IETF Logo Mail Archive

Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 30 July 2019 18:12 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5746A120248 for <nvo3@ietfa.amsl.com>; Tue, 30 Jul 2019 11:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HOPQPWVxfm8b for <nvo3@ietfa.amsl.com>; Tue, 30 Jul 2019 11:12:39 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 474D512028E for <nvo3@ietf.org>; Tue, 30 Jul 2019 11:12:34 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id r21so61263423otq.6 for <nvo3@ietf.org>; Tue, 30 Jul 2019 11:12:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=veha7x/hUhyXGc+b/3wg00/Ad0/XIejrkR9tnKaJNHQ=; b=GQl14mrUf/yzc1ntBA1EdYYe7WWXDFjSeBRBbOa6r2KiCzCIUbu9mvJkkuYagyMopM gwLOAqVM7AzY8+CifDGSeZLaqeuRYRofvwwG+JI0TevUAE7qdH9OsuAUVHhPuBZQswlq ztNz9K836UzvB7t2AlsbtuuWvukzMDznSpn7gUmgKUaTMVyQ2FbC8FvNpWmbRgj+m3A7 UM3EZIupm3DY6qDcyMc8kTNJtMQYvMAVqhllXiun5nw3EV01iedEfBPKN9VC2TFxLqBa 07nikdhEMp7eCn0U5GwOgLo5G8pg3y+zt+9+UNCD00Z+9EV+iEjtS68czWIdniqvIswL z+0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=veha7x/hUhyXGc+b/3wg00/Ad0/XIejrkR9tnKaJNHQ=; b=dZ81vG0n/rfM2a1jPkxsW4K2EOIbqyl/kufiZdQqrxaIK0C96oXtKGfhe15KTpcg5x A+p8dcXPbF0O+3K8D2AvEiWJMjkojm8mc2u4/oO8Eh9Sffgfkt2xhU+LK59RHRgvKd0s oR9cprM6qFXSObNKIS2bUP1/TSSXKLPUi4VRey4OZTn55k3emghPWliAPhNtbva3jpiD YfwuuITsGGdf1lcdEErXHaDZMHvDR+6V8wTuoa+kHljkoKok3gA8TvSKDL6ETMla/Fji Mt69eC+iw/efLMz1I7SbHmO3KbOnl+cPvREtfJraTpaimH+ndXK4ePSMplg6+C71oiBd uTdg==
X-Gm-Message-State: APjAAAWk8aIq8xE3VhSOrIUnAY+40FDaL3NS22VSzGzWDhlyGQRgO1SW YZjP+wOhitao9jSI35hTuKaKriNLhk9lf9qQmZMQppyGLWE=
X-Google-Smtp-Source: APXvYqyqlmeLZuq0ME5teFUIkswSuJWYbzJKzb/llbIegRdb2JpExolB/bOaJjDyR4CgFrrhbyjwsh8l0/+qjuDe3eM=
X-Received: by 2002:a05:6830:1319:: with SMTP id p25mr58196643otq.224.1564510353591; Tue, 30 Jul 2019 11:12:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com> <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com>
In-Reply-To: <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 30 Jul 2019 14:11:57 -0400
Message-ID: <CAHbuEH6EkHRxnB-fbkM1S9vtX5o4rx_=YY7KMF6b8bh3T6chUw@mail.gmail.com>
To: Anoop Ghanwani <anoop@alumni.duke.edu>
Cc: "Ganga, Ilango S" <ilango.s.ganga@intel.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dfb99d058ee9f3a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/ogN2544sOAmPn-mXKweJPWLA3Zk>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 18:12:43 -0000

On Fri, Jul 26, 2019 at 2:52 PM Anoop Ghanwani <anoop@alumni.duke.edu>
wrote:

> Hi Ilango,
>
> What would be the recommended way to secure the Geneve header in cases
> where Geneve header extensions are used and routers in the underlay need to
> access/process the contents of the Geneve header?  For example, this
> proposal:
> https://tools.ietf.org/html/draft-brockners-ippm-ioam-geneve-02
>
>
Could IPsec AH or IPsec NULL encryption (https://tools.ietf.org/html/rfc2410)
be used for that purpose?  NULL encryption leaves the header untouched, so
more can be accessed than with AH.  In either case, integrity protection is
possible without confidentiality.

