Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 07 December 2015 12:00 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1CB41A3B9B; Mon, 7 Dec 2015 04:00:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOzDP1YaryTb; Mon, 7 Dec 2015 04:00:29 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9599B1A8AB4; Mon, 7 Dec 2015 04:00:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7C6A7BE32; Mon, 7 Dec 2015 12:00:27 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wqEBExPiGyBS; Mon, 7 Dec 2015 12:00:27 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9421BBE2F; Mon, 7 Dec 2015 12:00:26 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1449489627; bh=+3bqL+vtM5p5rPRKs3Sg3YeBqLlmmT3X8VcQ3vuWiFY=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=nnbp6y9TCpHt7anseI/xubUJopR4Z1vvMCa4OD5rLOUOyXcQzVCyDO8g7Cqku01tW FeCVBfvb0oGICmr5fdYZGTIP5s7WTmZbMzCQJsTrB3LUBGNJK8tClBlxATLF5G0lV4 khx98vWKmsShoyEl08357z33cvQVvD8OFfNlqbKs=
To: Xuxiaohu <xuxiaohu@huawei.com>, The IESG <iesg@ietf.org>
References: <20151203142601.21348.10762.idtracker@ietfa.amsl.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com> <56617BAD.6070906@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB54209@NKGEML512-MBS.china.huawei.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Enigmail-Draft-Status: N1110
Message-ID: <566574D9.6030202@cs.tcd.ie>
Date: Mon, 07 Dec 2015 12:00:25 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB54209@NKGEML512-MBS.china.huawei.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/-wwMI0m7HQhxzrQu6UyQHIUsXJs>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>, "aretana@cisco.com" <aretana@cisco.com>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2015 12:00:33 -0000
Hiya, On 07/12/15 03:15, Xuxiaohu wrote: > Hi Stephen, > >> -----Original Message----- From: Stephen Farrell >> [mailto:stephen.farrell@cs.tcd.ie] Sent: Friday, December 04, 2015 >> 7:40 PM To: Xuxiaohu; The IESG Cc: >> draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; >> martin.vigoureux@alcatel-lucent.com; bess@ietf.org; >> aretana@cisco.com Subject: Re: Stephen Farrell's Discuss on >> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT) >> >> >> Hiya, >> >> On 04/12/15 02:08, Xuxiaohu wrote: >>> Hi Stephen, >>> >>> Thank a lot for your DISCUSS. I fully agree with you that >>> sensitive traffic being handled by VMs should be encrypted when >>> traversing across the Internet or even SP networks. Similarly, I >>> think you would also agree that sensitive traffic of VPN clients >>> should be encrypted as well in the existing MPLS/BGP IP VPN >>> [RFC4364] scenario. Hence, the security requirement should be the >>> same for RFC4364 and this draft, IMHO. Therefore, in the Security >>> Consideration section of this draft, it said " Since the BGP/MPLS >>> IP VPN signaling is reused without any change, those security >>> considerations as described in [RFC4364] are applicable to this >>> document. " >>> >>> Any further comments are more than welcome. >> >> Well, my further comment is that the above doesn't seem adequate at >> this point in time (to me:-) >> >> In 2006, the security considerations of RFC4364 said: >> >> " Cryptographic privacy is not provided by this architecture, nor >> by Frame Relay or ATM VPNs. These architectures are all compatible >> with the use of cryptography on a CE-CE basis, if that is desired. >> >> The use of cryptography on a PE-PE basis is for further study." >> >> In 2015, we know that people, can, should, and do, turn on crypto >> between data centres. >> >> Today's situation is not 2006's and that I think needs to be stated >> and this document seems like a fine place to do that. I would still >> think that were the statement clearly made elsewhere. > > How about adding the following text into the current security > consideration: > > "The use of cryptography on a PE-PE basis is related to the specific > tunnel technology which is used between PEs. For instance, if MPLS > LSPs are used between PE routers, the approach as described in > (https://tools.ietf.org/html/draft-ietf-mpls-opportunistic-encrypt-00) > should be considered, and if IP-base tunnels for transporting MPLS > are used between PE routers, those IP-based tunnels should be secured > with IPsec or DTLS (for more details, please refer to the > corresponding specification of a particular IP-based tunnel > technology). Of course, if the data traffic has been encrypted before > arriving at the ingress PE, the use of cryptography on a PE-PE basis > may not be necessary any more." That's definitely along the right lines but I think needs a few tweaks... First, even though I'm an author I think you're putting too much emphasis on the MPLS-OS stuff - we don't honestly know (yet) if that is something that'll see real deployment. And I'm told MACsec is also used for DC-DC security so referencing it as well as IPsec would be good. I'm not sure what DTLS based mechanism can be referenced here though one could of course exist or be defined in future. I'd say if there's no good reference for such, then maybe that's best omitted for now. If there's a goohttps://tools.ietf.org/html/rfc7258d reference then adding it would be good. And your text also avoids recommending securing traffic between data centres, which I think is needed, and is the main point for this text (for this informational document). So maybe something more like: "Inter data-centre traffic often carries highly sensitive information at higher layers that is not directly understood (parsed) within an egress or ingress PE. For example, migrating a VM will often mean moving private keys and other sensitive configuration information. For this reason inter data-centre traffic SHOULD always be protected for both confidentiality and integrity using a strong security mechanism such as IPsec [1] or MACsec [2] In future it may be feasible to protect that traffic within the MPLS layer [3] though at the time of writing the mechanism for that is not sufficiently mature to recommend. Exactly how such security mechanisms are deployed will vary from case to case, so securing the inter data-centre traffic may or may not involve deploying security mechanisms on the ingress/egress PEs or further "inside" the data centres concerned. Note though that if security is not deployed on the egress/ingress PEs there is a substantial risk that some sensitive traffic may be sent in clear and therefore be vulnerable to pervasive monitoring [4] or other attacks." [1] https://tools.ietf.org/html/rfc4301 [2] http://www.ieee802.org/1/pages/802.1ae.html [3] https://tools.ietf.org/html/draft-ietf-mpls-opportunistic-encrypt [4] https://tools.ietf.org/html/rfc7258 Note - I'm not sure if [2] is the best reference for MACsec, but I bet some of you will know better. If you want to s/SHOULD/MUST/ above I'd be fine with that. And if this document isn't using 2119 terminology (I forget) that's also fine just s/SHOULD/should/ (or "must":-). Cheers, S. > > Best regards, Xiaohu > >> Cheers, S. >> >> >>> >>> Best regards, Xiaohu >>> >>>> -----Original Message----- From: Stephen Farrell >>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, December >>>> 03, 2015 10:26 PM To: The IESG Cc: >>>> draft-ietf-bess-virtual-subnet@ietf.org; aretana@cisco.com; >>>> bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; >>>> bess@ietf.org Subject: Stephen Farrell's Discuss on >>>> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT) >>>> >>>> Stephen Farrell has entered the following ballot position for >>>> draft-ietf-bess-virtual-subnet-06: Discuss >>>> >>>> When responding, please keep the subject line intact and reply >>>> to all email addresses included in the To and CC lines. (Feel >>>> free to cut this introductory paragraph, however.) >>>> >>>> >>>> Please refer to >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for >>>> more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found >>>> here: >>>> https://datatracker.ietf.org/doc/draft-ietf-bess-virtual-subnet/ >>>> >>>> >>>> >>>> >>>> --------------------------------------------------------------------- >>>> - >>>> >>>> >> DISCUSS: >>>> --------------------------------------------------------------------- >>>> >>>> - >>>> >>>> >>>> >>>> >> (1) Surely extending a subnet from one to many data centres should >> only be >>>> done if inter-data-centre traffic is all encrypted and >>>> authenticated? I don't get why there isn't a MUST-like >>>> statement here for such protection, and going a bit further, >>>> why some interoperable form of protection for such traffic >>>> (e.g. IPsec, MACsec) isn't recommended as being MTI in such >>>> cases. The huge variety of potentially and actually sensitive >>>> traffic being handled by VMs these days and which ought not be, >>>> and probably is not, understood by folks doing routing seems to >>>> very strongly imply that such protection should in fact be >>>> turned on all of the time. (But stating that would be going >>>> beyond current IETF consenus on MTI security as expressed in >>>> BCP61. It'd still be a good idea I think though.) >>>> >>>> (2) I'm guessing one reaction to the above discuss point could >>>> be "sure, but this is the wrong document." In that case, please >>>> show me the right document and then tell me why a reference to >>>> that is not needed here. >>>> >>>> Note: none of the above is about RFC2119 MUST/SHOULD etc terms >>>> even though I use them above. Just normal english that makes >>>> the point would be fine. >>>> >>>> >>>> --------------------------------------------------------------------- >>>> >>>> - >>>> >>>> >> COMMENT: >>>> --------------------------------------------------------------------- >>>> >>>> - >>>> >>>> >>>> >>>> >> The secdir-review [1] raised a similar issue, but I don't think >>>> the response to that is sufficient really. (The secdir reviewer >>>> did think so.) >>>> >>>> [1] >>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06217.html >>>> >>>
- [bess] Stephen Farrell's Discuss on draft-ietf-be… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Alvaro Retana (aretana)
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell