IETF Logo Mail Archive

Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Daniel Migault <daniel.migault@ericsson.com> Mon, 08 July 2019 18:44 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B332612038D for <nvo3@ietfa.amsl.com>; Mon, 8 Jul 2019 11:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.106
X-Spam-Level:
X-Spam-Status: No, score=-0.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.247, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nsTS-7k8lyiG for <nvo3@ietfa.amsl.com>; Mon, 8 Jul 2019 11:44:03 -0700 (PDT)
Received: from mail-ua1-f46.google.com (mail-ua1-f46.google.com [209.85.222.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F0812035D for <nvo3@ietf.org>; Mon, 8 Jul 2019 11:44:02 -0700 (PDT)
Received: by mail-ua1-f46.google.com with SMTP id j2so5362931uaq.5 for <nvo3@ietf.org>; Mon, 08 Jul 2019 11:44:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+e/oUBYYYcbGcz0qmNixCfUw5n25pzI3iXKS/kpYXR0=; b=l0DZCy54W0bIrXRZUIshrVtMgDa+Iu4xC8xJLOruRGEY44AZvECAR6I2VPZB5GQm5K w6m2Q5PDXaI9C7OAwZMaqFb+bS+4imGdxG/aWFHH/ZoiR3vaPmPNgpUfKLIoyta86Mai yZLqHxs3jFH4q6PweDbUND72/rIZ+bNcglIp1tBUe0HiPIxS3qDjLjJXmltmw9qJbqci xd9MDFjXl2qKtbrTAUI0THQuzUYe6NYHObCi0LqT8kzBtExN6B7uCSdR3sEVWaIwRqTY Ue1/l0s1Q1mqnS+Yi7+icVOydYY+G7rVNbqV9XEpq7t+CFbuvlWUlUOz3rF7GfROOqUN qyBA==
X-Gm-Message-State: APjAAAU9dYFUhR3ARZtCTudPeyBFVV9CL0HphBOzsHdF2yTg/IplCgcn fAcCqRTwqsXu+yKhIcs5dnaXJbwe6bbkTj5BiS8=
X-Google-Smtp-Source: APXvYqx8cKhSYp0jG/72O53hhXROmUUHHXTNAI9F23muUPFsmSI4Rwodw+sI5iqv0lgX+ECSnanhB1TFGnpv1QE77cQ=
X-Received: by 2002:a9f:2e0e:: with SMTP id t14mr10778142uaj.119.1562611441481; Mon, 08 Jul 2019 11:44:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <CADZyTk=G5mYHf1f4zoaT7uebNwLO-uocxcuoocHc0ir3F5nbRQ@mail.gmail.com> <CAHbuEH6x_oyJmWtdXMEaqCo55wB1mUOt4jYLJ_JSwq3TZWcnmQ@mail.gmail.com>
In-Reply-To: <CAHbuEH6x_oyJmWtdXMEaqCo55wB1mUOt4jYLJ_JSwq3TZWcnmQ@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 08 Jul 2019 14:43:50 -0400
Message-ID: <CADZyTkmQidU=tdzzes6+uCReoBK78GmaBGNTOeZBBmaHbvz46g@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: NVO3 <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e43ce8058d2fd331"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/F2QYRrzpoPR_lku7GeKicavn6OQ>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 18:44:05 -0000

Hi,

I agree that Geneve is essentially a tunnel between NVEs. If NVEs are
considered as end points, the communication can be secured using IPsec or
DTLS from one NVE to the other NVE. However, the document specifies Transit
Devices that can interpret the Geneve packets (section 2.2.1). If the
Geneve communication between NVEs were protected by IPsec or DTLS, the
Transit Devices would not be able to access the Geneve packet as a result,
my understanding is that a Geneve tunnel cannot be secured with transit
device. In other words, securing a Geneve deployment with transit devices
will require to redesign the deployment - without transit devices - if
security should be enabled. I see this as a major issue.

When I mentioned that IPsec was used to secure the infrastructure,  I meant
that IPsec is used between the originating NVE and the transit device as
well as between the transit device and the terminating NVE - as opposed to
IPsec being used between NVEs. In this case, I would not consider IPsec
protecting the end-to-end Geneve tunnel, but instead IPsec would be used to
segments of the communications. The reason I mentioned infrastructure is
that NVEs and the transit devices could be seen as a mesh trusted platform
carrying the Geneve tunnel. I am not saying this is what I would recommend.

