A Data Center Profile for Software Defined Networking (SDN)-based IPsec

Document Type Active Internet-Draft (individual)
Last updated 2019-07-23
I2NSF                                                             Y. Nir
Internet-Draft                                                   DellEMC
Intended status: Informational                             July 22, 2019
Expires: January 23, 2020

A Data Center Profile for Software Defined Networking (SDN)-based IPsec


   This document presents two profiles for configuring IPsec within a
   data center using an SDN controller and the YANG model described in
   the sdn-ipsec draft.

   Two profiles are described to allow both the IKE and IKE-less cases
   because some data centers may be required to use a standardized
   method of key exchange rather than SDN.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 23, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Nir                     Expires January 23, 2020                [Page 1]
Internet-Draft              IPsec DC Profile                   July 2019

1.  Introduction

   [sdn-ipsec] describes a YANG model that allows a software defined
   networking (SDN) controller to configure the use of IP security
   (IPsec - [RFC4301]) and optionally the Internet Key Exchange protocol
   (IKEv2 - [RFC7296]) to secure IP traffic between the hosts that it

   The SDN-IPsec document allows for configuration of most of the
   options available in IPsec.  However, not every one of those options
   is appropriate for every use case.

   The use case that is covered here is the need to encrypt traffic
   between hosts within a data center.  As explained in Section 2, data
   centers cannot be considered a secure environment where internal
   communications are safe behind the firewall.  One way to protect the
   internal traffic is to configure TLS pair-wise between the hosts, but
   [sdn-ipsec] provides a more convenient, automated solution.

   This document presents two profiles that are appropriate for
   encrypting traffic among the hosts in a data center, one with and one
   without the use of IKE.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   "Security Controller" or "SC" is an SDN controller used to configure
   security policy.  For the purposes of this document, we limit the use
   of this term to an SDN controller that distributes IPsec policy.

   "Data center hosts" is the term we use for any machine in the data
   center that communicates using Internet Protocol (IP) with other
   machines, both within and outside the data center.

   "Network Security Function" or "NSF" is the term used for a host in
   the data plane that implements a security function.  For the purposes
   of this document, we will call a host that has an IPsec stack and the
   software necessary to be configured by an SC an "IPsec NSF".


   "Control Domain" will be used here to mean the set of all IPsec NSFs
   controlled by a particular security controller.  The controller can
   set up security associations within the control domain, but any
   associations from within the domain to hosts or gateways outside of
   the domain have to be configured on the remote host as well.  The
   controller can, however, configure the local side of things, as
   mentioned in Section 3.4.
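   The control-domain boundary described above can be made concrete with
   a small simulation.  The following Python is an added illustration,
   not code from this draft or from the sdn-ipsec YANG model: a toy
   security controller that, in the IKE-less style, generates the SPI and
   key material for each pair of IPsec NSFs it manages and installs the
   resulting SAs on both sides.  When the peer lies outside the control
   domain, only the local NSF is configured and the parameters are
   queued for whoever administers the remote host.  Host names stand in
   for addresses, and the SA record holds only the fields needed to show
   the point; the class and method names are assumptions of this example.

```python
import os
from dataclasses import dataclass, field

# Added illustration (hypothetical names, not the draft's YANG model): a
# minimal security controller that manages SAs inside its control domain.


@dataclass(frozen=True)
class Sa:
    """One unidirectional IPsec SA as the controller pushes it to an NSF."""
    src: str      # host name standing in for the source address
    dst: str      # host name standing in for the destination address
    spi: int      # SPI values 0-255 are reserved (RFC 4303), so avoided here
    key: bytes    # generated by the controller (IKE-less profile)


@dataclass
class IpsecNsf:
    """A data-center host with an IPsec stack configured by the controller."""
    name: str
    sad: list = field(default_factory=list)   # installed SAs (toy SAD)


class SecurityController:
    def __init__(self, nsfs):
        # The control domain is the set of IPsec NSFs this controller manages.
        self.domain = {n.name: n for n in nsfs}
        # SA parameters for peers outside the domain; the remote side
        # has to be configured by other means (see Section 3.4).
        self.pending_remote = []

    @staticmethod
    def _new_sa(src, dst):
        # Random SPI in [256, 2^32 - 1] and a fresh 256-bit key.
        spi = 256 + int.from_bytes(os.urandom(4), "big") % (2 ** 32 - 256)
        return Sa(src, dst, spi, os.urandom(32))

    def protect(self, local, peer):
        """Set up the SA pair between a domain host and a peer.

        Returns 'both' when both ends were configured by this controller,
        or 'local-only' when the peer is outside the control domain.
        """
        if local not in self.domain:
            raise ValueError(f"{local} is not in this control domain")
        outbound = self._new_sa(local, peer)
        inbound = self._new_sa(peer, local)
        self.domain[local].sad.extend([outbound, inbound])
        if peer in self.domain:
            # Same SPIs and keys on both NSFs: no IKE negotiation needed.
            self.domain[peer].sad.extend([outbound, inbound])
            return "both"
        self.pending_remote.append((peer, outbound, inbound))
        return "local-only"

    def consistent(self, a, b):
        """True if NSFs a and b hold identical SA parameters for their pair."""
        def pair_sas(name):
            return {s for s in self.domain[name].sad if {s.src, s.dst} == {a, b}}
        return len(pair_sas(a)) == 2 and pair_sas(a) == pair_sas(b)


if __name__ == "__main__":
    sc = SecurityController([IpsecNsf("h1"), IpsecNsf("h2")])
    print(sc.protect("h1", "h2"), sc.consistent("h1", "h2"))   # both True
    print(sc.protect("h1", "ext-gw"), len(sc.pending_remote))  # local-only 1
```

   The consistency check is the property a real deployment would verify
   after a push: both NSFs of an in-domain pair must hold the same SPIs
   and keys, while a pair with an out-of-domain peer can only ever be
   half-configured from the controller's side.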

2.  Assumptions About The Environment