Re: [secdir] Secdir review of draft-ietf-nvo3-arch-06

"Black, David" <> Fri, 12 August 2016 15:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EECF712D59E; Fri, 12 Aug 2016 08:51:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=hK/rIUIs; dkim=pass (1024-bit key) header.b=SoiHpT/j
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N9vxbulmEgUJ; Fri, 12 Aug 2016 08:51:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0849212D176; Fri, 12 Aug 2016 08:51:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=jan2013; t=1471017072; x=1502553072; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=iMyte+q+PzcrRt7Z8OHwRONEpz9GzYEMqWzoo4b17tQ=; b=hK/rIUIsxiApq+wHvsWw9ebwWH/GLR8OWU2GY8DnbEElvUweecX/ms7l abyq7FdnlbTvWoHPqC+9FKuaaFA/vUP82wpm3wtSgsmrvwZQryUXJUyfO 0cv9z064vAlX/GyK10gsJhCCkF6w/4Hn/U3krapKeU5Zp+B37/2dqVmTN M=;
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Aug 2016 10:51:10 -0500
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id u7CFp9Xm005278 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 12 Aug 2016 11:51:09 -0400
X-DKIM: OpenDKIM Filter v2.4.3 u7CFp9Xm005278
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=jan2013; t=1471017069; bh=XKsKJxSnC8K6ntIlRWX04KGjMNA=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=SoiHpT/j2WM8wQZy2MySiChY9rDS3Q/yzy6QWVI/umm27rtEhJTykQteaS4j64sik z61QyfNpkZD5oa8YROv4VA3cxJTERi3LtZpsdMNaSUKzjJd0vsmev92DYtIKym1Owa dt12AZ//ncn4er7VmQXteOxtoy5nj0nyRGQ8RZuY=
X-DKIM: OpenDKIM Filter v2.4.3 u7CFp9Xm005278
Received: from ( []) by (RSA Interceptor); Fri, 12 Aug 2016 11:50:47 -0400
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id u7CFp1TA021501 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Fri, 12 Aug 2016 11:51:02 -0400
Received: from ([fe80::849f:5da2:11b:4385]) by ([]) with mapi id 14.03.0266.001; Fri, 12 Aug 2016 11:51:01 -0400
From: "Black, David" <>
To: Takeshi Takahashi <>, "" <>
Thread-Topic: Secdir review of draft-ietf-nvo3-arch-06
Thread-Index: AdH0qsTgaG4vD7ROT6y/ONbw1H4BGgABFwhQ
Date: Fri, 12 Aug 2016 15:51:00 +0000
Message-ID: <>
References: <225101d1f4ab$be76d9a0$3b648ce0$>
In-Reply-To: <225101d1f4ab$be76d9a0$3b648ce0$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_CE03DB3D7B45C245BCA0D243277949362F63B90FMX307CL04corpem_"
MIME-Version: 1.0
X-RSA-Classifications: public
Archived-At: <>
Cc: "Black, David" <>, "" <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-nvo3-arch-06
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Aug 2016 15:51:14 -0000


Thank you for the review.   I've made changes to address all of your comments in my working copy of this draft that will be posted as the -07 version next week.

The minor comment on information leakage affects both the data plane and control plane and hence I've made changes to address it in two paragraphs in the Security Considerations section.  Here are the revised versions of both paragraphs:

For the data plane, tunneled application traffic may need protection against being misdelivered, modified, or having its content exposed to an inappropriate third party. In all cases, encryption between authenticated tunnel endpoints and enforcing policies that control which endpoints and VNs are permitted to exchange traffic can be used to mitigate risks.


Leakage of sensitive information about users or other entities associated with VMs whose traffic is virtualized can also be covered by using encryption for the control plane protocols and enforcing policies that control which NVO3 components are permitted to exchange control plane traffic.

Thanks, --David

From: Takeshi Takahashi []
Sent: Friday, August 12, 2016 11:11 AM
Subject: Secdir review of draft-ietf-nvo3-arch-06

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other last call comments.

[General summary]
This document is ready.

[Topic of this draft]
This informational document describes a high-level overview architecture for building data center network viatualization overlay (NVO3) networks.
It breaks down the architecture and defines several components needed for realizing the architecture, such as Network Virtualization Edge (NVE) and Network Virtualization Authority (NVA).

[Minor Comment]
In Section 16 "Security Considerations", you could consider addressing the policy enforcement issue you've discussed in Section 5.4.
The sentence starting with "Leakage of sensitive information" could be, for instance, changed from " using encryption" to " using encryption and ensuring policy enforcement".

[Editorial Comment]
In Page 9, there is a sentence "NVAs provide a service, and NVEs access that service via an NVE-to-NVA protocol as discussed in Section 4.3."
This current sentence is fine, but referring Section 8 "NVE-to-NVA Protocol" (instead of Section 4.3 "NVE State") could be better.

In Section 2, definition of "VLAN": "are used in this document denote a C-VLAN", could be "are used in this document to denote a C-VLAN".

I enjoyed reading the draft.

Thank you.