IETF Logo Mail Archive

Re: [nvo3] Review of draft-ietf-nvo3-geneve-13

Anoop Ghanwani <anoop@alumni.duke.edu> Fri, 26 July 2019 18:52 UTC

Return-Path: <ghanwani@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBA281200C1 for <nvo3@ietfa.amsl.com>; Fri, 26 Jul 2019 11:52:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.557
X-Spam-Level:
X-Spam-Status: No, score=-1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.091, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdoyRufEbVgC for <nvo3@ietfa.amsl.com>; Fri, 26 Jul 2019 11:52:27 -0700 (PDT)
Received: from mail-vs1-f53.google.com (mail-vs1-f53.google.com [209.85.217.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96EF9120173 for <nvo3@ietf.org>; Fri, 26 Jul 2019 11:52:27 -0700 (PDT)
Received: by mail-vs1-f53.google.com with SMTP id k9so36731523vso.5 for <nvo3@ietf.org>; Fri, 26 Jul 2019 11:52:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ReAsS+/6R/RuoklGRTXwxG43RF/i/emtkPFx0O8f+qc=; b=QdCk7rs0cX8wpGWh3pISMir5rcxomtkgITYVojF9batRS33jnYJZ9lWCFG7lNJMG8A Mye8efUXrnQwe7COb7YPl9pAZ/O62RMMCXKT4k8vc+/Z4USYtuZ/83S43WS4bQjp4Rll dkZx6pnGn/5CFhIv57K6quz1/KkA94grJvNW+KBCpMoVFiHLkmxaiKSuuL5uTDxsSWbL smzBa8hG/gdzbYFzYpceORpzmDhdqkxn8U35PB9HJkZ2HSlf7s8vnqgSt/vXswVr0pbZ Vu+HsDG35Y9N4o+LuPl5WVhoJyTy7pgic/ERe/eROr/1OShTt5fs1ZO9NRG/D2niuAqG SVLg==
X-Gm-Message-State: APjAAAWUhXNZ5nXWAuW5ME0CW23t2TmsgM38hU3S2Ml7zSa16YdwkY1C pOvKatlhn7mh9dChPPycR05eJXjhN2lgfLnHudg=
X-Google-Smtp-Source: APXvYqw11fIvCbl5TXotW50X4xPwTw3XjUrmWuXDU3jSolRV7czRyGpkzoSe7/9ATnS8vzBpZCftwsR92u6ydkTYlzM=
X-Received: by 2002:a67:8042:: with SMTP id b63mr63921813vsd.23.1564167146584; Fri, 26 Jul 2019 11:52:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH66JZd1KOi5_mL8nzdTZ7WjSsOQP8a3B+oSwA6wNnfDKw@mail.gmail.com> <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com>
In-Reply-To: <C5A274B25007804B800CB5B289727E35905C4AA0@ORSMSX116.amr.corp.intel.com>
From: Anoop Ghanwani <anoop@alumni.duke.edu>
Date: Fri, 26 Jul 2019 11:52:15 -0700
Message-ID: <CA+-tSzxD6u+KwEizhWBjQipm=dFVoXbPu2=Agj-sbyKm5Mcrwg@mail.gmail.com>
To: "Ganga, Ilango S" <ilango.s.ganga@intel.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002447f7058e9a0b1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/zrhUlc-WAxDGBWMqeuu5kY8ykMw>
Subject: Re: [nvo3] Review of draft-ietf-nvo3-geneve-13
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 18:52:30 -0000

Hi Ilango,

What would be the recommended way to secure the Geneve header in cases
where Geneve header extensions are used and routers in the underlay need to
access/process the contents of the Geneve header?  For example, this
proposal:
https://tools.ietf.org/html/draft-brockners-ippm-ioam-geneve-02

Thanks,
Anoop

On Thu, Jul 25, 2019 at 2:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com>
wrote:

> Hello Kathleen,
>
>
>
> Thanks for your review of draft-ietf-nvo3-geneve-13.  We could provide
> additional clarification in section 4.3 to address your comment. Please let
> us know if this satisfies your comment.
>
>
>
> Current text in Section 4.3, first paragraph:
>
>    In order to provide integrity of Geneve headers, options and payload,
>
>    for example to avoid mis-delivery of payload to different tenant
>
>    systems in case of data corruption, outer UDP checksum SHOULD be used
>
>    with Geneve when transported over IPv4.  An operator MAY choose to
>
>    disable UDP checksum and use zero checksum if Geneve packet integrity
>
>    is provided by other data integrity mechanisms such as IPsec or
>
>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>
>    b, c are met.
>
>
>
> Proposed text to 4.3 that we believe would address your comments:
>
>
>
>    In order to provide integrity of Geneve headers, options and payload,
>
>    for example to avoid mis-delivery of payload to different tenant
>
>    systems in case of data corruption, outer UDP checksum SHOULD be used
>
>    with Geneve when transported over IPv4. "The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modification of the datagram (see RFC 8085 section 3.4). In deployments where such a risk exists, an operator SHOULD use additional data integrity mechanisms such as offered by IPSec (see Section 6.2)."
>
>
>
>    An operator MAY choose to
>
>    disable UDP checksum and use zero checksum if Geneve packet integrity
>
>    is provided by other data integrity mechanisms such as IPsec or
>
>    additional checksums or if one of the conditions in Section 4.3.1 <https://tools.ietf.org/html/draft-ietf-nvo3-geneve-13#section-4.3.1> a,
>
>    b, c are met.
>
>
>
> Thanks,
>
> Ilango
>
>
>
>
>
> *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Kathleen
> Moriarty
> *Sent:* Tuesday, July 2, 2019 12:43 PM
> *To:* nvo3@ietf.org
> *Subject:* [nvo3] Review of draft-ietf-nvo3-geneve-13
>
>
>
> Hello,
>
>
>
> I just read through draft-ietf-nvo3-geneve, sorry I am out-of-cycle in the
> review process, but it looks like it has not started IETF last call yet.  I
> have what's really just a nit and request for a little more text.
>
>
>
> Section 4.3.1
>
> The value of the UDP checksum is overstated.  The text should note that
> corruption is still possible as this is a checksum and not a hash with low
> collision rates.  Corruption happens and goes undetected in normal
> operations today.
>
> The security considerations section does address the recommendation to use
> IPsec, but making the connection on the UDP checksum being inadequate could
> be helpful.
>
>
>
> Reality:
>
>
>
> The way this is written, I suspect there really are no plans to use IPsec
> with GENEVE, are there?  The MUST statements around not altering traffic
> can only be achieved with IPsec, so if the intent is really to enforce the
> early MUST statements in the document, sooner mention of IPsec would be
> good.  If this is more for detecting corruption (and not having that be
> 100% or close) that should be clear up front.
>
>
>
> I'm just envisioning use cases where the virtual path is set differently
> to the physical path for expected operations to route through desired
> security functions, then an attacker alters checksums to avoid detection of
> these changes.
>
>
>
> Thanks and sorry for a late review!
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
> _______________________________________________
> nvo3 mailing list
> nvo3@ietf.org
> https://www.ietf.org/mailman/listinfo/nvo3
>

v2.23.0 | Report a Bug | By Email