and not helpful at all. GUE already takes care of the security.
Lucy
-Original Message-
From: Liuyuanjiao
Sent: Friday, June 05, 2015 3:10 AM
To: Lucy yong; Dacheng Zhang; Dino Farinacci
Cc: David Mozes; Xuxiaohu; Michael Shieh; nvo3@ietf.org
Subject: Re: [nvo3] Re: VxLAN Security Consideration
Dear Zhang Dacheng:
Now, in the middle network, we need to monitor the traffic based on
the VNI. But if we use IPSec, we could not see VNI anymore.
So the users could monitor the traffic in the way of VNI, only can
monitor the vxlan tunnel overall traffic.
Another
Dear Tom:
The GUE can resolve the VNI to be shown, but GUE means another module,
not vxlan module. So the vxlan packet or vxlan payload should be encrypted into
the GUE payload.
I feel this is a little heavy for the device and network. But I am not sure
for it.
Best Regards
3, Wednesday, 5:15 PM
To: dacheng de dacheng@alibaba-inc.com, Michael Shieh
mich...@varmour.com, David Mozes dav...@mellanox.com
Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org
Subject: [nvo3] Re: VxLAN Security Consideration
Dear Zhang Dacheng:
Now, in the middle network, we
On Wed, Jun 3, 2015 at 2:20 AM, Liuyuanjiao liuyuanj...@huawei.com wrote:
Dear Tom:
The GUE can resolve the VNI to be shown, but GUE means another
module, not vxlan module. So the vxlan packet or vxlan payload should be
encrypted into the GUE payload.
I feel this is a little
I think it is also important to keep the UDP header unencrypted since the
source port is the entropy.
Regards,
Stephen.
On Wed, Jun 3, 2015 at 5:15 AM, Liuyuanjiao liuyuanj...@huawei.com wrote:
Dear Zhang Dacheng:
Now, in the middle network, we need to monitor the traffic based
...@mellanox.com
Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org
Subject: [nvo3] Re: VxLAN Security Consideration
Dear Zhang Dacheng:
Now, in the middle network, we need to monitor the traffic based on
the VNI. But if we use IPSec, we could not see VNI anymore.
So
for discussion… ^_^
Cheers
Dacheng
From: Liuyuanjiao liuyuanj...@huawei.com
Date: Wednesday, June 3, 2015, 5:15 PM
To: dacheng de dacheng@alibaba-inc.com, Michael Shieh
mich...@varmour.com, David Mozes dav...@mellanox.com
Cc: Xuxiaohu xuxia...@huawei.com, nvo3@ietf.org nvo3@ietf.org
Subject: [nvo3] Re
; Xuxiaohu; Michael Shieh; Liuyuanjiao; nvo3@ietf.org
Subject: Re: [nvo3] Re: VxLAN Security Consideration
I know this draft, and I think you are right. Neither ipsec nor dtls can
fulfill the requirements. A security mechanism designed for vxlan could be a
good idea...
On 15-6-3, 11:14 PM, Dino Farinacci