Internet Engineering Task Force Z. Cao Internet-Draft G. Chen Intended status: Informational China Mobile Expires: August 22, 2013 February 18, 2013 Authentication Issues in Network Virtualization Overlays draft-tsao-nvo3-auth-issues-00 Abstract This document describes the issues of authenticating a new end-device in a virtual data center. This short document tries to initiate the discussion about the authentication issues in the virtualized data centers. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 22, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Cao & Chen Expires August 22, 2013 [Page 1] Internet-Draft nvo authen February 2013 Table of Contents 1. Introduction and All . . . . . . . . . . . . . . . . . . . . . 3 2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Normative References . . . . . . . . . . . . . . . . . . . 4 4.2. Informative References . . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 4 Cao & Chen Expires August 22, 2013 [Page 2] Internet-Draft nvo authen February 2013 1. Introduction and All IETF is developing technologies to use the overlay networks to support large scale virtual data centers. [I-D.ietf-nvo3-framework] provides a framework for Network Virtualization over L3 (NVO3), and [I-D.ietf-nvo3-overlay-problem-statement] summarizes the problems of the virtual data centers using layer-3 overlay technologies. Network virtualization overlay in data centers essentially supports features of truely virtualization and separation of virtual networking from the physical devices. Virtual networking for a tenant is completely decoupled from DC physical network in terms of configuration, address allocation, location, mobility, etc. This short document tries to initiate the discussion about the authentication issues in the virtualized data centers. Although the issue has not been mentioned in the problem statement document, we believe this issue is necessary for the audience to look into. The tenant in virtual data centers is a variant. Its capacity and size, as well as its configuration may vary from time to time. When the tenant owner plans to increase its network capacity and rent more end-devices (could be both physical servers or virtual machines, or contol devices such as firewall, security gateway), the tenant system MUST be able to authenticate and authorize the new end device so that the new devices can be integrated into the existing infrastructure. The problems are listed as below. 1. Network-layer authentication. Service layer authentication by using user account is not an ideal way, due to the lack of fine- grained layer-3 traffic control. Network-layer authentication is necessary to employ more accurate control of the devices and flows in a tenant system. The newly added device can only get the layer-3 connectivity after a successful authentication. This way prevents many known attacks. 2. Access control. Before authentication, the newly added end- device can have necessary control plane communication with the centralized or distributed authentication control servers. After authentication, the data communication capability is enabled. The Network Virtualization Edge (NVE) should be able to distinguish authenticated devices and un-authenticated devices based on their network or lower layer identities. 3. Routing of authentication traffic. The intermediate device should be able to route the authentication request to the correct authentication server. In a virtualized data center, the ID and overlay make this problem complex. Cao & Chen Expires August 22, 2013 [Page 3] Internet-Draft nvo authen February 2013 4. Secure service discovery. Service discovery is normally broadcast or multicast in the domain. In virtual data centers, to avoid the flooding of traffics in both the physical network and virtual network, the broadcast domain design should be kept intact and smart. Server discovery process MUST also be able to filter out the invalid reply from unrelated repository. 2. IANA Considerations This document does not have any IANA requests. 3. Security Considerations This document analyzes the authentication issues in virtual overlay data centers, and does not introduce any new security issues to the problem space. 4. References 4.1. Normative References [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. 4.2. Informative References [I-D.ietf-nvo3-framework] Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y. Rekhter, "Framework for DC Network Virtualization", draft-ietf-nvo3-framework-02 (work in progress), February 2013. [I-D.ietf-nvo3-overlay-problem-statement] Narten, T., Gray, E., Black, D., Dutt, D., Fang, L., Kreeger, L., Napierala, M., and M. Sridharan, "Problem Statement: Overlays for Network Virtualization", draft-ietf-nvo3-overlay-problem-statement-02 (work in progress), February 2013. Cao & Chen Expires August 22, 2013 [Page 4] Internet-Draft nvo authen February 2013 Authors' Addresses Zhen Cao China Mobile China, China Phone: Email: zehn.cao@gmail.com Gang Chen China Mobile Xuanwumenxi Ave No.32 Beijing, 100053 P.R.China Phone: Fax: Email: chengang@chinamobile.com URI: Cao & Chen Expires August 22, 2013 [Page 5]