Skip to main content

Software-Defined Networking (SDN)-based IPsec Flow Protection

Document Type Replaced Internet-Draft (candidate for i2nsf WG)
Expired & archived
Authors Rafael Marin-Lopez , Gabriel Lopez-Millan
Last updated 2017-09-15 (Latest revision 2017-05-04)
Replaced by draft-ietf-i2nsf-sdn-ipsec-flow-protection
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Yang Validation 0 errors, 0 warnings
Additional resources Mailing list discussion
Stream WG state Call For Adoption By WG Issued
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-i2nsf-sdn-ipsec-flow-protection
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes the use case of providing IPsec-based flow protection by means of a Software-Defined Network (SDN) controller (aka. Security Controller) and establishes the requirements to support this service. It considers two main well-known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-host. This document describes a mechanism based on the SDN paradigm to support the distribution and monitoring of IPsec information from a SDN controller to one or several flow-based Network Security Function (NSF). The NSFs implement IPsec to protect data traffic between network resources with IPsec. The document focuses in the NSF Facing Interface by providing models for Configuration and State data model required to allow the Security Controller to configure the IPsec databases (SPD, SAD, PAD) and IKE to establish security associations with a reduced intervention of the network administrator. NOTE: State data model will be developed as part of this work but it is still TBD.


Rafael Marin-Lopez
Gabriel Lopez-Millan

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)