Software-Defined Networking (SDN)-based IPsec Flow Protection

Document Type Replaced Internet-Draft (candidate for i2nsf WG)
Authors Rafael Marin-Lopez  , Gabriel Lopez-Millan 
Last updated 2017-09-15 (latest revision 2017-05-04)
Replaced by RFC 9061
Stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Expired & archived
pdf htmlized bibtex
Yang Validation 0 errors, 0 warnings.
Stream WG state Call For Adoption By WG Issued
Document shepherd No shepherd assigned
IESG IESG state Replaced by draft-ietf-i2nsf-sdn-ipsec-flow-protection
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes the use case of providing IPsec-based flow protection by means of a Software-Defined Network (SDN) controller (aka. Security Controller) and establishes the requirements to support this service. It considers two main well-known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-host. This document describes a mechanism based on the SDN paradigm to support the distribution and monitoring of IPsec information from a SDN controller to one or several flow-based Network Security Function (NSF). The NSFs implement IPsec to protect data traffic between network resources with IPsec. The document focuses in the NSF Facing Interface by providing models for Configuration and State data model required to allow the Security Controller to configure the IPsec databases (SPD, SAD, PAD) and IKE to establish security associations with a reduced intervention of the network administrator. NOTE: State data model will be developed as part of this work but it is still TBD.


Rafael Marin-Lopez (
Gabriel Lopez-Millan (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)