[nvo3] Review of draft-ietf-nvo3-geneve-13

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 02 July 2019 19:43 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 02 Jul 2019 15:42:47 -0400
Message-ID: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com>
To: nvo3@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/fVBvcDhP1evI-HcVlWdJHji0emo>

Hello,

I just read through draft-ietf-nvo3-geneve; sorry I am out of cycle in the
review process, but it looks like it has not started IETF last call yet.  I
have what's really just a nit and a request for a little more text.

Section 4.3.1

The value of the UDP checksum is overstated.  The text should note that
corruption is still possible as this is a checksum and not a hash with low
collision rates.  Corruption happens and goes undetected in normal
operations today.

The security considerations section does address the recommendation to use
IPsec, but making the connection on the UDP checksum being inadequate could
be helpful.

Reality:

The way this is written, I suspect there really are no plans to use IPsec
with GENEVE, are there?  The MUST statements around not altering traffic
can only be achieved with IPsec, so if the intent is really to enforce the
early MUST statements in the document, sooner mention of IPsec would be
good.  If this is more for detecting corruption (and not having that be
100% or close) that should be clear up front.

I'm just envisioning use cases where the virtual path is set differently to
the physical path for expected operations to route through desired security
functions, then an attacker alters checksums to avoid detection of these
changes.

Thanks and sorry for a late review!

-- 

Best regards,
Kathleen
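To illustrate the checksum point raised in the review, here is an added example (not code from the message, the Geneve draft, or any implementation): it computes the RFC 1071 Internet checksum that UDP uses over a constructed IPv4 pseudo-header and a constructed Geneve header (sample addresses 10.0.0.1/10.0.0.2, ephemeral port 40000, and the IANA-assigned Geneve UDP port 6081 are assumptions), and shows that swapping two 16-bit words of the payload leaves the checksum unchanged while a single flipped bit is caught.

```python
import struct

# Added example, not code from the review or the Geneve draft. Shows why the
# UDP checksum (RFC 1071 one's-complement sum) is not an integrity mechanism.

SRC_IP = bytes([10, 0, 0, 1])   # constructed sample addresses
DST_IP = bytes([10, 0, 0, 2])
SRC_PORT = 40000                # constructed ephemeral port
GENEVE_PORT = 6081              # IANA-assigned Geneve UDP port
# Constructed Geneve header: Ver=0, OptLen=0, flags=0, proto 0x6558, VNI=1
PAYLOAD = bytes.fromhex("0000655800000100")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip, dst_ip, src_port, dst_port, payload) -> int:
    """UDP over IPv4: pseudo-header + UDP header (checksum field 0) + payload."""
    udp_len = 8 + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)
    header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return internet_checksum(pseudo + header + payload) or 0xFFFF  # RFC 768: 0 -> 0xFFFF


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange 16-bit words i and j; the sum is commutative, so the checksum is unchanged."""
    words = [w for (w,) in struct.iter_unpack("!H", data)]
    words[i], words[j] = words[j], words[i]
    return struct.pack("!%dH" % len(words), *words)


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Flip one bit (random single-bit corruption, which the checksum does catch)."""
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def demo() -> dict:
    """Checksums of the original, a word-swapped and a bit-flipped Geneve payload."""
    args = (SRC_IP, DST_IP, SRC_PORT, GENEVE_PORT)
    return {
        "original": udp_checksum(*args, PAYLOAD),
        "swapped": udp_checksum(*args, swap_words(PAYLOAD, 1, 2)),  # proto <-> VNI word
        "flipped": udp_checksum(*args, flip_bit(PAYLOAD, 7)),
    }
```

The swapped packet carries a different protocol type and VNI yet passes the checksum, and because the checksum is keyless it can be recomputed by anyone on the path; only an authenticated mechanism such as the IPsec the draft already recommends gives the integrity its MUST statements assume.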