IETF Logo Mail Archive

Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

"Ganga, Ilango S" <ilango.s.ganga@intel.com> Thu, 01 August 2019 05:04 UTC

Return-Path: <ilango.s.ganga@intel.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 728DB120026 for <nvo3@ietfa.amsl.com>; Wed, 31 Jul 2019 22:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5HrXxPspCeb4 for <nvo3@ietfa.amsl.com>; Wed, 31 Jul 2019 22:04:31 -0700 (PDT)
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EEEA12002E for <nvo3@ietf.org>; Wed, 31 Jul 2019 22:04:31 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jul 2019 22:04:30 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,333,1559545200"; d="scan'208,217";a="184086770"
Received: from orsmsx105.amr.corp.intel.com ([10.22.225.132]) by orsmga002.jf.intel.com with ESMTP; 31 Jul 2019 22:04:30 -0700
Received: from orsmsx116.amr.corp.intel.com ([169.254.7.85]) by ORSMSX105.amr.corp.intel.com ([169.254.2.226]) with mapi id 14.03.0439.000; Wed, 31 Jul 2019 22:04:30 -0700
From: "Ganga, Ilango S" <ilango.s.ganga@intel.com>
To: Anoop Ghanwani <anoop@alumni.duke.edu>, Greg Mirsky <gregimirsky@gmail.com>
CC: Daniel Migault <daniel.migault@ericsson.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Thread-Topic: [nvo3] Review of draft-ietf-nvo3-geneve-13
Thread-Index: AQHVMQ5zXCwv34AAQUmjH7hujLmoc6bb8bPQgAHoBICABfS9AIAAKiIAgAAVMgCAACuuAIABUdhQ
Date: Thu, 01 Aug 2019 05:04:29 +0000
Message-ID: <C5A274B25007804B800CB5B289727E35905C837B@ORSMSX116.amr.corp.intel.com>
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com> <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com> <CADZyTk=bouYF_TmeDfUseAtU9nFMoS3RytmBB3f6z3v+Q-X3Xg@mail.gmail.com> <CA+-tSzyzhS8Gu2g8CKmNsaJHyEZm8AqcHLpCAL2DbdycTR1OaQ@mail.gmail.com> <CA+RyBmWPHYKBSF5tdKStbVG-ZoZjJ-gne1NQ2p4EsFhDLdQc9g@mail.gmail.com> <CA+-tSzyD=cJ_GhHJLz=yhwkN1K_3DOwusNLgggCofGKk82yhPQ@mail.gmail.com>
In-Reply-To: <CA+-tSzyD=cJ_GhHJLz=yhwkN1K_3DOwusNLgggCofGKk82yhPQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzc3NDUwNGQtODZhMC00YTEyLWI1MWYtOTM5NmZhOTVmNGEyIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiT2c3eWNUTm9VcnM2MEo4OFBneFVROGowZjNYK0xOakRTdVB3T0k0VFhyZFZ2Z3pYcXBOekk2aDl6XC9yOGhlMzYifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [10.22.254.140]
Content-Type: multipart/alternative; boundary="_000_C5A274B25007804B800CB5B289727E35905C837BORSMSX116amrcor_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/mJDmBw3ksdzFQPMhFU3sb-J8MoA>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 05:04:35 -0000

Hi Anoop,
There is already text in Section 6.4 of Geneve draft that captures this information.
Thanks,
Ilango

>>I think that captures the essence of what I was suggesting. >>Thanks, >>Anoop
>>Transit devices may not be capable to process Geneve option content if the Geneve header is secured.


From: Anoop Ghanwani [mailto:anoop@alumni.duke.edu]
Sent: Tuesday, July 30, 2019 1:13 PM
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: Daniel Migault <daniel.migault@ericsson.com>; Ganga, Ilango S <ilango.s.ganga@intel.com>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; nvo3@ietf.org
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Hi Greg,

I think that captures the essence of what I was suggesting.

Thanks,
Anoop

On Tue, Jul 30, 2019 at 10:36 AM Greg Mirsky <gregimirsky@gmail.com<mailto:gregimirsky@gmail.com>> wrote:
Hi Anoop,
thank you for pointing to iOAM as the use case of Geneve options. As I understand, the iOAM for Geneve document offers several options, including one that takes advantage of Geneve options. But such use of options must not, in my opinion, weaken the security in Geneve. We can emphasize that with the text you've proposed and minor, in my opinion, re-wording:
Transit devices may not be capable to process Geneve option content if the Geneve header is secured.


Regards,
Greg

On Tue, Jul 30, 2019 at 12:20 PM Anoop Ghanwani <anoop@alumni.duke.edu<mailto:anoop@alumni.duke.edu>> wrote:
Hi Daniel,

Perhaps what is causing confusion is that there's a difference between NVO3 OAM and I-OAM (the reference provided below).

From my understanding, NVO3 OAM will involve only NVEs processing those packets, while depending on other OAM methods for the underlay.

