Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Daniel Migault <daniel.migault@ericsson.com> Mon, 08 July 2019 14:56 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 08 Jul 2019 10:55:54 -0400
Message-ID: <CADZyTk=G5mYHf1f4zoaT7uebNwLO-uocxcuoocHc0ir3F5nbRQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: NVO3 <nvo3@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/Qqk_uPez4dcAPjOlyXjeZUCAxq8>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Hi Kathleen,

My understanding of the document is that IPsec is not used to secure
Geneve. Instead, IPsec is used to secure the infrastructure on top of which
Geneve would be operated, thus lowering the security of Geneve itself.
As far as I understand, Geneve is incompatible with end-to-end security
(IPsec, DTLS) to protect Geneve NVE-to-NVE communications. The document
defines Transit Devices that intercept on-path packets of an NVE-to-NVE
communication, which is not possible with DTLS or IPsec.

Yours,
Daniel


On Tue, Jul 2, 2019 at 3:43 PM Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Hello,
>
> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in the
> review process, but it looks like it has not started IETF last call yet.  I
> have what's really just a nit and a request for a little more text.
>
> Section 4.3.1
>
> The value of the UDP checksum is overstated.  The text should note that
> corruption is still possible as this is a checksum and not a hash with low
> collision rates.  Corruption happens and goes undetected in normal
> operations today.
>
> The security considerations section does address the recommendation to use
> IPsec, but making the connection on the UDP checksum being inadequate could
> be helpful.
>
> Reality:
>
> The way this is written, I suspect there really are no plans to use IPsec
> with GENEVE, are there?  The MUST statements around not altering traffic
> can only be achieved with IPsec, so if the intent is really to enforce the
> early MUST statements in the document, sooner mention of IPsec would be
> good.  If this is more for detecting corruption (and not having that be
> 100% or close) that should be clear up front.
>
> I'm just envisioning use cases where the virtual path is set differently
> to the physical path for expected operations to route through desired
> security functions, then an attacker alters checksums to avoid detection of
> these changes.
>
> Thanks and sorry for a late review!
>
> --
>
> Best regards,
> Kathleen
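The checksum limitation Kathleen raises, worked through as an added example (not code from this thread or from the Geneve draft): the RFC 1071 one's-complement checksum that UDP uses is order-independent, so a packet whose 16-bit words are rearranged (here, moving the Geneve VNI) still verifies, while a keyed integrity tag of the kind IPsec or DTLS provides rejects it. The Geneve header bytes, inner payload and key are constructed sample values.

```python
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the algorithm UDP (RFC 768) uses.
    Real UDP also covers a pseudo-header; it is omitted here because it does
    not change the property being demonstrated."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_udp_checksum(data: bytes, stored: int) -> bool:
    return internet_checksum(data) == stored


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Copy of data with 16-bit words i and j exchanged. Addition is
    order-independent, so the Internet checksum cannot see this change."""
    w = bytearray(data)
    w[2 * i:2 * i + 2], w[2 * j:2 * j + 2] = w[2 * j:2 * j + 2], w[2 * i:2 * i + 2]
    return bytes(w)


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256) standing in for the integrity protection an
    IPsec/DTLS-style mechanism would give the NVE-to-NVE path."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, t: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, data), t)


# Constructed sample, not a capture: Geneve base header (Ver 0, no options,
# protocol type 0x6558 = Ethernet, VNI 0x000A01) plus a short inner payload.
GENEVE_HEADER = bytes.fromhex("00006558000a0100")
ORIGINAL = GENEVE_HEADER + b"constructed inner frame bytes"
DEMO_KEY = b"constructed-demo-key"          # assumed key, for the demo only


def demo() -> dict:
    """Exchange two words of the Geneve header (the VNI moves from 0x000A01
    to 0x010000): the UDP checksum still verifies, the keyed tag does not."""
    cksum, t = internet_checksum(ORIGINAL), integrity_tag(DEMO_KEY, ORIGINAL)
    altered = swap_words(ORIGINAL, 2, 3)
    return {"changed": altered != ORIGINAL,
            "checksum_ok": verify_udp_checksum(altered, cksum),
            "tag_ok": verify_tag(DEMO_KEY, altered, t)}
```

The same reasoning applies to any corruption whose 16-bit words sum to the same value, which is why the checksum's detection rate is far weaker than that of a collision-resistant hash.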