I see value in being able to see the UDP ports in the middle of the
network. But, even more so, the entropy can still be used for
link aggregation group and/or ECMP hashing by transit routers.

Stephen.

On Wed, Jun 3, 2015 at 9:31 AM, Liuyuanjiao <[email protected]> wrote:

>  Dear Stephen:
>
>        If we want to keep the UDP un-encrypted, then we need to
> encrypt the VXLAN parts (body and header) or the VXLAN payload (body only).
>
>        Do we have some scenario in which we need to show the UDP ports in the
> middle network?
>
>        Because if we need the UDP ports to be shown for special usage,
> then we could not use IPsec or a transport-layer security method to do
> encryption.
>
> Best Regards
>
>        Liu Yuanjiao
>
>
> *From:* Stephen Suryaputra [mailto:[email protected]]
> *Sent:* 3 June 2015 21:20
> *To:* Liuyuanjiao
> *Cc:* Dacheng Zhang; Michael Shieh; David Mozes; Xuxiaohu; [email protected]
> *Subject:* Re: [nvo3] Re: VxLAN Security Consideration
>
> I think it is also important to keep the UDP header unencrypted since the
> source port is the entropy.
>
> Regards,
>
> Stephen.
>
> On Wed, Jun 3, 2015 at 5:15 AM, Liuyuanjiao <[email protected]>
> wrote:
>
> Dear Zhang Dacheng:
>
>          Now, in the middle network, we need to monitor the traffic based
> on the VNI. But if we use IPsec, we could not see the VNI anymore.
>
>          So the users could not monitor the traffic per VNI; they can
> only monitor the overall VXLAN tunnel traffic.
>
>          Another scenario is: we want to steer the users' traffic based
> on VNI onto different underlay paths. But if we cannot see the VNI, we could not
> do it, because in one VXLAN tunnel we may have several VNIs.
>
> Best Regards
>
>          Liu Yuanjiao
>
> *From:* Dacheng Zhang [mailto:[email protected]]
> *Sent:* 3 June 2015 9:57
> *To:* Michael Shieh; David Mozes
> *Cc:* Xuxiaohu; [email protected]; Liuyuanjiao
> *Subject:* Re: [nvo3] VxLAN Security Consideration
>
>  I think both IPsec and DTLS would work.
>
>     The middle network is not controlled by the customer or the service
> provider; it's provided by a third-party company, so the environment is not trusted.
> We need to encrypt the VxLAN packets or VxLAN payload for our user data.
>
>     Currently, there is no such specific method; I think we need to provide one way
> to resolve it.
>
> A question for Yuanjiao: are there any cases in which we need to only
> encrypt the vxlan payloads while transporting the headers in plain text? If
> so, the condition could be a little more complex.
>
> Cheers
>
> Dacheng
>
> Best Regards
>
>          Liu Yuanjiao
>
> _______________________________________________
> nvo3 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
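The trade-off discussed in this thread (UDP source-port entropy for ECMP/LAG hashing by transit routers, and VNI visibility in the middle network under IPsec, DTLS or payload-only encryption), as an added Python model that is not part of the thread or any project. The VTEP addresses, VNIs, flows and the ECMP hash function are constructed stand-ins; the "dtls" mode stands for encrypting the VXLAN header and body inside UDP, and "ipsec-esp" for ESP tunnel mode with one SA per VTEP pair.

```python
import hashlib
import struct
import zlib

VXLAN_PORT = 4789  # RFC 7348 well-known destination port

def vxlan_source_port(inner_headers: bytes) -> int:
    """RFC 7348 entropy: hash of the inner headers placed in the dynamic port range."""
    return 49152 + zlib.crc32(inner_headers) % (65535 - 49152)

def build_vxlan_packet(outer_src: str, outer_dst: str, vni: int, inner_headers: bytes) -> dict:
    """Outer IP/UDP fields plus the 8-byte VXLAN header (I flag set, VNI in bits 8..31)."""
    vxlan_hdr = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)
    return {"src": outer_src, "dst": outer_dst, "proto": 17,
            "sport": vxlan_source_port(inner_headers), "dport": VXLAN_PORT,
            "vxlan": vxlan_hdr, "inner": inner_headers}

def transit_view(pkt: dict, mode: str):
    """Return (fields a transit router can hash on, visible VNI or None)."""
    five_tuple = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
    if mode in ("plain", "payload-only"):  # VXLAN header in the clear
        return five_tuple, struct.unpack("!I", pkt["vxlan"][4:])[0] >> 8
    if mode == "dtls":  # UDP ports visible, VXLAN header and body encrypted
        return five_tuple, None
    if mode == "ipsec-esp":  # ESP tunnel mode: outer IPs and protocol 50 only (one SPI per SA)
        return (pkt["src"], pkt["dst"], 50), None
    raise ValueError(mode)

def ecmp_bucket(fields: tuple, n_paths: int) -> int:
    """Constructed stand-in for a router's ECMP hash over the visible fields."""
    digest = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def paths_used(packets: list, mode: str, n_paths: int = 4) -> set:
    """Set of underlay paths the flows are spread over under a given protection mode."""
    return {ecmp_bucket(transit_view(p, mode)[0], n_paths) for p in packets}

def sample_flows(n: int = 64) -> list:
    """Constructed: n tenant flows across four VNIs, all between the same pair of VTEPs."""
    return [build_vxlan_packet("10.0.0.1", "10.0.0.2", 100 + i % 4,
                               b"192.168.1.%d->192.168.2.%d" % (i, i)) for i in range(n)]

if __name__ == "__main__":
    flows = sample_flows()
    for mode in ("plain", "payload-only", "dtls", "ipsec-esp"):
        # ESP collapses every tenant flow onto one path and hides the VNI
        print(mode, sorted(paths_used(flows, mode)), transit_view(flows[0], mode)[1])
```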
