Hi Pat,

Thanks for pointing this out.  See below.

 - Larry


From: Pat Thaler <[email protected]>
Date: Thursday, September 12, 2013 5:52 PM
To: Larry Kreeger <[email protected]>, Zu Qiang <[email protected]>, 
"[email protected]" <[email protected]>, 
Thomas Narten <[email protected]>, David Black <[email protected]>
Subject: RE: Comment on draft-kreeger-nvo3-hypervisor-nve-cp-01
Subject: RE: Comment on draft-kreeger-nvo3-hypervisor-nve-cp-01

See my comment below

From: [email protected] [mailto:[email protected]] On Behalf Of Larry Kreeger (kreeger)
Sent: Friday, August 30, 2013 3:43 PM
To: Zu Qiang; [email protected]; Thomas Narten; Black, David
Subject: Re: [nvo3] Comment on draft-kreeger-nvo3-hypervisor-nve-cp-01

Hi Zu,

See my responses inline.  - Larry

From: Zu Qiang <[email protected]>
Date: Friday, August 30, 2013 12:30 PM
To: "[email protected]" <[email protected]>, Larry Kreeger <[email protected]>, 
Thomas Narten <[email protected]>, David Black <[email protected]>
Subject: Comment on draft-kreeger-nvo3-hypervisor-nve-cp-01

<snip>


  *   4.2: Are the two ways of TS address discovery for MAC address discovery, 
IP address discovery, or both? Do we allow the VM to inform the NVE directly at 
VN address association? Can we cover it in the text as well?

LK> Our goal is to make the implementation of the VN completely hidden from 
the TS (VM).  There should be no requirement to modify the TS to participate in 
address advertisement.  There is also an issue of trust; we should try to avoid 
trusting a TS to advertise its address.

<PAT> Larry, I agree, but the NVO3 Security draft, which has the following in 
5.1, isn't consistent with this:

"Apart from data traffics, the NVE and the TSes also need to exchange signaling 
messages in order to facilitate, e.g., VM online detection, VM migration 
detection, or auto-provisioning/service discovery [I-D.ietf-nvo3-framework]."

The messages for these purposes should be between the NVE and the hypervisor, 
not the NVE and the TS.

<snip>

LK> I agree with you, Pat (and disagree with this statement in the security 
draft).  We should avoid trusting Tenant Systems.  Furthermore, I don't see how 
a TS implemented as a VM would have any idea whether it was being migrated.  
Maybe this is just a terminology issue because it seems like the signaling 
mentioned would be performed by a hypervisor, not a VM.


Have a nice day
Zu Qiang
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
