On 7/11/12 8:51 AM, Larry Kreeger (kreeger) wrote:
For example, I assume that the switches/routers providing the underlying network are owned/secured/administrated by the trusted data center administrators who also control what ports on those devices connect to their own trusted devices vs tenant devices which would be considered to not be trusted.
I think that's a critical distinction when thinking about how to secure this mechanism.
Based on that, I suppose you could extrapolate to say that the outer headers sent across the underlying network are trusted since the data center administrator can control what devices connect to the underlying network.

This is pretty far outside my comfort zone but it seems to be a common assumption in actual deployments, so let me ask this: Do you want to put that particular constraint (that it always be deployed in "trusted" environments) on the protocol? My feeling is that since the concepts of a "trusted data center network" and a "trusted data center administrator" are, in general (there are exceptions), pretty bogus, that's an unrealistic constraint, and because it can be anticipated that there will be some number of deployments that ignore that constraint anyway, nvo3 needs to be somewhat more responsible about security than "it's all on a trusted network, anyway" would suggest.

Melinda

_______________________________________________
nvo3 mailing list
https://www.ietf.org/mailman/listinfo/nvo3
