cannot
trigger an IKE/IPsec negotiation and this protocol needs to be
responsible for not just configuring IKEv2/IPsec but also for bringing
up the tunnels when needed.
- Section 3, step 6:
- signaling IPsec configuration
Call it IPsec provisioning ?
- Examples are using less prefered and slower algorithms
* Change AES-CBC-256 with SHA-384. to AES-GCM-256 or CHACHA20_POLY1305
* Change NULL-SHA256 to NULL-AES-GMAC
- 1/128 and 2/128 ?
For 1/128 (VPN-IPv4 Labeled Unicast), 2/128 (VPN-IPv6 Labeled
Unicast), these NLRI has embedded label, which cause the payload
packet can't be encapsulated in ESP packet,
I don't understand why 1/128 or 2/128 are special ?
Open questions:
- If the IKEv2 protocol fails, what happens with packets? Release in clear or
drop?
Is this something the BGP should configure/provision ? If not, it should state
which of the two is expected
- If a router R1 and R2 have an ipsec tunnel for some traffic, and R1
crashes/reboots,
how do things recover? R2 will send packets and might not know something is
wrong, unless
it is configured for liveness. What happens when R1 comes back up? If all BGP
routes
are taken away via another mechanism, then I guess R2 would simply delete its
tunnel.
- Performance: if routes are large (eg 0/128) then very few tunnels would cover
lots of
routes. In general, having more parallel smaller CHILD SA's outperforms a
single or two
CHILD SA's by far. This could introduce performance issues.
- Some IPsec options not mentioned could prevent a tunnel from being setup,
such as
whether to use Extended Sequence Numbers (ESN), or Perfect Forward Secrecry
(PFS).
Some of these could be locked down in the document (PFS=yes) but things like
ESN
really depend on the bandwidth of the tunnel.
- Maybe some advise on replay-window size would be good. Larger is better but
takes more
memory. Matters mostly for highspeed links.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
