IETF Logo Mail Archive

Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Anoop Ghanwani <anoop@alumni.duke.edu> Tue, 30 July 2019 20:12 UTC

Return-Path: <ghanwani@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8E5312001A for <nvo3@ietfa.amsl.com>; Tue, 30 Jul 2019 13:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.557
X-Spam-Level:
X-Spam-Status: No, score=-1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.091, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-exfdyR6ruu for <nvo3@ietfa.amsl.com>; Tue, 30 Jul 2019 13:12:42 -0700 (PDT)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E3F3120024 for <nvo3@ietf.org>; Tue, 30 Jul 2019 13:12:42 -0700 (PDT)
Received: by mail-vs1-f47.google.com with SMTP id u124so44532298vsu.2 for <nvo3@ietf.org>; Tue, 30 Jul 2019 13:12:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3LFwsJK6e7bIo9OZLtcj5t5CGmKS5S1EMQNqAYcVVXs=; b=L76HHbXPveTSp82TNvZsWC59JIcdyVv5YmPV6a0nWryRep7tM06XUWwhUTuud1HJTA QoiaZ1BzUsnd1z5ofjg3dg7PV82ONM4AF4K+hPZBUdfuJlxttBD1mjUQB2hhxL0iFNdB 2VUyLuYFWLNzhEB/1Rplxgdl8yEk8aEt7FrnWM1snuVNcCXZjmKDowZdI6o6UoPdnY1T iNa2tgwac+fV+QVOsb6xQhf8iMtS9bLQ97G5+M2Lu7Roxu+J1DNBlhioTRoontLmijR9 vbJMizdm641uwSQpDDxN0WUDbXLo3efVC1c6XZ/j//7HYFxhKpROtwrde5IbtyyVjQfv oKKA==
X-Gm-Message-State: APjAAAUK7dpsjuhpCnuoLnIdRLDhnh1I0YhbXMXvj0G/EzlRy132tVAd qbUwzNTAyJxAOda+t7Q2A55wSMjf/Del4JQN96k=
X-Google-Smtp-Source: APXvYqwfWCODAP073xc7s/mbEcOE2NvO1PfsXY/e2EJAdSqwfzWmtHQlOFIR1fJx6/0e//ElU0sLYFA1euhF3p1DXdM=
X-Received: by 2002:a67:eb12:: with SMTP id a18mr53742028vso.119.1564517561551; Tue, 30 Jul 2019 13:12:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com> <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com> <CADZyTk=bouYF_TmeDfUseAtU9nFMoS3RytmBB3f6z3v+Q-X3Xg@mail.gmail.com> <CA+-tSzyzhS8Gu2g8CKmNsaJHyEZm8AqcHLpCAL2DbdycTR1OaQ@mail.gmail.com> <CA+RyBmWPHYKBSF5tdKStbVG-ZoZjJ-gne1NQ2p4EsFhDLdQc9g@mail.gmail.com>
In-Reply-To: <CA+RyBmWPHYKBSF5tdKStbVG-ZoZjJ-gne1NQ2p4EsFhDLdQc9g@mail.gmail.com>
From: Anoop Ghanwani <anoop@alumni.duke.edu>
Date: Tue, 30 Jul 2019 13:12:30 -0700
Message-ID: <CA+-tSzyD=cJ_GhHJLz=yhwkN1K_3DOwusNLgggCofGKk82yhPQ@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: Daniel Migault <daniel.migault@ericsson.com>, "Ganga, Ilango S" <ilango.s.ganga@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000805260058eeba125"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/DlQ-QVOXByO5LI2NbV3930NsN-I>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:12:45 -0000

Hi Greg,

I think that captures the essence of what I was suggesting.

