See draft-farinacci-lisp-crypto-01.txt. It addresses many of these concerns.
Dino

> On Jun 3, 2015, at 7:55 AM, Dacheng Zhang <[email protected]> wrote:
>
> Ok, if there are really such requirements, maybe it is a good idea for us to
> design a security mechanism for vxlan, which can protect the integrity of the
> vxlan headers while encrypting the payloads.
>
> Open for discussion… ^_^
>
> Cheers
>
> Dacheng
>
>
> From: Liuyuanjiao <[email protected]>
> Date: Wednesday, June 3, 2015, 5:15 PM
> To: dacheng de <[email protected]>, Michael Shieh <[email protected]>, David Mozes <[email protected]>
> Cc: Xuxiaohu <[email protected]>, "[email protected]" <[email protected]>
> Subject: [nvo3] Re: VxLAN Security Consideration
>
> Dear Zhang Dacheng:
>
> Now, in the middle network, we need to monitor the traffic based on
> the VNI. But if we use IPSec, we could not see the VNI anymore.
> So the users could not monitor the traffic by VNI; they can only
> monitor the vxlan tunnel's overall traffic.
>
> Another scenario is: we want to adjust the users' traffic based on
> VNI into different underlay paths. But if the VNI cannot be seen, we could not do it,
> because in one vxlan tunnel we may have several VNIs.
>
>
> Best Regards
> Liu Yuanjiao
>
>
>
> From: Dacheng Zhang [mailto:[email protected]]
> Sent: June 3, 2015 9:57
> To: Michael Shieh; David Mozes
> Cc: Xuxiaohu; [email protected]; Liuyuanjiao
> Subject: Re: [nvo3] VxLAN Security Consideration
>
> I think both ipsec and dtls would work.
>
> The middle network is not controlled by the customer and the service
> provider; it's provided by a 3rd company, so the environment is not trusted. We
> need to encrypt the VxLAN packets or VxLAN payload for our user data.
> Currently, there is no such specific method; I think we need to provide one way to
> resolve it.
> A question for Yuanjiao: are there any cases in which we need to only encrypt
> the vxlan payloads while transporting the headers in plain text? If so, the
> condition could be a little more complex.
>
> Cheers
>
> Dacheng
>
>> Best Regards
>> Liu Yuanjiao
>>

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
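The mechanism Dacheng proposes in the quoted thread (encrypt the VXLAN payload while keeping the VXLAN header, and thus the VNI, readable by middleboxes and integrity-protected) maps directly onto an AEAD construction: the cleartext header is passed as associated data, so a monitoring or path-steering device can still read the VNI, but any change to it fails authentication at the receiving VTEP. The following Go program is an added illustration written for this page; it is not code from the thread, from draft-farinacci-lisp-crypto, or from any nvo3 draft. The key, the sequence-number nonce scheme, and the function names (`Seal`, `Open`, `buildHeader`, `vniFromHeader`, `nonceFromSeq`) are assumptions made for the example; a real design would also need key management and replay protection, which are out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const vxlanHeaderLen = 8

// buildHeader assembles a cleartext VXLAN header in the RFC 7348 layout:
// flags byte with the I bit set, 3 reserved bytes, 24-bit VNI, 1 reserved byte.
func buildHeader(vni uint32) []byte {
	h := make([]byte, vxlanHeaderLen)
	h[0] = 0x08
	h[4] = byte(vni >> 16)
	h[5] = byte(vni >> 8)
	h[6] = byte(vni)
	return h
}

// vniFromHeader is what a monitoring or traffic-steering middlebox reads:
// the VNI stays in the clear, so per-VNI visibility is preserved.
func vniFromHeader(h []byte) uint32 {
	return uint32(h[4])<<16 | uint32(h[5])<<8 | uint32(h[6])
}

// nonceFromSeq builds a 96-bit GCM nonce from a per-packet sequence number.
// Assumption for this example: the sender never reuses a sequence number under
// the same key (nonce reuse breaks both confidentiality and integrity of GCM).
func nonceFromSeq(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the inner frame and authenticates the cleartext header
// together with it (the header is the associated data, not part of the
// ciphertext). Output layout: header || ciphertext || GCM tag.
func Seal(key, nonce []byte, vni uint32, innerFrame []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := buildHeader(vni & 0xFFFFFF)
	ct := aead.Seal(nil, nonce, innerFrame, hdr)
	return append(hdr, ct...), nil
}

// Open verifies the tag over header + ciphertext; a modified VNI or payload
// fails authentication and no plaintext is released.
func Open(key, nonce, pkt []byte) (uint32, []byte, error) {
	if len(pkt) < vxlanHeaderLen {
		return 0, nil, errors.New("packet shorter than VXLAN header")
	}
	aead, err := newGCM(key)
	if err != nil {
		return 0, nil, err
	}
	hdr, ct := pkt[:vxlanHeaderLen], pkt[vxlanHeaderLen:]
	inner, err := aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, nil, err
	}
	return vniFromHeader(hdr), inner, nil
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed sample key (32 bytes, AES-256)
	inner := []byte("constructed inner Ethernet frame")  // constructed sample payload
	pkt, err := Seal(key, nonceFromSeq(1), 0x0000AB, inner)
	if err != nil {
		panic(err)
	}
	fmt.Printf("middlebox reads VNI %#x from the cleartext header\n", vniFromHeader(pkt[:vxlanHeaderLen]))

	// A packet whose cleartext VNI was altered in transit is rejected by the
	// receiving VTEP, because the header is covered by the GCM tag.
	tampered := append([]byte(nil), pkt...)
	tampered[6] ^= 0x01
	if _, _, err := Open(key, nonceFromSeq(1), tampered); err != nil {
		fmt.Println("altered VNI rejected:", err)
	}
}
```

The point for the monitoring scenario in the thread is the split of the packet into two parts: the header is authenticated but not encrypted, so the VNI remains usable for per-tenant accounting and underlay path selection, while the inner frame is both encrypted and authenticated. Compare this with tunnel-mode IPsec, which encrypts the whole VXLAN packet and so hides the VNI from the middle network.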
