Hi Daniel,

Please see my response below.
<Ilango> We will add appropriate clarification to indicate that Geneve header includes options.


Thanks,
Ilango



From: Daniel Migault [mailto:***@ericsson.com]
Sent: Monday, October 22, 2018 2:23 AM
To: Ganga, Ilango S <***@intel.com>
Cc: Bocci, Matthew (Nokia - GB) <***@nokia.com>; ***@ietf.org; draft-ietf-nvo3-***@ietf.org; T. Sridhar <***@vmware.com>
Subject: RE: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi,

If everyone agrees, this seems fine to me. Thanks for addressing them.

From your response, I understand “a Transit device can process a geneve header with no option”. If that is correct, I suggest this is clearly mentioned in the document as my initial understanding was that only geneve option were concerned.

OLD:
Transit devices MAY be able to interpret the options, however, as
non-terminating devices, transit devices do not originate or
terminate the Geneve packet, hence MUST NOT insert or delete options,
which is the responsibility of Geneve endpoints. The participation
of transit devices in interpreting options is OPTIONAL.

NEW:
s/options/geneve header including geneve options /

It may also be needed to specify what is possible for the transit device to perform on the geneve header excluding the options.


I would also suggest that draft-ietf-nvo3-security-requirements and draft-mglt-nvo3-geneve-security-requirements be referenced in the security consideration section as they provide more details. As these are informational reference, they should not block the publication of the current draft.

Yours,
Daniel

From: Ganga, Ilango S <***@intel.com<mailto:***@intel.com>>
Sent: Monday, October 22, 2018 12:22 AM
To: Daniel Migault <***@ericsson.com<mailto:***@ericsson.com>>
Cc: Bocci, Matthew (Nokia - GB) <***@nokia.com<mailto:***@nokia.com>>; ***@ietf.org<mailto:***@ietf.org>; draft-ietf-nvo3-***@ietf.org<mailto:draft-ietf-nvo3-***@ietf.org>; T. Sridhar <***@vmware.com<mailto:***@vmware.com>>
Subject: RE: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi Daniel,

Please see my responses inline. I think this should address all your comments.

Thanks,
Ilango


From: Daniel Migault [mailto:***@ericsson.com]
Sent: Wednesday, October 17, 2018 7:28 AM
To: Ganga, Ilango S <***@intel.com<mailto:***@intel.com>>
Cc: Bocci, Matthew (Nokia - GB) <***@nokia.com<mailto:***@nokia.com>>; ***@ietf.org<mailto:***@ietf.org>; draft-ietf-nvo3-***@ietf.org<mailto:draft-ietf-nvo3-***@ietf.org>; T. Sridhar <***@vmware.com<mailto:***@vmware.com>>
Subject: RE: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi Illango,

Thanks for the response, please see my comments. I believe they can be easily addressed in the next version.

Yours,
Daniel

From: Ganga, Ilango S <***@intel.com<mailto:***@intel.com>>
Sent: Wednesday, October 17, 2018 1:45 AM
To: Daniel Migault <***@ericsson.com<mailto:***@ericsson.com>>
Cc: Bocci, Matthew (Nokia - GB) <***@nokia.com<mailto:***@nokia.com>>; ***@ietf.org<mailto:***@ietf.org>; draft-ietf-nvo3-***@ietf.org<mailto:draft-ietf-nvo3-***@ietf.org>; T. Sridhar <***@vmware.com<mailto:***@vmware.com>>
Subject: RE: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi Daniel,

Thanks for your review and comments. Please see my responses inline.

Regards,
Ilango


From: Daniel Migault [mailto:***@ericsson.com]
Sent: Friday, October 12, 2018 2:57 PM
To: Ganga, Ilango S <***@intel.com<mailto:***@intel.com>>
Cc: Bocci, Matthew (Nokia - GB) <***@nokia.com<mailto:***@nokia.com>>; ***@ietf.org<mailto:***@ietf.org>; draft-ietf-nvo3-***@ietf.org<mailto:draft-ietf-nvo3-***@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

Hi,

I reviewed the document. Please find my comments below.

Yours,
Daniel
3.4. Tunnel Header Fields

C (1 bit): Critical options present. One or more options has the
critical bit set (see Section 3.5). If this bit is set then
tunnel endpoints MUST parse the options list to interpret any
critical options. On endpoints where option parsing is not
supported the packet MUST be dropped on the basis of the 'C' bit
in the base header. If the bit is not set tunnel endpoints MAY
strip all options using 'Opt Len' and forward the decapsulated
packet.
<mglt>
I am fine with the text, but this may contradict that Opt Len is compared to the sum of option len. (see my comment next section). I guess that is a clarification to be made next section.
</mglt>
<Ilango> The text in this section reads fine; since the option header is defined in next section 3.5, it is appropriate to keep the text in that section. Also, please see response to next section.
</>
<mglt2>I will see the next section. </mglt2>

3.5. Tunnel Options


Type (8 bits): Type indicating the format of the data contained in
this option. Options are primarily designed to encourage future
extensibility and innovation and so standardized forms of these
options will be defined in a separate document.

The high order bit of the option type indicates that this is a
critical option. If the receiving endpoint does not recognize
this option and this bit is set then the packet MUST be dropped.
If the critical bit is set in any option then the 'C' bit in the
Geneve base header MUST also be set. Transit devices MUST NOT
drop packets on the basis of this bit. The following figure shows
the location of the 'C' bit in the 'Type' field:

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|C| Type |
+-+-+-+-+-+-+-+-+

The requirement to drop a packet with an unknown critical option
<mglt>
maybe s/an unknown critical option/an unknown option with the critical bit set would be clearer.
</mglt>

<Ilango> The term critical option is described in section 3.4 and used in 3.5, so use of this term here to refer to an unknown critical option reads fine. Though for consistency with the sentence in section 3.5.1, we could also say “unknown options with C-bit set”.
</>
<mglt2> I am fine with your proposed change. </mglt>

applies to the entire tunnel endpoint system and not a particular
component of the implementation. For example, in a system
comprised of a forwarding ASIC and a general purpose CPU, this
does not mean that the packet must be dropped in the ASIC. An
implementation may send the packet to the CPU using a rate-limited
control channel for slow-path exception handling.

R (3 bits): Option control flags reserved for future use. MUST be
zero on transmission and ignored on receipt.

Length (5 bits): Length of the option, expressed in four byte
multiples excluding the option header. The total length of each
option may be between 4 and 128 bytes. A value of 0 in the Length
field implies an option with only the option header without the
variable option data.

<mglt>
I understand the sentence below as a check between the sum of option length and Opt len. This does not seems related to the treatment of one option, and maybe should be moved up to the description of Opt Len in the Geneve Header section.

<Ilango> This section is where the Tunnel Options are defined hence this is the most appropriate and right place for this text.
</>

<mglt2>I am fine with that as well, as long as you believe that is the right place.</mglt2>

I also have an issue on how to interpret that sentence. When receiving a Geneve Packet, the following sentence prevent from jumping to Opt Len skipping off options. It could be understood as a mandatory check in which case (whether there is a C bit set in the Geneve Header or not) the terminating node to go through all options, read the Length sum them and them compare it to the Opt Len. If such check is mandatory, I am wondering if Opt Len in the Geneve Header is then limited for internal use of the terminating node. If that is something optional, maybe we should explicitly say it, or maybe detail when such comparison is expect to happen.
</mglt>

<Ilango> No, it does not prevent the nodes from skipping the options to reach the start of encapsulated payload. For example a transit node that does not process the options can skip over the options by using the Option length field in the Geneve header. The endpoints that process the options are the ones that need to do this check as stated in this sentence.
For better clarity, we could add clarifying text to the sentence as follows:
“
. invalid and MUST be silently dropped if received by an endpoint that processes the options.”
</>
<mglt2>I believe that is clarifying to add the text you proposed.</mglt2>

Packets in which the total length of all
options is not equal to the 'Opt Len' in the base header are
invalid and MUST be silently dropped if received by an endpoint.




