Hi Magnus, Many thanks for your review and feedback. We have posted a new version of the document that addresses all your comments from the SECDIR early review. This version includes all the WG Last Call comments including TSVART and SECDIR early reviews.
https://mailarchive.ietf.org/arch/msg/nvo3/oTY8e6XTRP67Mso7-dKopWNqo4Y Regards, Ilango Ganga Editor, Geneve From: Ganga, Ilango S [mailto:[email protected]] Sent: Wednesday, November 7, 2018 11:30 AM To: Magnus Nyström <[email protected]> Cc: [email protected]; [email protected]; [email protected] Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve Hi Magnus, Thanks for your review and feedback. We have addressed all 3 of your comments. We will be updating the draft to address these and WG LC comments, in the next week or two. Regards, Ilango From: Magnus Nyström [mailto:[email protected]] Sent: Tuesday, November 6, 2018 11:20 PM To: Ganga, Ilango S <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: Re: Secdir review (early review) of draft-ietf-nvo3-geneve Hi Ilango, Thanks for your thorough follow-up. To me, the new text looks very good. You could shorten (and perhaps add clarity) by replacing "Hence an option..." with just "An option ..." <Ilango> Yes, this should be fine. Thanks, /M On Tue, Nov 6, 2018 at 7:11 PM Ganga, Ilango S <[email protected]<mailto:[email protected]>> wrote: Hi Magnus, Here is our proposed text that we believe will satisfy your comment on 3.5.1: In Section 2.2.1 add new highlighted text in paragraph that began with “Transit devices..” Options, if present in the packet, MUST be generated and terminated by end points. Transit devices MAY be able to interpret the options, however, as non-terminating devices, transit devices do not originate or terminate the Geneve packet, hence MUST NOT insert or delete options, which is the responsibility of Geneve endpoints. The participation of transit devices in interpreting options is OPTIONAL. Section 3.5.1 - Remove the highlighted text: o Some options may be defined in such a way that the position in the option list is significant. Options or their ordering, MUST NOT be changed by transit devices. Section 3.5.1 - Add highlighted text to the last bullet: o An option SHOULD NOT be dependent upon any other option in the packet, i.e., options can be processed independent of one another. Hence an option MUST NOT affect the parsing or interpretation of any other option. Remove the following paragraph from 6.2: Geneve supports Geneve Options, so an operator may choose to use a Geneve option TLV to provide a cryptographic data protection mechanism, to verify the data integrity of the Geneve header, Geneve options or the entire Geneve packet including the payload. Implementation of such a mechanism is beyond the scope of this document. Introduce new section after 6.3 as follows: 6.4 Options Interpretation by Transit Devices Options, if present in the packet, are generated and terminated by end points. As indicated in 2.2.1, transit devices may interpret the options. However, if the packet is protected by end point to end point encryption, for example through IPsec, transit devices will not have visibility into the Geneve header or options in the packet. In cases where options are interpreted by transit devices, the operator MUST ensure that transit devices are trusted and not compromised. Implementation of a mechanism to ensure this trust is beyond the scope of this document. Please let us know if this addresses your comment on 3.5.1. The other two comments have been satisfied as noted below. Thanks, Ilango From: Magnus Nyström [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, October 31, 2018 11:34 AM To: Ganga, Ilango S <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve Hi Ilango, For 3.4, I think this may be sufficient. For 6.2, I will defer to the IETF director/telechat discussion that will occur at some point for this draft. If the intent is interoperability and robustness of such an option, then I would recommend it to be specified in the IETF, but I can also see how you would prefer that such specification work occurs outside this particular draft – which should be doable. Perhaps staying silent on the option alternative and just recommend leveraging layer-provided infrastructure such as ipsec may be best for now? I'll await your suggested updated language for 3.5.1. Thanks, Sent from my Windows 10 phone From: Ganga, Ilango S<mailto:[email protected]> Sent: Tuesday, October 30, 2018 18:12 To: Magnus Nyström<mailto:[email protected]>; [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: RE: Secdir review (early review) of draft-ietf-nvo3-geneve Hi Magnus, Thanks for your review and feedback. Please see inline for my responses. Regards, Ilango From: Magnus Nyström [mailto:[email protected]] Sent: Tuesday, October 23, 2018 9:01 PM To: [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: Secdir review (early review) of draft-ietf-nvo3-geneve I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes "Geneve," a protocol for GEneric NEtwork Virtualization Encapsulation. The document is written in a clear manner and with a thorough Security Considerations section. I have just a few questions/comments: - Section 3.4: The "MUST ignore" for the reserved bits should presumably state "SHALL be ignored for this version of the Geneve protocol." - as I imagine that in a future version, these bits may not be ignored? <Ilango> In theory, a future version may change the behavior of any of the header fields including the reserved bits. The header definition is for this version of the protocol. Please see if the following text would satisfy the intent of your comment. “Reserved field which MUST be zero on transmission and MUST be ignored on receipt.” Or let us know if you still want to have this qualified with “for this version of the protocol” </> - Section 3.5.1: I wonder about the simultaneous requirement that one option must not affect the parsing or interpretation of another option but that the sequencing (order) of options may be significant - they seem to be contradictory since if the sequencing *is* significant, then some option must be impacted by a previous one's value? From a security perspective, I also wonder if there could be security consequences of re-ordering options (and how to tell if someone did re-order - see below)? <Ilango> You raise a good point. The intent of this statement is, parsing and interpretation of options should not be dependent on one another. We are discussing among the authors to see how we can include appropriate clarifying statements to address your point. I will update you shortly. </> - Section 6.2, shouldn't such an Option be defined to reduce the risk of under-specified or subpar specifications of such integrity mechanisms? Or also from an interop perspective? <Ilango> Using a Geneve option for the purpose of data integrity is more of an optimization. Otherwise data integrity could be provided by using existing mechanisms like IPsec (as stated in second paragraph of 6.2). We included the last paragraph to show other possibilities. We could remove this paragraph if it may cause any confusion. We would like to keep the Geneve base specification independent of options specifications, options could be a defined in a future standards action. </> Thanks. -- Magnus -- -- Magnus
_______________________________________________ nvo3 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nvo3
