IPsec Experts:

Our draft (https://datatracker.ietf.org/doc/draft-dunbar-secdispatch-ligthtweight-authenticate/) describes lightweight authentication methods to prevent malicious actors from tampering with IP encapsulation headers or the metadata carried by the UDP Option Header. The IP encapsulation header is for steering encrypted payloads through the Cloud backbone without requiring the Cloud Gateway to decrypt or re-encrypt the payload, as outlined in https://datatracker.ietf.org/doc/draft-ietf-rtgwg-multisegment-sdwan/.

The proposed method is for environments where there are IPsec tunnels between SD-WAN Customer Premises Equipment (CPEs) and the Cloud Gateway (GW). For traffic originating from SD-WAN CPEs and terminating within the Cloud Data Center (DC), the Cloud GW decrypts the IPsec traffic. For traffic that needs to be routed via the Cloud Backbone to remote CPEs, the proposed lightweight authentication method is used. This method enables the Cloud GW to selectively authenticate the GENEVE header added to the encrypted traffic between CPEs, ensuring integrity and security during transit.

We need your feedback on which of the following ways is better for distributing Authentication Keys:

1. The IPsec tunnel itself provides a secure channel for transmitting the authentication keys. This ensures that the keys are protected from eavesdropping or tampering during distribution.

2. Reuse the existing IPsec keys as input to a key derivation function (KDF). The KDF generates unique authentication keys that are cryptographically linked to the IPsec keys but not directly exposed. This adds a layer of protection, even if the IPsec keys are compromised.

The proposed authentication method requires less processing compared to adding another layer of IPsec Authentication Header (AH) on top of IPsec Encapsulating Security Payload (ESP) traffic. This efficiency is achieved by focusing on authenticating only the GENEVE headers, rather than the entire packet, thereby reducing computational overhead and latency.

Any thoughts are greatly appreciated.

Linda Dunbar
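To make option 2 concrete, the following added example (not code from the draft or the post) derives a per-SA GENEVE-header authentication key from IPsec SA key material with HKDF (RFC 5869) and authenticates only the 8-byte GENEVE base header, leaving the ESP payload untouched. The KDF label, the use of the SPI as salt, the HMAC-SHA256 tag and its 16-byte truncation are assumptions for illustration; the draft itself is not quoted here.

```python
import hmac
import hashlib
import struct

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) from the stdlib hmac module: Extract, then Expand."""
    prk = hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_header_auth_key(ipsec_key: bytes, spi: int) -> bytes:
    """Option 2 from the post: a header-auth key linked to, but distinct from,
    the IPsec SA key. Label and SPI-as-salt are assumptions, not the draft's."""
    return hkdf(ipsec_key, struct.pack("!I", spi), b"geneve-header-auth", 32)


def geneve_header(vni: int, protocol: int = 0x6558) -> bytes:
    """8-byte GENEVE base header (RFC 8926): Ver=0/OptLen=0, flags=0,
    protocol type, 24-bit VNI followed by 8 reserved bits."""
    return struct.pack("!BBH", 0x00, 0x00, protocol) + struct.pack("!I", vni << 8)


def header_tag(key: bytes, header: bytes, tag_len: int = 16) -> bytes:
    """MAC over the GENEVE header only; the encrypted ESP payload is not read."""
    return hmac.new(key, header, HASH).digest()[:tag_len]


def verify_header(key: bytes, header: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the GW does not leak tag bytes via timing."""
    return hmac.compare_digest(header_tag(key, header, len(tag)), tag)


def demo() -> dict:
    ipsec_key = bytes(range(32))  # constructed stand-in for the ESP SA key
    key = derive_header_auth_key(ipsec_key, spi=0x1000)
    hdr = geneve_header(vni=0xABCDE)
    tag = header_tag(key, hdr)
    tampered = geneve_header(vni=0xABCDF)  # attacker flips the VNI in transit
    return {
        "valid": verify_header(key, hdr, tag),
        "tampered": verify_header(key, tampered, tag),
        "key_is_not_ipsec_key": key != ipsec_key,
    }
```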
IPsec mailing list -- ipsec@ietf.org