Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-21 Thread Gabriel Lopez
Hi Yoav, Valery, > On 20 Jul 2017, at 10:12, Yoav Nir wrote: > >> >> On 20 Jul 2017, at 9:56, Valery Smyslov > > wrote: >> >> Hi Gabriel, >> >> I think that at this point the discussion is not very productive. >> I

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-20 Thread Yoav Nir
> On 20 Jul 2017, at 9:56, Valery Smyslov wrote: > > Hi Gabriel, > > I think that at this point the discussion is not very productive. > I admit that I’m not very familiar with SDNs, so I have to > blindly trust you when you state that the SDN Controller > knows everything

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-20 Thread Valery Smyslov
Hi Gabriel, I think that at this point the discussion is not very productive. I admit that I’m not very familiar with SDNs, so I have to blindly trust you when you state that the SDN Controller knows everything and is able to control everything, so it is like God. Probably this is true.

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Rafa Marin-Lopez
Hi Tero: Thanks for this discussion. Really interesting and productive in my opinion. My comments inline > On 19 Jul 2017, at 10:17, Tero Kivinen wrote: > > Rafa Marin-Lopez writes: >>I.e. any TLA would love to get their hands on all the traffic keys in >>one

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Rafa Marin-Lopez
Hi Valery, Gabi: A couple of comments inline. > On 19 Jul 2017, at 16:21, Gabriel Lopez wrote: > > Hi Valery, > >> On 19 Jul 2017, at 13:54, Valery Smyslov > > wrote: >> >> Hi Alejandro, >> >> It is more fragile too.

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Gabriel Lopez
Hi Valery, > On 19 Jul 2017, at 13:54, Valery Smyslov wrote: > > Hi Alejandro, > > It is more fragile too. You must perform periodical rekey (update keys) > and this must be done synchronously. You have to do it by pairs, does not seem that difficult. And,

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-19 Thread Tero Kivinen
Rafa Marin-Lopez writes: > I.e. any TLA would love to get their hands on all the traffic keys in > one location, and then be able to decrypt any traffic going inside any > of the IPsec tunnels. > > If controller only has the PSKs or similar to do the authentication >

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-18 Thread Rafa Marin-Lopez
Hi Paul: >> It is more fragile too. You must perform periodical rekey (update keys) >> and this must be done synchronously. All the rekey problems that were >> solved by IKE will arise again. > > Indeed! For example, if the ESP algorithm is an AEAD, and the endpoint > reboots, and the central

Re: [IPsec] [I2nsf] draft-abad-i2nsf-sdn-ipsec-flow-protection

2017-07-18 Thread Rafa Marin-Lopez
Hi Tero, Valery: Please see inline. > On 18 Jul 2017, at 17:06, Tero Kivinen wrote: > > Valery Smyslov writes: >> I'm very much concerned with the IKE-less option presented in the >> draft. >> >> First, the Network Controller becomes a very attractive target for >>