On Wed, Oct 15, 2014 at 2:02 PM, Linda Dunbar <linda.dun...@huawei.com> wrote: > Tom, > > I am a bit confused of your comments. See questions inserted below: > > > -----Original Message----- > From: nvo3 [mailto:nvo3-boun...@ietf.org] On Behalf Of Tom Herbert > > Security should be considered here also. Security is strongest when applied > end-to-end. For example, if we are encrypting at the ingress NVE, decryption > should happen at the final NVE-- if the NVEs are on host then this implies > packets are encrypted during all of transit. > Also, when encrypting this may be over the full inner packet so that virtual > addresses are not visible to intermediate devices. With ESP/GUE the header > stack might be IP/UDP/GUE/ESP/IP; vnid is visible, but virtual addresses > aren't. Even if we are just using a security cookie to validate a VNID, the > outer IP addresses can be considered for anti-spoofing. Triangular routing > convolutes both of these cases I believe. > > [Linda] I would think the L3 address migration is orthogonal to "ingress NVE > encryption & egress NVE decryption". Can you elaborate how those two issues > related?
I'll use a simple example to demonstrate this... Suppose we have a customer that has requested encryption for data in flight. So for communications between their two NVEs we need to have an established SA between them (one SA should be sufficient between the NVEs, we probably don't need an SA for each VN or virtual address). So if V1 and V2 are communicating endpoints, and E1 and E2 are the corresponding NVEs, then we would have something like: V1->E1->E2->V2 where communications between E1, E2 are encrypted-- V1 to E1 and E2 to V2 are plaintext (where if they are co-resident with the respective NVEs on a host that all communications are encrypted). So now if we have triangular routing, then the path looks like: V1->E1->X->E2->V2. So the question is how to encrypt packets with this path. We can't use an SA between E1 and E2 since E1 doesn't know that that it's peer is E2 (if it did then we wouldn't be doing triangular routing). So in order to encrypt end to end, it seems like we need to encrypt using one SA between E1 and X, and another between X and E2-- but this is not really end to end and I would assume it's a lot more load on X than it bargained for. > > > >> In theory, host hosting by every NVE (including the DCBR) can achieve >> the optimal path forwarding in very fragmented network. But host >> routing can be challenging in a very large and highly virtualized data >> center, there could be hundreds of thousands of hosts/VMs, sometimes >> in millions, due to business demand and highly advanced server >> virtualization technologies. >> > This is true, but there are some mitigating factors favoring host routes. 1) > a particular NVE should only be communicating with a subset of virtual > addresses at a given time. 2) Migrations are fairly rare events and latency > to adapt is already assumed to be in 10's of msecs. > An extra round trip or so to relearn a host route after migration is not > unreasonable. > > So the host routes could be in a cache containing the working set where there > is a mechanism to resolve them. > > [Linda] I'd assume that NVA can always send update when a host is moved to a > different NVE. So I am not concerned with the time taken to learn the new > route. The text is intended to describe other options when the cache of a > switch/router in a Data Center can't have individual mappings for all VMs in > the VNs supported (especially the gateway). > > > > >> ECMP can be used by the DCBR or any NVEs that don’t support host >> routing or can’t access NVA to distribute traffic equally to any of >> the NVEs that support the subnet (VN). If an NVE doesn’t have the >> destination of a data packet directly attached, it can query NVA for >> the target NVE to which the destination is attached, and encapsulate >> the packet with the target NVE as outer destination before sending it out. >> >> Another approach is to designate one or two NVEs as designated >> forwarder for a specific subnet when the subnet is spread across many >> NVEs. For example, if high percentage of TSs of one subnet is attached >> to NVE “X”, the remaining small percentage of the subnet is spread around >> many NVEs. >> Designating NVE “X” as the designated forwarder for the subnet can >> greatly reduce the “triangular routing” for the traffic destined to >> TSs in this subnet. >> > I'm not sure this is practical. While there are reasons to schedule VMs with > physical locality in the DC, there are also reasons we wouldn't do this (like > we don't want a single device failure to be able to take out all VM's of a > customer). Also, I don't think we want to constrain the job scheduler any > more than it already is-- it's likely over enough time that entropy will > prevail so that VMs for particular subnets are randomly distributed across > the DC. > > If we designate NVE "X" as a forwarder like you suggest, then when it gets a > packet for which there is a better route it could send the equivalent of an > ICMP redirect to back to the originator to eliminate the triangular routing. > Furthermore, if instead of acting as a forwarder, NVE "X" is a resolver then > a resolution protocol could be implemented (ARP model) so that packets might > never forwarded using triangular routing which could address the end to end > security issue I posed above. > > [Linda] agree with you. I will update the text. The second option will incur > triangular routing for hosts that are not attached to the designated NVE "X". > This option is only intended for a scenario where host routing is not > feasible on some NVEs. > It would be good if you can quantify what you mean by "host routing is not feasible"? Are you envisioning NVEs that never use host routes but always rely on triangular routing? Tom > Thanks, > Tom > >> >> >> Linda Dunbar >> >> > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3
