Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Xuxiaohu <xuxiaohu@huawei.com> Tue, 05 January 2016 10:03 UTC
Return-Path: <xuxiaohu@huawei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 818A31B2A63; Tue, 5 Jan 2016 02:03:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ch5aWWKSGO-z; Tue, 5 Jan 2016 02:03:08 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 165871B2A5F; Tue, 5 Jan 2016 02:03:04 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CCN13528; Tue, 05 Jan 2016 10:03:02 +0000 (GMT)
Received: from LHREML706-CAH.china.huawei.com (10.201.5.182) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.235.1; Tue, 5 Jan 2016 10:03:01 +0000
Received: from NKGEML410-HUB.china.huawei.com (10.98.56.41) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.235.1; Tue, 5 Jan 2016 10:03:00 +0000
Received: from NKGEML512-MBS.china.huawei.com ([169.254.8.64]) by nkgeml410-hub.china.huawei.com ([10.98.56.41]) with mapi id 14.03.0235.001; Tue, 5 Jan 2016 18:02:55 +0800
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Alvaro Retana (aretana)" <aretana@cisco.com>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
Thread-Index: AQHRLdaOLk8nhORYXUKrCN/X2riedp66D2jwgAAf9ICABKhN0IAAFESAgAsadwCAAAObAIABRkxQ///7zQCABQwf4P//jyyAgACaRjCAHGLKcA==
Date: Tue, 05 Jan 2016 10:02:54 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB5A07F@NKGEML512-MBS.china.huawei.com>
References: <20151203142601.21348.10762.idtracker@ietfa.amsl.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB53D79@NKGEML512-MBS.china.huawei.com> <56617BAD.6070906@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB54209@NKGEML512-MBS.china.huawei.com> <566574D9.6030202@cs.tcd.ie> <D2942F48.F093A%aretana@cisco.com> <566EC84E.7070600@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB55473@NKGEML512-MBS.china.huawei.com> <566FD680.2060901@cs.tcd.ie> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB56196@NKGEML512-MBS.china.huawei.com> <5673B3C3.7020300@cs.tcd.ie>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0205.568B94D7.0082, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.8.64, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 636d13f7260e6fc54f0a0d46d7fffea7
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/brI3mC-9jUqG9NhWMES0i1i9Zkk>
Cc: "draft-ietf-bess-virtual-subnet@ietf.org" <draft-ietf-bess-virtual-subnet@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "bess@ietf.org" <bess@ietf.org>
Subject: Re: [bess] Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2016 10:03:11 -0000
Hi Stephen, I wonder whether the following explanation is fine to you. Best regards, Xiaohu > -----Original Message----- > From: Xuxiaohu > Sent: Friday, December 18, 2015 5:27 PM > To: 'Stephen Farrell'; Alvaro Retana (aretana); The IESG > Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; > martin.vigoureux@alcatel-lucent.com; bess@ietf.org > Subject: RE: Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: (with > DISCUSS and COMMENT) > > > > > -----Original Message----- > > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > > Sent: Friday, December 18, 2015 3:21 PM > > To: Xuxiaohu; Alvaro Retana (aretana); The IESG > > Cc: draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; > > martin.vigoureux@alcatel-lucent.com; bess@ietf.org > > Subject: Re: Stephen Farrell's Discuss on > > draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT) > > > > > > > > On 18/12/15 06:25, Xuxiaohu wrote: > > > Hi Stephen, > > > > > > Sorry for my late response. The reason that I hesitated to add > > > MACsec as an additional example of a strong security mechanism is as > > > follows: MACsec is a layer2 encryption mechanism and therefore it > > > seems not much suitable to protect IP encapsulated traffic between > > > PE routers, unless these PE routers are directly connected to each > > > other at Layer2. > > > > My belief is that such a scenario can be the case for some inter-DC > > links. That's not based on real experience though so I'm open to > > correction. Hopefully, someone getting this mail knows the answer and > > can tell us if MACsec really is worth mentioning. (If not, I'm now > > curious enough to try go chase down the > > answer:-) > > > > Hi Stephen, > > The following are some materials related to MACsec and MPLS VPN: > > https://www.brocade.com/content/dam/common/documents/content-types/f > eature-guide/brocade-macsec-fg.pdf > http://www.juniper.net/techpubs/en_US/release-independent/nce/information > -products/pathway-pages/nce/nce-137-macsec-over-mpls-ccc-configuring.pdf > > It shows that MACsec is mainly applicable to MPLS L2VPN scenarios such as VLL > and VPLS rather than MPLS L3VPN. Since this draft is based on MPLS L3VPN > (i.e., MPLS/BGP IP VPN), it seems that we don't have to mention it as one > ADDITIONAL example of a strong security mechanism. Is it fine for you? > > Best regards, > Xiaohu > > > > If my understand is