IETF Logo Mail Archive

Re: [nvo3] [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard

Sam Aldrin <aldrin.ietf@gmail.com> Wed, 27 November 2019 13:10 UTC

Return-Path: <aldrin.ietf@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D9E71208B1; Wed, 27 Nov 2019 05:10:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrBc-gNX_04u; Wed, 27 Nov 2019 05:10:00 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9CE7120872; Wed, 27 Nov 2019 05:09:59 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id cy15so12035203edb.4; Wed, 27 Nov 2019 05:09:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UIMSKA0QH5/Gi+BOfbz6AsuWzxC11jdMuBSfI4EWnH4=; b=FSba/U6pEYbvI7GI/tKdiE8aYbo7JPRemlWGLUKfo4Xqrh9hRoVcIog0bKucYcxI1w dlcqFZFPpTmqpDPrfu7wKsamaFP4tq9xMVByutwYZNzijYsRbhT0whvx6TLG/UZyu/XA 680UrhsRgTC62UiVwCuA7a8c/Frag/5Ot1vaYrdlZmtOfC7OjRed7+leKoMhE3OuUTu5 PsrVguLrnwxxKQhfaRqRSijG1LzpyhzAhwg21ESVhWh7ss9z4gXiI2N6gCxVg2wy7i15 MqCvFOzNAQsIL1GwDMH5aISuVEpzX1VLqdsNM1j/GAY/S4vi06HX3s6+QMYt5CadD2mT DLbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UIMSKA0QH5/Gi+BOfbz6AsuWzxC11jdMuBSfI4EWnH4=; b=eLiEuM4rjr5F6OaDZmqgy1vDstRyBsI/otOTImS5wTU0KDEClF8YQfXNSDNj4Zwco3 RxYxysc9pM3ZJuAKRzOneOEoKK4OCqByqDBe2rkSPgPn/zerGdy3SkkhRS7mN3c3sFXG 70uBCP7toPEOOX2TAK4I09UGZRRaETfKIKn0F+/u8x7k4zLxTwECMwnC/WSyewLZQGbi R4DlJyRtP4vLgqcWSC3u3nPRxIHhEsxjbsq1wrXZJD8+yiaeQy1KRHly46x3w4hWtX1K C5UT3rKOQHOptxEdayNNlvE0fwkSexExJ7Iq/MgUW4Ow397Kzp9Vl7fOc+ysaOYJaeib 0Z/w==
X-Gm-Message-State: APjAAAVyA7op9T8FTiTRUnnnDnIo6ezVvQkEgEyGQHNvL8j14zc0LSBQ 4mzo3tZ6tmDcA5CDr7GQVSDbSqSBUuaV6d4nqb4=
X-Google-Smtp-Source: APXvYqxXG8mDQ8wPeh4ByDPKN3+R+lIxYjDtvorfpuHwJn4hUFU1sV8Hh/dmMO7I8E4a9mS/aOevpovUMn8MH7kMERo=
X-Received: by 2002:a50:fa87:: with SMTP id w7mr7208340edr.0.1574860198259; Wed, 27 Nov 2019 05:09:58 -0800 (PST)
MIME-Version: 1.0
References: <157194251671.11379.15426111256317525739.idtracker@ietfa.amsl.com> <CADZyTk=-8GK8k5-XoXs-y3w1vSbCBYAmCG2+xEZkpeTsNt96gA@mail.gmail.com>
In-Reply-To: <CADZyTk=-8GK8k5-XoXs-y3w1vSbCBYAmCG2+xEZkpeTsNt96gA@mail.gmail.com>
From: Sam Aldrin <aldrin.ietf@gmail.com>
Date: Wed, 27 Nov 2019 18:39:45 +0530
Message-ID: <CA+C0YO3r=BjCYaNtXmPGff6HG+j0hV0CVimbZ+FhBBTnAuveWw@mail.gmail.com>
To: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>
Cc: last-call@ietf.org, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, draft-ietf-nvo3-geneve@ietf.org, NVO3 <nvo3@ietf.org>, nvo3-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b02eb5059853b683"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/2tjZnulKiFxjG-EmQrIZ83_GYl0>
Subject: Re: [nvo3] [Last-Call] Last Call: <draft-ietf-nvo3-geneve-14.txt> (Geneve: Generic Network Virtualization Encapsulation) to Proposed Standard
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 13:10:03 -0000

Hi Daniel,

Speaking as individual with chair hat off.

I'll let authors detail more responses. See
 inline for my comments.


