Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Rafa Marin-Lopez
Hi Tero: Thanks for this discussion. Really interesting and productive in my opinion. My comments inline > On 19 Jul 2017, at 10:17, Tero Kivinen wrote: > > Rafa Marin-Lopez writes: >>I.e. any TLA would love to get their hands on all the traffic keys in >>one location, and then be

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Rafa Marin-Lopez
Hi Valery, Gabi: A couple of comments inline. > On 19 Jul 2017, at 16:21, Gabriel Lopez wrote: > > Hi Valery, > >> On 19 Jul 2017, at 13:54, Valery Smyslov > > wrote: >> >> Hi Alejandro, >> >> It is more fragile too. You must perform periodical rekey

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Gabriel Lopez
Hi Valery, > On 19 Jul 2017, at 13:54, Valery Smyslov wrote: > > Hi Alejandro, > > It is more fragile too. You must perform periodical rekey (update keys) > and this must be done synchronously. You have to do it by pairs, does not seem that difficult. And, as IKE does, y

[IPsec] I-D Action: draft-ietf-ipsecme-split-dns-01.txt

2017-07-19 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Maintenance and Extensions of the IETF. Title : Split DNS Configuration for IKEv2 Authors : Tommy Pauly Paul Wo

Re: [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Valery Smyslov
Hi Alejandro, > >> > It is more fragile too. You must perform periodical rekey (update keys) > >> > and this must be done synchronously. > >> You have to do it by pairs, does not seem that difficult. And, as IKE > >> does, you create the new ones and, once created, delete the old ones. I > >>

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Tero Kivinen
Rafa Marin-Lopez writes: > I.e. any TLA would love to get their hands on all the traffic keys in > one location, and then be able to decrypt any traffic going inside any > of the IPsec tunnels. > > If controller only has the PSKs or similar to do the authentication > between

Re: [IPsec] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Alejandro Pérez Méndez
Hi Valery, Hi Alejandro, Hi Valery, all, > > In general, central distribution of session keys looks much less secure, > than running IKEv2 on them. That's arguable, yes. But being less secure does not mean being useless. Coming to my previous comment, we don't use RSA with 8192 bit keys