mglt / draft-mglt-nvo3-geneve-security-requirements


scope of rogue device #9

Open mglt opened 5 years ago

mglt commented 5 years ago
1. Section 4.2 – “Rogue element on path of TS traffic”: Identify with respect to Figure 1 where the rogue element is located. For example, in a server system where a TS is directly connected to an NVE this may not be applicable, and hence are the requirements associated with this case. Also, as per Section 5, the network connecting TSes and NVEs is out of scope, and an attacker controlling the underlying network device is also out of scope.
mglt commented 5 years ago

The rogue elements are defined in section 4 - see concern 5.

The remainder of the comment seems to say that injecting traffic to a TS requires the rogue element to be between the NVE and the TS. This is not what we are trying to say.

Section 4.2 describes active attacks and mentions that injection attacks can target the TS or the overlay. Active attacks targeting a TS inject packets into the TS traffic. The document considers an attacker injecting packets to the TS by crafting Geneve packets. How the TSes are connected to the NVE does not change anything.

Section 4.2 is structured as follows:

To clarify, I propose the following changes. I believe this addresses the concern.

OLD: Active attacks involve modifying packets, injecting packets, or interfering with packet delivery (such as by corrupting packet checksum). Active attack may target the Tenant System or the Geneve overlay.

NEW: Active attacks involve modifying Geneve packets, injecting Geneve packets, or interfering with Geneve packet delivery (such as by corrupting packet checksum). Active attack may target the Tenant System or the Geneve overlay.