Re: [nvo3] Comments on draft-ietf-nvo3-geneve
"Ganga, Ilango S" <ilango.s.ganga@intel.com> Sun, 17 November 2019 22:31 UTC
Return-Path: <ilango.s.ganga@intel.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B74412008C for <nvo3@ietfa.amsl.com>; Sun, 17 Nov 2019 14:31:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kB7Obyni7B6i for <nvo3@ietfa.amsl.com>; Sun, 17 Nov 2019 14:31:10 -0800 (PST)
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57CAF120013 for <nvo3@ietf.org>; Sun, 17 Nov 2019 14:31:10 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Nov 2019 14:31:10 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.68,318,1569308400"; d="scan'208,217";a="208913233"
Received: from orsmsx101.amr.corp.intel.com ([10.22.225.128]) by orsmga006.jf.intel.com with ESMTP; 17 Nov 2019 14:31:09 -0800
Received: from orsmsx121.amr.corp.intel.com (10.22.225.226) by ORSMSX101.amr.corp.intel.com (10.22.225.128) with Microsoft SMTP Server (TLS) id 14.3.439.0; Sun, 17 Nov 2019 14:31:09 -0800
Received: from orsmsx116.amr.corp.intel.com ([169.254.7.11]) by ORSMSX121.amr.corp.intel.com ([169.254.10.169]) with mapi id 14.03.0439.000; Sun, 17 Nov 2019 14:31:09 -0800
From: "Ganga, Ilango S" <ilango.s.ganga@intel.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "draft-ietf-nvo3-geneve.all@tools.ietf.org" <draft-ietf-nvo3-geneve.all@tools.ietf.org>, NVO3 <nvo3@ietf.org>
CC: "jesse@kernel.org" <jesse@kernel.org>, "tsridhar@vmware.com" <tsridhar@vmware.com>
Thread-Topic: [nvo3] Comments on draft-ietf-nvo3-geneve
Thread-Index: AQHVil2PsRNxb6YkvUiQ0loX2NiDdaeQDc/A
Date: Sun, 17 Nov 2019 22:31:09 +0000
Message-ID: <C5A274B25007804B800CB5B289727E3590674A6B@ORSMSX116.amr.corp.intel.com>
References: <CAHbuEH6t96A9JyPt_FPxvfF+BKNp+qiqtrwj3RJ3Oa3Q-W=xCg@mail.gmail.com>
In-Reply-To: <CAHbuEH6t96A9JyPt_FPxvfF+BKNp+qiqtrwj3RJ3Oa3Q-W=xCg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzExMTkyYTEtYTM2Yy00NTQ2LWJjMmEtYjk5NjA4NTFkNzE4IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiWmEzaUpkR3U0N0JxU2tuYTlwKytqZko4aFhZOFB1Q0wyNEo1Wm5pUFwvUzlKRE9XUjRNaTNqOUJXWFl5VGxyMWYifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [10.22.254.140]
Content-Type: multipart/alternative; boundary="_000_C5A274B25007804B800CB5B289727E3590674A6BORSMSX116amrcor_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/TEBBSogvLvIbulJhYok2tp604us>
Subject: Re: [nvo3] Comments on draft-ietf-nvo3-geneve
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2019 22:31:12 -0000
Hello Kathleen, Thanks for your review of draft-ietf-nvo3-geneve-14. We are fine with your suggestion for comment #1 and we suggest a revised text for comment #2 to provide better clarity. Please see our responses in-line below, enclosed in <Response> </Response>. Regards, Ilango Ganga Geneve Editor From: nvo3 <nvo3-bounces@ietf.org> On Behalf Of Kathleen Moriarty Sent: Thursday, October 24, 2019 4:23 AM To: draft-ietf-nvo3-geneve.all@tools.ietf.org; NVO3 <nvo3@ietf.org> Cc: jesse@kernel.org; tsridhar@vmware.com Subject: [nvo3] Comments on draft-ietf-nvo3-geneve Hello, Thank you for a well written document! I know I am late to be offering comments, but with a quick read, I think calling out the ability to tamper with or alter packets should be made in the second sentence of the security considerations section. You do have the relevant text on integrity protections later in the section, but this should be considered an important enough problem to be in the sentence on possible problems due to no security mechanisms. OLD: As a result, an attacker with access to the underlay network transporting the IP packets has the ability to snoop or inject packets. NEW: As a result, an attacker with access to the underlay network transporting the IP packets has the ability to snoop, alter, or inject packets. <Response> Yes, this looks fine. </Response> And in the section on Data Integrity, it should be noted that the measures in this sentence would have no bearing on the integrity of GENEVE: OLD: A data center operator may choose to deploy any other data integrity mechanisms as applicable and supported in their underlay networks. NEW: A data center operator may choose to deploy any other data integrity mechanisms as applicable and supported in their underlay networks, although this will not protect the GENEVE portion of the packet from tampering. <Response> We propose the revised text below to provide better clarity. NEW REVISED: A data center operator may choose to deploy any other data integrity mechanisms as applicable and supported in their underlay networks, although non-cryptographic mechanisms may not protect the Geneve portion of the packet from tampering. </Response> Thank you! The document is well written and I was glad to see these considerations already in the document. I do think this will help anyone deploying multi-tenant environments to think about the importance of integrity protection and not learn the hard way. -- Best regards, Kathleen
- [nvo3] Comments on draft-ietf-nvo3-geneve Kathleen Moriarty
- Re: [nvo3] Comments on draft-ietf-nvo3-geneve Ganga, Ilango S