On the other hand, with I-OAM the idea is to gather information about all devices along the path.  There are several different encapsulation drafts (e.g. IOAM using Geneve, IOAM using VXLAN GPE, IOAM using NSH, etc.), so this is not NVO3-specific.

Perhaps what the Geneve document needs to note is that the Geneve header cannot be secured if there are devices other than NVEs that are required to process its contents.  Unless there is some non-obvious way of doing it and, if it exists, it would be helpful if a reference is provided.

Thanks,
Anoop

On Tue, Jul 30, 2019 at 6:49 AM Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote:
Hi,

OAM has been raised during the meeting, so thank you for providing the appropriated references of OAM. My understanding is that OAM is a Geneve option that is updated by the OAM devices that are on path. Is that correct ?

IPsec or DTLS authenticate or encrypt the full Geneve packet ( Geneve Header, Geneve Options and Geneve payload) between the NVEs. If my assumption regarding the OAM devices is correct, the use of DTLS or IPsec would not make possible to authenticate or encrypt and Geneve packet with OAM enabled. Again if my assumption is correct, I believe that an appropriated way to address this concern might be to be able to leave some Geneve Option non authenticated. while other parts of the packet is authenticated or encrypted. Such mechanism needs to be implemented at the Geneve layer.

Yours,
Daniel

On Fri, Jul 26, 2019 at 2:52 PM Anoop Ghanwani <anoop@alumni.duke.edu<mailto:anoop@alumni.duke..edu>> wrote:
Hi Ilango,

What would be the recommended way to secure the Geneve header in cases where Geneve header extensions are used and routers in the underlay need to access/process the contents of the Geneve header?  For example, this proposal:
https://tools.ietf.org/html/draft-brockners-ippm-ioam-geneve-02

Thanks,
Anoop

On Thu, Jul 25, 2019 at 2:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com<mailto:ilango.s.ganga@intel.com>> wrote:
Hello Kathleen,

Thanks for your review of draft-ietf-nvo3-geneve-13.  We could provide additional clarification in section 4.3 to address your comment. Please let us know if this satisfies your comment.

Current text in Section 4.3, first paragraph:

   In order to provide integrity of Geneve headers, options and payload,

   for example to avoid mis-delivery of payload to different tenant

   systems in case of data corruption, outer UDP checksum SHOULD be used

   with Geneve when transported over IPv4.  An operator MAY choose to

   disable UDP checksum and use zero checksum if Geneve packet integrity

   is provided by other data integrity mechanisms such as IPsec or

   additional checksums or if one of the conditions in Section 4.3.1<https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,

   b, c are met.

Proposed text to 4.3 that we believe would address your comments:


   In order to provide integrity of Geneve headers, options and payload,

   for example to avoid mis-delivery of payload to different tenant

   systems in case of data corruption, outer UDP checksum SHOULD be used

   with Geneve when transported over IPv4. "The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modification of the datagram (see RFC 8085 section 3.4). In deployments where such a risk exists, an operator SHOULD use additional data integrity mechanisms such as offered by IPSec (see Section 6.2)."



   An operator MAY choose to

   disable UDP checksum and use zero checksum if Geneve packet integrity

   is provided by other data integrity mechanisms such as IPsec or

   additional checksums or if one of the conditions in Section 4.3.1<https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,

   b, c are met.

Thanks,
Ilango


From: nvo3 [mailto:nvo3-bounces@ietf.org<mailto:nvo3-bounces@ietf.org>] On Behalf Of Kathleen Moriarty
Sent: Tuesday, July 2, 2019 12:43 PM
To: nvo3@ietf.org<mailto:nvo3@ietf.org>
Subject: [nvo3] Review of draft-ietf-nvo3-geneve-13

Hello,

I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in the review process, but it looks like it has not started IETF last call yet.  I have what's really just a nit and request for a little more text.

Section 4.3.1

The value of the UDP checksum is overstated.  The text should note that corruption is still possible as this is a checksum and not a hash with low collision rates.  Corruption happens and goes undetected in normal operations today.

The security considerations section does address the recommendation to use IPsec, but making the connection on the UDP checksum being inadequate could be helpful.

Reality:

The way this is written, I suspect there really are no plans to use IPsec with GENEVE, are there?  The MUST statements around not altering traffic can only be achieved with IPsec, so if the intent is really to enforce the early MUST statements in the document, sooner mention of IPsec would be good.  If this is more for detecting corruption (and not having that be 100% or close) that should be clear up front.

I'm just envisioning use cases where the virtual path is set differently to the physical path for expected operations to route through desired security functions, then an attacker alters checksums to avoid detection of these changes.

Thanks and sorry for a late review!

--

Best regards,
Kathleen
_______________________________________________
nvo3 mailing list
nvo3@ietf.org<mailto:nvo3@ietf.org>
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org<mailto:nvo3@ietf.org>
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org<mailto:nvo3@ietf.org>
https://www.ietf.org/mailman/listinfo/nvo3

v2.23.0 | Report a Bug | By Email