Re: [Detnet] Tsvart last call review of draft-ietf-detnet-ip-05

Balázs Varga A <balazs.a.varga@ericsson.com> Fri, 17 April 2020 14:32 UTC

Return-Path: <balazs.a.varga@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD2E3A0AE8; Fri, 17 Apr 2020 07:32:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.268
X-Spam-Level:
X-Spam-Status: No, score=-2.268 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyVlUUbEnuey; Fri, 17 Apr 2020 07:32:55 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70051.outbound.protection.outlook.com [40.107.7.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C41103A0AD3; Fri, 17 Apr 2020 07:32:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AWZjVkkvpviCMpF2pqB6ELZQnHrwCpkPV7wbNIDYUzlmYd/qoEBgKUH7Dap8rkbYyVpHIA6uOuTm1l7C87g07NKwjOKuaafU0hQfshVYTorBoXmcBACeRpNJlb1n9JdR0kcjUNHi8c+dsm/GcCBF2oIHHws74FiIiRQmINpwqevEM6L3sNnpwTmjkda1eRK5o0yGYSwPl8oahgF73079oat49gznoSa/XOWSZLlHL2DgkACfQXXDiwTq7r/VroJlzHo1k6iiwdcL+CYjOff2BWFFqBCprLcbxGewohMcb6cbBuosnONkes86abgZWWJdmRUzyHu9MnvNLupapyBlbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WwVFgL6Ndpdcl22oeIg+eN33YWRTdqb4NrXEKUKdzZU=; b=dByo+aLc6fGCK6WuySZ9BVmXwRTb3z+s/JYIYMy+TAS4Uf34aSIvfKqb1Kn0Xx9K+SHaCuAfYPTwXHaXxVAIE9DRtEmcvL5oEuluaZpiES26T72O9m3SW6WvlY3zBBNnWFw58a2Qn+a++DCeOTM7qV9q3gbTURfjJIQmTmLDkUqh2U+kiw4Smdnu+7igRerhiK/UgbRDyla5FlfiEdloEWkmPuOYdke/crmmkeljWKY2U0zKwh+AP3m6yYJxmPu3WblHwuOEbMAspLppBFRw9iOcubDUwNYtFfys54nQ/YJutzTUwSfzEQ8KxE4h2K3ukGTk84JeL07ROnIKXuUuZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WwVFgL6Ndpdcl22oeIg+eN33YWRTdqb4NrXEKUKdzZU=; b=XVcYOKLaH/w+gK1NGygGrQFkjQhbQR7TUPzaVkjwTNkcjs1nkChbOr97LoDse1C4ZX3uvdcEJBbsWkxbxZbtx7EwN0q9GJ5se1uZNNC7lkummvO3twOi6EW9MuH8AKjxRj1vKZM133H1FSJTb+/CEP2Bilr4JACavfMq4V0lFB0=
Received: from AM6PR0702MB3607.eurprd07.prod.outlook.com (2603:10a6:209:4::30) by AM6PR0702MB3670.eurprd07.prod.outlook.com (2603:10a6:209:2::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.6; Fri, 17 Apr 2020 14:32:48 +0000
Received: from AM6PR0702MB3607.eurprd07.prod.outlook.com ([fe80::359c:e503:ff55:662]) by AM6PR0702MB3607.eurprd07.prod.outlook.com ([fe80::359c:e503:ff55:662%5]) with mapi id 15.20.2921.024; Fri, 17 Apr 2020 14:32:48 +0000
From: Balázs Varga A <balazs.a.varga@ericsson.com>
To: Bob Briscoe <ietf@bobbriscoe.net>, "tsv-art@ietf.org" <tsv-art@ietf.org>
CC: "detnet@ietf.org" <detnet@ietf.org>, "draft-ietf-detnet-ip.all@ietf.org" <draft-ietf-detnet-ip.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Tsvart last call review of draft-ietf-detnet-ip-05
Thread-Index: AQHV+x0icaBGVckpxEGgYrLeXLmpn6h9hHLA
Date: Fri, 17 Apr 2020 14:32:48 +0000
Message-ID: <AM6PR0702MB36077278499D8EF769602A6DACD90@AM6PR0702MB3607.eurprd07.prod.outlook.com>
References: <158431305121.17899.8139415906212448096@ietfa.amsl.com>
In-Reply-To: <158431305121.17899.8139415906212448096@ietfa.amsl.com>
Accept-Language: hu-HU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.a.varga@ericsson.com;
x-originating-ip: [94.21.166.163]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 696da739-4108-402f-622c-08d7e2dc33fd
x-ms-traffictypediagnostic: AM6PR0702MB3670:
x-microsoft-antispam-prvs: <AM6PR0702MB3670B5474A7CA3B437F69CE2ACD90@AM6PR0702MB3670.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0376ECF4DD
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR0702MB3607.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39860400002)(396003)(136003)(376002)(366004)(4326008)(26005)(54906003)(110136005)(52536014)(186003)(2906002)(55016002)(316002)(9686003)(6506007)(7696005)(53546011)(478600001)(8676002)(85202003)(86362001)(64756008)(66446008)(8936002)(76116006)(66946007)(81156014)(66476007)(66556008)(5660300002)(33656002)(30864003)(85182001)(71200400001); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Cy2zTvisB52ONXkIj7Xuxo2NLlOncvyT4INATjuldccIW0e3NC/PTXvZkFD65t9MMLrZWL9xz7GYmsErX/kSTY38uCKW6iYBH/V8Pks8iZo92tqBVvhFbTrAcHUm3qfDxRwIM9btqAI6mAKhh7dcvKJ+KA4Si1OM3+Be3k4fLW5ceoyRb5yV94yAW9PW/aGw24qHQSftWFDxjmPdQYBNWIHrXY9ewCeHW2hRCZo5Q2q1pBKgBPspnjzPUkVC9YnjJr0qKHrTehFynrNzxrsjxxr+kgRI42rM6IdJnvWbIRXlVP1HcjmOzm9bhIG50bEzKA+H0F8yF2RE6yejWkDBfv0a+758MO8n4h6d3qfbKnOmgXApQeWu1iE+A3rH+niI7WrqdSfJP/t6YNH96ZfC9n++sYrgV5PmKMK6jud19wrsg26iKd4ZxEuSYqaCWFvT
x-ms-exchange-antispam-messagedata: 0EsP0U6NzxJf+Xn8pzwKR6f7KOTK+BA/BANiG1iPwZsc5f9ljHLqoRIYxSFPLjG0XB9jjAayfCJM/sy4cVB2Tz3doaqfxdfxUd4lb4LaDfrXym/w4ma1qog5Ziw+UGX5tLcz+FDH1KsLzeeUthgrVg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 696da739-4108-402f-622c-08d7e2dc33fd
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Apr 2020 14:32:48.8111 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YOGygoH/daH9b/Rrg5bSrnhLsNgaLTsPlB/eN2oqWcNqA9FVwostC5kURLNOk6bHg740nxeniukIhPOJ/D4wOVkw0nC+VALrCRbPfOnMC1Q=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR0702MB3670
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/UliiAdY2G7Xt9eG9wm2HZRNBE3E>
Subject: Re: [Detnet] Tsvart last call review of draft-ietf-detnet-ip-05
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 14:32:58 -0000

Hi Bob,

Thanks for the review. I am working on the update of the 
document to address the received comments. Proposed 
resolutions are inline below.

Let me know if any of them needs further discussion.

Many thanks
Bala'zs

-----Original Message-----
From: Bob Briscoe via Datatracker <noreply@ietf.org> 
Sent: Sunday, March 15, 2020 11:58 PM
To: tsv-art@ietf.org
Cc: detnet@ietf.org; draft-ietf-detnet-ip.all@ietf.org; last-call@ietf.org
Subject: Tsvart last call review of draft-ietf-detnet-ip-05

Reviewer: Bob Briscoe
Review result: Ready with Issues

This document has been reviewed as part of the transport area review team's ongoing effort to review key IETF documents. These comments were written primarily for the transport area directors, but are copied to the document's authors and WG to allow them to address any issues raised and also to the IETF discussion list for information.

When done at the time of IETF Last Call, the authors should consider this review as part of the last-call comments they receive. Please always CC tsv-art@ietf.org if you reply to or forward this review.

This is a review of draft-ietf-detnet-ip-05 published on 3-Feb-2020.
The IETF review system said a new revision had been submitted on 13-Mar-2020, but I couldn't access it, if indeed it existed.

In general the document was easy to understand.
It seemed to say a lot, but commit to very little. More like an architecture document than a standards track data plane document.

This review is on the document's own terms. IOW, it reviews what the document says, not whether it is a good approach to the problem and so forth.

Review comments.

