Published April 1, 2025 | Version v1
Publication Open

Decentralised Identity for Secure Connectivity in Software-defined Networking Environments

  • 1. LINKS Foundation
  • 2. Telefónica Innovación Digital

Description

Telco operators are using Software Defined Networks (SDN) and Network Function Virtualisation (NFV) to virtualise a wide range of network functions and link or chain them together to create, deploy and deliver network connectivity services. In such a distributed software networking environment, operators use Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) to provide secure connectivity between container network functions running on different computing nodes in their infrastructure. This paper discusses the adoption of the Self-Sovereign Identity (SSI) model in IKEv2 for authentication purposes to avoid the high costs associated with identity management of IPsec endpoints using Public-Key Infrastructure (PKI) and X.509 certificates, while preserving all the security features of the protocol. The paper presents a novel design of the IKEv2 message flow with Verifiable Credentials (VCs), its open-source implementation as a fork of the strongSwan library, and the successful experimental validation.

Files

SSI_IKEv2_zenodo.pdf

Files (809.5 kB)

md5:d7a006bd7e5028a1b4e3f85cf4b6dae9

Additional details

Funding

European Commission
QUBIP - Quantum-oriented Update to Browsers and Infrastructures for the PQ Transition 101119746

Dates

Available
2025-04-01