Thanks for your review and comments. Several of the comments from reviewers came in in the last hours before the Telechat. We will review the comments and try to respond to each one of these as soon as we can in a day or two.
Thanks, Ilango -----Original Message----- From: Roman Danyliw via Datatracker <[email protected]> Sent: Wednesday, December 4, 2019 6:04 PM To: The IESG <[email protected]> Cc: [email protected]; Matthew Bocci <[email protected]>; [email protected]; [email protected]; [email protected] Subject: Roman Danyliw's Discuss on draft-ietf-nvo3-geneve-14: (with DISCUSS and COMMENT) Roman Danyliw has entered the following ballot position for draft-ietf-nvo3-geneve-14: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (1) The threat model assumed by geneve appears to be expressed in conflicting ways. Section 4.1 notes that RFC8085’s definition of “controlled environment” applies. However, - Section 6 notes “When crossing an untrusted link, such as the public Internet, …” - Section 6.1 notes “Geneve data traffic between tenant systems across such separated networks should be protected from threats when traversing public networks. Any Geneve overlay data leaving the data center network beyond the operator's security domain SHOULD be secured by encryption mechanisms such as IPsec or other VPN mechanisms to protect the communications between the NVEs when they are geographically separated over untrusted network links.” The advice provided in Section 6.x is sound. Nevertheless, it doesn’t appear to describe a “controlled environment”. (2) Section 6. Per “Compromised tunnel endpoints may also spoof identifiers in the tunnel header to gain access to networks owned by other tenants”, couldn’t compromised transit devices do the same? (3) Section 6.1. Similar to what is discussed in Section 6.2 (for integrity), please refer to the impact of a compromised node on confidentiality. For example (not verbatim) “A compromised network node or a transit device within a data center may passively monitor Geneve packet data between NVEs; or route traffic for further inspection.” (4) Section 6.1. Per “Due to the nature of multi-tenancy in such environments, a tenant system may expect data confidentiality to ensure its packet data is not tampered with (active attack) in transit or a target of unauthorized monitoring (passive attack).”, please provide additional precision on the confidentiality. It is only relative to other tenants, but not from the provider (who can engage in tampering and passive monitoring). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I support Ben Kaduk’s DISCUSS position. To reiterate part of his write-up, the role of the transit device which is only permitted to inspect the geneve traffic isn’t clear, especially if end-to-end security is applied. RFC7365 didn’t provide insight into this architectural element. _______________________________________________ nvo3 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nvo3
