Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
Jeffrey Haas <jhaas@pfrc.org> Wed, 18 December 2019 22:13 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F410120836; Wed, 18 Dec 2019 14:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTSfUv54uiQa; Wed, 18 Dec 2019 14:13:54 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 48FE5120089; Wed, 18 Dec 2019 14:13:54 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 320B61E2F6; Wed, 18 Dec 2019 17:18:24 -0500 (EST)
Date: Wed, 18 Dec 2019 17:18:24 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bfd-vxlan@ietf.org, bfd-chairs@ietf.org, rtg-bfd@ietf.org
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
Message-ID: <20191218221823.GG6488@pfrc.org>
References: <157653979360.24617.1864402887480503965.idtracker@ietfa.amsl.com> <20191218202448.GC6488@pfrc.org> <20191218220246.GK81833@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20191218220246.GK81833@kduck.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/cHh-4fIn8kbLinRPZtTUF9WO9ds>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 22:13:55 -0000
Ben, On Wed, Dec 18, 2019 at 02:02:46PM -0800, Benjamin Kaduk wrote: > On Wed, Dec 18, 2019 at 03:24:48PM -0500, Jeffrey Haas wrote: > > This is a clean summary of the considerations. At least a portion of the WG > > seems to be comfortable with "test to the management VNI". However, another > > (smaller, I believe) portion were wanting to test one layer further in. > > It is reassuring that I at least managed to summarize the situation > tolerably. Is it fair to say that testing "one layer further in" is a > superset of what "test to the managemenet VNI" can do? Fundamentally, this is all BFD. The issue is almost always considerations related to encapsulation. The meta concern here is that if you test to the management VNI, the operator has a lot of control over things that are clean from a security perspective. The minute you test one layer deeper, it's still the same thing... but you now have a lot of sharp edges you have to worry about. In all of these situations, the main consideration from a security perspective and an encapsulation perspective is "don't step on the toes of the user". But that said, vxlan environments are provided to contain tenants, have their own provisioning ecosystems, and security considerations in how they are provisioned and operated. As long as the security and operational considerations are understood by the operator, they can decide whether "testing one layer further in" gives them good benefit vs. the additional security considerations. And that said, two fundamental portions of BFD operations and security still apply here: - Discriminators need to be known to mess with existing sessions. This means the main consideration for someone not in the tenant environment is privacy. Such privacy is an overall consideration for vxlan environments. - Authentication mechanisms in BFD may still be deployed which further reduce the attack space. Basically, if your vxlan environment is appropriately operated and secured, the main attacker of this session is the tenant itself. And they have all sorts of bad things they can do to knock down their own reachability from one VTEP to another. I.e. it's a stupid attack. :-) -- Jeff
- Benjamin Kaduk's Discuss on draft-ietf-bfd-vxlan-… Benjamin Kaduk via Datatracker
- Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vx… Jeffrey Haas
- Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vx… Benjamin Kaduk
- Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vx… Jeffrey Haas
- Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vx… Benjamin Kaduk
- Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vx… Benjamin Kaduk