Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
Anoop Ghanwani <anoop@alumni.duke.edu> Thu, 01 August 2019 15:44 UTC
Return-Path: <ghanwani@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FFDF120242 for <nvo3@ietfa.amsl.com>; Thu, 1 Aug 2019 08:44:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.695
X-Spam-Level:
X-Spam-Status: No, score=-1.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.201, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNjx9Nmaijzp for <nvo3@ietfa.amsl.com>; Thu, 1 Aug 2019 08:43:59 -0700 (PDT)
Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com [209.85.217.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86B86120240 for <nvo3@ietf.org>; Thu, 1 Aug 2019 08:43:59 -0700 (PDT)
Received: by mail-vs1-f43.google.com with SMTP id u124so49202733vsu.2 for <nvo3@ietf.org>; Thu, 01 Aug 2019 08:43:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xwxWMQ4Q1i/UO/WElNEJhUu1Zpe9+yKtdSDGTKtW05I=; b=V1DdM46Qnn/TLWARuHKFu9rdLs5dxRDNDxXLCJJHvTtQtYfTJysWDwfaAutew4cD0b 6hRP8/Z4uepjkSmE/uwBb7whSZPms1NO5Nhve4ZUovqG1VnlAbWQDlKSU0RSQQ+ZWY52 HmmYrk/uIjprtHZyZO2IoNyxPXI9VDbbOQehBz1c5unYBkhOAuXRcyLs7vx1n4KJy5/m plkcq/y8bYIIELlO/mUfUJ/B2DwJ38Hbmr4OjHYEtd/5N1GrQqL+bDb6ZwgKqwKMqTeO DAB6t8HjyKiVpA9zV5/rsc2QvWbQyp3OUoRDUUzfY9fIg3JPxfYiry/zhsdrlVAVkW3A xjIw==
X-Gm-Message-State: APjAAAVZ12rNqm8FienxEwEhfqCUtU6FRcrecHW0YU3N6onLPKpRfGT5 1BPymwnyubDI/3gPZiBfZjLOPK+GUxdsdJ14Nv0=
X-Google-Smtp-Source: APXvYqzvinSDqNPz7vlo1dYzGjDAe9W07oENvDirlrVcsX1d2urGgjPYuPKw8v947uydSaGmnsc4SYhp8Pns84ut0pc=
X-Received: by 2002:a67:3116:: with SMTP id x22mr79250713vsx.228.1564674238578; Thu, 01 Aug 2019 08:43:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com> <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com> <CADZyTk=bouYF_TmeDfUseAtU9nFMoS3RytmBB3f6z3v+Q-X3Xg@mail.gmail.com> <CA+-tSzyzhS8Gu2g8CKmNsaJHyEZm8AqcHLpCAL2DbdycTR1OaQ@mail.gmail.com> <CA+RyBmWPHYKBSF5tdKStbVG-ZoZjJ-gne1NQ2p4EsFhDLdQc9g@mail.gmail.com> <CA+-tSzyD=cJ_GhHJLz=yhwkN1K_3DOwusNLgggCofGKk82yhPQ@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C837B@ORSMSX116.amr.corp.intel.com>
In-Reply-To: <C5A274B25007804B800CB5B289727E35905C837B@ORSMSX116.amr.corp.intel.com>
From: Anoop Ghanwani <anoop@alumni.duke.edu>
Date: Thu, 01 Aug 2019 08:43:47 -0700
Message-ID: <CA+-tSzyzCXPQT=jm6xg4nyA6AwvgiTeZqANMGzvEh6OQw2UYdw@mail.gmail.com>
To: "Ganga, Ilango S" <ilango.s.ganga@intel.com>
Cc: Greg Mirsky <gregimirsky@gmail.com>, Daniel Migault <daniel.migault@ericsson.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e037d058f101c47"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/xf5SKBZ-bmVUqh8ednT60TjDGZQ>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 15:44:03 -0000
Thanks Ilango. Sorry I missed it. Anoop On Wed, Jul 31, 2019 at 10:04 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote: > Hi Anoop, > > There is already text in Section 6.4 of Geneve draft that captures this > information. > > Thanks, > > Ilango > > > > >>I think that captures the essence of what I was suggesting. >>Thanks, > >>Anoop > > >>Transit devices may not be capable to process Geneve option content if > the Geneve header is secured. > > > > > > *From:* Anoop Ghanwani [mailto:anoop@alumni.duke.edu] > *Sent:* Tuesday, July 30, 2019 1:13 PM > *To:* Greg Mirsky <gregimirsky@gmail.com> > *Cc:* Daniel Migault <daniel.migault@ericsson.com>; Ganga, Ilango S < > ilango.s.ganga@intel.com>; Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com>; nvo3@ietf.org > *Subject:* Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 > > > > Hi Greg, > > > > I think that captures the essence of what I was suggesting. > > > > Thanks, > > Anoop > > > > On Tue, Jul 30, 2019 at 10:36 AM Greg Mirsky <gregimirsky@gmail.com> > wrote: > > Hi Anoop, > > thank you for pointing to iOAM as the use case of Geneve options. As I > understand, the iOAM for Geneve document offers several options, including > one that takes advantage of Geneve options. But such use of options must > not, in my opinion, weaken the security in Geneve. We can emphasize that > with the text you've proposed and minor, in my opinion, re-wording: > > Transit devices may not be capable to process Geneve option content if the > Geneve header is secured. > > > > > > Regards, > > Greg > > > > On Tue, Jul 30, 2019 at 12:20 PM Anoop Ghanwani <anoop@alumni.duke.edu> > wrote: > > Hi Daniel, > > > > Perhaps what is causing confusion is that there's a difference between > NVO3 OAM and I-OAM (the reference provided below). > > > > From my understanding, NVO3 OAM will involve only NVEs processing those > packets, while depending on other OAM methods for the underlay. > > > > On the other hand, with I-OAM the idea is to gather information about all > devices along the path. There are several different encapsulation drafts > (e.g. IOAM using Geneve, IOAM using VXLAN GPE, IOAM using NSH, etc.), so > this is not NVO3-specific. > > > > Perhaps what the Geneve document needs to note is that the Geneve header > cannot be secured if there are devices other than NVEs that are required to > process its contents. Unless there is some non-obvious way of doing it > and, if it exists, it would be helpful if a reference is provided. > > > > Thanks, > > Anoop > > > > On Tue, Jul 30, 2019 at 6:49 AM Daniel Migault < > daniel.migault@ericsson.com> wrote: > > Hi, > > > > OAM has been raised during the meeting, so thank you for providing the > appropriated references of OAM. My understanding is that OAM is a Geneve > option that is updated by the OAM devices that are on path. Is that correct > ? > > > > IPsec or DTLS authenticate or encrypt the full Geneve packet ( Geneve > Header, Geneve Options and