Gross, et al. Expires April 10, 2019 [Page 15]

Internet-Draft Geneve Protocol October 2018


Variable Option Data: Option data interpreted according to 'Type'.


3.5.1. Options Processing

Geneve options are intended to be originated and processed by tunnel
endpoints. However, options MAY be interpreted by transit devices
along the tunnel path. Transit devices not processing Geneve headers
<mglt>
I am reading Genve header as a Geneve option of the Genve header, but not the fixed Geneve header. If that is correct, It may be clearer to use Genve option instead of Geneve header as to avoid confusion on the scope of transit device. From the text above, using Geneve header could mean the fix header, in which case it may make easier to figure out the difference between transit device and tunnel endpoint.
</mglt>
<Ilango> As illustrated clearly in sections 3.1 and 3.2 Geneve header includes fixed length headers and options. So in this statement, Geneve header includes options.
</>
<mglt2>
This is I believe English clarification and English is not my native language, so I am only providing my feed back, but differ to others on what to do.

The statement as I read it says that transit devices MAY interpret options. Which I interprete as the scope of transit device is limited to these options and transit device are not supposed to interprete the fix header.

The following sentence says transit devices not interpreting the Geneve Header
.” Which I read as fix header and option. While the statement is true, as header include option, I found it somehow confusing to introduce the fix header at that stage, as my understanding is that transit device are limited to the options.

Re-reading the text I also believe - if that is correct -, we should specify that transit devices MAY treat a subset of the options. </mglt2>

<Ilango2> The header may include options, and a transit device has to interpret the header to get to the options. We will rephrase the text to the following for clarity.
Transit devices not interpreting Geneve headers (that may or may not include Options)
SHOULD process Geneve packets as any other UDP packet and maintain
consistent forwarding behavior.
</Ilango2>

SHOULD process Geneve packets as any other UDP packet and maintain
consistent forwarding behavior.

In tunnel endpoints, the generation and interpretation of options is
determined by the control plane, which is out of the scope of this
document. However, to ensure interoperability between heterogeneous
devices some requirements are imposed on options and the devices that
process them:

o Receiving endpoints MUST drop packets containing unknown options
with the 'C' bit set in the option type. Conversely, transit
devices MUST NOT drop packets as a result of encountering unknown
options, including those with the 'C' bit set.

o Some options may be defined in such a way that the position in the
option list is significant. Options or their ordering, MUST NOT
be changed by transit devices.

o An option MUST NOT affect the parsing or interpretation of any
other option.


<mglt>
In case we have a option providing authentication, such option may affect the interpretation of the other options. s/interpretation/ndependance may not be better.... I think what we want to say is that option MUST be able to be processed in any order or in parallel. I am fine with the text if we do not find something better.
</mglt>

<Ilango> This is a good point, however we believe that this text captures the intent.
</>
<mglt2>The problem I have is that the current text prevents security options, so I guess some clarification should be brought to clarify the intent.</mglt2>
<Ilango2> The intent of this statement is, parsing and interpretation of options is not dependent on one another. It does not preclude processing of any security option.
</Ilango2>

6. Security Considerations

As encapsulated within an UDP/IP packet, Geneve does not have any
inherent security mechanisms. As a result, an attacker with access
to the underlay network transporting the IP packets has the ability
to snoop or inject packets.

<mglt>
I believe that monitoring is also an attack that should be mentioned.
</mglt>
<Ilango> Snooping covers the case of monitoring as well, so I don’t see a need for additional text.
</>

<mglt2>I understood “snoop” as being more active than passive monitoring. I am fine with the text.</mglt2>


Legitimate but malicious tunnel
endpoints may also spoof identifiers in the tunnel header to gain
access to networks owned by other tenants.

