Abstract

The standard Request for Comments (RFC) 9061 defines a framework to autonomously manage IPsec security associations (SAs) in SDN environments. The standard describes two cases: the IKE case, in which the nodes use the Internet Key Exchange (IKEv2) protocol to negotiate IPsec SAs, and the IKE-less case, in which IKEv2 is not shipped in the network devices and the SDN controller is in charge of distributing the IPsec SAs with all the information needed to secure the communications (cryptographic material, traffic selectors, algorithms, etc.). In both cases, for security reasons, the IPsec protocol requires the periodic renewal of the keys used by the IPsec SAs, in a process named rekey. The IKE case already has an automatic rekey mechanism, the IKEv2 protocol; the IKE-less case, however, requires the definition of a rekey method, which is implemented by the controller. The use of the IKE-less case has been recognized as useful in scenarios such as datacenters, with thousands of nodes requiring the management of SAs, or the Internet of Things, with constrained devices that may not have enough resources to use IKEv2. Therefore, the definition of a suitable rekey process is a keystone for the IKE-less case. This work presents the design, implementation and validation of four different algorithms to perform a rekey process in the IKE-less case of the IPsec standard, taking into account performance, security and packet loss. We have also analyzed each algorithm's behavior in representative network scenarios based on mesh or star topologies.
