Keying for network resources is highly complicated and will likely have little adoption. While I see the reasons why we would be interested in providing a useful framework to accomplish the said task, remember how far we got with secure origin BGP and related protocols.

We could do it, but today's trust boundaries typically live on the NVE/PE/ToR/etc., and are not truly multi-org, but rather multiple projects that can be authorized at the application level.

Truman

On Thu, Aug 22, 2013 at 10:56 PM, Melinda Shore <[email protected]> wrote:
> On 8/22/13 6:05 PM, Zhangdacheng (Dacheng) wrote:
> > Hi, thanks a lot for the comments. I agree that it is reasonable to
> > allow the VNs of the same tenant to share a group key in order to
> > secure their communication. I will add this into the new version of
> > the draft.
>
> I'm generally a fan of group keying but I think it's important to
> understand that it's not just a plug-and-play replacement for
> pairwise keying, and that in particular you'll need to pay more
> attention to authorization issues, as well as give some thought
> to the implications of sharing certain pieces of data among all
> members of a group.
>
> It may or may not be the right technology to solve a given problem,
> and any text proposing the use of group keys should be tightly scoped
> and constrained. I'm somewhat concerned that there's an "ooh, shiny!"
> thing going on here.
>
> Melinda
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
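The point Melinda raises (a group key is not a drop-in replacement for pairwise keys, and authorization and data exposure change) can be made concrete with a small model. The following is an added illustration, not code from the thread or from any nvo3 draft: it models one tenant's VNs as named members, protects packets with HMAC-SHA256 under either a single tenant-wide key or one key per VN pair, and asks two questions a receiver cares about: which members could have produced a packet whose MAC verifies, and which members can read traffic between a given pair. The member names, the "route-update" payload and the MAC construction are constructed assumptions.

```python
"""Group key vs pairwise keys: what a verified MAC actually tells the receiver.

Constructed illustration for the nvo3 thread; not from any draft. Members are
the VNs of one tenant, modelled as plain names; keys are random HMAC keys.
"""
import hashlib
import hmac
import itertools
import secrets


def mac(key: bytes, claimed_sender: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over (claimed sender label, payload), binding the label to
    the packet the way a data-plane integrity check would (assumed format)."""
    return hmac.new(key, claimed_sender.encode() + b"\x00" + payload,
                    hashlib.sha256).digest()


class GroupKeyed:
    """All VNs of one tenant share a single key (the scheme discussed above)."""

    def __init__(self, members):
        self.members = frozenset(members)
        self.key = secrets.token_bytes(32)

    def build(self, actual_sender, claimed_sender, payload):
        # Every member holds the same key, so the sender label is only a claim;
        # the MAC does not tie the packet to whoever actually built it.
        assert actual_sender in self.members
        return (claimed_sender, payload, mac(self.key, claimed_sender, payload))

    def verify(self, receiver, packet):
        claimed, payload, tag = packet
        return hmac.compare_digest(tag, mac(self.key, claimed, payload))

    def possible_authors(self, receiver, packet):
        """Members that could have produced a packet that verifies at receiver."""
        return set(self.members) if self.verify(receiver, packet) else set()

    def readers(self, sender, receiver):
        """Members able to read traffic between sender and receiver."""
        return set(self.members)


class PairwiseKeyed:
    """One key per unordered pair of members."""

    def __init__(self, members):
        self.members = frozenset(members)
        self.keys = {frozenset(p): secrets.token_bytes(32)
                     for p in itertools.combinations(sorted(self.members), 2)}

    def build(self, actual_sender, claimed_sender, receiver, payload):
        # A member can only use keys it actually holds: the one it shares
        # with the receiver. A mismatched label simply fails to verify.
        key = self.keys[frozenset((actual_sender, receiver))]
        return (claimed_sender, payload, mac(key, claimed_sender, payload))

    def verify(self, receiver, packet):
        claimed, payload, tag = packet
        key = self.keys.get(frozenset((claimed, receiver)))
        if key is None:
            return False
        return hmac.compare_digest(tag, mac(key, claimed, payload))

    def possible_authors(self, receiver, packet):
        # Only the claimed sender and the receiver hold this key, so a
        # verified packet is attributable to the claimed sender.
        return {packet[0]} if self.verify(receiver, packet) else set()

    def readers(self, sender, receiver):
        return {sender, receiver}


def demo(members=("vn-a", "vn-b", "vn-c")):
    """Compare what vn-b can conclude under the two keying schemes."""
    payload = b"route-update"  # constructed sample payload

    g = GroupKeyed(members)
    honest_g = g.build("vn-a", "vn-a", payload)
    mislabelled_g = g.build("vn-c", "vn-a", payload)  # built by vn-c, labelled vn-a

    pw = PairwiseKeyed(members)
    honest_pw = pw.build("vn-a", "vn-a", "vn-b", payload)
    mislabelled_pw = pw.build("vn-c", "vn-a", "vn-b", payload)

    return {
        "group_authors": g.possible_authors("vn-b", honest_g),
        "group_mislabelled_verifies": g.verify("vn-b", mislabelled_g),
        "group_readers": g.readers("vn-a", "vn-b"),
        "pairwise_authors": pw.possible_authors("vn-b", honest_pw),
        "pairwise_mislabelled_verifies": pw.verify("vn-b", mislabelled_pw),
        "pairwise_readers": pw.readers("vn-a", "vn-b"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the group key a verified MAC only proves "some member of the tenant sent this", and a packet labelled by one member with another member's name verifies just the same; under pairwise keys the same packet fails. That is exactly why authorization decisions in a group-keyed design cannot be hung on the sender label inside the packet, and why the set of parties able to read any given flow grows to the whole group.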