<mglt>
I think Legitimate and malicious are not compatible. This is probably a "corrupted legitimate tunnel endpoint. I think we should also add that securing the geneve tunnel cannot prevent this type of threat.
</mglt>
<Ilango> Yes, we could change this to “Compromised endpoints may also spoof 
.”.
The next paragraph states that tunnel endpoints should only be operated in environments controlled by the service provider, this could potentially mitigate the threat of endpoints from getting compromised.
</>


Within a particular security domain, such as a data center operated
by a single service provider, the most common and highest performing
security mechanism is isolation of trusted components. Tunnel
traffic can be carried over a separate VLAN and filtered at any
untrusted boundaries. In addition, tunnel endpoints should only be
operated in environments controlled by the service provider, such as
the hypervisor itself rather than within a customer VM.


When crossing an untrusted link, such as the public Internet, IPsec
[RFC4301] may be used to provide authentication and/or encryption of
the IP packets formed as part of Geneve encapsulation.

<mglt>
I understand the first paragraph as the one where the service provider owns the tenant, the geneve overlay as well as the infrastructure in which case, isolation and separation is performed by VLAN. The second paragraph mentions that the previously described data centers can be interconnected using a secure link. I consider this case as the one building a trusted environment to run Geneve overlay.

I believe the security considerations for Geneve may be more focused on Genve itself, that is how the Geneve overlay network may remain secure while not relying on the security provided by the infrastructure. In that extent it help to consider the case where tenants, Geneve overlay provider, infrastructure providers are different entities.
</mglt>
<Ilango>The operator could use multiple security mechanisms, which could span across layers. For example, the operator could very well choose security mechanisms already provided by the underlay to secure their overlay networks. </>
<mglt2>I understand, but it seems to me that the important things here are :

* Corrupted legitimate tunnel endpoint is not expected to be addressed by Geneve security mechanisms.
* Geneve overlay deployment relies on reliable (trusted) tunnel endpoints. This later point may be achieved in one or the other ways. You provide one way to do it, another way could be simply trusting your infrastructure provider.
I believe that it may be more helpful to explicitly provide a trust model, illustrating it and leave the door open to other solutions. My current reading is that one way is proposed, but we may lack some information to evaluate if other ways can be acceptable as well.</mglt2>
<Ilango2> I am not sure where you are going with this. The intent is to highlight potential risks and outline how to mitigate such risks, this paragraph describes the best practices used to secure a tunnel endpoint. We believe that this is sufficiently illustrated in the description.
</Ilango2>


Geneve does not otherwise affect the security of the encapsulated
packets. As per the guidelines of BCP72 [RFC3552], the following
sections describe potential security risks that may be applicable to
Geneve deployments and approaches to mitigate such risks. It is also
noted that not all such risks are applicable to all Geneve deployment
scenarios, i.e., only a subset may be applicable to certain
deployments. So an operator has to make an assessment based on their
network environment and determine the risks that are applicable to
their specific environment and use appropriate mitigation approaches
as applicable.



Gross, et al. Expires April 10, 2019 [Page 21]

Internet-Draft Geneve Protocol October 2018


6.1. Data Confidentiality

Geneve is a network virtualization overlay encapsulation protocol
designed to establish tunnels between network virtualization end
points (NVE) over an existing IP network. It can be used to deploy
multi-tenant overlay networks over an existing IP underlay network in
a public or private data center. The overlay service is typically
provided by a service provider, for example a cloud services provider
or a private data center operator.

<mglt>
The text above seems to assume that the service overlay is always provided by the cloud provider (i.e. infrastructure provider). I do not believe this assumption is always true.

