Hi Stephen,

Thank you for the review and comments. Please see inline below.

-----Original Message-----
From: Stephen Farrell [mailto:[email protected]] 
Sent: Wednesday, January 18, 2017 4:39 PM
To: The IESG
Cc: [email protected]; Matthew Bocci; [email protected]; 
[email protected]; [email protected]
Subject: Stephen Farrell's No Objection on draft-ietf-nvo3-use-case-15: (with 
COMMENT)

Stephen Farrell has entered the following ballot position for
draft-ietf-nvo3-use-case-15: No Objection

When responding, please keep the subject line intact and reply to all email 
addresses included in the To and CC lines. (Feel free to cut this introductory 
paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-nvo3-use-case/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


The security considerations text is pretty trite and not very useful. The 
secdir review [1] makes some good points that ought be reflected in the draft. 
An author seems to agree so that's probably fine. 

In addition as a use-cases draft, the use-case of hiring a VM in order to 
attack other VMs in the DC ought be at least mentioned, and there has been 
substantial work on such attacks, e.g., [2] is a new instance of such and [3] 
has links to many published papers.
[Lucy] Agree that the section should mention these threat attack cases. Thank 
you for providing the reference.

Presumably NVO3 intends to at least consider such attacks and that probably 
warrants a mention here or else we risk building new networks that are highly 
vulnerable to other VMs in the DC. (Whether or not such consideration leads to 
changes in NVO3 protocols is an open question for me, but I do hope that the WG consider 
the issues and that the IESG check that that has happened at the relevant time.)
[Lucy] comments are valid, perhaps the draft can mention some in terms of 
requirements. The nvo3 protocol is outside the scope of the doc.

[1] https://www.ietf.org/mail-archive/web/secdir/current/msg07055.html
[2]
https://media.ccc.de/v/33c3-8044-what_could_possibly_go_wrong_with_insert_x86_instruction_here
[3]
https://scholar.google.com/scholar?as_ylo=2013&q=virtual+machine+cache+side+covert+channel+&hl=en&as_sdt=0,5

Thanks,
Lucy

