Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 10 January 2016 22:23 UTC
To: Xuxiaohu <xuxiaohu@huawei.com>, "Alvaro Retana (aretana)" <aretana@cisco.com>, The IESG <iesg@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <5692D9CA.2090704@cs.tcd.ie>
Date: Sun, 10 Jan 2016 22:23:06 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/PFQ0eLPnxcP4aBwLYRSZfoNd2Ek>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)

Hiya,

On 05/01/16 10:02, Xuxiaohu wrote:
> Hi Stephen,
>
> I wonder whether the following explanation is fine to you.

Sorry for the slow response. I didn't manage to find a reason to justify "forcing" mention of MACsec:-) So, I've cleared the discuss. Thanks for adding the text you have on securing inter-DC traffic,

Cheers,
S.

> Best regards,
> Xiaohu
>
>> -----Original Message-----
>> From: Xuxiaohu
>> Sent: Friday, December 18, 2015 5:27 PM
>> To: 'Stephen Farrell'; Alvaro Retana (aretana); The IESG
>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>> Subject: RE: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Friday, December 18, 2015 3:21 PM
>>> To: Xuxiaohu; Alvaro Retana (aretana); The IESG
>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>>
>>> On 18/12/15 06:25, Xuxiaohu wrote:
>>>> Hi Stephen,
>>>>
>>>> Sorry for my late response. The reason that I hesitated to add MACsec as an additional example of a strong security mechanism is as follows: MACsec is a layer2 encryption mechanism and therefore it seems not much suitable to protect IP encapsulated traffic between PE routers, unless these PE routers are directly connected to each other at Layer2.
>>>
>>> My belief is that such a scenario can be the case for some inter-DC links. That's not based on real experience though so I'm open to correction. Hopefully, someone getting this mail knows the answer and can tell us if MACsec really is worth mentioning. (If not, I'm now curious enough to try go chase down the answer:-)
>>
>> Hi Stephen,
>>
>> The following are some materials related to MACsec and MPLS VPN:
>>
>> https://www.brocade.com/content/dam/common/documents/content-types/feature-guide/brocade-macsec-fg.pdf
>> http://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-137-macsec-over-mpls-ccc-configuring.pdf
>>
>> It shows that MACsec is mainly applicable to MPLS L2VPN scenarios such as VLL and VPLS rather than MPLS L3VPN. Since this draft is based on MPLS L3VPN (i.e., MPLS/BGP IP VPN), it seems that we don't have to mention it as one ADDITIONAL example of a strong security mechanism. Is it fine for you?
>>
>> Best regards,
>> Xiaohu
>>
>>>> If my understanding is wrong, would you please explain how to use MACsec to protect the IP encapsulated traffic between PE routers which are not directly connected? Or would you please provide me a link to some RFC which talks about this usage?
>>>
>>> I don't believe there is. At that point you have to go up the stack to MPLS-OS maybe, or IPsec. But the text does already cover this.
>>>
>>> Cheers,
>>> S.
>>>
>>>> Best regards,
>>>> Xiaohu
>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Tuesday, December 15, 2015 5:00 PM
>>>>> To: Xuxiaohu; Alvaro Retana (aretana); The IESG
>>>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>>>>
>>>>> Hiya,
>>>>>
>>>>> On 15/12/15 01:19, Xuxiaohu wrote:
>>>>>> Hi Stephen,
>>>>>>
>>>>>> It said "...using a strong security mechanism such as IPsec [RFC4301]". Here IPsec is just mentioned as an example of a strong security mechanism. Therefore, it doesn't exclude MACsec.
>>>>>
>>>>> Sure, but...
>>>>>
>>>>> The text that I suggested and that you said seemed good did include MACsec.
>>>>>
>>>>> On 09/12/15 07:47, Xuxiaohu wrote:
>>>>>>> So maybe something more like:
>>>>>>>
>>>>>>> "Inter data-centre traffic often carries highly sensitive information at higher layers that is not directly understood (parsed) within an egress or ingress PE. For example, migrating a VM will often mean moving private keys and other sensitive configuration information. For this reason inter data-centre traffic SHOULD always be protected for both confidentiality and integrity using a strong security mechanism such as IPsec [1] or MACsec [2]. In future it may be feasible to protect that traffic within the MPLS layer [3] though at the time of writing the mechanism for that is not sufficiently mature to recommend. Exactly how such security mechanisms are deployed will vary from case to case, so securing the inter data-centre traffic may or may not involve deploying security mechanisms on the ingress/egress PEs or further "inside" the data centres concerned. Note though that if security is not deployed on the egress/ingress PEs there is a substantial risk that some sensitive traffic may be sent in clear and therefore be vulnerable to pervasive monitoring [4] or other attacks."
>>>>>>
>>>>>> Thanks a lot for your suggested text. If nobody objects to the above text, I will add it in the next revision.
>>>>>
>>>>> And indeed you added it all except for MACsec.
>>>>>
>>>>> And my question is not whether MACsec is excluded but rather why it was omitted, when afaik, it is what is most used for securing this particular kind of inter-DC traffic. (At least I believe that MACsec is what's most used there. If not, I'd be glad to know that.)
>>>>>
>>>>> So, why not include MACsec? Did someone object? If so, why? (And can you send a pointer to the WG list where that objection was raised so I can understand it better.)
>>>>>
>>>>> Thanks,
>>>>> S.
>>>>>
>>>>>> Best regards,
>>>>>> Xiaohu
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>>>> Sent: Monday, December 14, 2015 9:47 PM
>>>>>>> To: Alvaro Retana (aretana); Xuxiaohu; The IESG
>>>>>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>>>>>>> Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Can someone say why the mention of MACsec wasn't included? As I understand it, MACsec is what's mostly usable for inter-DC security so omitting it seems like a bad idea (or perhaps I'm misinformed)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> S.
>>>>>>>
>>>>>>> On 14/12/15 13:34, Alvaro Retana (aretana) wrote:
>>>>>>>> Stephen:
>>>>>>>>
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> Xiaohu posted an update that we hope addresses your concerns. Please take a look.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Alvaro.