A company may sell a system based on Geneve and may be willing to provide some protection against the infrastructure provider.
</mglt>
<Ilango> Yes, “typically” means not always, but it is the most common use case.</>
<mglt2> I believe it is good we mention a use case we envisioned as being the most common use case, but I also think the security consideration should not only be based on one deployment. </mglt2>
<Ilango2> We will add the following statement to the end of this paragraph for clarification.
“This may or not may be the same provider as an underlay service provider”
</Ilango2>

Due to the nature of multi-
tenancy in such environments, a tenant system may expect data
confidentiality to ensure its packet data is not tampered with
(active attack) in transit or a target of unauthorized monitoring
(passive attack). A tenant may expect the overlay service provider
to provide data confidentiality as part of the service or a tenant
may bring its own data confidentiality mechanisms like IPsec or TLS
to protect the data end to end between its tenant systems.
<mglt>
When a tenant is securing its communication using TLS or IPsec, there are still some metadata that the Geneve overlay MAY protect - typically (IP, ports).
</mglt>
<Ilango> The intent of this statement is a tenant may bring its own data confidentiality mechanism to protect its data without relying on the service provider. This is irrespective of security mechanisms provided by the service provider.</>

<mglt2>I would suggest that we clearly state that data confidentiality provided by the tenant does not prevent the geneve overlay to provide it. From my reading of the text, it seems that tenant security is sufficient.I believe that is a bit misleading. </mglt2>
<Ilango2>The text does not preclude a service provider to provide security mechanisms when the tenant brings its own security. I am not sure where you are getting this interpretation. If needed we can remove the last sentence of the second paragraph, if that addresses your concern.

<Delete the following sentence from the end of next paragraph>

The operator may choose not to enable the encryption if,

for example, the packet data is already encrypted by the tenant

system.

</Ilango2>

If an operator determines data confidentiality is necessary in their
environment based on their risk analysis, for example as in multi-
tenant environments, then an encryption mechanism SHOULD be used to
encrypt the tenant data end to end between the NVEs. The NVEs may
use existing well established encryption mechanisms such as IPsec,
DTLs, etc., The operator may choose not to enable the encryption if,
for example, the packet data is already encrypted by the tenant
system.

6.1.1. Inter-data center traffic

A tenant system in a customer premises (private data center) may want
to connect to tenant systems on their tenant overlay network in a
public cloud data center or a tenant may want to have its tenant
systems located in multiple geographically separated data centers for
high availability. Geneve data traffic between tenant systems across
such separated networks should be protected from threats when
traversing public networks. Any Geneve overlay data leaving the data
center network beyond the operator's security domain, for example
over the public Internet, SHOULD be secured by encryption mechanisms
such as IPsec or other VPN mechanisms to protect the communications
between the NVEs when they are geographically separated over
untrusted network links. Implementation of specific data protection
mechanisms employed between data centers is beyond the scope of this
document.

<mglt>
I see that inter-data center traffic protection is more IP traffic protection than specific to Geneve. I think we can also safely go for a MUST be secured when the traffic is sent to the wild Internet.
</mglt>
<Ilango> Inter-data center need not always mean internet, for example it could be dedicated secure links. In which case the operator may decide to rely on the underlying security of the dedicated links, so we believe “SHOULD” is more appropriate here.</>
<mglt2>I am reading this as two different implementations of a secure link between the data center. The requirement is that this link MUST be secured. One way to provide a secure link is to have a dedicated line in which case we SHOULD encrypt the traffic. Another way to establish a connection over the internet in which case the traffic MUST be encrypted.
I believe it would help to clarify why SHOULD is mentioned here. One reason of the confusion is that only the link over internet is mentioned. </mglt2>
<Ilango2>The operator based on their risk assessment should enable appropriate security mechanism.
We could remove “for example over public Internet” from this sentence and this should address your concern.
</Ilango2>

6.2. Data Integrity

Geneve encapsulation is used between NVEs to establish overlay
tunnels over an existing IP underlay network. In a multi-tenant data
center, a rogue or compromised tenant system may try to launch a



Gross, et al. Expires April 10, 2019 [Page 22]

Internet-Draft Geneve Protocol October 2018


passive attack such as monitoring the traffic of other tenants, or an
active attack such as spoofing or trying to inject unauthorized
Geneve encapsulated traffic into the network. To prevent such
attacks, an NVE MUST not propagate Geneve packets beyond the NVE to
tenant systems and SHOULD employ packet filtering mechanisms so as
not to forward unauthorized traffic between TSs in different tenant
networks.

