Software-Defined Networking (SDN)-based IPsec Flow Protection
draft-ietf-i2nsf-sdn-ipsec-flow-protection-07
|
| Document |
Type |
|
Active Internet-Draft (i2nsf WG)
|
|
Last updated |
|
2019-11-20
(latest revision 2019-08-05)
|
|
Replaces |
|
draft-abad-i2nsf-sdn-ipsec-flow-protection
|
|
Stream |
|
IETF
|
|
Intended RFC status |
|
Proposed Standard
|
|
Formats |
|
plain text
xml
pdf
htmlized
bibtex
|
|
Yang Validation |
|
☯
0 errors, 0 warnings.
draft-ietf-i2nsf-sdn-ipsec-flow-protection-07.txt:
xym 0.4.4:
Extracting 'ietf-ipsec-common@2019-08-05.yang'
Removed 0 empty lines
Extracting 'ietf-ipsec-ike@2019-08-05.yang'
Removed 3 empty lines
Extracting 'ietf-ipsec-ikeless@2019-08-05.yang'
Removed 2 empty lines
ietf-ipsec-common@2019-08-05.yang:
pyang 2.1.1: pyang --verbose --ietf -p {libs} {model}:
# read ietf-ipsec-common@2019-08-05.yang (CL)
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-inet-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-inet-types@2019-11-04.yang
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-yang-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-yang-types@2019-11-04.yang
yanglint SO 1.6.7: yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model} -i:
No validation errors
ietf-ipsec-ikeless@2019-08-05.yang:
pyang 2.1.1: pyang --verbose --ietf -p {libs} {model}:
# read ietf-ipsec-ikeless@2019-08-05.yang (CL)
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-yang-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-yang-types@2019-11-04.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-ipsec-common@2019-08-05.yang
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-inet-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-inet-types@2019-11-04.yang
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-netconf-acm.yang
# read /a/www/ietf-ftp/yang/rfcmod/ietf-netconf-acm@2018-02-14.yang
yanglint SO 1.6.7: yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model} -i:
No validation errors
ietf-ipsec-ike@2019-08-05.yang:
pyang 2.1.1: pyang --verbose --ietf -p {libs} {model}:
# read ietf-ipsec-ike@2019-08-05.yang (CL)
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-inet-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-inet-types@2019-11-04.yang
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-yang-types.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-yang-types@2019-11-04.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-crypto-types@2019-11-20.yang
# read /a/www/ietf-datatracker/6.118.0/env/share/yang/modules/ietf/ietf-netconf-acm.yang
# read /a/www/ietf-ftp/yang/rfcmod/ietf-netconf-acm@2018-02-14.yang
# read /a/www/ietf-ftp/yang/draftmod/iana-symmetric-algs@2019-11-20.yang
# read /a/www/ietf-ftp/yang/draftmod/iana-asymmetric-algs@2019-11-20.yang
# read /a/www/ietf-ftp/yang/draftmod/ietf-ipsec-common@2019-08-05.yang
yanglint SO 1.6.7: yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model} -i:
No validation errors
|
|
Reviews |
|
|
|
Additional URLs |
|
|
| Stream |
WG state
|
|
Submitted to IESG for Publication
|
|
Document shepherd |
|
Yoav Nir
|
|
Shepherd write-up |
|
Show
(last changed 2019-08-06)
|
| IESG |
IESG state |
|
Publication Requested
|
|
Consensus Boilerplate |
|
Yes
|
|
Telechat date |
|
|
|
Responsible AD |
|
Roman Danyliw
|
|
Send notices to |
|
Yoav Nir <ynir.ietf@gmail.com>
|
I2NSF R. Marin-Lopez
Internet-Draft G. Lopez-Millan
Intended status: Standards Track University of Murcia
Expires: February 6, 2020 F. Pereniguez-Garcia
University Defense Center
August 5, 2019
Software-Defined Networking (SDN)-based IPsec Flow Protection
draft-ietf-i2nsf-sdn-ipsec-flow-protection-07
Abstract
This document describes how providing IPsec-based flow protection by
means of a Software-Defined Network (SDN) controller (aka. Security
Controller) and establishes the requirements to support this service.
It considers two main well-known scenarios in IPsec: (i) gateway-to-
gateway and (ii) host-to-host. The SDN-based service described in
this document allows the distribution and monitoring of IPsec
information from a Security Controller to one or several flow-based
Network Security Function (NSF). The NSFs implement IPsec to protect
data traffic between network resources.
The document focuses on the NSF Facing Interface by providing models
for configuration and state data required to allow the Security
Controller to configure the IPsec databases (SPD, SAD, PAD) and IKEv2
to establish Security Associations with a reduced intervention of the
network administrator.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 6, 2020.
Marin-Lopez, et al. Expires February 6, 2020 [Page 1]
Internet-Draft SDN-based IPsec Flow Protection Services August 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. SDN-based IPsec management description . . . . . . . . . . . 6
5.1. IKE case: IKE/IPsec in the NSF . . . . . . . . . . . . . 6
5.1.1. Interface Requirements for IKE case . . . . . . . . . 7
5.2. IKE-less case: IPsec (no IKEv2) in the NSF. . . . . . . . 7
5.2.1. Interface Requirements for IKE-less case . . . . . . 8
5.3. IKE case vs IKE-less case . . . . . . . . . . . . . . . . 9
5.3.1. Rekeying process. . . . . . . . . . . . . . . . . . . 10
5.3.2. NSF state loss. . . . . . . . . . . . . . . . . . . . 12
5.3.3. NAT Traversal . . . . . . . . . . . . . . . . . . . . 12
5.3.4. NSF Discovery . . . . . . . . . . . . . . . . . . . . 13
6. YANG configuration data models . . . . . . . . . . . . . . . 13
6.1. IKE case model . . . . . . . . . . . . . . . . . . . . . 14
6.2. IKE-less case model . . . . . . . . . . . . . . . . . . . 17
7. Use cases examples . . . . . . . . . . . . . . . . . . . . . 20
7.1. Host-to-host or gateway-to-gateway under the same
Security Controller . . . . . . . . . . . . . . . . . . . 20
7.2. Host-to-host or gateway-to-gateway under different
Security Controllers . . . . . . . . . . . . . . . . . . 24
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
9. Security Considerations . . . . . . . . . . . . . . . . . . . 27
9.1. IKE case . . . . . . . . . . . . . . . . . . . . . . . . 28
9.2. IKE-less case . . . . . . . . . . . . . . . . . . . . . . 29
9.3. YANG modules . . . . . . . . . . . . . . . . . . . . . . 29
Show full document text