Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 04 December 2015 11:40 UTC
To: Xuxiaohu <xuxiaohu@huawei.com>, The IESG <iesg@ietf.org>
References: <20151203142601.21348.10762.idtracker@ietfa.amsl.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <56617BAD.6070906@cs.tcd.ie>
Date: Fri, 04 Dec 2015 11:40:29 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/Rxi_BKjcRL9ZdVEXYTAGC_0iwss>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>, "aretana@cisco.com" <aretana@cisco.com>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Hiya,

On 04/12/15 02:08, Xuxiaohu wrote:
> Hi Stephen,
>
> Thanks a lot for your DISCUSS. I fully agree with you that sensitive
> traffic being handled by VMs should be encrypted when traversing
> across the Internet or even SP networks. Similarly, I think you would
> also agree that sensitive traffic of VPN clients should be encrypted
> as well in the existing MPLS/BGP IP VPN [RFC4364] scenario. Hence,
> the security requirement should be the same for RFC4364 and this
> draft, IMHO. Therefore, in the Security Considerations section of this
> draft, it said: "Since the BGP/MPLS IP VPN signaling is reused
> without any change, those security considerations as described in
> [RFC4364] are applicable to this document."
>
> Any further comments are more than welcome.

Well, my further comment is that the above doesn't seem adequate at this
point in time (to me:-)

In 2006, the security considerations of RFC4364 said:

   "Cryptographic privacy is not provided by this architecture, nor by
   Frame Relay or ATM VPNs. These architectures are all compatible with
   the use of cryptography on a CE-CE basis, if that is desired. The use
   of cryptography on a PE-PE basis is for further study."

In 2015, we know that people can, should, and do turn on crypto between
data centres. Today's situation is not 2006's, and that I think needs to
be stated, and this document seems like a fine place to do that. I would
still think that were the statement clearly made elsewhere.

Cheers,
S.

> Best regards,
> Xiaohu
>
>> -----Original Message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: Thursday, December 03, 2015 10:26 PM
>> To: The IESG
>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; aretana@cisco.com;
>> bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com;
>> bess@ietf.org
>> Subject: Stephen Farrell's Discuss on
>> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>>
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-bess-virtual-subnet-06: Discuss
>>
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>>
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>> information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-bess-virtual-subnet/
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> (1) Surely extending a subnet from one to many data centres should only be
>> done if inter-data-centre traffic is all encrypted and
>> authenticated? I don't get why there isn't a MUST-like statement
>> here for such protection, and going a bit further, why some
>> interoperable form of protection for such traffic (e.g. IPsec,
>> MACsec) isn't recommended as being MTI in such cases. The huge
>> variety of potentially and actually sensitive traffic being handled
>> by VMs these days, and which ought not be, and probably is not,
>> understood by folks doing routing, seems to very strongly imply that
>> such protection should in fact be turned on all of the time. (But
>> stating that would be going beyond current IETF consensus on MTI
>> security as expressed in BCP61. It'd still be a good idea I think
>> though.)
>>
>> (2) I'm guessing one reaction to the above discuss point could be
>> "sure, but this is the wrong document." In that case, please show
>> me the right document and then tell me why a reference to that is
>> not needed here.
>>
>> Note: none of the above is about RFC2119 MUST/SHOULD etc. terms
>> even though I use them above. Just normal English that makes the
>> point would be fine.
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> The secdir review [1] raised a similar issue, but I don't think
>> the response to that is sufficient really. (The secdir reviewer did
>> think so.)
>>
>> [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06217.html
>>