I think it is also important to keep the UDP header unencrypted since the source port is the entropy.

Regards,
Stephen.

On Wed, Jun 3, 2015 at 5:15 AM, Liuyuanjiao <[email protected]> wrote:
> Dear Zhang Dacheng:
>
> Now, in the middle network, we need to monitor the traffic based on the VNI. But if we use IPsec, we could not see the VNI anymore. So the users could not monitor the traffic by VNI; they can only monitor the overall VXLAN tunnel traffic.
>
> Another scenario is: we want to adjust the users' traffic based on VNI into different underlay paths. But if the VNI cannot be seen, we could not do it, because in one VXLAN tunnel we may have several VNIs.
>
> Best Regards
>
> Liu Yuanjiao
>
> *From:* Dacheng Zhang [mailto:[email protected]]
> *Sent:* June 3, 2015 9:57
> *To:* Michael Shieh; David Mozes
> *Cc:* Xuxiaohu; [email protected]; Liuyuanjiao
> *Subject:* Re: [nvo3] VxLAN Security Consideration
>
> I think both IPsec and DTLS would work.
>
> The middle network is not controlled by the customer or the service provider; it is provided by a third company, so the environment is not trusted. We need to encrypt the VxLAN packets or the VxLAN payload for our user data.
>
> Currently there is no such specific method; I think we need to provide one way to resolve it.
>
> A question for Yuanjiao: are there any cases in which we need to encrypt only the VXLAN payloads while transporting the headers in plain text? If so, the condition could be a little more complex.
>
> Cheers
>
> Dacheng
>
> Best Regards
>
> Liu Yuanjiao
>
> _______________________________________________
> nvo3 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nvo3
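The visibility trade-off the thread is arguing about, as an added example that is not part of the mailing-list discussion: it builds a VXLAN-in-UDP datagram per RFC 7348 (VNI in the 8-byte VXLAN header, UDP source port derived from a hash of the inner headers for ECMP entropy) and shows which of those fields an underlay device can still read when only the inner frame is encrypted versus when the whole UDP datagram is hidden inside ESP. The inner frame, the `middlebox_view` helper and the use of CRC32 as a stand-in for the hash are constructed assumptions, not anything from the thread.

```python
import struct
import zlib

VXLAN_PORT = 4789        # IANA-assigned VXLAN UDP destination port (RFC 7348)
VXLAN_FLAG_I = 0x08      # "I" flag: the VNI field is valid

# Constructed sample inner frame: Ethernet (14 B) + IPv4 (20 B) + payload.
SAMPLE_INNER_FRAME = (b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
                      + b"\x45\x00\x00\x2e" + b"\x00" * 4 + b"\x40\x11\x00\x00"
                      + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
                      + b"constructed-payload")

def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def parse_vxlan_header(hdr):
    flags, vni_field = struct.unpack("!B3xI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8

def entropy_source_port(inner_frame):
    """RFC 7348 s.5: source port is a hash of the inner headers in the
    dynamic range 49152-65535. CRC32 stands in for the real hash (assumption)."""
    h = zlib.crc32(inner_frame[:34])  # inner Ethernet + IPv4 header
    return 49152 + (h % (65535 - 49152 + 1))

def encapsulate(inner_frame, vni):
    """Return UDP header + VXLAN header + inner frame (outer IP omitted)."""
    vx = vxlan_header(vni) + inner_frame
    # UDP checksum left zero, which RFC 7348 permits over IPv4.
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_PORT,
                      8 + len(vx), 0)
    return udp + vx

def middlebox_view(datagram, scope):
    """What an underlay device can read under each encryption scope:
    'payload' hides only the inner frame; 'esp' hides the entire UDP datagram."""
    if scope == "esp":
        return {"src_port": None, "vni": None}   # only the outer IP header remains
    src_port = struct.unpack("!H", datagram[:2])[0]
    return {"src_port": src_port, "vni": parse_vxlan_header(datagram[8:16])}
```

With the headers left in clear (`scope="payload"`) the underlay still sees the VNI for per-tenant monitoring and the hashed source port for ECMP; wrapping the whole datagram in ESP removes both, which is exactly the loss the thread describes.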