Geneve payload) between the NVEs. If my > assumption regarding the OAM devices is correct, the use of DTLS or IPsec > would not make possible to authenticate or encrypt and Geneve packet with > OAM enabled. Again if my assumption is correct, I believe that an > appropriated way to address this concern might be to be able to leave some > Geneve Option non authenticated. while other parts of the packet is > authenticated or encrypted. Such mechanism needs to be implemented at the > Geneve layer. > > > > Yours, > > Daniel > > > > On Fri, Jul 26, 2019 at 2:52 PM Anoop Ghanwani <anoop@alumni.duke.edu > <anoop@alumni.duke..edu>> wrote: > > Hi Ilango, > > > > What would be the recommended way to secure the Geneve header in cases > where Geneve header extensions are used and routers in the underlay need to > access/process the contents of the Geneve header? For example, this > proposal: > > https://tools.ietf.org/html/draft-brockners-ippm-ioam-geneve-02 > > > > Thanks, > > Anoop > > > > On Thu, Jul 25, 2019 at 2:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com> > wrote: > > Hello Kathleen, > > > > Thanks for your review of draft-ietf-nvo3-geneve-13. We could provide > additional clarification in section 4.3 to address your comment. Please let > us know if this satisfies your comment. > > > > Current text in Section 4.3, first paragraph: > > In order to provide integrity of Geneve headers, options and payload, > > for example to avoid mis-delivery of payload to different tenant > > systems in case of data corruption, outer UDP checksum SHOULD be used > > with Geneve when transported over IPv4. An operator MAY choose to > > disable UDP checksum and use zero checksum if Geneve packet integrity > > is provided by other data integrity mechanisms such as IPsec or > > additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a, > > b, c are met. > > > > Proposed text to 4.3 that we believe would address your comments: > > > > In order to provide integrity of Geneve headers, options and payload, > > for example to avoid mis-delivery of payload to different tenant > > systems in case of data corruption, outer UDP checksum SHOULD be used > > with Geneve when transported over IPv4. "The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modification of the datagram (see RFC 8085 section 3.4). In deployments where such a risk exists, an operator SHOULD use additional data integrity mechanisms such as offered by IPSec (see Section 6.2)." > > > > An operator MAY choose to > > disable UDP checksum and use zero checksum if Geneve packet integrity > > is provided by other data integrity mechanisms such as IPsec or > > additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a, > > b, c are met. > > > > Thanks, > > Ilango > > > > > > *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Kathleen > Moriarty > *Sent:* Tuesday, July 2, 2019 12:43 PM > *To:* nvo3@ietf.org > *Subject:* [nvo3] Review of draft-ietf-nvo3-geneve-13 > > > > Hello, > > > > I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in the > review process, but it looks like it has not started IETF last call yet. I > have what's really just a nit and request for a little more text. > > > > Section 4.3.1 > > The value of the UDP checksum is overstated. The text should note that > corruption is still possible as this is a checksum and not a hash with low > collision rates. Corruption happens and goes undetected in normal > operations today. > > The security considerations section does address the recommendation to use > IPsec, but making the connection on the UDP checksum being inadequate could > be helpful. > > > > Reality: > > > > The way this is written, I suspect there really are no plans to use IPsec > with GENEVE, are there? The MUST statements around not altering traffic > can only be achieved with IPsec, so if the intent is really to enforce the > early MUST statements in the document, sooner mention of IPsec would be > good. If this is more for detecting corruption (and not having that be > 100% or close) that should be clear up front. > > > > I'm just envisioning use cases where the virtual path is set differently > to the physical path for expected operations to route through desired > security functions, then an attacker alters checksums to avoid detection of > these changes. > > > > Thanks and sorry for a late review! > > > > -- > > > > Best regards, > > Kathleen > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > >
- [nvo3] Review of draft-ietf-nvo3-geneve-13 Kathleen Moriarty
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Daniel Migault
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Kathleen Moriarty
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Daniel Migault
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Ganga, Ilango S
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Anoop Ghanwani
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Dale R. Worley
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Daniel Migault
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Greg Mirsky
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Anoop Ghanwani
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Kathleen Moriarty
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Greg Mirsky
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Kathleen Moriarty
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Kathleen Moriarty
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Anoop Ghanwani
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Ganga, Ilango S
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Anoop Ghanwani
- Re: [nvo3] Review of draft-ietf-nvo3-geneve-13 Ganga, Ilango S