Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Xuxiaohu <xuxiaohu@huawei.com> Fri, 18 December 2015 06:25 UTC
Return-Path: <xuxiaohu@huawei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 115651B339F; Thu, 17 Dec 2015 22:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4nMVgOvlt8H; Thu, 17 Dec 2015 22:25:56 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D3951B339D; Thu, 17 Dec 2015 22:25:55 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CBS92951; Fri, 18 Dec 2015 06:25:52 +0000 (GMT)
Received: from NKGEML404-HUB.china.huawei.com (10.98.56.35) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 18 Dec 2015 06:25:51 +0000
Received: from NKGEML512-MBS.china.huawei.com ([169.254.8.64]) by nkgeml404-hub.china.huawei.com ([10.98.56.35]) with mapi id 14.03.0235.001; Fri, 18 Dec 2015 14:25:43 +0800
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Alvaro Retana (aretana)" <aretana@cisco.com>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Thread-Index: AQHRLdaOLk8nhORYXUKrCN/X2riedp66D2jwgAAf9ICABKhN0IAAFESAgAsadwCAAAObAIABRkxQ///7zQCABQwf4A==
Date: Fri, 18 Dec 2015 06:25:43 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB56196@NKGEML512-MBS.china.huawei.com>
References: <20151203142601.21348.10762.idtracker@ietfa.amsl.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com> <56617BAD.6070906@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB54209@NKGEML512-MBS.china.huawei.com> <566574D9.6030202@cs.tcd.ie> <D2942F48.F093A%aretana@cisco.com> <566EC84E.7070600@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB55473@NKGEML512-MBS.china.huawei.com> <566FD680.2060901@cs.tcd.ie>
In-Reply-To: <566FD680.2060901@cs.tcd.ie>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.5673A6F0.012A, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.8.64, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 636d13f7260e6fc54f0a0d46d7fffea7
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/RLzglxiwD0uZrnj4OxSau09-6aU>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 06:25:59 -0000
Hi Stephen, Sorry for my late response. The reason that I hesitated to add MACsec as an additional example of a strong security mechanism is as follows: MACsec is a layer2 encryption mechanism and therefore it seems not much suitable to protect IP encapsulated traffic between PE routers, unless these PE routers are directly connected to each other at Layer2. If my understand is wrong, would you please explain how to use MACsec to protect the IP encapsulated traffic between PE routers which are not directly connected? Or would you please provide me a link to some RFC which talks about this usage? Best regards, Xiaohu > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > Sent: Tuesday, December 15, 2015 5:00 PM > To: Xuxiaohu; Alvaro Retana (aretana); The IESG > Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; > martin.vigoureux@alcatel-lucent.com; bess@ietf.org > Subject: Re: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with > DISCUSS and COMMENT) > > > Hiya, > > On 15/12/15 01:19, Xuxiaohu wrote: > > Hi Stephen, > > > > It said "...using a strong security mechanism such as IPsec > > [RFC4301]". Here IPsec is just mentioned as an example of a strong > > security mechanism. Therefore, it doesn't exclude MACsec. > > Sure, but... > > The text that I suggested and that you said seemed good did include MACsec. > > On 09/12/15 07:47, Xuxiaohu wrote: > >> So maybe something more like: > >> > >> "Inter data-centre traffic often carries highly sensitive information > at higher > >> layers that is not directly understood > >> (parsed) within an egress or ingress PE. For example, migrating a VM > will often > >> mean moving private keys and other sensitive configuration > information. For > >> this reason inter data-centre traffic SHOULD always be protected for > >> both confidentiality and integrity using a strong security mechanism > >> such > as IPsec [1] > >> or MACsec [2] In future it may be feasible to protect that traffic > within the MPLS > >> layer [3] though at the time of writing the mechanism for that is not > sufficiently > >> mature to recommend. Exactly how such security mechanisms are > deployed will > >> vary from case to case, so securing the inter data-centre traffic may > or may not > >> involve deploying security mechanisms on the ingress/egress PEs or > further > >> "inside" the data centres concerned. Note though that if security is > not deployed > >> on the egress/ingress PEs there is a substantial risk that some > sensitive traffic > >> may be sent in clear and therefore be vulnerable to pervasive > monitoring [4] or > >> other attacks." > > > > Thanks a lot for your suggested text. If nobody object the above text, > > I will add it in the next revision. > > > > And indeed you added it all except for MACsec. > > And my question is not whether MACsec is excluded but rather why it was > omitted, when afaik, it is what is most used for securing this particular kind of > inter-DC traffic. (At least I believe that MACsec is what's most used there. If not, > I'd be glad to know that.) > > So, why not include MACsec? Did someone object? If so, why? > (And can you send a pointer to the WG list where that objection was raised so I > can understand it better.) > > Thanks, > S. > > > > > > Best regards, Xiaohu > > > >> -----Original Message----- From: Stephen Farrell > >> [mailto:stephen.farrell@cs.tcd.ie] Sent: Monday, December 14, 2015 > >> 9:47 PM To: Alvaro Retana (aretana); Xuxiaohu; The IESG Cc: > >> draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; > >> martin.vigoureux@alcatel-lucent.com; bess@ietf.org Subject: Re: > >> Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: > >> (with DISCUSS and COMMENT) > >> > >> > >> Hi, > >> > >> Can someone say why the mention of MACsec wasn't included? As I > >> understand it, MACsec is what's mostly usable for inter-DC security > >> so omitting it seems like a bad idea (or perhaps I'm misinformed) > >> > >> Thanks, S. > >> > >> On 14/12/15 13:34, Alvaro Retana (aretana) wrote: > >>> Stephen: > >>> > >>> Hi! > >>> > >>> Xiaohu posted an update that we hope addresses your concerns. > >>> Pelase take a look. > >>> > >>> > >>> Thanks! > >>> > >>> Alvaro. > >>> > >>>
- [bess] Stephen Farrell's Discuss on draft-ietf-be… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Alvaro Retana (aretana)
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell