<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc='yes' ?>
<?rfc tocdepth='3' ?>
<?rfc sortrefs='yes' ?>
<rfc category="std" docName="draft-mglt-nvo3-geneve-encryption-option-00" ipr="trust200902">
  <front>
    <title>Geneve Header Encryption Option (GEO)</title>
    <author initials="D." surname="Migault" fullname="Daniel Migault">
      <address>
        <email>daniel.migault@ericsson.com</email>
      </address>
    </author>
    <date/>
    <area>Routing</area>
    <workgroup>NVO3</workgroup>
    <abstract>

<t>This document describes the Geneve Encryption Option
(GEO). This option enables a Geneve forwarding element to encrypt
the Geneve Header with selected associated Geneve Options as well as a
portion of the Geneve Payload.</t>

    </abstract>
  </front>
  <middle>
    <section title="Requirements notation">

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"/>.</t>

    </section>
    <section title="Introduction">
  
    </section>


<section title="GEO Description">


<t>For generic format of the Geneve Options is defined in <xref
target="fig-geneve-option"/>. The following values are expected:

<list style="symbols">

<t>Option Class: 0x0000</t>

<t>Type: C is unset as the GEO can simply be ignored by a NVE or a
transit node. The GSP will prevent to accept a GOA that is mandated by
the GSP and that has not been validated. </t>

<t>R is set to 0.</t>

<t>Length: This document only considers the algorithms recommended by
<xref target="I-D.ietf-ipsecme-rfc7321bis"/> ENCR_AES_GCM_16 or 
ENCR_CHACHA20_POLY1305. These algorithms are defined in <xref
target="RFC4106"/> and <xref target="RFC7539"/>.</t>


</list></t>

<figure anchor="fig-geneve-option" title="Geneve Option Format">
<artwork><![CDATA[ 
0                   1                   2
3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|          Option Class         |      Type     |R|R|R| Length  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|                      Variable Option Data                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork> </figure>

<figure anchor="fig-geneve-data" title="Geneve Encryption Data">
<artwork><![CDATA[ 
0                   1                   2
3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|                      Sequence Number                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|           GEO-ID            |        Covered Length           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|                                                               | 
|                       ICV  128/256 bits 16                    | 
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork> </figure>


</section>

<section title="GEO Processing">

<section title="GEO Placement">

<figure anchor="fig-geneve-GEO" title="Geneve Encryption Options Placement">
<artwork><![CDATA[[ 

Geneve Encryption Option      -----+           
                                   |     
                                   |           Covered Length
 <------------------->             v       <-------------------->
+---------------------+-------------+-----+------------+----------------+ 
| Geneve Fixed Header | Geneve Opt. | GEO | Geneve Opt.| Geneve Payload |
+---------------------+-------------+-----+------------+----------------+
 <--------+----------> <---------+-------> <----------+---------> <-+-->
          |                      |          xxxx encrypted xxxxx
          |                      |                    |             |
          +-------------------------------------------+             | 
       Fields covered            |                                  | 
       by the encryption         +----------------------------------+  
                                    Fields not covered
                                    by the encryption
]]></artwork>
</figure>

<t>GEO is a termination Geneve Option. The encrypted Geneve Options and
portion of the encrypted Geneve Payload are appended to the Geneve Header. 
They are not encoded as an Geneve Option.</t>

</section>

</section>

<section title="IANA Considerations">

<t>There are no IANA consideration for this document.</t>

</section>

<section anchor="sec-considerations" title="Security Considerations"/>

<section title="Acknowledgment"/>

</middle>

<back>

<references title="Normative References">

<?rfc include="reference.RFC.2119.xml"?>
<?rfc include="reference.RFC.4106.xml"?>
<?rfc include="reference.RFC.4302.xml"?>
<?rfc include="reference.RFC.4868.xml"?>
<?rfc include="reference.RFC.6347.xml"?>
<?rfc include="reference.I-D.ietf-ipsecme-rfc4307bis.xml"?>
<?rfc include="reference.I-D.ietf-ipsecme-rfc7321bis.xml"?>
<?rfc include="reference.I-D.ietf-nvo3-geneve"?>
<?rfc include="reference.I-D.ietf-tls-dtls13"?>

</references>


<references title="Informative References">
<?rfc include="reference.RFC.7364.xml"?>
<?rfc include="reference.RFC.7539.xml"?>

<?rfc include="reference.I-D.ietf-nvo3-encap"?>
<!-- <?rfc include="reference.I-D.ietf-nvo3-security-requirements"?>-->

      <reference anchor="I-D.mglt-nvo3-security-requirements"
target="https://tools.ietf.org/html/I-D.mglt-nvo3-security-requirements-00"
quote-title="true">
        <front>
          <title>Geneve Security Requirements</title>
          <author initials="D." surname="Migault" fullname="D.Migault">
            <organization/>
          </author>
          <date year="2017" month="July"/>
        </front>
      </reference>
<!--
      <reference anchor="I-D.mglt-nvo3-geneve-authentication-option"
target="https://tools.ietf.org/html/I-D.ietf-nvo3-geneve-authentication-option-00"
quote-title="true">
        <front>
          <title>Geneve Authentication Option</title>
          <author initials="D." surname="Migault" fullname="D.Migault">
            <organization/>
          </author>
          <date year="2017" month="July"/>
        </front>
      </reference>
-->
      <reference anchor="I-D.mglt-nvo3-geneve-security-architecture"
target="https://tools.ietf.org/html/I-D.ietf-nvo3-geneve-security-architecture-00"
quote-title="true">
        <front>
          <title>Geneve Security Architecture</title>
          <author initials="D." surname="Migault" fullname="D.Migault">
            <organization/>
          </author>
          <date year="2017" month="July"/>
        </front>
      </reference>


    </references>
  </back>
</rfc>

