Please read this draft https://tools.ietf.org/id/draft-hy-gue-4-secure-transport-02.txt
GUE provides the security mechanism for NVO3 encapsulation. Any VxLAN enhancement requirements are for GUE, VXLAN-GPE, and Geneve. Lucy From: nvo3 [mailto:[email protected]] On Behalf Of Dacheng Zhang Sent: Wednesday, June 03, 2015 9:56 AM To: Liuyuanjiao; Michael Shieh; David Mozes Cc: Xuxiaohu; [email protected] Subject: Re: [nvo3] 答复: VxLAN Security Consideration Ok, if there are really such requirements, maybe it is a good idea for us to design a security mechanism for vxlan, which can protect the integrity of the vxlan headers while encrypting the payloads. Open for discussion… ^_^ Cheers Dacheng 发件人: Liuyuanjiao <[email protected]<mailto:[email protected]>> 日期: 2015年6月3日 星期三 下午5:15 至: dacheng de <[email protected]<mailto:[email protected]>>, Michael Shieh <[email protected]<mailto:[email protected]>>, David Mozes <[email protected]<mailto:[email protected]>> 抄送: Xuxiaohu <[email protected]<mailto:[email protected]>>, "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> 主题: [nvo3] 答复: VxLAN Security Consideration Dear Zhang Dacheng: Now, in the middle network, we need to monitor the traffic basing on the VNI. But if we use IPSec, we could not see VNI anymore. So the users could monitor the traffic in the way of VNI, only can monitor the vxlan tunnel overall traffic. Another scenario is: we want to adjust the users traffic basing on VNI into different underlay paths. But if VNI do not see, we could not do it. Because in one vxlan tunnel, we may have server VNIs. Best Regards Liu Yuanjiao 发件人: Dacheng Zhang [mailto:[email protected]] 发送时间: 2015年6月3日 9:57 收件人: Michael Shieh; David Mozes 抄送: Xuxiaohu; [email protected]<mailto:[email protected]>; Liuyuanjiao 主题: Re: [nvo3] VxLAN Security Consideration I think both ipsec and dtls would work. The middle network is not controlled by customer and the service provider, it’s provided by 3nd company, so the environment is not trusted, we need to encrypt the VxLAN packets or VxLAN payload for our user data.Dear Currently, no such specific method, I think we need to provide one way to resolve it. A question for Yuanjian, are there any cases in which we need to only encrypt the vxlan payloads while transporting the headers in plain text? If so, the condition could be a little more complex. Cheers Dacheng Best Regards Liu Yuanjiao _______________________________________________ nvo3 mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/nvo3 This message is for the designated and authorized recipient only and may contain privileged, proprietary, confidential or otherwise private information relating to vArmour Networks, Inc. and is the sole property of vArmour Networks, Inc. Any views or opinions expressed are solely those of the author and do not necessarily represent those of vArmour Networks, Inc. If you have received this message in error, or if you are not authorized to receive it, please notify the sender immediately and delete the original message and any attachments from your system immediately. If you are not a designated or authorized recipient, any other use or retention of this message or its contents is prohibited. _______________________________________________ nvo3 mailing list [email protected]<mailto:[email protected]>https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________ nvo3 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nvo3
