Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 08 July 2019 16:35 UTC

References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <CADZyTk=G5mYHf1f4zoaT7uebNwLO-uocxcuoocHc0ir3F5nbRQ@mail.gmail.com>
In-Reply-To: <CADZyTk=G5mYHf1f4zoaT7uebNwLO-uocxcuoocHc0ir3F5nbRQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 08 Jul 2019 12:34:18 -0400
Message-ID: <CAHbuEH6x_oyJmWtdXMEaqCo55wB1mUOt4jYLJ_JSwq3TZWcnmQ@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: NVO3 <nvo3@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/x939xwuziAFuQ0-EaDTxx_rtK38>

Hi Daniel,

I read the document and saw that it was used as a tunnel and the end points
were the ones that had access to the GENEVE information.  With this in
mind, the UDP layer for GENEVE encapsulated in an IP packet could then use
IPsec.  The security recommendations mention the use of IPsec to fix many
of the stated considerations.

I don't understand your comment that IPsec is used to secure the
infrastructure.  What do you mean?  Can you provide an example?  I think the
security considerations section says it's protecting GENEVE and that GENEVE
is essentially a tunnel - you can use it over the Internet to join VLANs
(this is a pretty obvious use case where IPsec would be used).

Integrity protection on any routing overlay protocol should be a
requirement, especially when the path of traffic can be altered by the
routing overlay protocol from what would normally be used.  The document
says (or I read somewhere) no AH only support, so I am guessing that
vendors have not implemented that interoperably, hence the reason for the
ESP recommendation.

Thanks for any clarification.

Best regards,
Kathleen

On Mon, Jul 8, 2019 at 10:56 AM Daniel Migault <daniel.migault@ericsson.com>
wrote:

> Hi Kathleen,
>
> My understanding of the document is that IPsec is not used to secure
> Geneve. Instead, IPsec is used to secure the infrastructure on top of which
> Geneve would be operated, thus lowering the security of Geneve itself.
> As far as I understand, Geneve is incompatible with end-to-end security
> (IPsec, DTLS) to protect Geneve NVE-to-NVE communications. The document
> defines Transit Devices that intercept on-path packets of an NVE-to-NVE
> communication, which is not possible with DTLS or IPsec.
>
> Yours,
> Daniel
>
>
> On Tue, Jul 2, 2019 at 3:43 PM Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Hello,
>>
>> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in
>> the review process, but it looks like it has not started IETF last call
>> yet.  I have what's really just a nit and request for a little more text.
>>
>> Section 4.3.1
>>
>> The value of the UDP checksum is overstated.  The text should note that
>> corruption is still possible as this is a checksum and not a hash with low
>> collision rates.  Corruption happens and goes undetected in normal
>> operations today.
>>
>> The security considerations section does address the recommendation to
>> use IPsec, but making the connection on the UDP checksum being inadequate
>> could be helpful.
>>
>> Reality:
>>
>> The way this is written, I suspect there really are no plans to use IPsec
>> with GENEVE, are there?  The MUST statements around not altering traffic
>> can only be achieved with IPsec, so if the intent is really to enforce the
>> early MUST statements in the document, sooner mention of IPsec would be
>> good.  If this is more for detecting corruption (and not having that be
>> 100% or close) that should be clear up front.
>>
>> I'm just envisioning use cases where the virtual path is set differently
>> to the physical path for expected operations to route through desired
>> security functions, then an attacker alters checksums to avoid detection of
>> these changes.
>>
>> Thanks and sorry for a late review!
>>
>> --
>>
>> Best regards,
>> Kathleen
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3
>>
>

-- 

Best regards,
Kathleen
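The two points argued in this thread, that the UDP checksum detects some corruption but is no defence against an on-path party that rewrites the Geneve header and recomputes the checksum, and that only a keyed integrity check (what ESP provides) catches that, can be shown with a few dozen lines of Python. The block below is an added illustration and is not code from the draft, from the thread, or from any Geneve implementation. It builds the 8-byte base Geneve header (no options) inside a UDP datagram, computes the RFC 768 checksum over the IPv4 pseudo-header, then (a) changes the VNI and re-checksums as a transit device or attacker could, (b) swaps two 16-bit words of the inner frame, which the ones'-complement checksum cannot detect at all, and (c) checks both against an HMAC-SHA256 tag standing in for an ESP integrity check value. The addresses, key and inner frame are constructed test data; the HMAC is a stand-in for ESP, not an IPsec implementation.

```python
"""Geneve-over-UDP: UDP checksum versus keyed integrity (constructed demonstration)."""
import hashlib
import hmac
import socket
import struct

GENEVE_UDP_PORT = 6081    # IANA-assigned destination port for Geneve
ETHERTYPE_TEB = 0x6558    # Transparent Ethernet Bridging, the usual Geneve payload type
IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented (as UDP uses it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def geneve_header(vni: int, protocol_type: int = ETHERTYPE_TEB) -> bytes:
    """Base Geneve header, no options: Ver=0, OptLen=0, O=0, C=0, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!BBH", 0, 0, protocol_type) + struct.pack("!I", vni << 8)


def geneve_vni(datagram: bytes) -> int:
    """VNI as a receiving NVE would read it: bytes 4..7 of the Geneve header after the UDP header."""
    return struct.unpack("!I", datagram[12:16])[0] >> 8


def _pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, udp_length)


def udp_datagram(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with the checksum computed over pseudo-header, header and payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # RFC 768: a computed zero is sent as all ones (zero means "no checksum")
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Receiver check: the sum over pseudo-header and datagram, checksum field included, must verify."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0


def rewrite_vni(src_ip: str, dst_ip: str, datagram: bytes, new_vni: int) -> bytes:
    """What an on-path party can do: change the VNI and recompute a valid checksum."""
    sport, dport = struct.unpack("!HH", datagram[:4])
    payload = bytearray(datagram[8:])
    payload[4:8] = struct.pack("!I", new_vni << 8)
    return udp_datagram(src_ip, dst_ip, sport, dport, bytes(payload))


def swap_words(datagram: bytes, i: int, j: int) -> bytes:
    """Corrupt the datagram by exchanging two aligned 16-bit words. Ones'-complement addition is
    commutative, so the checksum is unchanged and the corruption goes undetected."""
    if i % 2 or j % 2 or abs(i - j) < 2:
        raise ValueError("offsets must be even and non-overlapping")
    d = bytearray(datagram)
    d[i:i + 2], d[j:j + 2] = d[j:j + 2], d[i:i + 2]
    return bytes(d)


def integrity_tag(key: bytes, src_ip: str, dst_ip: str, datagram: bytes) -> bytes:
    """Stand-in for ESP's ICV: a keyed MAC over the outer addresses and the whole datagram."""
    return hmac.new(key, _pseudo_header(src_ip, dst_ip, len(datagram)) + datagram, hashlib.sha256).digest()


def integrity_ok(key: bytes, src_ip: str, dst_ip: str, datagram: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, src_ip, dst_ip, datagram), tag)


def demo() -> dict:
    src, dst = "192.0.2.1", "192.0.2.2"                 # constructed: RFC 5737 documentation addresses
    key = b"constructed-demo-key-not-for-real-use"      # constructed: shared key of the two NVEs
    inner = b"\xaa" * 14 + b"inner ethernet frame payload"   # constructed stand-in for an Ethernet frame
    pkt = udp_datagram(src, dst, 49152, GENEVE_UDP_PORT, geneve_header(0x000ABC) + inner)
    tag = integrity_tag(key, src, dst, pkt)

    forged = rewrite_vni(src, dst, pkt, 0x000DEF)       # VNI rewritten, checksum recomputed
    corrupted = swap_words(pkt, 30, 32)                  # two words inside the inner frame exchanged
    return {
        "original_ok": udp_checksum_ok(src, dst, pkt) and integrity_ok(key, src, dst, pkt, tag),
        "forged_checksum_ok": udp_checksum_ok(src, dst, forged),       # True: checksum says fine
        "forged_mac_ok": integrity_ok(key, src, dst, forged, tag),      # False: MAC catches it
        "forged_vni": geneve_vni(forged),
        "corrupted_checksum_ok": udp_checksum_ok(src, dst, corrupted),  # True: checksum blind to it
        "corrupted_mac_ok": integrity_ok(key, src, dst, corrupted, tag),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints one line per check. The swap case is the checksum's structural weakness that the thread's "not a hash with low collision rates" remark refers to; the VNI rewrite is the attacker case from the original review, where the virtual path is steered somewhere else and the checksum is simply recomputed. Both are caught only by the keyed tag, which is why the thread keeps coming back to ESP.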