Re: [nvo3-dt-encap] Question on NVO3 header security/integrity
Tom Herbert <tom@herbertland.com> Sat, 14 January 2017 00:11 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: nvo3-dt-encap@ietfa.amsl.com
Delivered-To: nvo3-dt-encap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADDEA129FC9 for <nvo3-dt-encap@ietfa.amsl.com>; Fri, 13 Jan 2017 16:11:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_TVD_FUZZY_SECURITIES=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLf1_-dy92xP for <nvo3-dt-encap@ietfa.amsl.com>; Fri, 13 Jan 2017 16:11:10 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B896129FC7 for <nvo3-dt-encap@ietf.org>; Fri, 13 Jan 2017 16:11:10 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id u25so70570441qki.2 for <nvo3-dt-encap@ietf.org>; Fri, 13 Jan 2017 16:11:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DKK5cYUKTlfM7hymUs+cjjmjeE2/Oz1+zL9SjwFb730=; b=v0hD/lDJPVYwzgVSQLEVON03hfjBwDQkXu6Htn+wDFjt8KXR3ovrySF4GBzpJtTJe/ 7RmHsXdvvrOAFFE6NrLbTKCAXYPcC7u/drTCyhQ/Km3/9RtCldtd2bSdsd0iQekF72TW BZ+rY4gHM6zWf9fCCUsGzoDTyMd7XaViJ6Olg4I0Ic4XXFMMa9BdT53V74dFCgmjBPbm zVfNtbY1CXYcS3B0k0tEPHgb1spLT313V45F+vDcYkNAT690ig8iwSdmwb3WQFz53mAO PVprJ5nbzGGbujcorzzelZOhFH6EVTo27UX6tobfdwFtzOo+nmijzsK3+at5L3JpTAHQ +SbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DKK5cYUKTlfM7hymUs+cjjmjeE2/Oz1+zL9SjwFb730=; b=ZOFCrWza1aCrFegzcYhEZez7FJ+oA5N7m3NGfqR7cGvNdLZN9kjbiL2BFcJIMZwfHW NMm5pkFLBGMiDfKD3l+esoe5q0D99WmsEorvZ/jLEIJgLcGkqmOAa8eqpdnwhJG6+B2d 3AinlCkLmmeVdtY/mIBhPQr4715NV/1DNoaGiDbvKeNEmltWDv7Jf5Ril8JXT4rGd383 /kA99K4U2yno/Sl6yYI3iXLcJ/05grvh/NXRjLa4Xzqu2N6iZJDOIbu/Bg7sK7uf9y6H uGF6NyoVT3yEAX+p3xCpfkg5tH/rynrbPHj0xi/C+bxl8kHuhdc22/sxuBnAXqdxmLeb eOJw==
X-Gm-Message-State: AIkVDXJuJYBAK0a6T7XmB+mje9C0oX17F2jnAC85VmrQM1umYRudoLLCIsk4iOYpLWBDx9rAOxhfO4DZd/Od8w==
X-Received: by 10.55.165.76 with SMTP id o73mr20932838qke.32.1484352669253; Fri, 13 Jan 2017 16:11:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.36.136 with HTTP; Fri, 13 Jan 2017 16:11:08 -0800 (PST)
In-Reply-To: <CAM-NV-rTfDgEn_tidYnX-xsQ1tNOt6nOUEE0tpH31ML4FcNGvw@mail.gmail.com>
References: <CAM-NV-rTfDgEn_tidYnX-xsQ1tNOt6nOUEE0tpH31ML4FcNGvw@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 13 Jan 2017 16:11:08 -0800
Message-ID: <CALx6S35PpjuPStcN-GEsv_EhCVRWoP849s7aRv8+YfyQ2VU+tA@mail.gmail.com>
To: Pankaj Garg <ipankajg@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3-dt-encap/bULOJqc66QS4i8kivsIVfTLhZw0>
X-Mailman-Approved-At: Sat, 14 Jan 2017 08:16:03 -0800
Cc: nvo3-dt-encap@ietf.org
Subject: Re: [nvo3-dt-encap] Question on NVO3 header security/integrity
X-BeenThere: nvo3-dt-encap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Private mailing list for internal NVO3 Encapsulation Design Team discussions <nvo3-dt-encap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3-dt-encap>, <mailto:nvo3-dt-encap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3-dt-encap/>
List-Post: <mailto:nvo3-dt-encap@ietf.org>
List-Help: <mailto:nvo3-dt-encap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3-dt-encap>, <mailto:nvo3-dt-encap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2017 00:11:11 -0000
On Wed, Jan 11, 2017 at 7:29 AM, Pankaj Garg <ipankajg@gmail.com> wrote: > Tom - > > Recently a design team for NVO3 was formed to propose one > encapsulation for standardization by NVO3. As part of this design > team, we have been looking for a use case of extensions around NVO3 > header security/integrity. In the past, you have brought up this use > case. Would you be able to describe this use case for us and how > extensions can be used to enable this? > > We would appreciate this and use this example, along with 1-2 other > examples to ensure that proposed encapsulation format meets the > requirements of such use cases. > Hi Pankaj, The need for security for nvo3 came up when I was working on the Google Cloud networking protocol. We initially used GRE with keyid as VNI (basically nvgre). At that point we didn't have spoofing enabled on the switches so we were concerned about spoofing packets for particular virtual networks or even the possibility that simple bit corruption of VNI could deliver a packet to the wrong tenant. The solution then was to overload the csum and seqno fields in GRE as a 64 bit security cookie. None of the hardware we tested had a problem with using and overloading the GRE fields so this was a deployable solution. The problem though was that there are no more bits available in GRE so we hit the wall with any more extensions or to use any more sophisticated security. This is why we invented GUE as a extensible replacement for GRE. The possibility of VNI spoofing with an nvo3 protocol is exacerbated by the use of UDP. Systems typically have no restrictions on applications being able to send to any UDP port so an unprivileged application can trivially spoof VXLAN packets for instance (this is harder to do in non-UDP protocols like GRE). To that end we've added HMAC support in GUE that authenticates the header and IP addresses. The other aspect of security that we support in GUE is payload security. Essentially this is to make packets that look like IP|UDP|GUE|DTLS|payload. GUE indicates the payload is secured (in the transform option). This is nice since we still have the UDP header for ECMP, the GUE header is in plane text so it can by read by network elements, and different security or other payload transforms can be supported on a single UDP port (we don't need a separate UDP for DTLS in GUE for instance). Tom > Thanks > Pankaj
- [nvo3-dt-encap] Question on NVO3 header security/… Pankaj Garg
- Re: [nvo3-dt-encap] Question on NVO3 header secur… Tom Herbert