Dear Zhang Dacheng:
Now, in the middle network, we need to monitor the traffic based on
the VNI. But if we use IPsec, we could not see the VNI anymore.
So the users could not monitor the traffic by VNI, and can only
monitor the overall traffic of the VXLAN tunnel.
Another
Dear Tom:
GUE can allow the VNI to be shown, but GUE means another module,
not the VXLAN module. So the VXLAN packet or VXLAN payload would have to be
encrypted into the GUE payload.
I feel this is a little heavy for the device and network, but I am not sure
about it.
Best Regards
OK, if there are really such requirements, maybe it is a good idea for us to
design a security mechanism for VXLAN, which can protect the integrity of
the VXLAN headers while encrypting the payloads.
Open for discussion… ^_^
Cheers
Dacheng
From: Liuyuanjiao liuyuanj...@huawei.com
Date:
On Wed, Jun 3, 2015 at 2:20 AM, Liuyuanjiao liuyuanj...@huawei.com wrote:
Dear Tom:
GUE can allow the VNI to be shown, but GUE means another
module, not the VXLAN module. So the VXLAN packet or VXLAN payload would have to be
encrypted into the GUE payload.
I feel this is a little
Dear Stephen:
If we want to keep the UDP header unencrypted, then we need to encrypt
the VXLAN parts (header and body) or only the VXLAN payload (body only).
Do we have some scenario where we need to show the UDP ports in the
middle network?
Because if we need the UDP ports to be
I think it is also important to keep the UDP header unencrypted, since the
source port is the entropy.
Regards,
Stephen.
On Wed, Jun 3, 2015 at 5:15 AM, Liuyuanjiao liuyuanj...@huawei.com wrote:
Dear Zhang Dacheng:
Now, in the middle network, we need to monitor the traffic basing
I see value in being able to see the UDP ports in the middle of the
network. But it is even more so that the entropy can still be used for
link aggregation group and/or ECMP hashing by transit routers.
Stephen.
On Wed, Jun 3, 2015 at 9:31 AM, Liuyuanjiao liuyuanj...@huawei.com wrote:
Agree!
One of the most significant reasons to deploy VXLAN is the hashed source UDP port
used to enrich entropy on transit.
Cheers,
Jeff
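As an added illustration of the trade-off Stephen and Jeff describe (this is not code from the thread or from any IETF draft), the script below parses the VNI from a cleartext VXLAN header and models what a transit router can hash on: with plain VXLAN it sees the outer 5-tuple, including the VTEP-chosen UDP source port; with the same flows inside one IPsec ESP tunnel it sees only outer IPs and one SPI, so both per-VNI monitoring and per-flow ECMP spreading are lost. The addresses, flows, path count and the hash function are constructed assumptions, not any vendor's algorithm.

```python
import hashlib

VXLAN_PORT = 4789      # IANA UDP destination port for VXLAN (RFC 7348)
ESP_PROTO = 50         # IP protocol number for IPsec ESP
NUM_PATHS = 8          # constructed: an ECMP group with 8 equal-cost paths


def vxlan_vni(udp_payload: bytes) -> int:
    """Extract the 24-bit VNI from an RFC 7348 VXLAN header.
    Layout: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not udp_payload[0] & 0x08:          # 'I' flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    return int.from_bytes(udp_payload[4:7], "big")


def ecmp_path(*fields) -> int:
    """Toy transit-router hash (assumption, not a real vendor hash): pick
    one of NUM_PATHS from whatever header fields the router can see."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % NUM_PATHS


def vxlan_paths(outer_src, outer_dst, flows):
    """Cleartext VXLAN: transit sees the outer 5-tuple, so the per-flow
    entropy the VTEP put in the UDP source port can spread flows, and the
    VNI stays readable. Returns {VNI: set of chosen paths}."""
    seen = {}
    for sport, vni in flows:
        hdr = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
        path = ecmp_path(outer_src, outer_dst, 17, sport, VXLAN_PORT)
        seen.setdefault(vxlan_vni(hdr), set()).add(path)
    return seen


def esp_paths(outer_src, outer_dst, spi, n_flows):
    """Same flows inside one ESP SA between the two VTEPs: UDP ports and
    VNI are encrypted and every flow carries the same SPI, so the hash
    input is identical for all flows and they land on a single path."""
    return {ecmp_path(outer_src, outer_dst, ESP_PROTO, spi)
            for _ in range(n_flows)}


# Constructed sample: six flows in two VNIs; the VTEP chose varied source ports.
FLOWS = [(49152, 100), (51023, 100), (55555, 100),
         (49999, 200), (60001, 200), (62345, 200)]

if __name__ == "__main__":
    print("VXLAN:", vxlan_paths("10.0.0.1", "10.0.0.2", FLOWS))
    print("ESP:  ", esp_paths("10.0.0.1", "10.0.0.2", 0x1234, len(FLOWS)))
```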
From: Stephen Suryaputra stephen.suryaputra@gmail.com
Reply-To: ssu...@ieee.org
See draft-farinacci-lisp-crypto-01.txt. It addresses many of these concerns.
Dino
On Jun 3, 2015, at 7:55 AM, Dacheng Zhang dacheng@alibaba-inc.com wrote:
OK, if there are really such requirements, maybe it is a good idea for us to
design a security mechanism for VXLAN, which can
I know this draft, and I think you are right. Neither IPsec nor DTLS can
fulfill the requirements. A security mechanism designed for VXLAN could be
a good idea...
On 15-6-3 11:14 PM, Dino Farinacci farina...@gmail.com wrote:
See draft-farinacci-lisp-crypto-01.txt. It addresses many of these
concerns.
GUE (draft-hy-gue-4-secuirty) leverages DTLS for payload encryption, and has an option
for header integrity protection.
Lucy
-Original Message-
From: nvo3 [mailto:nvo3-boun...@ietf.org] On Behalf Of Dacheng Zhang
Sent: Wednesday, June 03, 2015 11:23 AM
To: Dino Farinacci
Cc: David Mozes;
Lucy,
I am not looking for an explanation; rather, I wanted to make sure the suggested
sentence could be parsed by the reader. Having said that, you didn't answer my
earlier question.
You need to provide it in this format.
O ‘original text and location’
S ‘Suggested replacement’
If there is no