mglt / draft-mglt-nvo3-geneve-security-requirements


partial encryption as operator policy #14

Open mglt opened 6 years ago

mglt commented 6 years ago

Partial encryption (SEC-GEN-2 below) is an optimization (as had been indicated in a comment on the previous version of this draft) and should not be a requirement. The traffic between NVE pairs should be secured, and an operator may have a policy to encrypt the traffic irrespective of any security mechanisms employed by the TSs. Also, an NVE may handle traffic from multiple TSes, and hence the service provider may enable encryption between NVE pairs. So partial encryption or selective encryption is more of an optimization that should not be mandated and should not be a requirement.

mglt commented 6 years ago

I suspect the concern is whether a Geneve deployment with NVE-to-NVE communications and TS communications encrypted can be considered secure. This is more related to a deployment. As this is a deployment, it should be related to the SEC-OP requirements. The case provided fulfills SEC-OP-1, as partial encryption comes with a MAY status. I believe the concern is addressed.

That said, the concern may also be whether a security mechanism that does not provide partial encryption can be considered a Geneve security mechanism.

SEC-GEN provides the requirements that the mechanism securing the Geneve overlay needs to fulfill.

""" o SEC-GEN-2: Geneve security mechanism SHOULD provide the capability to partially encrypt the inner payload header. """

SEC-GEN-2 comes with a SHOULD statement that does not make it mandatory. SEC-GEN-1 requires the capability to encrypt and comes with a MUST statement. As a result, a mechanism that encrypts fulfills SEC-GEN-1 and SEC-GEN-2.

I suppose that addresses the concern. I provided text to explain how the requirements should be considered to match a deployment or a security mechanism.