Sdwan-sec -- Handling IPsec configurations in large scale SD-WAN deployment with constrained resources

 

About Sdwan-sec

The SDWAN-SEC mailing list is for discussing optimized or simplified (and in some sense compromised) mechanisms for securing large-scale SD-WAN deployments with constrained resources, especially the risks associated with the various simplifications of the IPsec protocol that utilize the SD-WAN central controller. The traditional IPsec scheme requires that, in a fully meshed network, each device has to manage n^2 key exchanges and (n-1) keys. As an example, in a 1,000-node network, 1,000,000 key exchanges are required to authenticate the devices, and each node is responsible for maintaining and managing 999 keys. In addition, when an edge node has multiple tenants attached, it has to establish multiple tunnels for those tenants. For example, in a network with N nodes, if node A has 5 tenants attached to it, then node A has to maintain 5*(N-1) keys if each tenant needs to communicate with all other nodes. Therefore, simplification facilitated by the SD-WAN controller is needed for large-scale deployment. However, it is necessary to identify the associated risks, so that the industry can make an informed decision on the risks that can be tolerated in a specific environment.

To see the collection of prior postings to the list, visit the Sdwan-sec Archives or Sdwan-sec MHonArc Archives.

Using Sdwan-sec
To post a message to all the list members, send email to sdwan-sec@ietf.org.

You can subscribe to the list, or change your existing subscription, in the sections below.

Subscribing to Sdwan-sec

Subscribe to Sdwan-sec by filling out the following form. You will be sent email requesting confirmation, to prevent others from gratuitously subscribing you. This is a private list, which means that the list of members is not available to non-members.

    Your email address:  
    Your name (optional):  
    You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.

    If you choose not to enter a password, one will be automatically generated for you, and it will be sent to you once you've confirmed your subscription. You can always request a mail-back of your password when you edit your personal options.
    Pick a password:  
    Reenter password to confirm:  
    Which language do you prefer to display your messages? English (USA)  
    Would you like to receive list mail batched in a daily digest? No Yes
Sdwan-sec Subscribers
(The subscribers list is only available to the list members.)

Enter your address and password to visit the subscribers list:


To unsubscribe from Sdwan-sec, get a password reminder, or change your subscription options, enter your subscription email address:

If you leave the field blank, you will be prompted for your email address.


Sdwan-sec list run by sdwan-sec-owner at ietf.org
Sdwan-sec administrative interface (requires authorization)
Overview of all ietf.org mailing lists

Delivered by Mailman
version 2.1.29