Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

"Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com> Fri, 01 March 2019 11:03 UTC


Hi Daniel

Thanks for reviewing the latest version. At this stage it would be helpful if you could be much more concrete and give specifics.

I think that the main issue is whether the design of Geneve prevents future security extensions.

However, in [1], you stated that you were comfortable with the text if nothing else could be found.

What specifically do you want to change in the following, bearing in mind that there are already claimed implementations of Geneve:
"""
   o  An option SHOULD NOT be dependent upon any other option in the
      packet, i.e., options can be processed independent of one another.
      An option MUST NOT affect the parsing or interpretation of any
      other option.
"""


Matthew


From: Daniel Migault <daniel.migault@ericsson.com>
Date: Friday, 1 March 2019 at 03:06
To: Pankaj Garg <pankajg=40microsoft.com@dmarc.ietf.org>
Cc: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi,

I just briefly went through the document quickly and in my opinion, the document still faces some security issues.

The current text (in my opinion) prevents any Geneve security related
options. Currently Geneve cannot be secured and this prevents future
work to eventually secure Geneve. In my opinion the current text
mandates Geneve to remain unsecured.

Geneve security options that are intended to authenticate/encrypt a part
of the Geneve Header will affect the parsing of the protected option and
will affect the order in which options need to be processed. Typically a
protected option (authenticated, encrypted) cannot or should not be
processed before being authenticated or decrypted.

This has already been mentioned in [1], and the text needs in my opinion
further clarifications.

"""
   o  An option SHOULD NOT be dependent upon any other option in the
      packet, i.e., options can be processed independent of one another.
      An option MUST NOT affect the parsing or interpretation of any
      other option.
"""



As stated in [2] it remains unclear to me why this section is not
referencing and leveraging the security analysis [3-4] performed by
two different independent teams.

My reading of the security considerations is that the message is that
IPsec or TLS could be used to protect a Geneve overlay network. This is
(in my opinion) not correct as this does not consider the transit
device. In addition, the security considerations only consider the case
where the cloud provider and the overlay network provider are a single
entity, which I believe oversimplifies the problem.

The threat model seems to me very vague, so the current security
considerations are limited to solving a problem that is not stated.

My reading of the text indicates the tenant can handle by itself the
confidentiality of its information without necessarily relying on the
overlay service provider. This is not correct. Even when the tenant uses
IPsec/TLS, it still leaks some information. The current text contradicts
[3] section 6.2 and [4] section 5.1.

My reading is that the text indicates that IPsec/DTLS could be used to
protect the overlay service for both confidentiality and integrity.
While this could be used in some deployments, this is not compatible with
transit devices. As such the generic statement is not correct. Section
6.4 indicates that the transit device must be trusted, which is incorrect.
Instead the transit device with all nodes between the transit device and
the NVE needs to be trusted. Overall the impression provided is that
IPsec (or TLS) can be used by the service overlay provider, which is (in
my opinion) not true.

It is unclear to me how authentication of NVE peers differs from the
authentication of communications, as the latter usually relies on the former.
Maybe the section should insist on mutual authentication.

Yours,
Daniel


[1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o
[2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw
[3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07
[4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-05
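Added illustration (not code from the draft or from any participant in this thread) of the tension between the quoted option-independence rule and a protected option: a hypothetical authentication option that covers the other options forces the receiver to verify it before acting on any of them. The base-header and option framing follows the Geneve layout; the AUTH_OPT class/type, the key and the sample option values are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Hypothetical option identity for this illustration only; Geneve defines no such option.
AUTH_OPT = (0xFFFF, 0x01)

def build_geneve(vni, options, proto=0x6558, payload=b""):
    """Build a Geneve packet: 8-byte base header (Ver=0, flags 0), options, payload."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    base = struct.pack("!BBH", len(opts) // 4, 0, proto) + vni.to_bytes(3, "big") + b"\x00"
    return base + opts + payload

def parse_geneve(pkt):
    """Parse the base header, then each option on its own (no inter-option state)."""
    ver_optlen, _flags, proto = struct.unpack("!BBH", pkt[:4])
    opt_len = (ver_optlen & 0x3F) * 4                 # Opt Len counts 4-byte words
    if ver_optlen >> 6 != 0 or len(pkt) < 8 + opt_len:
        raise ValueError("bad Geneve base header")
    options, off, end = [], 8, 8 + opt_len
    while off < end:
        cls, typ, rlen = struct.unpack("!HBB", pkt[off:off + 4])
        data_len = (rlen & 0x1F) * 4                  # low 5 bits, 4-byte words
        if off + 4 + data_len > end:
            raise ValueError("option runs past Opt Len")
        options.append((cls, typ, pkt[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return {"vni": int.from_bytes(pkt[4:7], "big"), "proto": proto,
            "options": options, "payload": pkt[end:]}

def auth_tag(key, base_hdr, covered_opts):
    """Truncated HMAC-SHA256 over the base header and the options it protects (constructed scheme)."""
    covered = base_hdr + b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d
                                  for c, t, d in covered_opts)
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]

def receive(pkt, key):
    """Receiver side: when the auth option is present it must be verified before
    any other option is acted on, so one option now governs the processing of
    the rest; that is the inter-option dependency the thread is debating."""
    hdr = parse_geneve(pkt)
    tags = [d for c, t, d in hdr["options"] if (c, t) == AUTH_OPT]
    others = [o for o in hdr["options"] if (o[0], o[1]) != AUTH_OPT]
    if tags and not hmac.compare_digest(tags[0], auth_tag(key, pkt[:8], others)):
        raise ValueError("authentication failed; other options left unprocessed")
    return others  # only now safe to hand to per-option handlers
```

Because the tag is computed over the base header, the sender builds the header with the final Opt Len first and then fills in the tag; a receiver without the key can still parse every option independently but cannot safely act on the covered ones.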





On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg <pankajg=40microsoft.com@dmarc.ietf.org> wrote:
I am not aware of any IP related to draft-ietf-nvo3-geneve which has not already been disclosed.

Thanks
Pankaj

From: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
Sent: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <nvo3@ietf.org>
Cc: draft-ietf-nvo3-geneve@ietf.org
Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

This email begins a two-week working group last call for draft-ietf-nvo3-geneve-08.txt.

Please review the draft and post any comments to the NVO3 working group list. If you have read the latest version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate so to the WG email list.

We are also polling for knowledge of any undisclosed IPR that applies to this document, to ensure that IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details).
If you are listed as an Author or a Contributor of this document, please respond to this email and indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors and Contributors.

Currently there are two IPR disclosures against this document.

If you are not listed as an Author or a Contributor, then please explicitly respond only if you are aware of any IPR that has not yet been disclosed in conformance with IETF rules.

This poll will run until Friday 26th October.

Regards

Matthew and Sam