Internet Engineering Task Force
Internet-Draft
Intended status: Informational
Expires: August 22, 2013

Z. Cao
G. Chen
China Mobile
February 18, 2013
Authentication Issues in Network Virtualization Overlays
draft-tsao-nvo3-auth-issues-00
Abstract
This document describes the issues of authenticating a new end-device
in a virtual data center. This short document tries to initiate the
discussion about the authentication issues in the virtualized data
centers.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 22, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Cao & Chen Expires August 22, 2013 [Page 1]
Internet-Draft nvo authen February 2013
Table of Contents
1. Introduction and All . . . . . . . . . . . . . . . . . . . . . 3
2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Normative References . . . . . . . . . . . . . . . . . . . 4
4.2. Informative References . . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction and All
The IETF is developing technologies that use overlay networks to
support large-scale virtual data centers. [I-D.ietf-nvo3-framework]
provides a framework for Network Virtualization over L3 (NVO3), and
[I-D.ietf-nvo3-overlay-problem-statement] summarizes the problems of
virtual data centers that use layer-3 overlay technologies. Network
virtualization overlays in data centers essentially provide true
virtualization and separation of virtual networking from the
physical devices. Virtual networking for a tenant is completely
decoupled from the DC physical network in terms of configuration,
address allocation, location, mobility, etc.
This short document tries to initiate the discussion about the
authentication issues in virtualized data centers. Although the
issue has not been mentioned in the problem statement document, we
believe it is necessary for the audience to look into this issue.
A tenant in a virtual data center is not static. Its capacity and
size, as well as its configuration, may vary from time to time. When
the tenant owner plans to increase its network capacity and rent more
end-devices (either physical servers or virtual machines, or control
devices such as firewalls and security gateways), the tenant system
MUST be able to authenticate and authorize the new end-device so that
the new devices can be integrated into the existing infrastructure.
The problems are listed below.
1. Network-layer authentication. Service-layer authentication using
user accounts is not an ideal way, due to the lack of fine-
grained layer-3 traffic control. Network-layer authentication is
necessary to employ more accurate control of the devices and
flows in a tenant system. A newly added device can only get
layer-3 connectivity after a successful authentication. This
prevents many known attacks.
2. Access control. Before authentication, the newly added end-
device can have only the necessary control-plane communication
with the centralized or distributed authentication control
servers. After authentication, the data communication capability
is enabled. The Network Virtualization Edge (NVE) should be able
to distinguish authenticated devices from un-authenticated
devices based on their network or lower-layer identities.
3. Routing of authentication traffic. The intermediate device
should be able to route the authentication request to the correct
authentication server. In a virtualized data center, the tenant
ID and the overlay make this problem more complex.
4. Secure service discovery. Service discovery is normally
broadcast or multicast within the domain. In virtual data centers,
to avoid flooding of traffic in both the physical network and the
virtual network, the broadcast domain design should be kept
intact and smart. The service discovery process MUST also be able
to filter out invalid replies from unrelated repositories.
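The following Python model is an added illustration of items 2 through 4 above and is not part of this draft or of any NVO3 implementation. It assumes a constructed per-tenant mapping from VNI to authentication server, a constructed AUTH_PORT, and that the NVE identifies an end-device by the (VNI, source MAC) pair it observes; an unauthenticated device may only reach its own tenant's authentication server, and discovery replies are accepted only from that server.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed value for this example: the port on which tenant
# authentication servers listen. The draft does not specify a protocol.
AUTH_PORT = 3000


@dataclass(frozen=True)
class Packet:
    vni: int        # tenant's virtual network identifier (the overlay "ID")
    src_mac: str    # lower-layer identity the NVE sees for the end-device
    dst_ip: str
    dst_port: int


@dataclass
class NVE:
    # Per-tenant authentication server keyed by VNI (constructed mapping).
    auth_servers: dict[int, str]
    # (vni, src_mac) pairs that have completed authentication.
    authenticated: set[tuple[int, str]] = field(default_factory=set)

    def forward(self, pkt: Packet) -> str:
        """Decide what the NVE does with a frame from an attached device."""
        if (pkt.vni, pkt.src_mac) in self.authenticated:
            return "DATA"                    # data plane enabled after auth
        server = self.auth_servers.get(pkt.vni)
        if server is None:
            return "DROP:unknown-tenant"     # nowhere to route the request
        if pkt.dst_ip == server and pkt.dst_port == AUTH_PORT:
            return f"AUTH:{server}"          # control-plane path only (item 3)
        return "DROP:unauthenticated"        # everything else is blocked (item 2)

    def mark_authenticated(self, vni: int, src_mac: str) -> None:
        """Record a successful authentication for this tenant/device pair."""
        self.authenticated.add((vni, src_mac))

    def accept_discovery_reply(self, vni: int, reply_src_ip: str) -> bool:
        """Item 4: trust only replies from this tenant's own server."""
        return self.auth_servers.get(vni) == reply_src_ip
```

Note that the same MAC address attached to a different VNI is a different identity and must authenticate separately.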
2. IANA Considerations
This document does not have any IANA requests.
3. Security Considerations
This document analyzes the authentication issues in virtual overlay
data centers, and does not introduce any new security issues to the
problem space.
4. References
4.1. Normative References
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004.
4.2. Informative References
[I-D.ietf-nvo3-framework]
Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y.
Rekhter, "Framework for DC Network Virtualization",
draft-ietf-nvo3-framework-02 (work in progress),
February 2013.
[I-D.ietf-nvo3-overlay-problem-statement]
Narten, T., Gray, E., Black, D., Dutt, D., Fang, L.,
Kreeger, L., Napierala, M., and M. Sridharan, "Problem
Statement: Overlays for Network Virtualization",
draft-ietf-nvo3-overlay-problem-statement-02 (work in
progress), February 2013.
Authors' Addresses
Zhen Cao
China Mobile
China,
China
Phone:
Email: zehn.cao@gmail.com
Gang Chen
China Mobile
Xuanwumenxi Ave No.32
Beijing, 100053
P.R.China
Phone:
Fax:
Email: chengang@chinamobile.com
URI: