Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 10 January 2016 22:23 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/PFQ0eLPnxcP4aBwLYRSZfoNd2Ek>

Hiya,

On 05/01/16 10:02, Xuxiaohu wrote:
> Hi Stephen,
> 
> I wonder whether the following explanation is fine to you.

Sorry for the slow response. I didn't manage to find a
reason to justify "forcing" mention of MACsec:-) So, I've
cleared the discuss. Thanks for adding the text you have
on securing inter-DC traffic.

Cheers,
S.

> 
> Best regards,
> Xiaohu
> 
>> -----Original Message-----
>> From: Xuxiaohu
>> Sent: Friday, December 18, 2015 5:27 PM
>> To: 'Stephen Farrell'; Alvaro Retana (aretana); The IESG
>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org;
>> martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>> Subject: RE: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with
>> DISCUSS and COMMENT)
>>
>>
>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Friday, December 18, 2015 3:21 PM
>>> To: Xuxiaohu; Alvaro Retana (aretana); The IESG
>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org;
>>> martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>> Subject: Re: Stephen Farrell's Discuss on
>>> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>>
>>>
>>>
>>> On 18/12/15 06:25, Xuxiaohu wrote:
>>>> Hi Stephen,
>>>>
>>>> Sorry for my late response. The reason that I hesitated to add
>>>> MACsec as an additional example of a strong security mechanism is as
>>>> follows: MACsec is a layer2 encryption mechanism and therefore it
>>>> seems not much suitable to protect IP encapsulated traffic between
>>>> PE routers, unless these PE routers are directly connected to each
>>>> other at Layer2.
>>>
>>> My belief is that such a scenario can be the case for some inter-DC
>>> links. That's not based on real experience though so I'm open to
>>> correction. Hopefully, someone getting this mail knows the answer and
>>> can tell us if MACsec really is worth mentioning. (If not, I'm now
>>> curious enough to try to chase down the answer:-)
>>>
>>
>> Hi Stephen,
>>
>> The following are some materials related to MACsec and MPLS VPN:
>>
>> https://www.brocade.com/content/dam/common/documents/content-types/feature-guide/brocade-macsec-fg.pdf
>> http://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-137-macsec-over-mpls-ccc-configuring.pdf
>>
>> It shows that MACsec is mainly applicable to MPLS L2VPN scenarios such as VLL
>> and VPLS rather than MPLS L3VPN. Since this draft is based on MPLS L3VPN
>> (i.e., MPLS/BGP IP VPN), it seems that we don't have to mention it as one
>> ADDITIONAL example of a strong security mechanism. Is it fine with you?
>>
>> Best regards,
>> Xiaohu
>>
>>>> If my understanding is wrong, would you please explain how to use
>>>> MACsec to protect the IP encapsulated traffic between PE routers
>>>> which are not directly connected? Or would you please provide me a
>>>> link to some RFC which talks about this usage?
>>>
>>> I don't believe there is. At that point you have to go up the stack to
>>> MPLS-OS maybe, or IPsec. But the text does already cover this.
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>>>
>>>> Best regards,
>>>> Xiaohu
>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Tuesday, December 15, 2015 5:00 PM
>>>>> To: Xuxiaohu; Alvaro Retana (aretana); The IESG
>>>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org;
>>>>> martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06:
>>>>> (with DISCUSS and COMMENT)
>>>>>
>>>>>
>>>>> Hiya,
>>>>>
>>>>> On 15/12/15 01:19, Xuxiaohu wrote:
>>>>>> Hi Stephen,
>>>>>>
>>>>>> It said "...using a strong security mechanism such as IPsec
>>>>>> [RFC4301]". Here IPsec is just mentioned as an example of a strong
>>>>>> security mechanism. Therefore, it doesn't exclude MACsec.
>>>>>
>>>>> Sure, but...
>>>>>
>>>>> The text that I suggested and that you said seemed good did include
>>>>> MACsec.
>>>>>
>>>>> On 09/12/15 07:47, Xuxiaohu wrote:
>>>>>>> So maybe something more like:
>>>>>>>
>>>>>>> "Inter data-centre traffic often carries highly sensitive
>>>>>>> information at higher layers that is not directly understood
>>>>>>> (parsed) within an egress or ingress PE. For example, migrating
>>>>>>> a VM will often mean moving private keys and other sensitive
>>>>>>> configuration information. For this reason inter data-centre
>>>>>>> traffic SHOULD always be protected for both confidentiality and
>>>>>>> integrity using a strong security mechanism such as IPsec [1]
>>>>>>> or MACsec [2]. In future it may be feasible to protect that
>>>>>>> traffic within the MPLS layer [3] though at the time of writing
>>>>>>> the mechanism for that is not sufficiently mature to recommend.
>>>>>>> Exactly how such security mechanisms are deployed will vary from
>>>>>>> case to case, so securing the inter data-centre traffic may or
>>>>>>> may not involve deploying security mechanisms on the
>>>>>>> ingress/egress PEs or further "inside" the data centres
>>>>>>> concerned. Note though that if security is not deployed on the
>>>>>>> egress/ingress PEs there is a substantial risk that some
>>>>>>> sensitive traffic may be sent in the clear and therefore be
>>>>>>> vulnerable to pervasive monitoring [4] or other attacks."
>>>>>>
>>>>>> Thanks a lot for your suggested text. If nobody objects to the
>>>>>> above text, I will add it in the next revision.
>>>>>>
>>>>>
>>>>> And indeed you added it all except for MACsec.
>>>>>
>>>>> And my question is not whether MACsec is excluded but rather why it
>>>>> was omitted, when afaik, it is what is most used for securing this
>>>>> particular kind of inter-DC traffic. (At least I believe that
>>>>> MACsec is what's most used there. If not, I'd be glad to know
>>>>> that.)
>>>>>
>>>>> So, why not include MACsec? Did someone object? If so, why? (And
>>>>> can you send a pointer to the WG list where that objection was
>>>>> raised so I can understand it better.)
>>>>>
>>>>> Thanks, S.
>>>>>
>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> Xiaohu
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>>>> Sent: Monday, December 14, 2015 9:47 PM
>>>>>>> To: Alvaro Retana (aretana); Xuxiaohu; The IESG
>>>>>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org;
>>>>>>> martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>>>>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06:
>>>>>>> (with DISCUSS and COMMENT)
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Can someone say why the mention of MACsec wasn't included? As I
>>>>>>> understand it, MACsec is what's mostly usable for inter-DC
>>>>>>> security so omitting it seems like a bad idea (or perhaps I'm
>>>>>>> misinformed).
>>>>>>>
>>>>>>> Thanks, S.
>>>>>>>
>>>>>>> On 14/12/15 13:34, Alvaro Retana (aretana) wrote:
>>>>>>>> Stephen:
>>>>>>>>
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> Xiaohu posted an update that we hope addresses your concerns.
>>>>>>>> Please take a look.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Alvaro.
>>>>>>>>
>>>>>>>>