David,

> > > 2) If NVE and TES are not in the same physical device, but TES to
> > > NVE using L3 protocols only, there is still no need for VDP or
> > > VDP-alike protocol.
> >
> > More to the point, in a DC, when will an NVE and TES be separated by a
> > physical network link that is *only* running L3? Even if L3 is being
> > used, it will surely also be running over L2, which I assume (in a DC
> > environment) will be ethernet. Or is this assumption wrong?
>
> It's a good assumption - the next two questions are:
> - How many Ethernet links are traversed?
> - Is there any IP forwarding involved?
> If the answers to the questions are "1" and "no" respectively, a single
> Ethernet link is involved, and L2 access control looks like a reasonable
> approach for an L2 protocol such as VDP.
Actually, this is precisely what we want to avoid: being tied to a link layer.

> If either question has a different answer, an L2 protocol like VDP gets
> more interesting, as pointed out in a thread between Dimitri and me
> yesterday.
> In particular:
> - If multiple Ethernet links are involved, VDP has to somehow
>   be plumbed through the L2 bridges that connect the links.
> - If there's an IP forwarding node between the End Device and
>   the NVE, VDP needs to be relayed through that node (this
>   has some analogies to the function of a DHCP relay).
> Both of these result in a larger L2 scope for VDP and hence more things
> that have to be checked to ensure that the access control is correct.
>
> An IP-based protocol avoids these L2 complications,

Yes.

> but it also cannot rely
> on L2 topology for access control purposes.

This is exactly what we want to avoid in a layer 3 solution.

Maria

> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Thomas Narten
> > Sent: Wednesday, July 11, 2012 1:43 PM
> > To: Luyuan Fang (lufang)
> > Cc: Paul Unbehagen; [email protected]; Larry Kreeger (kreeger); Lucy yong; NAPIERALA, MARIA H
> > Subject: Re: [nvo3] TES-NVE attach/detach protocol security (mobility-issues draft)
> >
> > Hi Luyuan.
> >
> > > Thanks for the discussion, and sharing the insight...
> >
> > > I'd like to get us on the same page on when VDP is needed and when
> > > it is not, please help if the following points are not correct?
> >
> > Let me try, based on my understanding of things...
> >
> > > 1) If NVE and TES are in the same physical device - there is no
> > > external wire between them, then no VDP or VDP-like protocol is
> > > needed, regardless of whether L2 or L3 is used.
> >
> > Agreed. This can all be done internal to the device.
> >
> > > 2) If NVE and TES are not in the same physical device, but TES to
> > > NVE using L3 protocols only, there is still no need for VDP or
> > > VDP-alike protocol.
> >
> > Not sure I agree with this.
> >
> > More to the point, in a DC, when will an NVE and TES be separated by a
> > physical network link that is *only* running L3? Even if L3 is being
> > used, it will surely also be running over L2, which I assume (in a DC
> > environment) will be ethernet. Or is this assumption wrong?
> >
> > Thus, VDP can also be used here. Or at least, I'd like to understand
> > why it wouldn't be appropriate and why a different (and new) L3
> > protocol is needed.
> >
> > To be clear, I'm not wedded to using VDP (or any specific
> > protocol). We need to figure out requirements and then do a gap
> > analysis, so it's premature to be trying to pick solutions here.
> >
> > But, my assumption is:
> >
> > 1) VDP exists and is already being implemented. We do of course need
> > to have the conversation about whether it's implemented widely enough,
> > etc.
> >
> > 2) Assuming VDP already exists, and we can add the needed NVO3
> > functionality to it (i.e., by defining the needed TLVs), isn't that
> > preferred over inventing a new protocol, no matter how "simple" that
> > new protocol would be?
> >
> > > 3) If NVE and TES are not in the same physical device, TES to NVE
> > > using L2, then VDP or VDP-like protocol plays an important role for
> > > discovery and more.
> >
> > Same arguments as above.
> >
> > Thomas
> >
> > _______________________________________________
> > nvo3 mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/nvo3