On Wed, Nov 27, 2019, 2:35 AM Daniel Migault <daniel.migault=
40ericsson.com@dmarc.ietf.org> wrote:

> Hi,
>
> I do have some architecture concerns regarding the Geneve specification.
> My concerns have already been raised to the WG but I have not been
> convinced these have been resolved. I am not claiming that I am not wrong
> nor that I am not on the rough but for more transparency, I prefer
> reiterating my concern.
>
These were discussed at the mic and I personally think the concerns were
not valid or valid ones were already addressed. Neither does the WG shared
the concerns you are expressing, reading from the comments from authors and
folks at the mic (refer to meeting minutes)

>
> In my opinion, the transit devices that are not part of the generic NVO3
> architecture RFC8014 should not be part of the Geneve specification as they
> do raise - at least to me - significant concerns.
>
> Transit devices are placed on-path of a session established between end
> points (NVE) which results in a three parties communication.
>
You are assuming the requirement here, when there is none.

The absence of explicit signaling between the the NVE and the transit
> device contradicts of rfc8558 - though mostly focused on TCP. The
> consequence I am concerned is, in my opinion, that the presence of transit
> devices will slow down or prevent securing NVE-to-NVE communications.
>
Says who?. Speaking with deployment experience of overlay network, what you
mention is hypothesis. This is not how things work. Transit device is not
in the mix when overlay dataplane is setup.

Typically, the document recommends securing the NVE-to-NVE communication
> with DTLS or IPsec which results in "bypassing" the transit devices. While
> the draft specifies the transit devices should not block an encrypted
> communication, my concern is that encrypting communications makes transit
> devices useless.
>
It is intended and as per arch RFC.

In that sense, a NVE that is not aware that no transit devices are on its
> path will not secure the NVE-to-NVE communication.
>
Please do not make assumptions. Real deployment do not go by assumption.
Security of the traffic is by design and not because of transit device or
whether NVE has that info. You are introducing totally non-existent
requirement of NVEs being aware of transit devices. In my deployment,
traffic is secured, based on how we set up overlays, not because it has to
transit or not. That is outside the scope of dataplane.

As a result, my understanding is that with DTLS/IPsec: either the transit
> devices constitute a major obstacle to the deployment of securing
> NVE-to-NVE communications or transit devices have been designed to be
> useless.
>
Your assumption is wrong and not true.

>
> Note that communication security does not necessarily needs to be
> performed by DTLS or IPsec, and that securing at the overlay
> layer could accommodate the transit device. However, there has been no
> consensus on the security requirements yet, so in my opinion it is
> premature to rely on such mechanisms.
>
I would advise the authors of requirements draft (if there exists one)
publish and start building consensus with the WG, if certain new arch for
overlays has to be undertaken. Based on the adopted arch/rfc, the geneve
draft is inline with the arch.

Cheers
Sam

>
> Yours,
> Daniel
>
>
> On Thu, Oct 24, 2019 at 2:42 PM The IESG <iesg-secretary@ietf.org> wrote:
>
>>
>> The IESG has received a request from the Network Virtualization Overlays
>> WG
>> (nvo3) to consider the following document: - 'Geneve: Generic Network
>> Virtualization Encapsulation'
>>   <draft-ietf-nvo3-geneve-14.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final
>> comments on this action. Please send substantive comments to the
>> last-call@ietf.org mailing lists by 2019-11-07. Exceptionally, comments
>> may
>> be sent to iesg@ietf.org instead. In either case, please retain the
>> beginning
>> of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>>    Network virtualization involves the cooperation of devices with a
>>    wide variety of capabilities such as software and hardware tunnel
>>    endpoints, transit fabrics, and centralized control clusters.  As a
>>    result of their role in tying together different elements in the
>>    system, the requirements on tunnels are influenced by all of these
>>    components.  Flexibility is therefore the most important aspect of a
>>    tunnel protocol if it is to keep pace with the evolution of the
>>    system.  This document describes Geneve, an encapsulation protocol
>>    designed to recognize and accommodate these changing capabilities and
>>    needs.
>>
>>
>>
>>
>> The file can be obtained via
>> https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/
>>
>> IESG discussion can be tracked via
>> https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ballot/
>>
>> The following IPR Declarations may be related to this I-D:
>>
>>    https://datatracker.ietf.org/ipr/2424/
>>    https://datatracker.ietf.org/ipr/2423/
>>
>>
>>
>>
>>
>> _______________________________________________
>> IETF-Announce mailing list
>> IETF-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>

v2.23.0 | Report a Bug | By Email