<mglt>I believe that replayed traffic is also unauthorized in this case and may be considered in the description.</mglt>
<Ilango> Unauthorized traffic should include all type of unauthorized traffic including traffic such as spoofing, replay, etc.,. This is minor editorial, if need be we could rephrase to provide clarity “unauthorized traffic such as spoofing, replay, etc.”
</>
<mglt2>I agree this is minor editorial, but the use of UDP eases such attacks, so I think it is important this appears in the security consideration.</mglt2>
<Ilango2> Ok, we will rephrase to provide clarity
“unauthorized traffic such as spoofing, replay, etc.”
</Ilango2>

<END>

On Thu, Oct 11, 2018 at 1:34 PM Ganga, Ilango S <***@intel.com<mailto:***@intel.com>> wrote:
As a co-author, I believe the document is ready for publication as a standards track RFC.

Thanks,
Ilango


From: Bocci, Matthew (Nokia - GB) [mailto:***@nokia.com<mailto:***@nokia.com>]
Sent: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <***@ietf.org<mailto:***@ietf.org>>
Cc: draft-ietf-nvo3-***@ietf.org<mailto:draft-ietf-nvo3-***@ietf.org>
Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt

This email begins a two-week working group last call for draft-ietf-nvo3-geneve-08.txt.

Please review the draft and post any comments to the NVO3 working group list. If you have read the latest version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate so to the WG email list.

We are also polling for knowledge of any undisclosed IPR that applies to this document, to ensure that IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details).
If you are listed as an Author or a Contributor of this document, please respond to this email and indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors and Contributors.

Currently there are two IPR disclosures against this document.

If you are not listed as an Author or a Contributor, then please explicitly respond only if you are aware of any IPR that has not yet been disclosed in conformance with IETF rules.

This poll will run until Friday 26th October.

Regards

Matthew and Sam
_______________________________________________
nvo3 mailing list
***@ietf.org<mailto:***@ietf.org>
https://www.ietf.org/mailman/listinfo/nvo3

Hi Greg,

One example of this use case is described in draft-brockners-ippm-ioam-geneve

Jesse

Hi Matthew,
a very promising idea, thank you. But I'll note that "not all OAM packets
created equal", i.e., some, like BFD, usually don't go to the control plane
and handled by a bump-in-a-wire of specialized ACIS altogether. If we are
entertaining the idea to re-purpose the O-bit, may I propose the following:

- remove references to OAM from the Geneve specification and handle OAM
in the separate document (I already have an idea to use EtherType OAM and
light Geneve OAM shim to demux OAM protocols);
- regarding the O-bit I see two options:
- either release it to the Reserved pool;
- or re-name as Mark and one of the possible users would be the
Alternate Marking method.

Regards,
Greg

On Fri, Oct 19, 2018 at 3:26 AM Bocci, Matthew (Nokia - GB) <

Hi Matthew,

Thank you for the suggestion. We've been thinking about it and believe
that this can address everyone's concerns. The description of this bit
already references control messages rather than OAM, so that name
seems like a more accurate reflection of its purpose. It also allows
the flexibility for OAM to be specified separately by not commingling
the two concepts, as Greg mentioned.

We will edit the text to read:

O (1 bit): Control packet. This packet contains a control message.
Control messages are sent between
Geneve endpoints. Endpoints MUST NOT forward the payload and
transit devices MUST NOT attempt to interpret or process it.
Since these are infrequent control messages, it is RECOMMENDED
that endpoints direct these packets to a high priority control
queue (for example, to direct the packet to a general purpose CPU
from a forwarding ASIC or to separate out control traffic on a
NIC). Transit devices MUST NOT alter forwarding behavior on the
basis of this bit, such as ECMP link selection.

Jesse

On Fri, Oct 19, 2018 at 3:26 AM Bocci, Matthew (Nokia - GB)