Section 5.4 – Reproducing an earlier comment from the list on the previous version of this draft: “It is not clear as to what threat is being addressed by requiring flow level granularity. If communication between NVE to NVE need be encrypted/authenticated, then, at a minimum, security policy should be applied for the traffic between, for example, NVE A to NVE B or NVE A to NVE C, etc. Any granularity beyond that is not a requirement to address any threat.” Hence remove SEC-OP-6.
SEC-OP-6 concerns anti-replay attack, not flow management.
I believe that the following text addresses the concern:
OLD:
SEC-OP-6: A secure deployment of a Geneve overlay MUST evaluate the
flows subject to replay attacks. Flows that are subject to these attacks
MUST be authenticated with an anti-replay mechanism. Note that when
partial authentication is provided, the part not covered by the
authentication remains a surface of attack. It is strongly RECOMMENDED
that the Geneve Header is both authenticated with anti-replay
protection.
NEW:
SEC-OP-6: A secure deployment of a Geneve overlay MUST evaluate the
communications subject to replay attacks. Communications that are
subject to these attacks MUST be authenticated with an anti-replay
mechanism. Note that when partial authentication is provided, the part
not covered by the authentication remains a surface of attack. It is
strongly RECOMMENDED that the Geneve Header is both authenticated with
anti-replay protection.
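To illustrate what "authenticated with an anti-replay mechanism" means for an NVE-to-NVE communication, here is an added example (not text from the draft or code from any Geneve implementation): a receiver-side sliding-window replay check in the style of IPsec ESP, applied to Geneve packets. It assumes a per-tunnel key and a per-packet sequence number carried alongside the Geneve header (for instance by the underlying security protocol or a Geneve option), with the authentication tag covering both the sequence number and the header so that a captured packet cannot be renumbered to slip past the window; the window width, key and header bytes are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

WINDOW = 32  # anti-replay window width in sequence numbers (illustrative choice)

@dataclass
class TunnelState:
    """Receiver state for one NVE-to-NVE tunnel (assumed per-tunnel key and sequence space)."""
    key: bytes
    highest: int = 0   # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence (highest - i) already accepted

def tag(key, seq, geneve_hdr):
    """Authentication tag covering the sequence number and the Geneve header."""
    return hmac.new(key, seq.to_bytes(8, "big") + geneve_hdr, hashlib.sha256).digest()[:16]

def accept(state, seq, geneve_hdr, received_tag):
    """Return True (and advance the window) only if the packet is authentic and fresh."""
    # Verify first: the tag must cover seq, or a captured packet could simply be renumbered.
    if not hmac.compare_digest(tag(state.key, seq, geneve_hdr), received_tag):
        return False
    if seq > state.highest:                      # new high-water mark: slide the window
        shift = seq - state.highest
        state.bitmap = ((state.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        state.highest = seq
        return True
    offset = state.highest - seq
    if offset >= WINDOW or state.bitmap & (1 << offset):
        return False                             # too old, or already seen (replay)
    state.bitmap |= 1 << offset
    return True

def demo():
    """Constructed packet stream for one NVE-A -> NVE-B tunnel (sample data, not real traffic)."""
    key = b"example-tunnel-key-not-for-real-use"
    hdr = bytes.fromhex("0000655800001000")     # constructed Geneve base header, VNI 0x10
    state = TunnelState(key)
    pkt = lambda seq: (seq, hdr, tag(key, seq, hdr))
    # in-order, a duplicate, a jump ahead, two late-but-fresh packets, then a duplicate again
    results = [accept(state, *pkt(s)) for s in (1, 2, 2, 20, 3, 7, 3)]
    # Captured packet 7 presented under a new sequence number: the tag no longer verifies.
    _, h, t = pkt(7)
    results.append(accept(state, 41, h, t))
    return results
```

Running `demo()` yields `[True, True, False, True, True, True, False, False]`: the two duplicates and the renumbered packet are rejected while late-but-unseen packets inside the window are still accepted.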