Re: [secdir] Secdir review (early review) of draft-ietf-nvo3-geneve

"Ganga, Ilango S" <ilango.s.ganga@intel.com> Wed, 07 November 2018 03:12 UTC

Return-Path: <ilango.s.ganga@intel.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7E9127332; Tue, 6 Nov 2018 19:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IVV2iHq4Otmo; Tue, 6 Nov 2018 19:11:57 -0800 (PST)
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14BF0128CE4; Tue, 6 Nov 2018 19:11:57 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Nov 2018 19:11:56 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,474,1534834800"; d="scan'208,217";a="278946741"
Received: from orsmsx104.amr.corp.intel.com ([10.22.225.131]) by fmsmga006.fm.intel.com with ESMTP; 06 Nov 2018 19:11:56 -0800
Received: from orsmsx115.amr.corp.intel.com (10.22.240.11) by ORSMSX104.amr.corp.intel.com (10.22.225.131) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 6 Nov 2018 19:11:55 -0800
Received: from orsmsx116.amr.corp.intel.com ([169.254.7.124]) by ORSMSX115.amr.corp.intel.com ([169.254.4.106]) with mapi id 14.03.0415.000; Tue, 6 Nov 2018 19:11:55 -0800
From: "Ganga, Ilango S" <ilango.s.ganga@intel.com>
To: =?utf-8?B?TWFnbnVzIE55c3Ryw7Zt?= <magnusn@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>
Thread-Topic: Secdir review (early review) of draft-ietf-nvo3-geneve
Thread-Index: AQHUa05O1lkJPkWghUmTeaMFlyPdI6U4khKAgAGdQICACXZEUA==
Date: Wed, 7 Nov 2018 03:11:54 +0000
Message-ID: <C5A274B25007804B800CB5B289727E3583D11BB5@ORSMSX116.amr.corp.intel.com>
References: <CADajj4Y82CwZSNC0pEYimpx4MGfDTfMD_LCzX5-Vnr1foe3vJA@mail.gmail.com> <C5A274B25007804B800CB5B289727E3583D0AC78@ORSMSX116.amr.corp.intel.com> <5bd9f599.1c69fb81.4fed7.d7cd@mx.google.com>
In-Reply-To: <5bd9f599.1c69fb81.4fed7.d7cd@mx.google.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzQzOGZkOWEtMDdjNi00ZDEzLTg3MTgtNTU3YzE1OGEyYTRkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoib2d0T2N0bkJJVFhOU3lTU1VsaFE1Y1J2Q3MyVStiZFdCRGNjZ1RtWTV2VmtUVnNzSEsxOVhudHBtSXpjNGlBcCJ9
x-ctpclassification: CTP_NT
x-originating-ip: [10.22.254.138]
Content-Type: multipart/alternative; boundary="_000_C5A274B25007804B800CB5B289727E3583D11BB5ORSMSX116amrcor_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YFtzpXHUs70gfd6V075cbT67LK0>
Subject: Re: [secdir] Secdir review (early review) of draft-ietf-nvo3-geneve
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 03:12:01 -0000

Hi Magnus,

Here is our proposed text that we believe will satisfy your comment on 3.5.1:

In Section 2.2.1 add new highlighted text in paragraph that began with “Transit devices..”
Options, if present in the packet, MUST be generated and terminated by end points. Transit devices MAY be able to interpret the options, however, as
   non-terminating devices, transit devices do not originate or
   terminate the Geneve packet, hence MUST NOT insert or delete options,
   which is the responsibility of Geneve endpoints.  The participation
   of transit devices in interpreting options is OPTIONAL.


Section 3.5.1 - Remove the highlighted text:
o  Some options may be defined in such a way that the position in the
      option list is significant.  Options or their ordering, MUST NOT
      be changed by transit devices.

Section 3.5.1 - Add highlighted text to the last bullet:
   o  An option SHOULD NOT be dependent upon any other option in the packet,
 i.e., options can be processed independent of one another. Hence an option MUST NOT affect the parsing or interpretation of any other option.

Remove the following paragraph from 6.2:
Geneve supports Geneve Options, so an operator may choose to use a
   Geneve option TLV to provide a cryptographic data protection
   mechanism, to verify the data integrity of the Geneve header, Geneve
   options or the entire Geneve packet including the payload.
   Implementation of such a mechanism is beyond the scope of this
   document.