==Throughout==

   The use of normative text is uncharacteristic of IETF RFCs, where it is
   normally only used for interoperability requirements. For instance: "Quality
   of Service (QoS) for DetNet service flows carried in IP MUST be provided
   locally by the DetNet-aware hosts and routers supporting DetNet flows." This
   MUST is pretty meaningless, given it merely mandates that QoS has to be
   provided locally (how else could it be provided?). Another example of a
   meaningless SHALL in 5.2 says: "implementations of this document SHALL use
   management and control information to select the one or more outgoing
   interfaces" And another example from 5.3: "Implementations of this document
   MUST ensure that a DetNet flow receives the traffic treatment that is
   provisioned for it..."

   There are many other examples of meaningless normative statements. I suggest
   that the authors go through reviewing whether each one actually deserves
   normative text.

<BV> OK, we will review and omit meaningless parts.

==Section-by-Section==

1.  Introduction

   "The service sub-layer
   generally requires additional fields to provide its service; "
   It's not clear what "fields" are being talked about here.

<BV> OK, it means "header fields", so "header" will be inserted in the text.

   "Other than in the TSN case, the
   specific mechanisms used by a DetNet node to ensure DetNet service
   delivery requirements are met for supported DetNet flows is outside
   the scope of this document."
   I don't think the TSN case in in scope of this document either. I think this
   is meant to say that the TSN casse is the only one that's currently defined,
   not that it's the only one within the scope of this document.

<BV> OK, sentence was too busy. Intention was to refer that TSN and DetNet 
are using the same mechanisms.
OLD
   "Other than in the TSN case, the
   specific mechanisms used by a DetNet node to ensure DetNet service
   delivery requirements are met for supported DetNet flows is outside
   the scope of this document."
NEW
  "Other mechanisms than the ones used in the TSN case are outside the 
  scope of this document."
END

4.1.  End-system-specific Considerations

   "this means that packets are appropriately shaped on
   transmission"
   From the application's perspective, doesn't this mean that the delay just
   moves from the network to the shaper?

<BV> Yes, it means that.

   "In order to maximize reuse of existing mechanisms, DetNet-aware
   applications and end systems SHOULD NOT mix DetNet and non-DetNet
   traffic within a single 5-tuple."
   "maximize reuse of existing mechanisms" seems a strange rationale for not
   mixing (which is ironically the opposite of reuse).

<BV> This intends to say that existing mechanism using a 5-tuple to match traffic
cannot differentiate DetNet and non-DetNet traffic.

4.3.2 Quality of Service

   "From an encapsulation perspective, the combination
   of the 6-tuple i.e., the typical 5-tuple enhanced with the DSCP and
   previously mentioned optional field"

   The "optional field" has not been previously defined. The use of the IPv6
   flow label was earlier described as optional. Is that the field meant here?
   It wasn't the name given to the field. If it is, pls don't. Pls
   unambiguously call it the flow label, not the optional field, throughout.
   When the flow label is used, the IPv6 next header field is not necessarily
   used. So the latter could also be described as optional.

<BV> Yes, it means the flow label. I will change text.

   A few sentences further on it says
   "the DSCP, or optional, field"

   Which implies the "optional field" is an alternative term for the "Diffserv
   field". But then it would not have said "DSCP and optional field" earlier.

<BV> No, "optional field" is not an alternative term for the "Diffserv field"


4.4.  DetNet Flow Aggregation

   "an additional optional field defined in Section 5.1."
   There is no optional field defined in Section 5.1.

<BV> It means the flow label, defined in 5.1.1.5. I will change text.

   "From a resource
   allocation perspective, DetNet nodes must provide service to an
   aggregate and not on a component flow basis."
   It seems wrong to specifically preclude a single component flow. Does this
   preclude an aggregate consisting of a single flow? Or was the intention to
   say "DetNet nodes /ought to/ provide service to an aggregate rather than on
   a component flow basis."?

<BV> Yes, your assumption is correct. I will change text.

5.1.2.2.  IPsec AH and ESP

   Flows with the ESP header certainly have to be identified by the SPI,
   because the payload is encrypted. Whereas, although flows with the AH header
   could be identified by the SPI, this would unnecessarily lump together all
   the flows from one security principle on one IP to one security principle on
   another IP. This would be far less granular than the source and dest ports,
   which can be visible and accessible using the next header field of the AH
   header (because the AH payload is not encrypted).

<BV> Yes. The decision is at the end user. He/She may decide to use 
IPSec over UDP as well.

   6. Management and Control Information Summary

   "IPv4 protocol field.  A limited set of values is allowed,..."
   "IPv6 next header field.  A limited set of values is allowed, ..."
   Section 5.1.1.3, where use of these fields is defined, does not mention that
   a limited set of values is allowed. And if the limited set is not defined,
   how do different nodes in a network interoperate? This is surely one role of
   the present document?

