Re: [nvo3-dt-encap] [nvo3] Encap draft published by design team

Sami Boutros <sboutros@vmware.com> Wed, 15 February 2017 17:36 UTC

From: Sami Boutros <sboutros@vmware.com>
To: Tom Herbert <tom@herbertland.com>, Sam Aldrin <aldrin.ietf@gmail.com>
Date: Wed, 15 Feb 2017 17:36:18 +0000
Message-ID: <F80D14D0-57B0-4768-9405-4AF99526E439@vmware.com>
References: <CA+C0YO0yz4KBe=w+EXHVBA=XWErRAtTzdCNsca7h-BjJ2Bwdxg@mail.gmail.com> <CALx6S37AeS8QEtm1SJsFe9dAnEoCdPZodPJyr7jfYxxEnM040g@mail.gmail.com>
In-Reply-To: <CALx6S37AeS8QEtm1SJsFe9dAnEoCdPZodPJyr7jfYxxEnM040g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3-dt-encap/Z79_vJflHvVsd9Y8N4J8x03zbfI>
Cc: "nvo3@ietf.org" <nvo3@ietf.org>, "nvo3-dt-encap@ietf.org" <nvo3-dt-encap@ietf.org>, "nvo3-chairs@ietf.org" <nvo3-chairs@ietf.org>

Hi Tom,

>The Security Considerations section needs content. First and foremost,
>in a multi-tenant data center ensuring strict isolation between
>different tenants' traffic seems fundamental and the mechanisms for
>doing that should be explicit in the description of an encapsulation.
>Bear in mind that when we use UDP for encapsulation there is typically
>nothing in a host to prevent an unprivileged application from spoofing
>well-formed nvo3 packets and sending them to arbitrary destinations
>(this is harder to do with other protocols such as TCP or GRE). A
>24-bit VNI is not sufficient to provide any guarantee of virtual
>network isolation.

Can you please elaborate more on why 24-bit is not sufficient to provide network isolation?
We have section 6.2.2 on security and integrity, for whose content we borrowed the text you supplied.
Can we refer in the Security Considerations to section 6.2.2? Is this what you are looking for?

Thanks,

Sami
>
>Tom
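An added illustration of the point raised in the quoted text, not code from the thread or from the design team's draft: a decapsulating NVE that trusts the 24-bit VNI alone will accept any well-formed UDP-encapsulated packet, so tenant isolation has to come from binding each VNI to the outer source addresses provisioned for it. The VXLAN header layout (RFC 7348) is assumed as the concrete encapsulation, and the `ALLOWED_NVES` table and all addresses are constructed for the example.

```python
import ipaddress
import struct

# Assumed encapsulation: VXLAN-style 8-byte header (RFC 7348 layout):
# 8-bit flags, 24 reserved bits, 24-bit VNI, 8 reserved bits.
VXLAN_HDR_LEN = 8
VNI_VALID_FLAG = 0x08  # the "I" flag; must be set for the VNI to be valid


def parse_vni(header: bytes) -> int:
    """Return the 24-bit VNI from a VXLAN-style header; raise on malformed input."""
    if len(header) < VXLAN_HDR_LEN:
        raise ValueError("truncated encapsulation header")
    if not header[0] & VNI_VALID_FLAG:
        raise ValueError("VNI-valid flag not set")
    (vni_field,) = struct.unpack("!I", header[4:8])
    return vni_field >> 8  # low 8 bits of the word are reserved


def make_header(vni: int) -> bytes:
    """Build a VXLAN-style header for the constructed sample inputs below."""
    return struct.pack("!BBHI", VNI_VALID_FLAG, 0, 0, (vni & 0xFFFFFF) << 8)


# Constructed control-plane state (hypothetical): for each VNI, the set of NVE
# outer source addresses allowed to emit frames on that virtual network. This
# binding, not the VNI value itself, is what the receiver relies on.
ALLOWED_NVES = {
    0x00ABCD: {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")},
    0x000042: {ipaddress.ip_address("10.0.1.7")},
}


def accept_frame(outer_src: str, header: bytes) -> tuple[bool, str]:
    """Decide whether to decapsulate a received frame. Returns (accept, reason)."""
    try:
        vni = parse_vni(header)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    src = ipaddress.ip_address(outer_src)
    nves = ALLOWED_NVES.get(vni)
    if nves is None:
        return False, f"unknown VNI {vni:#08x}"
    if src not in nves:
        # A well-formed header carrying a provisioned VNI proves nothing about
        # the sender: any host able to send UDP can construct one. Drop it and
        # count it; a burst of such drops is a useful isolation-violation signal.
        return False, f"VNI {vni:#08x} not provisioned for source {src}"
    return True, "ok"
```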