Towards a standard SDN-based IPsec management framework
Saved in:
Published in: | Computer standards and interfaces 2019-10, Vol.66, p.103357, Article 103357 |
---|---|
Main authors: | , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | Highlights:
• Scalable management of IPsec security associations.
• IKE support at the network resources is optional.
• YANG model for the southbound interface under standardization.
• Applicable to SD-WAN scenarios.
The Software-Defined Networking (SDN) paradigm enables efficient management of future networks by decoupling the control plane from the data plane. Specifically, network resources (e.g. switches or routers) only perform Internet Protocol (IP) packet forwarding in the data plane, based on rules dictated by the SDN controllers that implement the control plane.
Although the applicability of SDN to network security management is a hot topic, managing the security associations that protect data plane communications through SDN is not well covered in the literature.
In this sense, the IP Security (IPsec) protocol is the standard for protecting IP traffic at the network level and is foreseen as a key element of the forthcoming 5G networks and of Software-Defined WAN (SD-WAN). Traditionally, IPsec operation is assisted by a key management protocol such as the Internet Key Exchange (IKEv2), which is responsible for establishing IPsec Security Associations (IPsec SAs). Yet manual configuration of IKEv2 is still required, and this does not scale when the number of IPsec entities is high.
In this paper we propose a solution for managing IPsec SAs using SDN that avoids manual configuration of the network resources and reduces the involvement of network administrators. We present two different cases, the IKE case and the IKE-less case, which trade off the participation of the SDN controller in IPsec management against the complexity of the network resource. We provide a comprehensive explanation and in-depth analysis of the solution, which is undergoing standardization at the Internet Engineering Task Force (IETF), describing its interfaces, operation and security aspects. Finally, we include a simple but significant performance analysis of both cases and a proof-of-concept implementation of the proposal. |
---|---|
ISSN: | 0920-5489 1872-7018 |
DOI: | 10.1016/j.csi.2019.103357 |
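The abstract distinguishes an IKE case (the controller provisions credentials and policy, and the network resources negotiate the SAs themselves) from an IKE-less case (the controller generates the SA material and installs it directly in both endpoints, so it must also take over rekeying). The following is an added toy model of that split, written for this record; it is not the authors' proof-of-concept and not the IETF YANG model, and every class, field and method name in it is an assumption. The hypothetical `NetworkResource.supports_ike` flag is what selects the case, and the IKEv2 run is replaced by a PRF stand-in, as noted in the code.

```python
"""Toy model of the IKE case and the IKE-less case of SDN-based IPsec SA management.
Constructed illustration: names, fields and the key derivation are assumptions, not
the paper's implementation or the IETF YANG model."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IPsecSA:
    """One unidirectional SA as held in a resource's SAD (key material simplified)."""
    spi: int
    src: str
    dst: str
    enc_key: bytes           # stands in for the ESP cipher key
    lifetime_bytes: int      # soft lifetime: traffic allowed before a rekey is due
    used_bytes: int = 0


@dataclass
class NetworkResource:
    """Data-plane switch/router; 'supports_ike' decides which case the controller uses."""
    name: str
    addr: str
    supports_ike: bool
    sad: Dict[int, IPsecSA] = field(default_factory=dict)   # SPI -> SA
    ike_psk: Optional[bytes] = None                          # provisioned only in the IKE case

    def ike_negotiate(self, peer: "NetworkResource", spi_out: int, spi_in: int,
                      lifetime_bytes: int) -> None:
        """Stand-in for an IKEv2 run with peer: each side derives the per-SA key from the
        controller-provisioned PSK and the SPI, and the controller never stores it.
        (Real IKEv2 adds a DH exchange so the key is not derivable from the credential
        alone; that is deliberately not modelled here.)"""
        assert self.ike_psk is not None and self.ike_psk == peer.ike_psk
        for spi, src, dst in ((spi_out, self, peer), (spi_in, peer, self)):
            key = hmac.new(self.ike_psk, spi.to_bytes(4, "big"), hashlib.sha256).digest()
            self.sad[spi] = IPsecSA(spi, src.addr, dst.addr, key, lifetime_bytes)

    def send(self, spi: int, nbytes: int) -> None:
        """Account outbound traffic against the SA's soft lifetime."""
        self.sad[spi].used_bytes += nbytes


class Controller:
    """SDN controller: allocates SPIs and picks the case per pair of resources."""

    def __init__(self) -> None:
        self._next_spi = 0x1000
        self.keys_known_to_controller: Dict[int, bytes] = {}  # filled only in the IKE-less case

    def _alloc_spi(self) -> int:
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        return spi

    def protect_flow(self, a: NetworkResource, b: NetworkResource,
                     lifetime_bytes: int = 1_000_000) -> Tuple[str, int, int]:
        """Protect a<->b with a pair of SAs; returns (case, spi_a_to_b, spi_b_to_a)."""
        spi_ab, spi_ba = self._alloc_spi(), self._alloc_spi()
        if a.supports_ike and b.supports_ike:
            # IKE case: push a shared credential, then let the resources negotiate.
            psk = os.urandom(32)
            a.ike_psk = b.ike_psk = psk
            a.ike_negotiate(b, spi_ab, spi_ba, lifetime_bytes)
            b.ike_negotiate(a, spi_ba, spi_ab, lifetime_bytes)
            return ("ike", spi_ab, spi_ba)
        # IKE-less case: the controller is the key source and writes both SADs itself.
        for spi, src, dst in ((spi_ab, a, b), (spi_ba, b, a)):
            self._install(a, b, spi, src.addr, dst.addr, lifetime_bytes)
        return ("ike-less", spi_ab, spi_ba)

    def _install(self, a: NetworkResource, b: NetworkResource, spi: int,
                 src_addr: str, dst_addr: str, lifetime_bytes: int) -> None:
        key = os.urandom(32)
        self.keys_known_to_controller[spi] = key      # the price of the IKE-less case
        for r in (a, b):
            r.sad[spi] = IPsecSA(spi, src_addr, dst_addr, key, lifetime_bytes)

    def rekey_if_needed(self, a: NetworkResource, b: NetworkResource,
                        spi: int) -> Optional[int]:
        """IKE-less only: with no IKE daemon on the resources, the controller must replace
        an SA whose soft lifetime is exhausted. Returns the new SPI, or None if not due."""
        sa = a.sad[spi]
        if sa.used_bytes < sa.lifetime_bytes:
            return None
        new_spi = self._alloc_spi()
        self._install(a, b, new_spi, sa.src, sa.dst, sa.lifetime_bytes)
        for r in (a, b):
            del r.sad[spi]
        self.keys_known_to_controller.pop(spi, None)
        return new_spi
```

Running `Controller().protect_flow(...)` on two IKE-capable resources leaves `keys_known_to_controller` empty, whereas pairing one resource that lacks IKE support forces the IKE-less path, where the controller holds every traffic key and has to drive rekeying; the model makes that trade-off between controller involvement and resource complexity concrete, including the operational caveat that a controller compromise in the IKE-less case exposes the SA keys themselves.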