Introduce new section after 6.3 as follows:
6.4  Options Interpretation by Transit Devices

Options, if present in the packet, are generated and terminated by end points. As indicated in 2.2.1, transit devices may interpret the options. However, if the packet is protected by end point to end point encryption, for example through IPsec, transit devices will not have visibility into the Geneve header or options in the packet. In cases where options are interpreted by transit devices, the operator MUST ensure that transit devices are trusted and not compromised. Implementation of a mechanism to ensure this trust is beyond the scope of this document.

Please let us know if this addresses your comment on 3.5.1.  The other two comments have been satisfied as noted below.

Thanks,
Ilango


From: Magnus Nyström [mailto:magnusn@gmail.com]
Sent: Wednesday, October 31, 2018 11:34 AM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>om>; secdir@ietf.org; draft-ietf-nvo3-geneve@ietf.org
Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Ilango,
For 3.4, I think this may be sufficient.

For 6.2, I will defer to the IETF director/telechat discussion that will occur at some point for this draft. If the intent is interoperability and robustness of such an option, then I would recommend it to be specified in the IETF, but I can also see how you would prefer that such specification work occurs outside this particular draft – which should be doable. Perhaps staying silent on the option alternative and just recommend leveraging layer-provided infrastructure such as ipsec may be best for now?

I'll await your suggested updated language for 3.5.1.

Thanks,

Sent from my Windows 10 phone

From: Ganga, Ilango S<mailto:ilango.s.ganga@intel.com>
Sent: Tuesday, October 30, 2018 18:12
To: Magnus Nyström<mailto:magnusn@gmail.com>; secdir@ietf.org<mailto:secdir@ietf.org>; draft-ietf-nvo3-geneve@ietf.org<mailto:draft-ietf-nvo3-geneve@ietf.org>
Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve

Hi Magnus,

Thanks for your review and feedback. Please see inline for my responses.

Regards,
Ilango


From: Magnus Nyström [mailto:magnusn@gmail.com]
Sent: Tuesday, October 23, 2018 9:01 PM
To: secdir@ietf.org<mailto:secdir@ietf.org>; draft-ietf-nvo3-geneve@ietf.org<mailto:draft-ietf-nvo3-geneve@ietf.org>
Subject: Secdir review (early review) of draft-ietf-nvo3-geneve

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes "Geneve," a protocol for GEneric NEtwork Virtualization Encapsulation. The document is written in a clear manner and with a thorough Security Considerations section. I have just a few questions/comments:

- Section 3.4: The "MUST ignore" for the reserved bits should presumably state "SHALL be ignored for this version of the Geneve protocol." - as I imagine that in a future version, these bits may not be ignored?

<Ilango> In theory, a future version may change the behavior of any of the header fields including the reserved bits.  The header definition is for this version of the protocol.

Please see if the following text would satisfy the intent of your comment.
“Reserved field which MUST be zero on transmission and MUST be ignored on receipt.”

Or let us know if you still want to have this qualified with “for this version of the protocol”
</>

- Section 3.5.1: I wonder about the simultaneous requirement that one option must not affect the parsing or interpretation of another option but that the sequencing (order) of options may be significant - they seem to be contradictory since if the sequencing *is* significant, then some option must be impacted by a previous one's value? From a security perspective, I also wonder if there could be security consequences of re-ordering options (and how to tell if someone did re-order - see below)?

<Ilango> You raise a good point. The intent of this statement is, parsing and interpretation of options should not be dependent on one another. We are discussing among the authors to see how we can include appropriate clarifying statements to address your point. I will update you shortly.
</>

- Section 6.2, shouldn't such an Option be defined to reduce the risk of under-specified or subpar specifications of such integrity mechanisms? Or also from an interop perspective?

<Ilango> Using a Geneve option for the purpose of data integrity is more of an optimization. Otherwise data integrity could be provided by using existing mechanisms like IPsec (as stated in second paragraph of 6.2). We included the last paragraph to show other possibilities. We could remove this paragraph if it may cause any confusion.

We would like to keep the Geneve base specification independent of options specifications, options could be a defined in a future standards action.
</>


Thanks.
-- Magnus