On Thu, Feb 9, 2017 at 9:03 AM, Sam Aldrin <[email protected]> wrote:
> Hello NVo3 WG,
>
> NVo3 Design Team for encap has put in quite a bit of effort to meet, discuss
> and hash out various requirements and issues and come up with a draft on
> the proposed encap. Thanks to all who have participated and made it possible.
>
> This document can be found at
> URL:
> https://www.ietf.org/internet-drafts/draft-dt-nvo3-encap-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-dt-nvo3-encap/
> Htmlized:       https://tools.ietf.org/html/draft-dt-nvo3-encap-00
>
> Kindly go through the document, review it thoroughly and provide your
> comments.
> This will enable the DT to close any issues or pending gaps.
>
The Security Considerations section needs content. First and foremost,
in a multi-tenant data center ensuring strict isolation between
different tenants' traffic seems fundamental, and the mechanisms for
doing that should be explicit in the description of an encapsulation.
Bear in mind that when we use UDP for encapsulation there is typically
nothing in a host to prevent an unprivileged application from spoofing
well-formed nvo3 packets and sending them to arbitrary destinations
(this is harder to do with other protocols such as TCP or GRE). A
24-bit VNI is not sufficient to provide any guarantee of virtual
network isolation.

Tom

> cheers
> Sam & Matthew
>
> _______________________________________________
> nvo3 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nvo3
>

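As an added illustration of the isolation point in Tom's reply (this is not code from the thread or the design team's draft): a receiving NVE that treats the VNI as the only tenant check will admit any well-formed packet carrying a valid VNI, so the decapsulation path needs to bind each VNI to the set of remote NVEs allowed to source it. The draft's own header format is not given in the message, so the example assumes the 8-byte VXLAN header (RFC 7348) as a stand-in, and the peer table and addresses are constructed sample data.

```python
import struct
from ipaddress import ip_address

# Constructed policy: remote NVEs (outer source IPs) permitted to originate
# traffic for each VNI. Any other (source, VNI) pair is dropped.
NVE_PEERS_BY_VNI = {
    100: {ip_address("10.0.0.11"), ip_address("10.0.0.12")},  # tenant A
    200: {ip_address("10.0.0.21")},                           # tenant B
}

def build_vxlan_header(vni: int) -> bytes:
    """Constructed sample input: VXLAN header with the I flag set and the
    24-bit VNI in the upper bits of the second word (RFC 7348 layout)."""
    return struct.pack("!B3xI", 0x08, vni << 8)

def parse_vxlan_header(payload: bytes) -> tuple[int, bytes]:
    """Parse the 8-byte VXLAN header from a UDP payload.
    Returns (vni, inner_frame); raises ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated header")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & 0x08:
        raise ValueError("VNI flag (I) not set")
    return vni_field >> 8, payload[8:]   # low 8 bits of the word are reserved

def admit(outer_src: str, payload: bytes) -> tuple[bool, str]:
    """Decapsulation-side admission check. A well-formed header with a
    known VNI is not enough: the outer source must be a configured NVE peer
    for that VNI, otherwise the VNI is acting as an authenticator it is not."""
    try:
        vni, _inner = parse_vxlan_header(payload)
    except ValueError as e:
        return False, f"drop: malformed ({e})"
    peers = NVE_PEERS_BY_VNI.get(vni)
    if peers is None:
        return False, f"drop: unknown VNI {vni}"
    if ip_address(outer_src) not in peers:
        return False, f"drop: VNI {vni} from non-peer {outer_src}"
    return True, f"accept: VNI {vni} from {outer_src}"

if __name__ == "__main__":
    frame = build_vxlan_header(100) + b"\x00" * 14   # valid tenant A header
    print(admit("10.0.0.11", frame))                 # configured peer
    print(admit("192.0.2.5", frame))                 # same VNI, unknown source
    print(admit("10.0.0.11", build_vxlan_header(200)))  # A's peer, B's VNI
```

The source binding is only as strong as source address validation in the underlay (BCP 38 style filtering at the NVE or ToR); where that cannot be assumed, an authenticated encapsulation (for example IPsec or DTLS between NVEs) is what actually provides the isolation guarantee.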