<BV> Intention was to say, that supporting protocols listed in 5.1.2 is mandatory (UDP, TCP, IPSec). 
Other protocol values may be implemented, but not discussed by this document. This is what was 
meant by the "limited set".

   7. Security Considerations

   The following would seem to need to be addressed for an IP data plane:

   * Privacy - There seems to be a fundamental dilemma between privacy of the
   IP payload and flow identification. Use of port numbers is fine if privacy
   is not a concern. But if privacy is of concern, then you need encryption.
   However, the SPI in the ESP header is not meant to identify anything less
   than the full set of flows between two security principles on two IP nodes.
   But that is not granular enough for the QoS of each layer-4 flow. If that is
   solved by defining multiple SPIs, then that compromises privacy. This
   section at least needs to say that is a security Limitiation.

   * Authorization to use Detnet services. Would it be possible to restrict the
   use of DetNet services to particular nodes or users? Specifically how are
   the identifiers used for flow identification bound to those held in any
   authorization system. A particular concern with an IP data plane will be
   source address spoofing

   * Denial of Service mitigation. How is the data plane protected from:
     o deliberate fast churn of reservations?
     o excessive incoming traffic to all the policers?
     (For instance, Intserv had a blockade state facility at the edge that held
     reservations from reaching aggregated parts of the network.)

     I believe the above are IP-data-plane-specific issues. So section 7 should
     at least mention them, if only to admit that they haven't been considered.

   "From a data plane perspective this document does not add or modify
   any header information."
   Not true, the DSCP can be altered.

   "To prevent DetNet packets
   from being delayed by an entity external to a DetNet domain, DetNet
   technology definition can allow for the mitigation of Man-In-The-
   Middle attacks, for example through use of authentication and
   authorization of devices within the DetNet domain."
   Eh? What does mitigation of MITM attacks mean? Either they're prevented or
   they're not. Mitigated implies just slightly prevented. How does mitigation
   of MITM attacks prevent delay? Seems a rather big jump.

<BV> Many thanks for the security related comments. We have a draft dedicated 
to detnet security [I-D.ietf-detnet-security] covering most of these aspects. We 
intend to discuss what is really needed in this document to avoid unnecessary 
overlaps.

==Nits==

<BV> Many thanks. All nits will be addressed in the next version. 

1. Intro
s/DetNet provides these flows extremely low/  /DetNet provides these flows with extremely low/

Repetition: functions as two sub-layers: functions into two sub-layers:

   s/group(referred/group (referred/

3. DetNet IP Data Plane Overview

s/however modification of these fields is allowed, for example to a DSCP value/  /however modification of these fields is allowed, for example changing the  DSCP value/

I don't undertand the sentence below, which seems to be a fusion of two or more sentences. May be s/those are/that is/. And maybe "relay nodes" is meant to start a new sentence.

 The DetNet enabled
   end systems originate IP encapsulated traffic those are identified
   within the DetNet domain as DetNet flows, relay nodes understand the
   forwarding requirements of the DetNet flow and ensure that node,
   interface and sub-network resources are allocated to ensure DetNet
   service requirements.

Pls expand PREOF and TSN on first use, not just in the Terminology section.

Missing word: "and ensures that the receives the proper traffic
   treatment"

   Fig 4: Top line of ASCII Art has been shifted to the right.

4.3.1 (and probably throughout)
   "differentiated services code point (DSCP) field"
   Should be "differentiated services field" or "Diffserv field". The DSCP is
   the value in the field [RFC3260]. Also, in S.6. there is an incorrect
   mention of "IPv4 Type of Service", which means the combination of the
   Diffserv field and the ECN field. It is unlikely this is meant, so please
   correct to "Diffserv field"

5. DetNet IP Data Plane Procedures

   "these are referred in this section."
   I would say "referenced" or "referred to" But this might be valid US English?

   s/since applies/since it applies/

6. Management and Control Information Summary

   "If the DSCP field is to be used in flow identification.
    Ignoring the DSCP filed is optional."
   Does the first sentence mean "Whether the Diffserv field is to be used"?
   The second sentence needs to be expressed in a way that's more relevant to
   how management info will express whether the field is ignored.

   s/DSCP filed [sic]/Diffserv field/

   "IPv6 flow label field.  This field can be optionally used for
      matching.  When used, can be used instead of matching against the
      Next Header field."
   The second sentence needs to be expressed in a way that's more relevant to
   how management info will say which is used or whether both are used.