[Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)
Magnus Westerlund via Datatracker <noreply@ietf.org> Thu, 10 September 2020 13:23 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: detnet@ietf.org
Delivered-To: detnet@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2259A3A09EE; Thu, 10 Sep 2020 06:23:45 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Magnus Westerlund via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-detnet-mpls@ietf.org, detnet-chairs@ietf.org, detnet@ietf.org, Ethan Grossman <eagros@dolby.com>, eagros@dolby.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.16.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <159974422465.29824.16341844595557587838@ietfa.amsl.com>
Date: Thu, 10 Sep 2020 06:23:45 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/QcL8EeM4GwZunN_R3sr09Za8FhU>
Subject: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 13:23:45 -0000
Magnus Westerlund has entered the following ballot position for draft-ietf-detnet-mpls-12: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I like to thank TSV-ART reviewer Michael Tüxen for helping me consider one aspect of the issue I see needing some discussion for this document. Updated and extended discuss to clarify the issues I see. Please note that D below is new and a consequence in my trying to clarify C. why it matters. A. The need for latency bounding the POF to enable the MPLS S-Label path to be bounded if reordering protection service is needed. To my understanding in an MPLS network the controller can determine an upper bound of the latency for a path by adding together the path latencies, the packet buffer depths based on the forwarding behavior applied, and the POF buffer depth. However, as currently described it is not made clear that the POF needs to have a configuration for an upper bound of how long a packet may maximum remain in the buffer since arrival. This requirement is somewhat discussed in So https://datatracker.ietf.org/doc/draft-ietf-detnet-data-plane-framework/: 3.5.2.2. Path Differential Delay In the preceding example, proper working of duplicate elimination and reordering of packets are dependent on the number of out-of-order packets that can be buffered and the delay difference of arriving packets. DetNet uses flow-specific requirements (e.g., maximum number of out-of-order packets, maximum latency of the flow) for configuration of POF-related buffers. If the differential delay between paths is excessively large or there is excessive mis-ordering of the packets, then packets may be dropped instead of being reordered. Likewise, PEF uses the sequence number to identify duplicate packets, and large differential delays combined with high numbers of packets may exceed the ability of the PEF to work properly. So this configuration needs to be required on the MPLS POF implementation to enable the controller to bound the latency between ingress and egress when POF is used. And it needs to be done in time, per the below paragraph. So given that the buffer is specified in either bytes or simply packets to be buffered will result in that the POF buffering time becomes packet flow dependent and not bounded in time. So if you make the calculation for a DETNET flow thinking it will send 500 packets per second evenly spaced. Then the a buffer of 5 packets would represent an upper limit 1/100th of second. If then the flow sends only 100 packet per second then suddendly the 5-packet buffering would represent 1/20th of a second. Thus defining it in packets or size doesn't work, the upper buffering time needs to be defined in time to provide a bounded latency. I would note that soley configuring an upper bound between arrival in POF buffer until latest release is more fragile than actually having actual timestamp applied at egress to each packet. But, it can ensure bounded delay as long as the other functions do keep to their boundary. However, I think the solution here is to clarify the configuration requirement on the POF in Section 4.2.2.3. B. On the relation of the PEF to the POF. The document does not discuss this, and maybe this is fairly obvious but a relation ship exists. The PEF state needs to be deeper than the POFs when both are used. Otherwise duplicates may be forwarded. If the PEF is at least as deep as the POF, then any duplicate that is more out of order than what the POF allows will be discarded. However, as the POF is not that explicitly specified, even if the information document do define that is what should be done. I would recommend that the text is made more clear on this relationship and also are explicit about the discard of out of order in the POF. C. On the implementation details of the PEF and POF in regards to how they accept packets. So the PEF is likely implemented with a basic data structure which tracks the N latest received packets and keep state if these packets have been seen or not. However, an important implementation detail for this is how this handles when a packet received are significantly higher than previous seen. So does that result in that highest seen are advanced forward to this value? So the 16-bit and 28-bit sequence numbers define a circular space. I assume one tracks the highest sequence number received (H_SN). Based on that one usually consider packets in the range [(H_SN-2^15) MOD 2^16, HSN-1] as older packets not updating the H_SN (for 16-bit sequence numbers) and can consider packets in the range [H_SN+1, H_SN + 2^15-1] as newer. However as N (number of actually tracked packets) are only a sub-set of the fully sequence number the PEF will consider a packet that falls into the range of older packets but outside of the N packets where one have state as to old, and will discard as one lack information about if it is a duplicate or not. As you may seen this implementation would cause packet loss in the event that packets for this S-Label has passed the ingress and the PRF have put in sequence number and duplicating them and then the packet have been lost due to failure in forwarding the traffic. Then when the network have recovered from this failure there are a significant risk that the packets are outside of the window of validity that would trigger the H_SN to be updated and instead cause all packets to be dropped. Thus in case of failures there appear to exist a need to be able to reset this state and require the sequence number that is current. And if the details of how these filters are impelementation specific and do not use the ranges I specify the controller would have to potentially cause a reset of the functions for any disturbance as the impact is unknown. Maybe this is a minor risk in this environment, but the need to reset the POF and PEF state appears necessary for recovery. D. Denial of service risk with attacker modifying sequence number or performing packet injection between ingress and egrees. Based on what is written in C I would also note that there exist a serious Denial of Service attack on the Detnet flow. If the attacker is capable of either periodically modify the sequence number of an MPLS packet for a particular S-label or inject a MPLS packet into the system that will traverse to the S-Labels PEF or POF at egress with a crafted sequence number. In either of these cases the attacker can advance the acceptance window periodically so that the actual traffic falls into the range that is discarded by the PEF and POF. Thus, cheaply accomplishing a total denial of service. I think this risk due to the PEF and POF should be made explicit in the security considerations. Mitigations needs to be in place to prevent packet modification or injection inside the MPLS network. Some of these appears to be already discussed.
- [Detnet] Magnus Westerlund's Discuss on draft-iet… Magnus Westerlund via Datatracker
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Stewart Bryant
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Benjamin Kaduk
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Magnus Westerlund
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Stewart Bryant
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Magnus Westerlund
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Toerless Eckert