wrong, would you please explain how to use > > > MACsec to protect the IP encapsulated traffic between PE routers > > > which are not directly connected? Or would you please provide me a > > > link to some RFC which talks about this usage? > > > > I don't believe there is. At that point you have to go up the stack to > > MPLS-OS maybe, or IPsec. But the text does already cover this. > > > > Cheers, > > S. > > > > > > > > > > Best regards, Xiaohu > > > > > >> -----Original Message----- From: Stephen Farrell > > >> [mailto:stephen.farrell@cs.tcd.ie] Sent: Tuesday, December 15, 2015 > > >> 5:00 PM To: Xuxiaohu; Alvaro Retana (aretana); The IESG Cc: > > >> draft-ietf-bess-virtual-subnet@ietf.org; bess-chairs@ietf.org; > > >> martin.vigoureux@alcatel-lucent.com; bess@ietf.org Subject: Re: > > >> Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: > > >> (with DISCUSS and COMMENT) > > >> > > >> > > >> Hiya, > > >> > > >> On 15/12/15 01:19, Xuxiaohu wrote: > > >>> Hi Stephen, > > >>> > > >>> It said "...using a strong security mechanism such as IPsec > > >>> [RFC4301]". Here IPsec is just mentioned as an example of a strong > > >>> security mechanism. Therefore, it doesn't exclude MACsec. > > >> > > >> Sure, but... > > >> > > >> The text that I suggested and that you said seemed good did include > > >> MACsec. > > >> > > >> On 09/12/15 07:47, Xuxiaohu wrote: > > >>>> So maybe something more like: > > >>>> > > >>>> "Inter data-centre traffic often carries highly sensitive > > >>>> information > > >> at higher > > >>>> layers that is not directly understood (parsed) within an egress > > >>>> or ingress PE. For example, migrating a VM > > >> will often > > >>>> mean moving private keys and other sensitive configuration > > >> information. For > > >>>> this reason inter data-centre traffic SHOULD always be protected > > >>>> for both confidentiality and integrity using a strong security > > >>>> mechanism such > > >> as IPsec [1] > > >>>> or MACsec [2] In future it may be feasible to protect that > > >>>> traffic > > >> within the MPLS > > >>>> layer [3] though at the time of writing the mechanism for that is > > >>>> not > > >> sufficiently > > >>>> mature to recommend. Exactly how such security mechanisms are > > >> deployed will > > >>>> vary from case to case, so securing the inter data-centre traffic > > >>>> may > > >> or may not > > >>>> involve deploying security mechanisms on the ingress/egress PEs > > >>>> or > > >> further > > >>>> "inside" the data centres concerned. Note though that if security > > >>>> is > > >> not deployed > > >>>> on the egress/ingress PEs there is a substantial risk that some > > >> sensitive traffic > > >>>> may be sent in clear and therefore be vulnerable to pervasive > > >> monitoring [4] or > > >>>> other attacks." > > >>> > > >>> Thanks a lot for your suggested text. If nobody object the above > > >>> text, I will add it in the next revision. > > >>> > > >> > > >> And indeed you added it all except for MACsec. > > >> > > >> And my question is not whether MACsec is excluded but rather why it > > >> was omitted, when afaik, it is what is most used for securing this > > >> particular kind of inter-DC traffic. (At least I believe that > > >> MACsec is what's most used there. If not, I'd be glad to know > > >> that.) > > >> > > >> So, why not include MACsec? Did someone object? If so, why? (And > > >> can you send a pointer to the WG list where that objection was > > >> raised so I can understand it better.) > > >> > > >> Thanks, S. > > >> > > >> > > >>> > > >>> Best regards, Xiaohu > > >>> > > >>>> -----Original Message----- From: Stephen Farrell > > >>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Monday, December 14, > > >>>> 2015 9:47 PM To: Alvaro Retana (aretana); Xuxiaohu; The IESG > > >>>> Cc: draft-ietf-bess-virtual-subnet@ietf.org; > > >>>> bess-chairs@ietf.org; martin.vigoureux@alcatel-lucent.com; > > >>>> bess@ietf.org Subject: Re: Stephen Farrell's Discuss on > > >>>> draft-ietf-bess-virtual-subnet-06: (with DISCUSS and COMMENT) > > >>>> > > >>>> > > >>>> Hi, > > >>>> > > >>>> Can someone say why the mention of MACsec wasn't included? As I > > >>>> understand it, MACsec is what's mostly usable for inter-DC > > >>>> security so omitting it seems like a bad idea (or perhaps I'm > > >>>> misinformed) > > >>>> > > >>>> Thanks, S. > > >>>> > > >>>> On 14/12/15 13:34, Alvaro Retana (aretana) wrote: > > >>>>> Stephen: > > >>>>> > > >>>>> Hi! > > >>>>> > > >>>>> Xiaohu posted an update that we hope addresses your concerns. > > >>>>> Pelase take a look. > > >>>>> > > >>>>> > > >>>>> Thanks! > > >>>>> > > >>>>> Alvaro. > > >>>>> > > >>>>>
- [bess] Stephen Farrell's Discuss on draft-ietf-be… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Alvaro Retana (aretana)
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Xuxiaohu
- Re: [bess] Stephen Farrell's Discuss on draft-iet… Stephen Farrell