________________________________________
From: Zu Qiang [[email protected]]
Sent: 3 March 2014 23:52
To: Zhangdacheng (Dacheng); [email protected]
Subject: RE: [nvo3] I-D Action: draft-ietf-nvo3-security-requirements-02.txt

> The attacks performed on both control plane and data plane should be
> considered.

[Zu Qiang] Two questions:

- Is there a control plane between TS and NVO3 defined by the framework draft or the architecture draft?

Dacheng: No. In the security requirement work, the control-plane protection between NVEs and hypervisors is discussed.

- Is there any TS data security requirement added in your draft? If yes, which one can prevent such a data plane attack from a TS?

Dacheng: Actually, we do not try to introduce additional attacks that were not discussed before into the discussion. According to the comments in the last meeting, we just further break the outside attacks down into the attacks from compromised TSes and the attacks from underlying networks.

Dacheng: Req6 specifies that an NVE can only send control packets to the NVA at a limited rate. This requirement can be used to deal with the cases where an attacker tries to perform DoS attacks by generating a large amount of, for instance, fake ARP packets. If you think the requirements in the document are not sufficient, please give your comments. Thanks. ^_^

> In addition, we also consider the possible attacks from compromised network
> appliances which are located between NVEs and hypervisors. That is why
> we think the packet-level protection for NVE-hypervisor data/control planes is
> important.

[Zu Qiang] Is this type of attack covered by any threat model in your draft?

Dacheng: According to the terms specified in the framework draft, a TS is a physical or virtual system that can play the role of a host or a forwarding element (router, switch, or firewall). So, this type of attack could be covered by the attacks from compromised TSes.

Comments?

Dacheng

Have a nice day
Zu Qiang

> If there is anything missed, please feel free to let us know.
>
> Cheers
>
> Dacheng
> ________________________________________
> From: Zu Qiang [[email protected]]
> Sent: 3 March 2014 22:11
> To: Zhangdacheng (Dacheng); [email protected]
> Subject: RE: [nvo3] I-D Action: draft-ietf-nvo3-security-requirements-02.txt
>
> The question I have given in the WG discussion is that you have added a new
> threat model, "Attacks from malicious TSes". Do you mean this attack is
> initiated by a TS, and the TS will attack the NVO3 directly using the data plane? Or
> do you mean the TS will try to crash the hypervisor and then attack the attached
> NVE using the hypervisor-NVE control plane? Please clarify it.
>
> Have a nice day
> Zu Qiang
>
>> -----Original Message-----
>> From: nvo3 [mailto:[email protected]] On Behalf Of Zhangdacheng
>> (Dacheng)
>> Sent: Friday, January 24, 2014 4:40 AM
>> To: [email protected]
>> Subject: Re: [nvo3] I-D Action:
>> draft-ietf-nvo3-security-requirements-02.txt
>>
>> Hello:
>>
>> We just finished an update of the security requirement document
>> according to the comments we got on the list and at the last meeting.
>> In this update, we:
>>
>> 1) update the diagram of the NVO3 overlay architecture
>> 2) propose a new classification of attacks
>> 3) re-write the contents related to key management
>> 4) add the discussion of the NVA-NVA control plane
>> 5) re-write the scope of this work
>> 6) change the confidentiality requirements to optional
>>
>> In addition, we list some security issues (e.g., accountability,
>> security protection on the management interface) in section 8.2 for
>> discussion. We need your suggestions before adding anything in the list
>> into the document as requirements.
>>
>> So, please let us know if you have any comments or suggestions. ^_^
>>
>> Cheers.
>>
>> Dacheng
>>
>>
>>> -----Original Message-----
>>> From: nvo3 [mailto:[email protected]] On Behalf Of
>>> [email protected]
>>> Sent: Friday, January 24, 2014 5:20 PM
>>> To: [email protected]
>>> Cc: [email protected]
>>> Subject: [nvo3] I-D Action:
>>> draft-ietf-nvo3-security-requirements-02.txt
>>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Network Virtualization Overlays
>>> Working Group of the IETF.
>>>
>>> Title : Security Requirements of NVO3
>>> Authors : Sam Hartman
>>> Dacheng Zhang
>>> Margaret Wasserman
>>> Filename : draft-ietf-nvo3-security-requirements-02.txt
>>> Pages : 18
>>> Date : 2014-01-24
>>>
>>> Abstract:
>>> The draft describes a list of essential requirements in order to
>>> benefit the design of NVO3 security solutions. In addition, this
>>> draft introduces the candidate techniques which could be used to
>>> construct a security solution fulfilling these security requirements.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-nvo3-security-requirements/
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-02
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-nvo3-security-requirements-02
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> nvo3 mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/nvo3
>> _______________________________________________
>> nvo3 mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
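The Req6 point in the thread above (an NVE may only send control packets to the NVA at a limited rate, so a compromised TS flooding fake ARP cannot exhaust the NVA) can be illustrated with a per-NVE token bucket applied at the NVA. This is an added example, not text or code from the draft or from either author; the message format, the 10 messages/s rate and the burst of 20 are assumptions, and the traffic is constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class NveBucket:
    """Token bucket (integer milli-tokens) for one NVE's control messages."""
    tokens: int      # current milli-tokens (1000 = one control message)
    last_ms: int     # time of the last update, in milliseconds

class NvaControlPlaneLimiter:
    """Per-NVE rate limit on control messages arriving at an NVA.

    Req6 only says the NVE-to-NVA control rate is limited; the limiter shape,
    the 10 msg/s rate and the burst of 20 are assumptions for this example.
    """
    def __init__(self, rate_per_s=10, burst=20):
        self.rate = rate_per_s          # refill: rate_per_s milli-tokens per ms
        self.burst_mt = burst * 1000    # bucket capacity in milli-tokens
        self.buckets = {}
        self.dropped = Counter()        # per-NVE drop count: input for alerting

    def allow(self, nve_id, now_ms):
        b = self.buckets.get(nve_id)
        if b is None:                   # first message from this NVE: full bucket
            b = self.buckets[nve_id] = NveBucket(self.burst_mt, now_ms)
        b.tokens = min(self.burst_mt, b.tokens + (now_ms - b.last_ms) * self.rate)
        b.last_ms = now_ms
        if b.tokens >= 1000:
            b.tokens -= 1000
            return True
        self.dropped[nve_id] += 1       # over budget: drop, never queue
        return False

def process(messages, limiter):
    """messages: (time_ms, nve_id, payload) tuples in arrival order; returns accepted ones."""
    return [m for m in messages if limiter.allow(m[1], m[0])]

def simulate():
    # Constructed traffic: nve-2 pushes 500 address-mapping updates in one second
    # (what a compromised TS behind it could cause with fake ARP), one every 2 ms;
    # nve-1 sends one legitimate update every 500 ms and must not be affected.
    flood = [(2 * i, "nve-2", {"type": "map-update", "ip": f"10.0.0.{i % 250}"}) for i in range(500)]
    normal = [(500 * i, "nve-1", {"type": "map-update", "ip": "10.0.1.1"}) for i in range(3)]
    msgs = sorted(flood + normal, key=lambda m: m[0])
    lim = NvaControlPlaneLimiter()
    accepted = process(msgs, lim)
    per_nve = Counter(m[1] for m in accepted)
    return dict(per_nve), dict(lim.dropped)

if __name__ == "__main__":
    print(simulate())   # ({'nve-1': 3, 'nve-2': 29}, {'nve-2': 471})
```

The flooding NVE is held to its burst plus one second of refill while the other NVE's bucket is untouched; the per-NVE drop counter is the signal a defender would feed into monitoring.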
