Re: [nvo3] Geneve architecture and question around transit devices (Threat Model)
Daniel Migault <daniel.migault@ericsson.com> Sat, 09 March 2019 03:02 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC892126F72 for <nvo3@ietfa.amsl.com>; Fri, 8 Mar 2019 19:02:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIAmuefpZu6b for <nvo3@ietfa.amsl.com>; Fri, 8 Mar 2019 19:02:45 -0800 (PST)
Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28E3B12796B for <nvo3@ietf.org>; Fri, 8 Mar 2019 19:02:45 -0800 (PST)
Received: by mail-lj1-f172.google.com with SMTP id g80so19042566ljg.6 for <nvo3@ietf.org>; Fri, 08 Mar 2019 19:02:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n0CKSXuREVb0NYBy6rNuV/eMLP7XS5LGKSuVJOmNgak=; b=uYSP3X17PuISSEwgm6NPthDduJTci22v2vqXtcO2Xv5vLY+5PVQ8jDXfJlUiAxljnU X/SBkh95hcqgk1TYHv6XWXCM/JszSketlxZyrbckuKSWP+yXaDlnZfSFlIVCAoYfPWy3 9v7BU44SJQoneVJOMSI8OmH8s2YfPvL+K8g1FJgYbllXJDncDAyIJt2LbWZ1bmT2SmTe /UgDpx6zinezWLTpMv7hfhs4JJ1O4++R+TiSiJfkFtK8gGHrmPRW6uh5DINJMjsPDVvO BNM5/HPaikXw45heUUw23PdBg4ipnq91sf/nNUHYqRS9KlbBurshhD66qgNiFMCG1Rew FPWA==
X-Gm-Message-State: APjAAAUCZcugnBH9c86+UTtFQogGYrpZ29TITIw0ms7pNvxDRbIBekk4 M609yKw2VYEZ9dbraBEgc0vwbiDiz4kOwH/l94UwY4FV+e8HrQ==
X-Google-Smtp-Source: APXvYqyt2nhSo+1J6EeXXgks+xhNI3Lq3UwrC/g8MmT0RZWAnvaPRZNT5hweJsMBF3qFCFg4fR4xOzOzzXyjuVfzjUY=
X-Received: by 2002:a2e:7314:: with SMTP id o20mr10763951ljc.111.1552100563030; Fri, 08 Mar 2019 19:02:43 -0800 (PST)
MIME-Version: 1.0
References: <CADZyTkmzra0wMT_uXakOYkA7DaAvKHqhK8mAyGEWaMBco0H-SQ@mail.gmail.com> <5C7966D4.90704@aon.at> <CADZyTkns8EoStVQr4zjm6=wPRm=4rQJmAceHhTHU_rdfiaZ6ow@mail.gmail.com> <5C7D8645.8010304@aon.at>
In-Reply-To: <5C7D8645.8010304@aon.at>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Fri, 08 Mar 2019 22:02:31 -0500
Message-ID: <CADZyTkk3=xQC3YcWaXGbWpDPy4H+a+CNNfz1LEpZx1Hq9fqLMw@mail.gmail.com>
To: Michael Kafka <m.kafka@aon.at>
Cc: NVO3 <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b71a750583a092f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/-0WK1otetsjV6B89o1yQ2V6e8DU>
Subject: Re: [nvo3] Geneve architecture and question around transit devices (Threat Model)
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 03:02:48 -0000
Thanks for the feed back. We have a document [1] that provides the threat model and security requirements with the current Geneve specification. The threat model considers the read-only transit devices, however, it is very unclear to me how the document should evolve. This will depend on whether geneve moves more toward a end-to-end protocol versus a protocol with transit devices. In the latest case, if trasit device are so essential, it seems to unrealistic that these devices will remain read-only for a long time. As a result, the threat model may evolve toward its initial version. You are however more than welcome to comment on the threat model and see how group communication meets the requirements - or need additional requirements. Yours, Daniel [1] https://datatracker.ietf.org/doc/draft-mglt-nvo3-geneve-security-requirements/ On Mon, Mar 4, 2019 at 3:11 PM Michael Kafka <m.kafka@aon.at> wrote: > Hi Daniel, > > (some answers inline below) > > I believe secure group communication in the context of Geneve > will provide an additional level of trust/compliance in a typical > data center operation (where I see the primary focus of Geneve). > > What is the threat model in the context of Geneve? As you stated > just a few days ago: > > "The threat model seems to me very vague, so the current > security consideration is limited to solving a problem that > is not stated." > > Would it be beneficial for the nvo3-wg to define a threat model > so we can suggest solutions for a clearly defined problem? > > May I suggest as a seed for a discussion: > > Goal: Limit the possibility of Geneve end-points/transit-devices > to participate in an nvo-network with