IETF Logo Mail Archive

Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 04 December 2015 11:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C420A1B307A; Fri, 4 Dec 2015 03:40:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KIuPd2RKsgH; Fri, 4 Dec 2015 03:40:38 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 283991B3078; Fri, 4 Dec 2015 03:40:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6EECABE3E; Fri, 4 Dec 2015 11:40:35 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M65qmIpM-ydt; Fri, 4 Dec 2015 11:40:32 +0000 (GMT)
Received: from [10.87.48.95] (unknown [86.46.20.32]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 236C6BE38; Fri, 4 Dec 2015 11:40:31 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1449229232; bh=dTu8BFLpqYaDrEYtLcPZSzj/emIJKBEWQsg45J4yKLM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=gxGJhF2wnRT0SkWDgw2yBC7WmIq+94KfxnGqph+GtOux9VVp+It5gUsWpzc8bKoSV G0zmoF/z319EKC7OIM9ZW/D4XuIIExLnBP/Ea0OH/mb5PsutBnTYmUTZ8RGPyuWjy9 ajwemSKgTpIBrsxMXtCV7itZiSj/yBaNIV3yfaKk=
To: Xuxiaohu <xuxiaohu@huawei.com>, The IESG <iesg@ietf.org>
References: <20151203142601.21348.10762.idtracker@ietfa.amsl.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56617BAD.6070906@cs.tcd.ie>
Date: Fri, 04 Dec 2015 11:40:29 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/Rxi_BKjcRL9ZdVEXYTAGC_0iwss>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>, "aretana@cisco.com" <aretana@cisco.com>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 11:40:40 -0000

Hiya,

On 04/12/15 02:08, Xuxiaohu wrote:
> Hi Stephen,
> 
> Thank a lot for your DISCUSS. I fully agree with you that sensitive
> traffic being handled by VMs should be encrypted when traversing
> across the Internet or even SP networks. Similarly, I think you would
> also agree that sensitive traffic of VPN clients should be encrypted
> as well in the existing MPLS/BGP IP VPN [RFC4364] scenario. Hence,
> the security requirement should be the same for RFC4364 and this
> draft, IMHO. Therefore, in the Security Consideration section of this
> draft, it said " Since the BGP/MPLS IP VPN signaling is reused
> without any change, those security considerations as described in
> [RFC4364] are applicable to this document. "
> 
> Any further comments are more than welcome.

Well, my further comment is that the above doesn't seem adequate
at this point in time (to me:-)

In 2006, the security considerations of RFC4364 said:

" Cryptographic privacy is not provided by this architecture, nor by
   Frame Relay or ATM VPNs.  These architectures are all compatible with
   the use of cryptography on a CE-CE basis, if that is desired.

   The use of cryptography on a PE-PE basis is for further study."

In 2015, we know that people, can, should, and do, turn on crypto
between data centres.

Today's situation is not 2006's and that I think needs to be stated
and this document seems like a fine place to do that. I would still
think that were the statement clearly made elsewhere.

Cheers,
S.


> 
> Best regards, Xiaohu
> 
>> -----Original Message----- From: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, December 03,
>> 2015 10:26 PM To: The IESG Cc:
>> draft-ietf-bess-virtual-subnet@ietf.org; aretana@cisco.com; 
>> bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com;
>> bess@ietf.org Subject: Stephen Farrell's Discuss on
>> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
>> 
>> Stephen Farrell has entered the following ballot position for 
>> draft-ietf-bess-virtual-subnet-06: Discuss
>> 
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>> 
>> 
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>> information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found
>> here: 
>> https://datatracker.ietf.org/doc/draft-ietf-bess-virtual-subnet/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>>
>> 
DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
(1) Surely extending a subnet from one to many data centres should only be
>> done if inter-data-centre traffic is all encrypted and
>> authenticated? I don't get why there isn't a MUST-like statement
>> here for such protection, and going a bit further, why some
>> interoperable form of protection for such traffic (e.g. IPsec, 
>> MACsec) isn't recommended as being MTI in such cases. The huge
>> variety of potentially and actually sensitive traffic being handled
>> by VMs these days and which ought not be, and probably is not,
>> understood by folks doing routing seems to very strongly imply that
>> such protection should in fact be turned on all of the time. (But
>> stating that would be going beyond current IETF consenus on MTI
>> security as expressed in BCP61.  It'd still be a good idea I think 
>> though.)
>> 
>> (2) I'm guessing one reaction to the above discuss point could be
>> "sure, but this is the wrong document." In that case, please show
>> me the right document and then tell me why a reference to that is
>> not needed here.
>> 
>> Note: none of the above is about RFC2119 MUST/SHOULD etc terms
>> even though I use them above. Just normal english that makes the
>> point would be fine.
>> 
>> 
>> ----------------------------------------------------------------------
>>
>> 
COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
The secdir-review [1] raised a similar issue, but I don't think
>> the response to that is sufficient really. (The secdir reviewer did
>> think so.)
>> 
>> [1]
>> https://www.ietf.org/mail-archive/web/secdir/current/msg06217.html
>> 
>

v2.23.0 | Report a Bug | By Email