Re: [nvo3] TES-NVE attach/detach protocol security (mobility-issues draft)

Thomas Narten <narten@us.ibm.com> Wed, 11 July 2012 13:54 UTC

Message-Id: <201207111354.q6BDspBU027084@cichlid.raleigh.ibm.com>
To: "Luyuan Fang (lufang)" <lufang@cisco.com>
In-reply-to: <0DB8F45437AB844CBB5102F807A0AD9301B12F@xmb-rcd-x03.cisco.com>
References: <8D3D17ACE214DC429325B2B98F3AE71208D3B170@MX15A.corp.emc.com> <CC223B30.188BE%kreeger@cisco.com> <0DB8F45437AB844CBB5102F807A0AD9301B093@xmb-rcd-x03.cisco.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0752ED29@szxeml525-mbs.china.huawei.com> <0DB8F45437AB844CBB5102F807A0AD9301B12F@xmb-rcd-x03.cisco.com>
Comments: In-reply-to "Luyuan Fang (lufang)" <lufang@cisco.com> message dated "Wed, 11 Jul 2012 04:07:11 -0000."
Date: Wed, 11 Jul 2012 09:54:51 -0400
From: Thomas Narten <narten@us.ibm.com>
Cc: "nvo3@ietf.org" <nvo3@ietf.org>
Subject: Re: [nvo3] TES-NVE attach/detach protocol security (mobility-issues draft)

"Luyuan Fang (lufang)" <lufang@cisco.com> writes:

> My understanding VDP is a discovery protocol for bridging…

Note: VDP stands for VSI Discovery and Configuration Protocol (though
the "configuration" part is often dropped).

It does more than just "discover". E.g., see
http://blog.ioshints.info/2011/05/edge-virtual-bridging-evb-8021qbg-eases.html

> One of the most interesting parts of EVB is the VSI Discovery and
> Configuration Protocol (VDP). Using VDP, the EVB station (host) can
> inform the adjacent EVB Bridge (access switch) before a VM is deployed
> (started or moved). The host can also tell the switch which VLAN the
> VM needs and which MAC address (or set of MAC addresses) the VM
> uses. Blasting through the VLAN limits (4K VLANs allowed by 802.1Q),
> the VDP supports 4-byte long Group ID, which can be mapped dynamically
> into different access VLANs on as-needed basis (this is a recent
> addendum to 802.1Qbg and probably allows nice interworking with I-SID
> field in PBB/SPB).

Also, see draft-gu-nvo3-overlay-cp-arch-00.txt and
draft-gu-nvo3-tes-nve-mechanism-00.txt, which have text on VDP.

If anyone can point the WG to a good overview/summary of what VDP
does, that would be helpful.

> If you are using pure l3 end-system to end-system, there is no
> bridging, there is no need for VDP.

I'm not sure about that.

When you say L3 TES, what is the interface between the NVE and TES? My
assumption is that it is still L2, even if the service provided is
L3. You'd ignore the L2 stuff (mostly), but most VMs are already set
up to send L2 packets on their interfaces.

Also VDP is between the Hypervisor and NVE. Thus, it may still be
needed, even if the service provided to the TES is L3 only.

Thomas