[nvo3] Comments on draft-ietf-nvo3-geneve

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 24 October 2019 11:23 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 24 Oct 2019 07:23:20 -0400
Message-ID: <CAHbuEH6t96A9JyPt_FPxvfF+BKNp+qiqtrwj3RJ3Oa3Q-W=xCg@mail.gmail.com>
To: draft-ietf-nvo3-geneve.all@tools.ietf.org, NVO3 <nvo3@ietf.org>
Cc: jesse@kernel.org, tsridhar@vmware.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/RQMZf8hLpcvJGnjDOXts9Ouqn8I>
Subject: [nvo3] Comments on draft-ietf-nvo3-geneve

Hello,

Thank you for a well-written document!  I know I am late to be offering
comments, but with a quick read, I think calling out the ability to tamper
with or alter packets should be made in the second sentence of the security
considerations section.  You do have the relevant text on integrity
protections later in the section, but this should be considered an
important enough problem to be in the sentence on possible problems due to
no security mechanisms.

OLD:
   As a result, an attacker with access
   to the underlay network transporting the IP packets has the ability
   to snoop or inject packets.
NEW:
   As a result, an attacker with access
   to the underlay network transporting the IP packets has the ability
   to snoop, alter, or inject packets.

And in the section on Data Integrity, it should be noted that the measures
in this sentence would have no bearing on the integrity of GENEVE:
OLD:
   A data center operator may choose
   to deploy any other data integrity mechanisms as applicable and
   supported in their underlay networks.
NEW:
   A data center operator may choose
   to deploy any other data integrity mechanisms as applicable and
   supported in their underlay networks, although this will not protect the
   GENEVE portion of the packet from tampering.

Thank you!  The document is well-written and I was glad to see these
considerations already in the document.  I do think this will help anyone
deploying multi-tenant environments to think about the importance of
integrity protection and not learn the hard way.

-- 

Best regards,
Kathleen
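The point raised above, that an attacker on the underlay can alter a Geneve packet and that underlay integrity mechanisms say nothing about the Geneve portion itself, is worth seeing in code. The example below is added here and is not from the draft, its authors, or the working group. It parses and structurally validates a Geneve header laid out as in draft-ietf-nvo3-geneve (version, option length, O/C flags, protocol type, VNI, TLV options), then shows that a header whose VNI has been rewritten in flight still passes every structural check, and that only an integrity tag computed over the Geneve bytes (here an HMAC with a constructed demo key, used purely to illustrate what "integrity protection" has to cover; Geneve itself defines no such field) can tell the two apart. The packet bytes, VNIs, option class and key are all constructed for the example.

```python
"""Structural validation of a Geneve header versus real integrity protection.

Added example; all packet bytes, VNIs, option values and the key are constructed.
Header layout as in draft-ietf-nvo3-geneve:
  byte 0    : Ver (2 bits) | Opt Len (6 bits, in 4-octet words)
  byte 1    : O (1) | C (1) | Rsvd (6)
  bytes 2-3 : Protocol Type (0x6558 = Transparent Ethernet Bridging)
  bytes 4-6 : VNI (24 bits)
  byte 7    : Reserved
  options   : Class (16) | Type (8, high bit = critical) | Rsvd (3) | Len (5, in 4-octet words) | data
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

GENEVE_UDP_PORT = 6081
ETH_PROTOCOL_TYPE = 0x6558


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int
    data: bytes

    @property
    def critical(self) -> bool:
        return bool(self.opt_type & 0x80)


@dataclass
class GeneveHeader:
    version: int
    oam: bool
    critical_present: bool
    protocol_type: int
    vni: int
    options: List[GeneveOption] = field(default_factory=list)
    header_len: int = 8


def parse_geneve(buf: bytes) -> GeneveHeader:
    """Parse a Geneve header and enforce every structural rule; raise ValueError if malformed."""
    if len(buf) < 8:
        raise ValueError("short Geneve header")
    b0, b1, proto, vni_hi, vni_lo = struct.unpack("!BBHBH", buf[:7])
    version, opt_len = b0 >> 6, (b0 & 0x3F) * 4
    if version != 0:
        raise ValueError(f"unsupported Geneve version {version}")
    if b1 & 0x3F or buf[7] != 0:
        raise ValueError("reserved bits must be zero")
    if len(buf) < 8 + opt_len:
        raise ValueError("Opt Len exceeds packet")
    hdr = GeneveHeader(version, bool(b1 & 0x80), bool(b1 & 0x40), proto,
                       (vni_hi << 16) | vni_lo, header_len=8 + opt_len)
    pos, end, saw_critical = 8, 8 + opt_len, False
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated option header")
        opt_class, opt_type, rl = struct.unpack("!HBB", buf[pos:pos + 4])
        if rl & 0xE0:
            raise ValueError("reserved option bits set")
        data_len = (rl & 0x1F) * 4
        if pos + 4 + data_len > end:
            raise ValueError("option data exceeds Opt Len")
        opt = GeneveOption(opt_class, opt_type, buf[pos + 4:pos + 4 + data_len])
        saw_critical |= opt.critical
        hdr.options.append(opt)
        pos += 4 + data_len
    if saw_critical != hdr.critical_present:
        raise ValueError("C flag inconsistent with options present")
    return hdr


def build_geneve(vni: int, options: List[Tuple[int, int, bytes]] = ()) -> bytes:
    """Build a Geneve header (Ver 0, no OAM) for a VNI and (class, type, data) options."""
    opts, critical = b"", False
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 octets, at most 124")
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
        critical |= bool(opt_type & 0x80)
    fixed = struct.pack("!BBHBH", len(opts) // 4, 0x40 if critical else 0,
                        ETH_PROTOCOL_TYPE, (vni >> 16) & 0xFF, vni & 0xFFFF)
    return fixed + b"\x00" + opts


def rewrite_vni(pkt: bytes, new_vni: int) -> bytes:
    """Simulate an in-flight modification of bytes 4-6 (the VNI); nothing else changes."""
    return pkt[:4] + new_vni.to_bytes(3, "big") + pkt[7:]


def integrity_tag(pkt: bytes, key: bytes) -> bytes:
    """Illustrative HMAC over the Geneve bytes; not a field Geneve defines."""
    return hmac.new(key, pkt, hashlib.sha256).digest()[:16]


def verify_tag(pkt: bytes, key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(pkt, key), tag)


# Constructed values: a tenant VNI, a neighbouring VNI, and a hypothetical shared key.
ORIGINAL_VNI, TAMPERED_VNI = 0x00ABCD, 0x00ABCE
DEMO_KEY = b"constructed-demo-key-not-real"


def demo() -> Tuple[bool, bool, bool]:
    """Returns (altered header still parses cleanly, tag ok on original, tag ok on altered)."""
    pkt = build_geneve(ORIGINAL_VNI, [(0x0102, 0x01, b"\x00\x00\x00\x07")])
    tag = integrity_tag(pkt, DEMO_KEY)
    altered = rewrite_vni(pkt, TAMPERED_VNI)
    parses_clean = parse_geneve(altered).vni == TAMPERED_VNI
    return parses_clean, verify_tag(pkt, DEMO_KEY, tag), verify_tag(altered, DEMO_KEY, tag)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, False)`: the header with the rewritten VNI is structurally flawless and would be forwarded into the wrong tenant's segment, and only the tag over the Geneve bytes detects the change. That is exactly why "alter" belongs beside "snoop" and "inject", and why integrity protection applied somewhere in the underlay, but not covering the Geneve header and its options, leaves this case open.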