On Sat, Feb 15, 2014 at 7:51 PM, Pankaj Garg <[email protected]> wrote:
> For NVGRE, the 24-bit was chosen, to keep few reserved bits in the Key fields
> for future use and 24-bit ID seemed enough, which we ended up reclaiming for
> FlowId in a future revision.
>
Yes, but unfortunately nvgre shortchanges both the vni and flow ID. A
new protocol without legacy constraints should do better than that!

> I am not sure I understand why reserve bits are needed for categorizing the
> networks. Isn't it possible to use the range? in any case, I don't have a
> good reason for 24-bit vs 32-bit vs 64-bit, beside the fact that 24-bit
> seemed good enough and so far we haven't heard any problems with it, at
> least, in the context of NVGRE.

At one point IPv4 address space seemed large enough also! In any case,
even if 24 bits were sufficient, why use the upper 24 bits of the
word? If this was in the lower 24 bits then that would at least allow
the option of expanding the space into the upper 8 bits with backwards
compatibility.

>
> As you mention, if obfuscation based security is needed, even 32-bits won't
> be sufficient. I don't believe we are trying to solve the security problem of
> snooping VNI. However, if it needs to be solved, one option is to use IPsec
> or some other encryption to make the header completely opaque to the transit
> network as described in the NVGRE draft.
>
Security is a major issue, and I believe should be a top consideration
in the development of these encapsulation protocols (personally I'm
hoping encryption becomes ubiquitous in the lifetime of these
protocols even within DC).

Consider the real ramifications of using IPsec with something like
vxlan. To secure the packet headers would entail doing IPsec over the
UDP/vxlan header, for example we'd have something like
IP-ESP-UDP-vxlan-inner_packet. This has several deficiencies:

1) We no longer have UDP in the outer header so we lose its usefulness
to providing a flow hash in network devices. We can recover this by
another UDP encapsulation giving IP-UDP-ESP-UDP-vxlan-inner_packet,
but encap'ing packets twice in UDP is hardly elegant or efficient.
2) The vni is not in the outermost headers and might be encrypted
anyway. This eliminates the ability to firewall within the network
based on vni.
Strict partitioning of tenants in the physical network will be an
important feature even with the use of IPsec.
3) When inner headers are encrypted we lose visibility within the
network for flows. This substantially impacts using sflow and other
taps to diagnose networking issues within the fabric.

What I think we want in such a case looks like
IP-UDP-encap-IPsec-inner_packet. That is, have UDP and encap header in
the outer header which includes vni and probably a flow identification
token. In any case, whether or not IPsec is used, the encap header
really needs to be secured somehow. Maintaining isolation between
virtual networks is super critical, in the case of third party vms we
can't assume the monitoring and detection which is already deployed in
the native infrastructure.

Thanks,
Tom

> Pankaj
> ________________________________________
> From: Tom Herbert <[email protected]>
> Sent: Sunday, February 16, 2014 3:51
> To: Pankaj Garg
> Cc: [email protected]
> Subject: Re: [nvo3] FW: New Version Notification for draft-gross-geneve-00.txt
>
> I have a general question on vsid, vnid's.
>
> nvgre, vxlan, and now Geneve all define a 24 bit virtual network
> identifier in their packet formats. What is so magical about this
> size? I can understand that nvgre needs to not use full 32 bits in
> keyid and wants some bits for flow hash, but UDP based encapsulations
> should not have that consideration. While on paper these might allow
> 16M ids, in practice even a moderately large deployment will want to
> do hierarchical allocation, reserve some high order bits for special
> classes (like "trusted", "internal", etc.), and might do masked block
> assignments for customers-- so with 24 bits we may be facing future
> scaling issues. In GUE we defined a 32 bit vnid which should allow
> more scaling, but if we need to obfuscate the vni for things like
> security then even that might not be large enough!
>
> Thanks,
> Tom
>
>
> On Fri, Feb 14, 2014 at 4:22 PM, Pankaj Garg <[email protected]>
> wrote:
>> As a co-author on this draft, feedback is requested.
>>
>> Sent from my Windows Phone
>> ________________________________
>> From: [email protected]
>> Sent: 2/15/2014 4:05 AM
>> To: T.Sridhar; Ilango Ganga; Jesse Gross; Ilango Ganga; Pankaj Garg; Chris
>> Wright; Pankaj Garg; Chris Wright; T. Sridhar; Jesse Gross
>> Subject: New Version Notification for draft-gross-geneve-00.txt
>>
>>
>> A new version of I-D, draft-gross-geneve-00.txt
>> has been successfully submitted by Jesse Gross and posted to the
>> IETF repository.
>>
>> Name: draft-gross-geneve
>> Revision: 00
>> Title: Geneve: Generic Network Virtualization Encapsulation
>> Document date: 2014-02-14
>> Group: Individual Submission
>> Pages: 23
>> URL:
>> http://www.ietf.org/internet-drafts/draft-gross-geneve-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-gross-geneve/
>> Htmlized: http://tools.ietf.org/html/draft-gross-geneve-00
>>
>>
>> Abstract:
>> Network virtualization involves the cooperation of devices with a
>> wide variety of capabilities such as software and hardware tunnel
>> endpoints, transit fabrics, and centralized control clusters. As a
>> result of their role in tying together different elements in the
>> system, the requirements on tunnels are influenced by all of these
>> components. Flexibility is therefore the most important aspect of a
>> tunnel protocol if it is to keep pace with the evolution of the system.
>> This draft describes Geneve, a protocol designed to recognize and
>> accommodate these changing capabilities and needs.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>> _______________________________________________
>> nvo3 mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/nvo3
>>

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
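
Added example, not part of the original thread or of any draft it discusses: a Python sketch of the two points argued above, namely where the 24-bit ID sits in the VXLAN (RFC 7348) and NVGRE (RFC 7637) words, and how little room hierarchical allocation leaves in 24 bits. The allocation plan (4 class bits, 12 customer bits), the function names and the sample values are assumptions made for illustration.

```python
import struct

VXLAN_FLAG_I = 0x08  # "VNI valid" flag in the first header byte (RFC 7348)

def parse_vxlan_vni(hdr):
    """Return the 24-bit VNI from an 8-byte VXLAN header."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", hdr[:8])
    if not ((word0 >> 24) & VXLAN_FLAG_I):
        raise ValueError("I flag clear, VNI not valid")
    return word1 >> 8  # VNI is the UPPER 24 bits; the low 8 are reserved

def split_nvgre_key(key):
    """Split the 32-bit GRE key as NVGRE does: (24-bit VSID, 8-bit FlowID)."""
    return key >> 8, key & 0xFF

def encode_upper(vni24):
    """Placement used today: ID in the upper 24 bits of the word."""
    return (vni24 & 0xFFFFFF) << 8

def encode_lower(vni24):
    """Placement suggested in the reply: ID in the lower 24 bits."""
    return vni24 & 0xFFFFFF

def read_as_32bit_id(word):
    """Hypothetical later endpoint that treats the whole word as a 32-bit ID."""
    return word & 0xFFFFFFFF

def make_vni(cls, customer, net, width=24):
    """Assumed plan: 4 class bits, 12 customer bits, the rest per-customer nets."""
    net_bits = width - 16
    if cls >= 1 << 4 or customer >= 1 << 12 or net >= 1 << net_bits:
        raise ValueError("field does not fit in a %d-bit ID" % width)
    return (cls << (width - 4)) | (customer << net_bits) | net

def vni_in_block(vni, block, mask):
    """Masked block match, as a transit filter partitioning tenants would use."""
    return (vni & mask) == (block & mask)

if __name__ == "__main__":
    vni = make_vni(0x1, 0x0AB, 0x05)              # constructed sample values
    hdr = struct.pack("!II", VXLAN_FLAG_I << 24, encode_upper(vni))
    print(hex(parse_vxlan_vni(hdr)))              # what a transit device sees
    print(vni_in_block(vni, 0x10AB00, 0xFFFF00))  # tenant block filter
    print(read_as_32bit_id(encode_upper(vni)) == vni)  # upper placement breaks
    print(read_as_32bit_id(encode_lower(vni)) == vni)  # lower placement widens
```

Under this assumed plan a 24-bit ID leaves each customer 256 networks, while width=32 leaves 65536.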
