Ok, I think you are right. The description in the security draft is not clear and may cause confusions. I will re-write this part according to your comments.
Thanks a lot for your advice.

Dacheng

> -----Original Message-----
> From: Pat Thaler [mailto:[email protected]]
> Sent: Friday, September 13, 2013 9:55 AM
> To: David Meyer
> Cc: Zu Qiang; Zhangdacheng (Dacheng); [email protected]
> Subject: RE: [nvo3] draft-hartman-nvo3-security-requirements
>
> A comment on the security draft that came up during discussion of
> draft-kreeger-nvo3-hypervisor-nve-cp-01. Resending with this subject so those
> interested in the security draft don't miss it.
>
> In 5.1, the signaling to the NVE to help it follow VM state and migration
> shouldn't be from the TS. It should be from the hypervisor. The key therefore
> should be a hypervisor key, not a tenant or TS key. See an excerpt from the
> other email below.
>
> <snip>
> LK> Our goal is to make the implementation of the VN completely hidden from
> the TS (VM). There should be no requirement to modify the TS to participate
> in address advertisement. There is also an issue of trust, we should try to
> avoid trusting a TS to advertise its address.
>
> <PAT> Larry, I agree, but the NVO3 Security draft which has the following in
> 5.1 isn't consistent with this:
> "Apart from data traffics, the NVE and the TSes also
> need to exchange signaling messages in order to facilitate, e.g., VM
> online detection, VM migration detection, or auto-provisioning/
> service discovery [I-D.ietf-nvo3-framework]."
> The messages for these purposes should be between the NVE and the
> hypervisor, not the NVE and the TS.
>
> LK> I agree with you, Pat (and disagree with this statement in the security
> draft). We should avoid trusting Tenant Systems. Furthermore, I don't see
> how a TS implemented as a VM would have any idea whether it was being
> migrated. Maybe this is just a terminology issue because it seems like the
> signaling mentioned would be performed by a hypervisor, not a VM.
> _______________________________________________
> nvo3 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nvo3
