mglt / draft-mglt-nvo3-geneve-security-requirements


partial encryption #10

Open mglt opened 5 years ago

mglt commented 5 years ago

Section 5. Selectively protecting portions of the Geneve packet, because the tenant is already protecting the packet, is more of an optimization and not an essential requirement, as the security can be provided by protecting the entire Geneve packet, for example using IPsec. Also, an NVE may serve multiple tenant systems and may have a policy to protect all packets from tenant systems irrespective of whether a tenant system uses other mechanisms at the payload level.

mglt commented 5 years ago

I believe the text you refer to is the one below: """ Selectively providing integrity / authentication, confidentiality / encryption of only portions of the Geneve packet is in scope. This will be the case if the Tenant Systems use a security protocol to protect their communications. """

The text does not provide any requirement. The requirements are provided in Section 5.1 with SEC-GEN-1 and SEC-GEN-2.

I understand the concern as: do SEC-GEN-1 and SEC-GEN-2 (see below) prevent using IPsec as a Geneve security mechanism? As SEC-GEN-2 does not mandate partial encryption, SEC-GEN-1 and SEC-GEN-2 do not prevent using IPsec as a Geneve security mechanism. I suppose this addresses the concern.

""" A Geneve security mechanism must fulfill the requirements below:

o SEC-GEN-1: Geneve security mechanism MUST provide the capability to encrypt the inner payload.

o SEC-GEN-2: Geneve security mechanism SHOULD provide the capability to partially encrypt the inner payload header. """