Thanks,
Anoop

On Tue, Jul 30, 2019 at 10:36 AM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Anoop,
> thank you for pointing to iOAM as the use case of Geneve options. As I
> understand, the iOAM for Geneve document offers several options, including
> one that takes advantage of Geneve options. But such use of options must
> not, in my opinion, weaken the security in Geneve. We can emphasize that
> with the text you've proposed and minor, in my opinion, re-wording:
>
> Transit devices may not be capable to process Geneve option content if the
> Geneve header is secured.
>
>
>
> Regards,
> Greg
>
> On Tue, Jul 30, 2019 at 12:20 PM Anoop Ghanwani <anoop@alumni.duke.edu>
> wrote:
>
>> Hi Daniel,
>>
>> Perhaps what is causing confusion is that there's a difference between
>> NVO3 OAM and I-OAM (the reference provided below).
>>
>> From my understanding, NVO3 OAM will involve only NVEs processing those
>> packets, while depending on other OAM methods for the underlay.
>>
>> On the other hand, with I-OAM the idea is to gather information about all
>> devices along the path.  There are several different encapsulation drafts
>> (e.g. IOAM using Geneve, IOAM using VXLAN GPE, IOAM using NSH, etc.), so
>> this is not NVO3-specific.
>>
>> Perhaps what the Geneve document needs to note is that the Geneve header
>> cannot be secured if there are devices other than NVEs that are required to
>> process its contents.  Unless there is some non-obvious way of doing it
>> and, if it exists, it would be helpful if a reference is provided.
>>
>> Thanks,
>> Anoop
>>
>> On Tue, Jul 30, 2019 at 6:49 AM Daniel Migault <
>> daniel.migault@ericsson.com> wrote:
>>
>>> Hi,
>>>
>>> OAM has been raised during the meeting, so thank you for providing the
>>> appropriated references of OAM. My understanding is that OAM is a Geneve
>>> option that is updated by the OAM devices that are on path. Is that correct
>>> ?
>>>
>>> IPsec or DTLS authenticate or encrypt the full Geneve packet ( Geneve
>>> Header, Geneve Options and Geneve payload) between the NVEs. If my
>>> assumption regarding the OAM devices is correct, the use of DTLS or IPsec
>>> would not make possible to authenticate or encrypt and Geneve packet with
>>> OAM enabled. Again if my assumption is correct, I believe that an
>>> appropriated way to address this concern might be to be able to leave some
>>> Geneve Option non authenticated. while other parts of the packet is
>>> authenticated or encrypted. Such mechanism needs to be implemented at the
>>> Geneve layer.
>>>
>>> Yours,
>>> Daniel
>>>
>>> On Fri, Jul 26, 2019 at 2:52 PM Anoop Ghanwani <anoop@alumni.duke.edu
>>> <anoop@alumni.duke..edu>> wrote:
>>>
>>>> Hi Ilango,
>>>>
>>>> What would be the recommended way to secure the Geneve header in cases
>>>> where Geneve header extensions are used and routers in the underlay need to
>>>> access/process the contents of the Geneve header?  For example, this
>>>> proposal:
>>>> https://tools.ietf.org/html/draft-brockners-ippm-ioam-geneve-02
>>>>
>>>> Thanks,
>>>> Anoop
>>>>
>>>> On Thu, Jul 25, 2019 at 2:18 PM Ganga, Ilango S <
>>>> ilango.s.ganga@intel.com> wrote:
>>>>
>>>>> Hello Kathleen,
>>>>>
>>>>>
>>>>>
>>>>> Thanks for your review of draft-ietf-nvo3-geneve-13.  We could provide
>>>>> additional clarification in section 4.3 to address your comment. Please let
>>>>> us know if this satisfies your comment.
>>>>>
>>>>>
>>>>>
>>>>> Current text in Section 4.3, first paragraph:
>>>>>
>>>>>    In order to provide integrity of Geneve headers, options and payload,
>>>>>
>>>>>    for example to avoid mis-delivery of payload to different tenant
>>>>>
>>>>>    systems in case of data corruption, outer UDP checksum SHOULD be used
>>>>>
>>>>>    with Geneve when transported over IPv4.  An operator MAY choose to
>>>>>
>>>>>    disable UDP checksum and use zero checksum if Geneve packet integrity
>>>>>
>>>>>    is provided by other data integrity mechanisms such as IPsec or
>>>>>
>>>>>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>>>>>
>>>>>    b, c are met.
>>>>>
>>>>>
>>>>>
>>>>> Proposed text to 4.3 that we believe would address your comments:
>>>>>
>>>>>
>>>>>
>>>>>    In order to provide integrity of Geneve headers, options and payload,
>>>>>
>>>>>    for example to avoid mis-delivery of payload to different tenant
>>>>>
>>>>>    systems in case of data corruption, outer UDP checksum SHOULD be used
>>>>>
>>>>>    with Geneve when transported over IPv4. "The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modification of the datagram (see RFC 8085 section 3.4). In deployments where such a risk exists, an operator SHOULD use additional data integrity mechanisms such as offered by IPSec (see Section 6.2)."
>>>>>
>>>>>
>>>>>
>>>>>    An operator MAY choose to
>>>>>
>>>>>    disable UDP checksum and use zero checksum if Geneve packet integrity
>>>>>
>>>>>    is provided by other data integrity mechanisms such as IPsec or
>>>>>
>>>>>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>>>>>
>>>>>    b, c are met.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ilango
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Kathleen
>>>>> Moriarty
>>>>> *Sent:* Tuesday, July 2, 2019 12:43 PM
>>>>> *To:* nvo3@ietf.org
>>>>> *Subject:* [nvo3] Review of draft-ietf-nvo3-geneve-13
>>>>>
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>>
>>>>>
>>>>> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in
>>>>> the review process, but it looks like it has not started IETF last call
>>>>> yet.  I have what's really just a nit and request for a little more text.
>>>>>
>>>>>
>>>>>
>>>>> Section 4.3.1
>>>>>
>>>>> The value of the UDP checksum is overstated.  The text should note
>>>>> that corruption is still possible as this is a checksum and not a hash with
>>>>> low collision rates.  Corruption happens and goes undetected in normal
>>>>> operations today.
>>>>>
>>>>> The security considerations section does address the recommendation to
>>>>> use IPsec, but making the connection on the UDP checksum being inadequate
>>>>> could be helpful.
>>>>>
>>>>>
>>>>>
>>>>> Reality:
>>>>>
>>>>>
>>>>>
>>>>> The way this is written, I suspect there really are no plans to use
>>>>> IPsec with GENEVE, are there?  The MUST statements around not altering
>>>>> traffic can only be achieved with IPsec, so if the intent is really to
>>>>> enforce the early MUST statements in the document, sooner mention of IPsec
>>>>> would be good.  If this is more for detecting corruption (and not having
>>>>> that be 100% or close) that should be clear up front.
>>>>>
>>>>>
>>>>>
>>>>> I'm just envisioning use cases where the virtual path is set
>>>>> differently to the physical path for expected operations to route through
>>>>> desired security functions, then an attacker alters checksums to avoid
>>>>> detection of these changes.
>>>>>
>>>>>
>>>>>
>>>>> Thanks and sorry for a late review!
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Kathleen
>>>>> _______________________________________________
>>>>> nvo3 mailing list
>>>>> nvo3@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/nvo3
>>>>>
>>>> _______________________________________________
>>>> nvo3 mailing list
>>>> nvo3@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/nvo3
>>>>
>>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3
>>
>

v2.23.0 | Report a Bug | By Email