Your concern seems to be integrity protection. I have not found any mention
of AH or ESP in the document, so maybe there is a reference I am missing.
On the other hand, integrity protection-only might be the only case
compatible with transit devices as long as they are able to interpret
appropriately the packet. In this case, the transit device should support
AH, ESP, DTLS with authentication only. If that would be the case, a given
deployment including transit device, would be ale to provide integrity
protection by only activating integrity protection only at the NVEs. I am
not aware of transit device implementing this.

Yours,
Daniel




On Mon, Jul 8, 2019 at 12:37 PM Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> HI Daniel,
>
> I read the document and saw that it was used as a tunnel and the end
> points were the ones that had access to the GENEVE information.  With this
> in mind, the UDP layer for GENEVE encapsulated in an IP packet could then
> use IPsec.  The security recommendations mentions the use of IPsec to fix
> many of the stated considerations.
>
> I don't understand your comment that IPsec is used to secure the
> infrastructure, what do you mean, can you provide an example?  I think the
> security considerations section says it's protecting GENEVE and that GENEVE
> is essentially a tunnel - you can use it over the Internet to join VLANs
> (this is a pretty obvious use case where IPsec would be used).
>
> Integrity protection on any routing overlay protocol should be a
> requirement, especially when the path of traffic can be altered by the
> routing overlay protocol from what would normally be used.  The document
> says (or I read somewhere) no AH only support, so I am guessing that
> vendors have not implemented that interoperably, hence the reason for the
> ESP recommendation.
>
> Thanks for any clarification.
>
> Best regards,
> Kathleen
>
> On Mon, Jul 8, 2019 at 10:56 AM Daniel Migault <
> daniel.migault@ericsson.com> wrote:
>
>> Hi Kathleen,
>>
>> My understanding of the document is that IPsec is not used to secure
>> Geneve. Instead, IPsec is used to secure the infrastructure on top of which
>> Geneve would be operated, thus lowering down the security of Geneve itself.
>> As far as I understand, Geneve is incompatible with en-to-end security
>> (IPsec, DTLS) to protect Geneve NVE-to-NVE communications. The document
>> defines Transit Devices that intercept on-path packets of an NVE-to-NVE
>> communications, which is not possible with DTLS or IPsec.
>>
>> Yours,
>> Daniel
>>
>>
>> On Tue, Jul 2, 2019 at 3:43 PM Kathleen Moriarty <
>> kathleen.moriarty.ietf@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in
>>> the review process, but it looks like it has not started IETF last call
>>> yet.  I have what's really just a nit and request for a little more text.
>>>
>>> Section 4.3.1
>>>
>>> The value of the UDP checksum is overstated.  The text should note that
>>> corruption is still possible as this is a checksum and not a hash with low
>>> collision rates.  Corruption happens and goes undetected in normal
>>> operations today.
>>>
>>> The security considerations section does address the recommendation to
>>> use IPsec, but making the connection on the UDP checksum being inadequate
>>> could be helpful.
>>>
>>> Reality:
>>>
>>> The way this is written, I suspect there really are no plans to use
>>> IPsec with GENEVE, are there?  The MUST statements around not altering
>>> traffic can only be achieved with IPsec, so if the intent is really to
>>> enforce the early MUST statements in the document, sooner mention of IPsec
>>> would be good.  If this is more for detecting corruption (and not having
>>> that be 100% or close) that should be clear up front.
>>>
>>> I'm just envisioning use cases where the virtual path is set differently
>>> to the physical path for expected operations to route through desired
>>> security functions, then an attacker alters checksums to avoid detection of
>>> these changes.
>>>
>>> Thanks and sorry for a late review!
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>> _______________________________________________
>>> nvo3 mailing list
>>> nvo3@ietf.org
>>> https://www.ietf.org/mailman/listinfo/nvo3
>>>
>>
>
> --
>
> Best regards,
> Kathleen
> _______________________________________________
> nvo3 mailing list
> nvo3@ietf.org
> https://www.ietf.org/mailman/listinfo/nvo3
>

v2.23.0 | Report a Bug | By Email