Hiya, On 15/12/15 01:19, Xuxiaohu wrote: > Hi Stephen, > > It said "...using a strong security mechanism such as IPsec > [RFC4301]". Here IPsec is just mentioned as an example of a strong > security mechanism. Therefore, it doesn't exclude MACsec.
Sure, but... The text that I suggested and that you said seemed good did include MACsec. On 09/12/15 07:47, Xuxiaohu wrote: >> So maybe something more like: >> >> "Inter data-centre traffic often carries highly sensitive information at higher >> layers that is not directly understood >> (parsed) within an egress or ingress PE. For example, migrating a VM will often >> mean moving private keys and other sensitive configuration information. For >> this reason inter data-centre traffic SHOULD always be protected for both >> confidentiality and integrity using a strong security mechanism such as IPsec [1] >> or MACsec [2] In future it may be feasible to protect that traffic within the MPLS >> layer [3] though at the time of writing the mechanism for that is not sufficiently >> mature to recommend. Exactly how such security mechanisms are deployed will >> vary from case to case, so securing the inter data-centre traffic may or may not >> involve deploying security mechanisms on the ingress/egress PEs or further >> "inside" the data centres concerned. Note though that if security is not deployed >> on the egress/ingress PEs there is a substantial risk that some sensitive traffic >> may be sent in clear and therefore be vulnerable to pervasive monitoring [4] or >> other attacks." > > Thanks a lot for your suggested text. If nobody object the > above text, I will add it in the next revision. > And indeed you added it all except for MACsec. And my question is not whether MACsec is excluded but rather why it was omitted, when afaik, it is what is most used for securing this particular kind of inter-DC traffic. (At least I believe that MACsec is what's most used there. If not, I'd be glad to know that.) So, why not include MACsec? Did someone object? If so, why? (And can you send a pointer to the WG list where that objection was raised so I can understand it better.) Thanks, S. > > Best regards, Xiaohu > >> -----Original Message----- From: Stephen Farrell >> [mailto:[email protected]] Sent: Monday, December 14, 2015 >> 9:47 PM To: Alvaro Retana (aretana); Xuxiaohu; The IESG Cc: >> [email protected]; [email protected]; >> [email protected]; [email protected] Subject: Re: >> Stephen Farrell's Discuss on draft-ietf-bess-virtual-subnet-06: >> (with DISCUSS and COMMENT) >> >> >> Hi, >> >> Can someone say why the mention of MACsec wasn't included? As I >> understand it, MACsec is what's mostly usable for inter-DC security >> so omitting it seems like a bad idea (or perhaps I'm misinformed) >> >> Thanks, S. >> >> On 14/12/15 13:34, Alvaro Retana (aretana) wrote: >>> Stephen: >>> >>> Hi! >>> >>> Xiaohu posted an update that we hope addresses your concerns. >>> Pelase take a look. >>> >>> >>> Thanks! >>> >>> Alvaro. >>> >>> _______________________________________________ BESS mailing list [email protected] https://www.ietf.org/mailman/listinfo/bess
