NVO3 | D. Migault |
Internet-Draft | June 28, 2017 |
Intended status: Standards Track | |
Expires: December 30, 2017 |
Geneve Security Architecture
draft-mglt-nvo3-geneve-security-architecture-00
This document describes the Geneve Security Architecture.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 30, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
[I-D.ietf-nvo3-encap] and [I-D.mglt-nvo3-security-requirements] clearly state the need to secure the Geneve overlay network and provide means to authenticate the Geneve Header as well as being able to encrypt the Geneve Payload.
Both of these requirements are fulfilled with specific Geneve Security Options. More explicitly, [I-D.mglt-nvo3-geneve-authentication-option] defines an option that authenticate the Geneve fixed Header and optionally a set of Geneve Option as well as a portion of the Geneve Payload. [I-D.mglt-nvo3-geneve-encryption-option] defines a Geneve Option that enables to encrypt a subset of Geneve Options as well as a portion of the Geneve Payload. Further descriptions on how an Geneve Security Option is treated is out of the scope of this document.
This document defines how the Geneve overlay can be secured properly. A Geneve Element may handle different Geneve overlay networks associated with different level of security. This document defines how to associate a level of security to an Geneve overlay network. In addition, a security level for a given overlay network may result in a combination of multiple Geneve Security Options. As the order these Geneve Security Options are processed matters, it is necessary the sending and receiving Geneve Element have similar behaviours in order to guarantee interoperability while securing a Geneve overlay Network.
This document explains how Geneve Security Policies and Geneve Security Associations are organized to associate a given level of security to an Geneve overlay network. In addition, this document also exposes how the Geneve Security Module implementing the security interacts with the Geneve architecture.
The Geneve Security Architecture is represented in figure Figure 1. Geneve security is enforced by the Geneve Security Module. The Geneve Security Policies (GSP) define which which flows inside a virtuial network needs to be secured by associating a action SECURE, BYPASS or DISCARD to each Geneve Packet. When a Geneve Packet is tagged as SECURE, the GSP provides specific structures known as Geneve Security Associations (GSA) that describe how the Geneve Packet MUST be secured. Typically, the GSA defines the type of option (Geneve Authentication Option (GAO) or the Geneve Encryption Option (GEO) to be computed or validated, as well as the necessary material such as the appropriated counters, the necessary keys to compute and validate the GSO. GSP and GSA are respectively stored in GSP Database (GSP DB) and GSA Database (GSA DB).
For outbound traffic, the Geneve Security Module receives a non secured Geneve Packet and is responsible to secure that Geneve Packet with the appropriated GSOs - as defined by the GSP/GSAs. Once the GSO have been added, Outer Encapsulation is performed as described in [I-D.ietf-nvo3-geneve] i.e. the Geneve Packet is being encapsulated with Outer Ethernet / Outer IPv4 or IPv6 / and Outer UDP.
For inbound traffic, the Geneve Security Module defines whether a incoming Geneve Packet must be secured or not as defined by the GSP. If a Geneve Packet does not have to be secured, any GSO found is ignored. Otherwise, the Geneve Security Module validates each GSO, and check the validated GSOs are conformed to the defined GSP. The last step is necessary to make sure that in addition to valid security options, the expected GSO were encountered.
This document assumes that all nodes GSP DB and GSA DB are appropriately provisioned by the control plane.
outbound packets inbound packets | ^ v | +-----------------------------+ +-------------------------------+ | Geneve | | Geneve | +-----------------------------+ +-------------------------------+ | Geneve Security Module | | Geneve Security Module | | +---------+| | +-----------+| | Computation | GSA DB || | Check | GSA DB || | |... || | ^ BYPASS |... || |+--------+ SECURE |+-------+|| |+--------+ SECURE |+---------+|| || GSP DB |------->|| GSA ||| || GSP DB |------->|| GSA ||| |+--------+ |+-------+|| |+--------+ |+---------+|| | v (DISCARD) +---------+| | ^ (DISCARD) +-----------+| | BYPASS | | | +-----------------------------+ +-------------------------------+ | Outer Encapsulation | | Outer Decapsulation | +-----------------------------+ +-------------------------------+ | ^ v | ----------------------------------------------------------------- Network
Figure 1: Geneve Security Architecture
The GSP DB contains a list of GSP that associates a Geneve Packet with a specific action BYPASS, DISCARD, SECURE.
The matching between a Geneve Packet and an action is performed through Selectors. These Selectors associated to specific values defined whether a Geneve Packet match a given GSP. As GSO may result in encrypting a Selector, a GSP lookup is always performed with a "clear text" Geneve Packet. More specifically, the GSP lookup for a Geneve Packet associated with the SECURE action is performed before the GSO is being added or after the GSO has been validated. For outbound Geneve Packet, a GSP DB look up is performed using the Selectors' value before the GSO is computed. In that case, the GSP will even provide the required structure to generate the GSO. On the other hand, for incoming traffic, the GSO is identified by an identifier carried by the Geneve Packet, a GSP look up is performed once the GSO has been valiated / decryped. As a consequence, the same GSP DB is shared by the sending and the receiving Geneve Element.
When BYPASS is selected, then the Geneve Security Module forwards the matching Geneve to the next layer. As represented in Figure 1, the next layer of an outbound Geneve Packet is the Outer Encapsulation while the next layer of an incoming Geneve Packet is the Geneve layer . When DISCARD is selected, the Geneve Security Module is expected to drop the matching Geneve Packet. When a SECURE action is selected the associated GSAs MUST be provided. For outbound Geneve Packet, the GSAs provided will be used in order to appropriately generate the GSO. On the other hand, for incoming Geneve Packet, the GSAs are returned so the Geneve Security Module can validate the GSO present in the Geneve Packet are conform to the GSP.
It is worth noting that for incoming Geneve Packet, those not tagged as BYPASS or DISCARD are by default considered as tagged as SECURE. This means that the GSP DB may be split into sub databases that contains GSP associated to a specific action. GSP DB (DISCARD/BYPASS) may contain all GSP associated to the DISCARD and BYPASS rules while GSP DB (SECURE) contains all GSP associated to the action SECURE. By doing so, a incoming Geneve Packet may be associated to the SECURE action without performing a lookup on GSP DB (SECURE). This does not prevents the Geneve Security Module from validating the GSO found in the incoming Geneve Packet, as these GSO are carrying a specific Identifier. On the other hand, the GSP DB (SECURE) MUST be lookup in order to validate that all GSO defined by the security policies have been appropriately validated.
The Selectors are the elements read from the packet in order to match a GSP. When a Selector is expected to be found in the Geneve Packet, the Selectors values that match the condition are indicated with a range or a list of matching values. For clarity, this document uses ANY to indicate the full range. When the Selector may not exist or may not be accessible and must be ignored to evaluate the matching condition, it is qualified of being OPAQUE.
Geneve Header Selectors:
Additional Selectors are considered within the Geneve Payload. The Selectors provided below are expected to enable different GSP according to the protection of the traffic. Typically, the Geneve overlay network may protect differently traffic that is already protected by the tenants with IPsec, DTLS/TLS, or SSH.
Geneve Security Policies are unidirectional. A GSP is composed of:
The GSP DB is an ordered list of GSP.
According to [I-D.ietf-nvo3-geneve], the associated Geneve Version is 0, a sender MUST set Rsv and Reserved to zero. When the sender only supports [I-D.ietf-nvo3-geneve], it may performed a sanity check for its outbound packets. The rules can be places at the beginning of the GSP DB.
Selector | Value | Action ------------------------------------------------------- Geneve Version | [1 ... 4] (non-zero) | OAM | [0,1] (ANY) | Critical | [0,1] (ANY) | Rsv | [0, ... ,63] (ANY) | DISCARD Protocol | [0, ..., 65535] (ANY) | VNI | [0, ..., 16777215] (ANY) | Reserved | [0, ..., 255] (ANY) | Geneve Options | OPAQUE | Next Header | [0, ..., 255] (ANY) | Port Source | OPAQUE | Port Destination | OPAQUE | ------------------------------------------------------- Geneve Version | [0 ... 4] (ANY) | OAM | [0,1] (ANY) | Critical | [0,1] (ANY) | Rsv | [1, ... ,63] (non-zero) | DISCARD VNI | [0, ..., 65535] (ANY) | Reserved | [0, ..., 15] (ANY) | Geneve Options | OPAQUE | Next Header | [0, ..., 255] (ANY) | Port Source | OPAQUE | Port Destination | OPAQUE | ------------------------------------------------------- Geneve Version | [0 ... 4] (ANY) | OAM | [0,1] (ANY) | Critical | [0,1] (ANY) | Rsv | [1, ... ,63] (ANY) | DISCARD VNI | [0, ..., 65535] (ANY) | Reserved | [1, ..., 15] (non-zero) | Geneve Options | OPAQUE | Next Header | [0, ..., 255] (ANY) | Port Source | OPAQUE | Port Destination | OPAQUE | -------------------------------------------------------
Figure 2: Example 1: Geneve Security Policy for [I-D.ietf-nvo3-geneve] compliance (sender)
By default a Geneve Security Madule may DISCARD any Geneve packet that have no matching This is indicated by the following GSP at the end of the GSP DB.