It would be good to represent the range of options (confidentiality as was
mentioned in another message in this thread and/or integrity and
authentication).

Best regards,
Kathleen

Thanks,
> Anoop
>
> On Thu, Jul 25, 2019 at 2:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com>
> wrote:
>
>> Hello Kathleen,
>>
>>
>>
>> Thanks for your review of draft-ietf-nvo3-geneve-13.  We could provide
>> additional clarification in section 4.3 to address your comment. Please let
>> us know if this satisfies your comment.
>>
>>
>>
>> Current text in Section 4.3, first paragraph:
>>
>>    In order to provide integrity of Geneve headers, options and payload,
>>
>>    for example to avoid mis-delivery of payload to different tenant
>>
>>    systems in case of data corruption, outer UDP checksum SHOULD be used
>>
>>    with Geneve when transported over IPv4.  An operator MAY choose to
>>
>>    disable UDP checksum and use zero checksum if Geneve packet integrity
>>
>>    is provided by other data integrity mechanisms such as IPsec or
>>
>>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>>
>>    b, c are met.
>>
>>
>>
>> Proposed text to 4.3 that we believe would address your comments:
>>
>>
>>
>>    In order to provide integrity of Geneve headers, options and payload,
>>
>>    for example to avoid mis-delivery of payload to different tenant
>>
>>    systems in case of data corruption, outer UDP checksum SHOULD be used
>>
>>    with Geneve when transported over IPv4. "The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modification of the datagram (see RFC 8085 section 3.4). In deployments where such a risk exists, an operator SHOULD use additional data integrity mechanisms such as offered by IPSec (see Section 6.2)."
>>
>>
>>
>>    An operator MAY choose to
>>
>>    disable UDP checksum and use zero checksum if Geneve packet integrity
>>
>>    is provided by other data integrity mechanisms such as IPsec or
>>
>>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>>
>>    b, c are met.
>>
>>
>>
>> Thanks,
>>
>> Ilango
>>
>>
>>
>>
>>
>> *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Kathleen
>> Moriarty
>> *Sent:* Tuesday, July 2, 2019 12:43 PM
>> *To:* nvo3@ietf.org
>> *Subject:* [nvo3] Review of draft-ietf-nvo3-geneve-13
>>
>>
>>
>> Hello,
>>
>>
>>
>> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in
>> the review process, but it looks like it has not started IETF last call
>> yet.  I have what's really just a nit and request for a little more text.
>>
>>
>>
>> Section 4.3.1
>>
>> The value of the UDP checksum is overstated.  The text should note that
>> corruption is still possible as this is a checksum and not a hash with low
>> collision rates.  Corruption happens and goes undetected in normal
>> operations today.
>>
>> The security considerations section does address the recommendation to
>> use IPsec, but making the connection on the UDP checksum being inadequate
>> could be helpful.
>>
>>
>>
>> Reality:
>>
>>
>>
>> The way this is written, I suspect there really are no plans to use IPsec
>> with GENEVE, are there?  The MUST statements around not altering traffic
>> can only be achieved with IPsec, so if the intent is really to enforce the
>> early MUST statements in the document, sooner mention of IPsec would be
>> good.  If this is more for detecting corruption (and not having that be
>> 100% or close) that should be clear up front.
>>
>>
>>
>> I'm just envisioning use cases where the virtual path is set differently
>> to the physical path for expected operations to route through desired
>> security functions, then an attacker alters checksums to avoid detection of
>> these changes.
>>
>>
>>
>> Thanks and sorry for a late review!
>>
>>
>>
>> --
>>
>>
>>
>> Best regards,
>>
>> Kathleen
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3
>>
>

-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email