Re: [secdir] Secdir review (early review) of draft-ietf-nvo3-geneve

"Ganga, Ilango S" <> Sat, 23 February 2019 00:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 98FCA130DE4; Fri, 22 Feb 2019 16:21:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PWkZpsAa4j_3; Fri, 22 Feb 2019 16:21:52 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 86320126C7E; Fri, 22 Feb 2019 16:21:51 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Feb 2019 16:21:50 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.58,401,1544515200"; d="scan'208,217";a="118411657"
Received: from ([]) by with ESMTP; 22 Feb 2019 16:21:50 -0800
Received: from ([]) by ([]) with mapi id 14.03.0415.000; Fri, 22 Feb 2019 16:21:50 -0800
From: "Ganga, Ilango S" <>
To: =?utf-8?B?TWFnbnVzIE55c3Ryw7Zt?= <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: Secdir review (early review) of draft-ietf-nvo3-geneve
Thread-Index: AQHUa05O1lkJPkWghUmTeaMFlyPdI6U4khKAgAGdQICACXZEUIAA3nKAgABDMiCAqHvjsA==
Date: Sat, 23 Feb 2019 00:21:49 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMGMyNDEyMzctOThjZC00NjQ5LTk4MTUtM2VmZDI2YjQ5Y2FhIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiXC81cDkzVDRYVVR5Ullrejc2QkkwVjJ3WXI1azhIZ1dFYVV3MkU1eXpnSVwvTGFqSVdqbHFvUDBZb0t2UzJmd2o5In0=
x-ctpclassification: CTP_NT
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C5A274B25007804B800CB5B289727E3583D6B5E7ORSMSX116amrcor_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [secdir] Secdir review (early review) of draft-ietf-nvo3-geneve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Feb 2019 00:21:56 -0000

Hi Magnus,

Many thanks for your review and feedback. We have posted a new version of the document that addresses all your comments from the SECDIR early review. This version includes all the WG Last Call comments including TSVART and SECDIR early reviews.

Ilango Ganga
Editor, Geneve

From: Ganga, Ilango S []
Sent: Wednesday, November 7, 2018 11:30 AM
To: Magnus Nyström <>
Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Magnus,
Thanks for your review and feedback. We have addressed all 3 of your comments. We will be updating the draft to address these and WG LC comments, in the next week or two.

From: Magnus Nyström []
Sent: Tuesday, November 6, 2018 11:20 PM
To: Ganga, Ilango S <<>>
Subject: Re: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Ilango,
Thanks for your thorough follow-up. To me, the new text looks very good. You could shorten (and perhaps add clarity) by replacing "Hence an option..." with just "An option ..."
<Ilango> Yes, this should be fine.


On Tue, Nov 6, 2018 at 7:11 PM Ganga, Ilango S <<>> wrote:
Hi Magnus,

Here is our proposed text that we believe will satisfy your comment on 3.5.1:

In Section 2.2.1 add new highlighted text in paragraph that began with “Transit devices..”
Options, if present in the packet, MUST be generated and terminated by end points. Transit devices MAY be able to interpret the options, however, as
   non-terminating devices, transit devices do not originate or
   terminate the Geneve packet, hence MUST NOT insert or delete options,
   which is the responsibility of Geneve endpoints.  The participation
   of transit devices in interpreting options is OPTIONAL.

Section 3.5.1 - Remove the highlighted text:
o  Some options may be defined in such a way that the position in the
      option list is significant.  Options or their ordering, MUST NOT
      be changed by transit devices.

Section 3.5.1 - Add highlighted text to the last bullet:
   o  An option SHOULD NOT be dependent upon any other option in the packet,
 i.e., options can be processed independent of one another. Hence an option MUST NOT affect the parsing or interpretation of any other option.

Remove the following paragraph from 6.2:
Geneve supports Geneve Options, so an operator may choose to use a
   Geneve option TLV to provide a cryptographic data protection
   mechanism, to verify the data integrity of the Geneve header, Geneve
   options or the entire Geneve packet including the payload.
   Implementation of such a mechanism is beyond the scope of this

Introduce new section after 6.3 as follows:
6.4  Options Interpretation by Transit Devices

Options, if present in the packet, are generated and terminated by end points. As indicated in 2.2.1, transit devices may interpret the options. However, if the packet is protected by end point to end point encryption, for example through IPsec, transit devices will not have visibility into the Geneve header or options in the packet. In cases where options are interpreted by transit devices, the operator MUST ensure that transit devices are trusted and not compromised. Implementation of a mechanism to ensure this trust is beyond the scope of this document.

Please let us know if this addresses your comment on 3.5.1.  The other two comments have been satisfied as noted below.


From: Magnus Nyström [<>]
Sent: Wednesday, October 31, 2018 11:34 AM
To: Ganga, Ilango S <<>>;<>;<>
Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Ilango,
For 3.4, I think this may be sufficient.

For 6.2, I will defer to the IETF director/telechat discussion that will occur at some point for this draft. If the intent is interoperability and robustness of such an option, then I would recommend it to be specified in the IETF, but I can also see how you would prefer that such specification work occurs outside this particular draft – which should be doable. Perhaps staying silent on the option alternative and just recommend leveraging layer-provided infrastructure such as ipsec may be best for now?

I'll await your suggested updated language for 3.5.1.


Sent from my Windows 10 phone

From: Ganga, Ilango S<>
Sent: Tuesday, October 30, 2018 18:12
To: Magnus Nyström<>;<>;<>
Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Magnus,

Thanks for your review and feedback. Please see inline for my responses.


From: Magnus Nyström []
Sent: Tuesday, October 23, 2018 9:01 PM
Subject: Secdir review (early review) of draft-ietf-nvo3-geneve

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes "Geneve," a protocol for GEneric NEtwork Virtualization Encapsulation. The document is written in a clear manner and with a thorough Security Considerations section. I have just a few questions/comments:

- Section 3.4: The "MUST ignore" for the reserved bits should presumably state "SHALL be ignored for this version of the Geneve protocol." - as I imagine that in a future version, these bits may not be ignored?

<Ilango> In theory, a future version may change the behavior of any of the header fields including the reserved bits.  The header definition is for this version of the protocol.

Please see if the following text would satisfy the intent of your comment.
“Reserved field which MUST be zero on transmission and MUST be ignored on receipt.”

Or let us know if you still want to have this qualified with “for this version of the protocol”

- Section 3.5.1: I wonder about the simultaneous requirement that one option must not affect the parsing or interpretation of another option but that the sequencing (order) of options may be significant - they seem to be contradictory since if the sequencing *is* significant, then some option must be impacted by a previous one's value? From a security perspective, I also wonder if there could be security consequences of re-ordering options (and how to tell if someone did re-order - see below)?

<Ilango> You raise a good point. The intent of this statement is, parsing and interpretation of options should not be dependent on one another. We are discussing among the authors to see how we can include appropriate clarifying statements to address your point. I will update you shortly.

- Section 6.2, shouldn't such an Option be defined to reduce the risk of under-specified or subpar specifications of such integrity mechanisms? Or also from an interop perspective?

<Ilango> Using a Geneve option for the purpose of data integrity is more of an optimization. Otherwise data integrity could be provided by using existing mechanisms like IPsec (as stated in second paragraph of 6.2). We included the last paragraph to show other possibilities. We could remove this paragraph if it may cause any confusion.

We would like to keep the Geneve base specification independent of options specifications, options could be a defined in a future standards action.

-- Magnus

-- Magnus