authenticated and encrypted > communication. > > Reason: Compliance with several industry standards (e.g. PCI) > to encrypt sensitive information in transit and limit access > to said information. > > Modern virtualization platforms allow to limit VM-migration > to a set of defined virtualization hosts (e.g. affinity rules) which > could support limitation to participate in nfv/nvo for selected > VMs/applications if aligned with host-affinity and secure group > communication. > > On 19/03/02/ 18:04, Daniel Migault wrote: > > Hi, > > > > Thanks for the response. In my view group communication does not > > address the threat model in the context of Geneve, more especially, I > > am not sure that group communication considers that some piece of > > information can be disclosed to a subset of the members of the group. > > GSAKMP has a group concept with a hierarchical key management (See > e.g. Appendix A1, A2: LKH, logical key hierarchy). In addition we > have merchant-silicon available to provide encryption for the needs of > data center communication scaling up 10s or 100s Gbit/s for AES-GCM > for the forwarding-plane. The control-plane in current network devices > is typically multi-core/GHz, capable to negotiate keys in a reasonable > time. Forwarding-plane encryption is currently implemented for 802.1AE > in hardware but I don't see much more complexity e.g. for > ESP-headers, allowing to communicate beyond L2-boundaries. > > > That said, if you believe that could be a way to address the threat > > model, I am more than happy to hear from you. The mls WG may also > > have interesting discussions related to group communications. > > Like mentioned above, we don't a clear definition of the threat > model yet. > > The mls-wg mostly focuses on federated services for the (mostly > untrusted) Internet services, mentioned are: S-MIME, PGP, TLS1.3. > IMHO Genve has a different scope. Please correct me if I'm wrong. > > > Instead, what I had in mind were all discussions/proposals/academic > > publications around TLS and the coexistence of middle boxes. > > Discussions includes but are not limited to an explicit signaling of > > the middle box, the disclosed information to the middle box versus > > the information not disclosed... > > I fully subscribe to this. Last year I had a talk at CERT.at, our > national CERT, discussing the mess of current practice for TLS- > intercept and alignment with PKI-concepts, TLS1.3 and the need > for "Rouge CAs". I hope we don't want to go this road for a new > IETF-standard. A secure group communication could be a solution, > we have the great opportunity now of defining green-field > standards without bowing our knees to decades of industry practice. > > > Yours, Daniel ~ > > > > On Fri, Mar 1, 2019 at 12:07 PM Michael Kafka <m.kafka@aon.at > > <mailto:m.kafka@aon.at>> wrote: > > > > On 19/03/01/ 17:23, Daniel Migault wrote: > > > >> As mentioned earlier, this cannot be true and providing end-to-end > >> security between three or more party has not yet been solved at > >> the IETF. > > > > Just off the top of my head: > > > > OSPFv3, 7. Key Management, static keys, > > https://tools.ietf.org/html/rfc4552#page-5 Static keys could be > > distributed in SDN environments through central controller. Requires > > mutual trust. > > > > Much older GSAKMP from the era of IKE/ISAKMP, still standards track, > > not obsoleted https://tools.ietf.org/html/rfc4535 > > > > Rgds, MiKa > > > > Best regards from Vienna, > > MiKa > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 >
- [nvo3] Geneve architecture and question around tr… Daniel Migault
- Re: [nvo3] Geneve architecture and question aroun… Michael Kafka
- Re: [nvo3] Geneve architecture and question aroun… Daniel Migault
- Re: [nvo3] Geneve architecture and question aroun… Michael Kafka
- Re: [nvo3] Geneve architecture and question aroun… Daniel Migault