Selector | Value | Action ------------------------------------------------------- Geneve Version | [0 ... 4] (ANY) | OAM | [0,1] (ANY) | Critical | [0,1] (ANY) | Rsv | [0, ... ,63] (ANY) | DISCARD Protocol | [0, ..., 65535] (ANY) | VNI | [0, ..., 16777215] (ANY) | Reserved | [0, ..., 255] (ANY) | Geneve Options | OPAQUE | Next Header | [0, ..., 255] (ANY) | Port Source | OPAQUE | Port Destination | OPAQUE | -------------------------------------------------------
Figure 3: Example 2: Geneve Security Policy for [I-D.ietf-nvo3-geneve] compliance (sender)
The example below details a GSP that proceeds to a specific treatment to the traffic between tenant using ESP. The specific treatment could typically only authenticate the Geneve Packet or partially encrypt the Geneve Payload, in order to only hide the Inner headers - including the ESP header - up to the ESP payload.
In the example, the GSP apply the same GSAs whatever the Geneve Header informations are. More specifically, all virtualized network share the same GSAs.
Selector | Value | Action ------------------------------------------------------- Geneve Version | [0 ... 4] (ANY) | OAM | [0,1] (ANY) | Critical | [0,1] (ANY) | Rsv | [0, ... ,63] (ANY) | SECURE Protocol | [0, ..., 65535] (ANY) | [GSA1, GSA2] VNI | [0, ..., 16777215] (ANY) | Reserved | [0, ..., 255] (ANY) | Geneve Options | OPAQUE | Next Header | [50] (ESP) | Port Source | OPAQUE | Port Destination | OPAQUE | -------------------------------------------------------
Figure 4: Example 3: Geneve Security Policy for ESP protect traffic
GSA DB contains all GSAs. GSA are expected to contain all the necessary information for the Geneve Security Module to compute the GSO by both the sender and teh receiver. This includes for example the cryptographic keys to encrypt ( resp. authenticate) as well as to decrypt (resp. validate) the Geneve Packet. In addition, the GSA also contains parameters associated to the protection of the security option such as the anti-replay mechanisms as well as the management of that options such as its lifetime.
For outbound traffic, the concerned GSA are provided by the GSP. In this case, it is the purpose of the implementation of Geneve Security Module to provide that appropriated reference. Most likely, the appropriated GSAs will be designated using a memory address.
For inbound traffic, the concerned GSA is designated by the associated GSO with a GSO-ID. In that case the appropriated GSA is retrieved using this index.
A GSA contains the following information:
When the security option includes some encryption operation, the following parameters are provided. Note that as recommended by [I-D.ietf-ipsecme-rfc7321bis], encryption is authenticated encryption.
When the security option includes a dedicated authentication operation ( that is not part of the encryption), the following parameters are provided:
The following parameters indicate the coverage of the security
In order to implement the anti replay mechanisms the following parameters are provided:
In order to check the conformity with the GSP:
This section assumes that the GSA is valid. Unvalid GSA MUST be deleted or considered as non existing by either the sender or the receiver.
For inbound Geneve Packets:
When the Geneve Packet is believed to be SECURed.
When all Geneve Security Options have been validated, the Geneve Packet is matched against the GSP DB to validate the GSA-ID listed in the security context match those returned by the GSP DB. Note that the receiver and the sender MUST have the same GSA-IDs, however, computation and validation are processed in a different order.
There are no IANA consideration for this document.
[I-D.ietf-ipsecme-rfc7321bis] | Wouters, P., Migault, D., Mattsson, J., Nir, Y. and T. Kivinen, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)", Internet-Draft draft-ietf-ipsecme-rfc7321bis-06, June 2017. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[I-D.ietf-nvo3-encap] | Boutros, S., Ganga, I., Garg, P., Manur, R., Mizrahi, T., Mozes, D. and E. Nordmark, "NVO3 Encapsulation Considerations", Internet-Draft draft-ietf-nvo3-encap-00, June 2017. |
[I-D.ietf-nvo3-geneve] | Gross, J., Ganga, I. and T. Sridhar, "Geneve: Generic Network Virtualization Encapsulation", Internet-Draft draft-ietf-nvo3-geneve-04, March 2017. |
[I-D.mglt-nvo3-geneve-authentication-option] | Migault, D., "Geneve Authentication Option", July 2017. |
[I-D.mglt-nvo3-geneve-encryption-option] | Migault, D., "Geneve Encryption Option", July 2017. |
[I-D.mglt-nvo3-security-requirements] | Migault, D., "Geneve Security Requirements", July 2017. |