IETF Logo Mail Archive

Re: [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard

Daniel Migault <daniel.migault@ericsson.com> Wed, 27 November 2019 15:45 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABCBF1209D8; Wed, 27 Nov 2019 07:45:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IthCCow_JSWl; Wed, 27 Nov 2019 07:45:37 -0800 (PST)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720041.outbound.protection.outlook.com [40.107.72.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AA611209C2; Wed, 27 Nov 2019 07:45:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=C/tn4YNE3HzB6JSJOqZbUf+8IfDHMPHt/jjEwRk5XE5A56rHlRsRplPbfpny2BKak3dP03rh0NB8N1wqXSCfCI34a2uUp4V74OO0N0rbLVdKjrCBYJLHsY4+9GZsr0ILDCDWVk6qtaThqTfYyyZjf7DrGUFfBMo4jotTyWMyd43ZRirbqAX1EDgenXBOTnw8N9PM/jUYgWxDtIuRKsWJblc2ic53f/etmo/yFfMeBpjYKUzb5Ydo5yIqJnCR5PJPWHBZRC0ceX1inSM1be5N5SpxZ0Kfg0C4jRdYnDNZmxr66d5fm9Kbt/SwsFhsB+HXX1lzVUBsoAAmo2neqAwbiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=87NwHwSCJyd/JHOZmk4zeweDo/q1etWvNSxw+EJf8sU=; b=f7qOQpRUKdtWvCQlaCm5GFJ1cghy7qUGDjCcxQzc5sdYNQlBLheOLzekX1XRe99jDoBqioojg+eqBeMkIyK9YnMrQt0PQZKPrceIZTcagrqD6GFIfTe4U/VPhFdOkHMfS+V22E/BMPPDPvTpwz2RrANPZmyGtOT+WecJY4fvmz/N5HpQgOV++o/s4/tFLKA6oiKGHDSgT8zJHh5Hrx9JSZw/KRCyQCPAjzVwLuBnXtW/j4BxyTiQleEAQjzXj7kMAynJrqovAc7hEbyQQCdDxpdLi2ezObJdImWvCOViJ2gQbhjP5aPmxGeJm9nqRPNmhsJgXtLiHHsE4YPlkwhJhA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=87NwHwSCJyd/JHOZmk4zeweDo/q1etWvNSxw+EJf8sU=; b=gTAVk5ElhUas6sHjDHHBPImnXm0/IzR02B19W5Vcs5D3jHEp2G7dBdOIbF1Ngop5YK/PECDIyMehB6GqkRzudWXbDyCVqVrbfTXvMe9NAajDtlsagUjbJbT2KJFZwAra/Z7GDc7UFH2au2LJb/yBfeIXFeIqcyC8UAp0NxuGQ8g=
Received: from CH2PR15MB3525.namprd15.prod.outlook.com (52.132.229.213) by CH2PR15MB3719.namprd15.prod.outlook.com (52.132.228.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.19; Wed, 27 Nov 2019 15:45:34 +0000
Received: from CH2PR15MB3525.namprd15.prod.outlook.com ([fe80::2c0a:15a6:920c:77a]) by CH2PR15MB3525.namprd15.prod.outlook.com ([fe80::2c0a:15a6:920c:77a%6]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 15:45:34 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Sam Aldrin <aldrin.ietf@gmail.com>
CC: "last-call@ietf.org" <last-call@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, NVO3 <nvo3@ietf.org>, "nvo3-chairs@ietf.org" <nvo3-chairs@ietf.org>
Thread-Topic: [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard
Thread-Index: AQHVpSQBVmoU/UiJtEiTbfBBWf5sXKefCrhQ
Date: Wed, 27 Nov 2019 15:45:33 +0000
Message-ID: <CH2PR15MB352552DB83DBBF8883A58E13E3440@CH2PR15MB3525.namprd15.prod.outlook.com>
References: <157194251671.11379.15426111256317525739.idtracker@ietfa.amsl.com> <CADZyTk=-8GK8k5-XoXs-y3w1vSbCBYAmCG2+xEZkpeTsNt96gA@mail.gmail.com> <CA+C0YO3r=BjCYaNtXmPGff6HG+j0hV0CVimbZ+FhBBTnAuveWw@mail.gmail.com>
In-Reply-To: <CA+C0YO3r=BjCYaNtXmPGff6HG+j0hV0CVimbZ+FhBBTnAuveWw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=daniel.migault@ericsson.com;
x-originating-ip: [96.22.2.9]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6ccadf1f-c0eb-4a48-f37c-08d77350d723
x-ms-traffictypediagnostic: CH2PR15MB3719:
x-ms-exchange-purlcount: 9
x-microsoft-antispam-prvs: <CH2PR15MB3719E47DAF73AE52CB4D938DE3440@CH2PR15MB3719.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(39850400004)(366004)(346002)(136003)(51914003)(189003)(199004)(99286004)(14444005)(33656002)(55016002)(11346002)(790700001)(3846002)(446003)(6116002)(102836004)(6916009)(66476007)(64756008)(66946007)(66446008)(66556008)(25786009)(81156014)(76116006)(74316002)(54896002)(8676002)(9686003)(4326008)(7736002)(186003)(6306002)(236005)(81166006)(66066001)(7696005)(6506007)(86362001)(256004)(53546011)(229853002)(966005)(8936002)(6246003)(26005)(606006)(76176011)(6436002)(316002)(2906002)(9326002)(54906003)(52536014)(478600001)(44832011)(71200400001)(71190400001)(5660300002)(14454004)(41533002); DIR:OUT; SFP:1101; SCL:1; SRVR:CH2PR15MB3719; H:CH2PR15MB3525.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 189jjwq9qu+WFpgYh/q7eGn+MTCBrZXxv4awQ8jQ9dB2zOolf9EuqETblQ5cDycNfIh9pVjakICsNLdZ6wPXgbh/egj9gqXAtq8K7hzqgFGEcm81LjNfnOYBvx33MW/3pv/x/LWl0gdwx2rF7qfUtNIooSxFe7JNvSdxbyGROnq2x35EOE52HJNH2EqW/ohQEsnbFdsK3xcu/Y7bM37c3e5s8u0eRQ2PZRJr1L1xg0wsx7kZ8YTqHtb2zoM6KrO61bZgoUWb314HvZfNxHqe2rpNB7tukdDR6aSuxSXXFHK/NHCrrQ67dLyD/VKOGMybNYT2i5tJWom3bbCSJAok0yTi3GS9NnhwQ4FRHvtI7Nl3mi8qrywSJszlM77tNtmfdxWVD70nwr98LSrPFYHuMMuPmOrIweyT+IC0eVh9eQ9STMA8ldJ0JPgDFDrvCawBXn8hi0J+7BzxuB872ZxYlVo3hsS/dskP4yZTexBIN6s=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR15MB352552DB83DBBF8883A58E13E3440CH2PR15MB3525namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6ccadf1f-c0eb-4a48-f37c-08d77350d723
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 15:45:33.9130 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CKZWlmj4diGrFV2XPx7HQFcvMT1Y2AMuWKVnShIAaERG54u7ET6ibgcft6EPq5vODoHMbR8cOqBJMpBYYfLId4tOwv7+EON+rPlg8mwjERM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR15MB3719
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/pCQ02VOTjl_OXoRB15XvJTT-bYo>
Subject: Re: [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 15:45:42 -0000

Hi Sam,

Thanks for the feed backs. See my responses.

Yours,
Daniel

From: Sam Aldrin <aldrin.ietf@gmail.com>
Sent: Wednesday, November 27, 2019 8:10 AM
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: last-call@ietf.org; Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>; draft-ietf-nvo3-geneve@ietf.org; NVO3 <nvo3@ietf.org>; nvo3-chairs@ietf.org
Subject: Re: [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard

Hi Daniel,

Speaking as individual with chair hat off.

I'll let authors detail more responses. See
 inline for my comments.

On Wed, Nov 27, 2019, 2:35 AM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi,

I do have some architecture concerns regarding the Geneve specification. My concerns have already been raised to the WG but I have not been convinced these have been resolved. I am not claiming that I am not wrong nor that I am not on the rough but for more transparency, I prefer reiterating my concern.
These were discussed at the mic and I personally think the concerns were not valid or valid ones were already addressed. Neither does the WG shared the concerns you are expressing, reading from the comments from authors and folks at the mic (refer to meeting minutes).

<mglt > I agree with you this has been exposed / discussed in session and on the mailing list. I also agree that the WG did not shared my concerns. However it is hard for me to evaluate if the reason is that my concerns were not valid or because the security was under-represented. In any case, I have not been convinced my concerns did not applied and I am not in a position I can say I understand the design choice, that is a reasonable choice.

Early version of the “geneve security requirement” pointed out some complexity/flaws associated to the  transit devices. While some concerns raised are reflected in the current document, this work has not yet been completed yet and security of NVE-to-NVE communications in conjunction of transit device still remain unclear to me at that time.

From all discussions, in my perspective, transit devices should not be mentioned as they raise concerns – at least to me. That said, I would probably not have raised any concerns if they were described in the appendix in an non normative section, if necessary.
</mglt>


In my opinion, the transit devices that are not part of the generic NVO3 architecture RFC8014 should not be part of the Geneve specification as they do raise - at least to me - significant concerns.

Transit devices are placed on-path of a session established between end points (NVE) which results in a three parties communication.
You are assuming the requirement here, when there is none.


<mglt>I understand your comment as I am assuming any NVE-to-NVE sessions have a transit device. If I interpreter correctly your comment, this is not what I intended to say. Instead, I am saying that transit devices when they exist are placed on path of a NVE-to-NVE communication. If this is not correct, than I understand transit devices would be out of scope of the nvo3 architecture.</mglt>

The absence of explicit signaling between the the NVE and the transit device contradicts of rfc8558 - though mostly focused on TCP. The consequence I am concerned is, in my opinion, that the presence of transit devices will slow down or prevent securing NVE-to-NVE communications.
Says who?. Speaking with deployment experience of overlay network, what you mention is hypothesis. This is not how things work. Transit device is not in the mix when overlay dataplane is setup.

<mglt>I understand your comment as any administrator has a full control of NVEs and transit devices. In other words, because we are in a controlled environment, the information a transit device is on path is known. The problem however, appears to me similar as the core of the problem is the interaction between the transit devices and the security layer used to secure NVE-to-NVE communications. -- It basically moves the problem from securing communication that do not have on-path transit devices to configuring the network with transit devices out of the path of NVE-to-NVE communications that needs to be secured. In any case, securing these NVE-to-NVE communications will result in disabling the transit devices functions which represents, unless this transit devices functions are useless, a major operational change. The perspective of this change is likely to result in not securing the NVE-to-NVE communication.</mglt>

Typically, the document recommends securing the NVE-to-NVE communication with DTLS or IPsec which results in "bypassing" the transit devices. While the draft specifies the transit devices should not block an encrypted communication, my concern is that encrypting communications makes transit devices useless.
It is intended and as per arch RFC.
<mglt>If the arch RFC is 8014, I do not see any transit devices, thought I may have missed them in the document or consider an inappropriate document </mglt>

In that sense, a NVE that is not aware that no transit devices are on its path will not secure the NVE-to-NVE communication.
Please do not make assumptions. Real deployment do not go by assumption. Security of the traffic is by design and not because of transit device or whether NVE has that info. You are introducing totally non-existent requirement of NVEs being aware of transit devices. In my deployment, traffic is secured, based on how we set up overlays, not because it has to transit or not. That is outside the scope of dataplane.

<mglt>As mentioned above the problem is related to the interaction between transit device and end-to-end security protocols, not the way these are deployed. </mglt>

As a result, my understanding is that with DTLS/IPsec: either the transit devices constitute a major obstacle to the deployment of securing NVE-to-NVE communications or transit devices have been designed to be useless.
Your assumption is wrong and not true.

<mglt> As mentioned above, the problem is due to interactions between DTLS and transit devices. </mglt>

Note that communication security does not necessarily needs to be performed by DTLS or IPsec, and that securing at the overlay
layer could accommodate the transit device. However, there has been no consensus on the security requirements yet, so in my opinion it is premature to rely on such mechanisms.
I would advise the authors of requirements draft (if there exists one) publish and start building consensus with the WG, if certain new arch for overlays has to be undertaken. Based on the adopted arch/rfc, the geneve draft is inline with the arch.

<mglt> This comment seems to indicate a commitment that security will be addressed the security concerns. The history of security in this working group is relatively bad. “nvo3 security requirements” [1] is an abandoned wg document since 2016  and the “geneve security requirements” [2] did not pass the call for adoption. As a result, a commitment related to security seems to me unrealistic for now. </mglt>

[1] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07
[2] https://datatracker.ietf.org/doc/draft-mglt-nvo3-geneve-security-requirements/
[3] https://mailarchive.ietf.org/arch/msg/nvo3/AfwANpWA3sfH_TMVuQp0GhWWOOw

Cheers
Sam

Yours,
Daniel


On Thu, Oct 24, 2019 at 2:42 PM The IESG <iesg-secretary@ietf.org<mailto:iesg-secretary@ietf.org>> wrote:

The IESG has received a request from the Network Virtualization Overlays WG
(nvo3) to consider the following document: - 'Geneve: Generic Network
Virtualization Encapsulation'
  <draft-ietf-nvo3-geneve-14.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org<mailto:last-call@ietf.org> mailing lists by 2019-11-07. Exceptionally, comments may
be sent to iesg@ietf.org<mailto:iesg@ietf.org> instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


   Network virtualization involves the cooperation of devices with a
   wide variety of capabilities such as software and hardware tunnel
   endpoints, transit fabrics, and centralized control clusters.  As a
   result of their role in tying together different elements in the
   system, the requirements on tunnels are influenced by all of these
   components.  Flexibility is therefore the most important aspect of a
   tunnel protocol if it is to keep pace with the evolution of the
   system.  This document describes Geneve, an encapsulation protocol
   designed to recognize and accommodate these changing capabilities and
   needs.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ballot/

The following IPR Declarations may be related to this I-D:

   https://datatracker.ietf.org/ipr/2424/
   https://datatracker.ietf.org/ipr/2423/





_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org<mailto:IETF-Announce@ietf.org>
https://www.ietf.org/mailman/listinfo/ietf-announce
--
last-call mailing list
last-call@ietf.org<mailto:last-call@ietf.org>
https://www.ietf.org/mailman/listinfo/last-call

v2.23.0 | Report a Bug | By Email