Hi, Zu:

Thank you for the question and your previous comments on this work.

The attacks performed on both the control plane and the data plane should be
considered.
 
For instance, a malicious VM may try to compromise an attacker to perform
attacks. The requirement related to key management is used to confine
this type of attack.
 
A malicious VM may also try to trigger an NVE to send a large amount of control
data by repeatedly requesting the addresses of non-existent hosts. The requirement
dealing with DoS attacks can be used to deal with this type of attack.
 
In addition, we also consider the possible attacks from compromised network
appliances which are located between NVEs and hypervisors. That is why we
think packet-level protection for the NVE-hypervisor data/control planes is
important.

If there is anything missed, please feel free to let us know.

Cheers

Dacheng
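The second attack in the message above (a tenant system that keeps asking its NVE to resolve addresses that do not exist, so that every request turns into control-plane traffic toward the NVA) is the kind of thing the DoS requirement is meant to cover. The following is an added example, not code from the draft or from either author, of how an NVE-side guard can cap that amplification: each tenant system gets its own sliding-window budget of NVA queries, and addresses the NVA has already reported as unknown are negatively cached so that repeats are answered locally. The class name, the thresholds, the `nva_lookup` callable and the sample traffic are all assumptions made for illustration.

```python
"""Added example (not from the NVO3 draft or the mailing-list thread):
an NVE-side guard that limits how many address-resolution queries one
tenant system (TS) can trigger toward the NVA, and negatively caches
addresses the NVA does not know, so a flood of lookups for non-existent
hosts cannot be turned into an NVA-facing control-plane flood.
Names, thresholds and the sample traffic below are assumptions."""
import time
from collections import deque


class ResolutionGuard:
    def __init__(self, nva_lookup, max_queries=5, window=1.0,
                 negative_ttl=30.0, clock=time.monotonic):
        # nva_lookup: callable(address) -> remote NVE id, or None if unknown
        self._nva_lookup = nva_lookup
        self._max = max_queries          # NVA queries allowed per TS per window
        self._window = window            # sliding window length in seconds
        self._neg_ttl = negative_ttl     # how long "unknown" answers are remembered
        self._clock = clock
        self._recent = {}                # ts_id -> deque of NVA query timestamps
        self._negative = {}              # address -> expiry time of negative entry
        self.stats = {"nva_queries": 0, "rate_limited": 0, "neg_cache_hits": 0}

    def resolve(self, ts_id, address):
        """Resolve `address` on behalf of `ts_id`; None means 'not resolvable'."""
        now = self._clock()

        # 1. Negative cache: a repeated lookup of a known-bad address never
        #    reaches the NVA and does not consume the TS's query budget.
        expiry = self._negative.get(address)
        if expiry is not None and expiry > now:
            self.stats["neg_cache_hits"] += 1
            return None

        # 2. Per-TS sliding window: drop timestamps that fell out of the window,
        #    then refuse if the TS has already used its budget.
        q = self._recent.setdefault(ts_id, deque())
        while q and now - q[0] > self._window:
            q.popleft()
        if len(q) >= self._max:
            self.stats["rate_limited"] += 1
            return None
        q.append(now)

        # 3. Only now spend control-plane traffic on the NVA.
        self.stats["nva_queries"] += 1
        result = self._nva_lookup(address)
        if result is None:
            self._negative[address] = now + self._neg_ttl
        return result


def simulate_flood():
    """Constructed scenario: one TS floods lookups for bogus addresses while
    another TS makes a legitimate request in the same second."""
    known = {"10.0.0.5": "nve-b"}          # constructed NVA mapping table
    clock = [0.0]                          # fake clock so the run is deterministic
    guard = ResolutionGuard(known.get, max_queries=5, window=1.0,
                            negative_ttl=30.0, clock=lambda: clock[0])
    out = {}
    out["legit"] = guard.resolve("vm-1", "10.0.0.5")          # reaches NVA: "nve-b"

    bogus = ["10.9.9.%d" % i for i in range(20)]               # 20 non-existent hosts
    out["flood"] = [guard.resolve("vm-1", a) for a in bogus]   # 4 hit NVA, 16 dropped

    out["other_ts"] = guard.resolve("vm-2", "10.0.0.5")        # vm-2 has its own budget

    out["repeat"] = [guard.resolve("vm-1", a) for a in bogus[:4]]  # negative-cache hits

    clock[0] += 2.0                                             # window expires
    out["after_window"] = guard.resolve("vm-1", "10.0.0.5")    # budget is back
    out["stats"] = dict(guard.stats)
    return out


if __name__ == "__main__":
    print(simulate_flood()["stats"])
```

The ordering matters: the negative cache is consulted before the rate limiter so that repeats of an already-known-bad address cost the tenant nothing and cost the NVA nothing; the budget is charged only for lookups that actually leave the NVE. A real NVE would also keep its normal positive cache, and would log or alarm on a TS that repeatedly hits the limit, since that is the detection signal for this attack.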
________________________________________
From: Zu Qiang [[email protected]]
Sent: March 3, 2014 22:11
To: Zhangdacheng (Dacheng); [email protected]
Subject: RE: [nvo3] I-D Action: draft-ietf-nvo3-security-requirements-02.txt

The question I have given in the WG discussion is that you have added a new
threat model, "Attacks from malicious TSes". Do you mean this attack is
initiated by a TS, and the TS will attack the NVO3 directly using the data plane?
Or do you mean the TS will try to crash the hypervisor and then attack the
attached NVE using the hypervisor-NVE control plane? Please clarify it.

Have a nice day
Zu Qiang

>-----Original Message-----
>From: nvo3 [mailto:[email protected]] On Behalf Of Zhangdacheng
>(Dacheng)
>Sent: Friday, January 24, 2014 4:40 AM
>To: [email protected]
>Subject: Re: [nvo3] I-D Action: draft-ietf-nvo3-security-requirements-02.txt
>
>Hello:
>
>We just finished an update of the security requirements document according
>to the comments we got on the list and at the last meeting.
>In this update, we:
>
>1) update the diagram of the NVO3 overlay architecture
>2) propose a new classification of attacks
>3) re-write the contents related to key management
>4) add the discussion of the NVA-NVA control plane
>5) re-write the scope of this work
>6) change the confidentiality requirements to optional
>
>In addition, we list some security issues (e.g., accountability, security
>protection of the management interface) in section 8.2 for discussion. We need
>your suggestions before adding anything in that list into the document as
>requirements.
>
>So, please let us know if you have any comments or suggestions. ^_^
>
>Cheers.
>
>Dacheng
>
>
>> -----Original Message-----
>> From: nvo3 [mailto:[email protected]] On Behalf Of
>> [email protected]
>> Sent: Friday, January 24, 2014 5:20 PM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: [nvo3] I-D Action:
>> draft-ietf-nvo3-security-requirements-02.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Network Virtualization Overlays
>> Working Group of the IETF.
>>
>>         Title           : Security Requirements of NVO3
>>         Authors         : Sam Hartman
>>                           Dacheng Zhang
>>                           Margaret Wasserman
>>         Filename        : draft-ietf-nvo3-security-requirements-02.txt
>>         Pages           : 18
>>         Date            : 2014-01-24
>>
>> Abstract:
>>    The draft describes a list of essential requirements in order to
>>    benefit the design of NVO3 security solutions.  In addition, this
>>    draft introduces the candidate techniques which could be used to
>>    construct a security solution fulfilling these security requirements.
>>
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nvo3-security-requirements/
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-02
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-nvo3-security-requirements-02
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at 
>> tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> nvo3 mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/nvo3