Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-05 Thread Lucy yong
and not helpful at all. GUE already takes care of the security. Lucy -Original Message- From: Liuyuanjiao Sent: Friday, June 05, 2015 3:10 AM To: Lucy yong; Dacheng Zhang; Dino Farinacci Cc: David Mozes; Xuxiaohu; Michael Shieh; nvo3@ietf.org Subject: Reply: [nvo3] Reply: VxLAN Security Consideration

[nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Liuyuanjiao
Dear Zhang Dacheng: Now, in the middle of the network, we need to monitor the traffic based on the VNI. But if we use IPsec, we cannot see the VNI anymore. So the users cannot monitor the traffic per VNI; they can only monitor the overall vxlan tunnel traffic. Another

[nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Liuyuanjiao
Dear Tom: GUE can solve the problem of showing the VNI, but GUE means another module, not the vxlan module. So the vxlan packet or vxlan payload would have to be encrypted into the GUE payload. I feel this is a little heavy for the device and the network, but I am not sure about it. Best Regards

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Dacheng Zhang
3, Wednesday 5:15 PM To: dacheng de dacheng@alibaba-inc.com, Michael Shieh mich...@varmour.com, David Mozes dav...@mellanox.com Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org Subject: [nvo3] Reply: VxLAN Security Consideration Dear Zhang Dacheng: Now, in the middle of the network, we

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Tom Herbert
On Wed, Jun 3, 2015 at 2:20 AM, Liuyuanjiao liuyuanj...@huawei.com wrote: Dear Tom: GUE can solve the problem of showing the VNI, but GUE means another module, not the vxlan module. So the vxlan packet or vxlan payload would have to be encrypted into the GUE payload. I feel this is a little

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Stephen Suryaputra
I think it is also important to keep the UDP header unencrypted, since the source port is the entropy. Regards, Stephen. On Wed, Jun 3, 2015 at 5:15 AM, Liuyuanjiao liuyuanj...@huawei.com wrote: Dear Zhang Dacheng: Now, in the middle of the network, we need to monitor the traffic based
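The two points raised in this thread so far (a monitor in the middle of the network keys on the VNI, and the outer UDP source port carries the flow entropy that ECMP and load balancers use) can be seen directly from what is and is not readable on the wire. The following is an added example, not code from the thread or from any NVO3 draft: it builds a VXLAN packet with the RFC 7348 header layout, then wraps that same packet in an ESP tunnel-mode envelope, and shows what a keyless observer can classify on in each case. The addresses, VNI, SPI and key are constructed values, and the XOR "cipher" is a stand-in for a real ESP transform; only the header layout matters for the point being made.

```python
"""Constructed VXLAN vs. ESP-wrapped VXLAN: what a mid-network monitor can see."""
import struct

VXLAN_PORT = 4789   # IANA-assigned VXLAN UDP destination port
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ipv4_header(proto: int, payload_len: int,
                src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (no options; checksum left zero, never sent on a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def vxlan_encap(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Wrap an Ethernet frame in VXLAN/UDP/IPv4 (RFC 7348 header: flags, 3 reserved,
    24-bit VNI, 1 reserved). src_port is the per-flow entropy chosen by the VTEP."""
    vxlan_hdr = struct.pack("!B3sB", 0x08, b"\x00\x00\x00", 0)  # placeholder, VNI patched below
    vxlan_hdr = bytes([0x08, 0, 0, 0, (vni >> 16) & 0xff, (vni >> 8) & 0xff, vni & 0xff, 0])
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    return ipv4_header(IPPROTO_UDP, udp_len) + udp_hdr + vxlan_hdr + inner_frame


def esp_tunnel_encap(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Wrap a whole IP packet in an ESP tunnel-mode envelope: outer IP (proto 50),
    SPI, sequence number, then ciphertext. The XOR is a placeholder for a real
    ESP transform such as AES-GCM (constructed for this example)."""
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = bytes(b ^ key[i % len(key)] for i, b in enumerate(ip_packet))
    return ipv4_header(IPPROTO_ESP, len(esp_hdr) + len(ciphertext)) + esp_hdr + ciphertext


def monitor_view(pkt: bytes) -> dict:
    """What a monitor without keys can classify on from the outer headers."""
    ihl = (pkt[0] & 0x0f) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_UDP:
        src_port, dst_port = struct.unpack("!HH", body[:4])
        view = {"proto": "udp", "src_port": src_port, "dst_port": dst_port}
        # VXLAN header follows the 8-byte UDP header; I flag (0x08) must be set.
        if dst_port == VXLAN_PORT and len(body) >= 16 and body[8] & 0x08:
            view["vni"] = (body[12] << 16) | (body[13] << 8) | body[14]
        return view
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Ports, VNI and inner frame are all inside the ciphertext.
        return {"proto": "esp", "spi": spi, "seq": seq}
    return {"proto": proto}


def demo() -> tuple:
    """Constructed inner frame (broadcast dst MAC, locally administered src MAC, IPv4 ethertype)."""
    inner = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"constructed payload"
    vx = vxlan_encap(inner, vni=0x123456, src_port=51234)
    esp = esp_tunnel_encap(vx, spi=0xDEADBEEF, seq=1, key=b"constructed-key")
    return monitor_view(vx), monitor_view(esp)


if __name__ == "__main__":
    plain, wrapped = demo()
    print("plain VXLAN :", plain)    # VNI and UDP source port visible
    print("ESP tunnel  :", wrapped)  # only SPI and sequence number visible
```

Run as a script, the first line shows the monitor recovering both the VNI (0x123456) and the entropy source port (51234); the second shows that once the VXLAN packet is inside ESP tunnel mode, the same monitor sees only an SPI and a sequence number, so per-VNI accounting and port-based ECMP hashing of the inner flow are both lost. The `struct.pack` placeholder line in `vxlan_encap` is immediately overwritten by the explicit byte list so the VNI layout is spelled out in full.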

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Dino Farinacci
...@mellanox.com Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org Subject: [nvo3] Reply: VxLAN Security Consideration Dear Zhang Dacheng: Now, in the middle of the network, we need to monitor the traffic based on the VNI. But if we use IPsec, we cannot see the VNI anymore. So

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Dacheng Zhang
for discussion… ^_^ Cheers Dacheng From: Liuyuanjiao liuyuanj...@huawei.com Date: Wednesday, June 3, 2015 5:15 PM To: dacheng de dacheng@alibaba-inc.com, Michael Shieh mich...@varmour.com, David Mozes dav...@mellanox.com Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org Subject: [nvo3] Reply

Re: [nvo3] Reply: VxLAN Security Consideration

2015-06-03 Thread Lucy yong
; Xuxiaohu; Michael Shieh; Liuyuanjiao; nvo3@ietf.org Subject: Re: [nvo3] Reply: VxLAN Security Consideration I know this draft, and I think you are right. Neither IPsec nor DTLS can fulfill the requirements. A security mechanism designed for vxlan could be a good idea... On 15-6-3 11:14 PM, Dino Farinacci