Re: [Detnet] Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)
Balázs Varga A <balazs.a.varga@ericsson.com> Thu, 10 September 2020 09:47 UTC
Return-Path: <balazs.a.varga@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56AF13A1274; Thu, 10 Sep 2020 02:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31IWh6umXMhC; Thu, 10 Sep 2020 02:47:05 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60087.outbound.protection.outlook.com [40.107.6.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0A9F3A128B; Thu, 10 Sep 2020 02:47:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LsOvj8wnFB5A2hGJl3qIZGP+g+AtVA4TGjeNPuZ8hlEqNyzVTD0L5kN6LTqng5LepxXmIMOVzBEXiq1uOJ4o9z9PCpG7T4Xg02SjwbTuOtuUvIY48Qy4fFrYZqsafWPHAJ31+Dh/LEB3gKnkDofUkUdrMYmgfHXC3aZQ2h3yYbTZ+cbKo9649g+UhgvaCWinpVVrPIUQu+w/iROvD5+4iqXrfAJ9ecPTkbaOaQskhSmaxBipSi/vshQqlWmu3KtXV9DK3u6JkMabbHib8W28sDhtNILzJtRJwNoKYHggcINjRrHkLICReoxUJdDEiTuMaY2H+EU2YZDul4BuBHI2AQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FDFWOsi50BE6CvjZPAMCNl2ZZSA6iDayefb/m1bvxsg=; b=oDPxPGeNYNtFBy2twMth7lv5Y0frECWjlg0+WO2a523R0uabfsGrAchv0T1Zntq/pCv+RVNVcLLRyjjqzMqjCxU504gQzBCw2uIcytzoPhOmV+8xQ5LK9gnNJ8CgkUkObqgetUDAafsqFwvNyEzvq60hTKJeKA9vp0mqJ2HGWk3wOpTCpxU/4FpSDctQ3g9oMxFwY3ucOfSuOZE3JkExLn+flEI9GQVwyKI7VhM7Rxr8iPjaD+x0KY5zNiCwfoRdFDlSY1s87V0mMAcsHHQrCUwWJpBX/tLP+Mb4mcXv9tksopbd6/Zm7UagalhBmimO/l6TuJWcH/gxcKToJoHDow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FDFWOsi50BE6CvjZPAMCNl2ZZSA6iDayefb/m1bvxsg=; b=ESinkdTvhuCwNio48Itxc+/MjmfEolBcJwpg3n/cSanLADbHOL0APfniwprZgOQYAyk1vwrdecIM8cqtEIKtbFpatuNxF1DCnVVEuvziTEqHceH4AuaWbKkJCFB/sCD4QzQUj4Ngmu/om3oTKf+NqDbeQTPyXQjgr+1uVQPa7bY=
Received: from AM0PR0702MB3603.eurprd07.prod.outlook.com (2603:10a6:208:22::25) by AM0PR07MB3986.eurprd07.prod.outlook.com (2603:10a6:208:4a::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.5; Thu, 10 Sep 2020 09:47:00 +0000
Received: from AM0PR0702MB3603.eurprd07.prod.outlook.com ([fe80::59ca:540d:b7f3:58b9]) by AM0PR0702MB3603.eurprd07.prod.outlook.com ([fe80::59ca:540d:b7f3:58b9%6]) with mapi id 15.20.3370.016; Thu, 10 Sep 2020 09:47:00 +0000
From: Balázs Varga A <balazs.a.varga@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-detnet-mpls@ietf.org" <draft-ietf-detnet-mpls@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>, "detnet@ietf.org" <detnet@ietf.org>, Ethan Grossman <eagros@dolby.com>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)
Thread-Index: AQHWhybMF+1o6vj9hUqFifRvKH/j5qlhkoHg
Date: Thu, 10 Sep 2020 09:46:59 +0000
Message-ID: <AM0PR0702MB3603086AE6D39758230269EEAC270@AM0PR0702MB3603.eurprd07.prod.outlook.com>
References: <159971036659.9584.1635997157553102042@ietfa.amsl.com>
In-Reply-To: <159971036659.9584.1635997157553102042@ietfa.amsl.com>
Accept-Language: hu-HU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [185.29.82.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c6218af2-caf5-4803-5d4c-08d8556e76df
x-ms-traffictypediagnostic: AM0PR07MB3986:
x-microsoft-antispam-prvs: <AM0PR07MB3986CD8CE94DFDBFD7C7A4CBAC270@AM0PR07MB3986.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: M6LKFfEJPnk/kdqeU/prUQ7/0+/iB8FpCTqFffV9IBQqFWQTUoeMx+tj6dJ7MZXa/bcDZdNl8CPKz2RDxaAVE8Z123WVCjgR5MbDl1DHECh1JC3qGHHmgCiu/RH9DMQZ5qxqec2owU4DaSZHGWia0ZGHsXjpL8lmKWqJG82GEaFvRC8tvXuRJNURLltpdYvgayAZhN8WRcv+gNKiLXESHk1RZaON+Y/NE6dAPqfuASdHEsnQJiT4SM4h80LzgiLa3UERTaAWmxOd4CrTzw79LT9pp5lARB4Opi546hu70e+QpIqwJm32XyotP4CwqPd2X7HPgpHuActxok4kcgFMmOoFrpoPC+toRZhTBCelrsAQYg5BOGormup1PUG9tXUA/CsMNkBhssTwLqUaIaoZnbljDoxBd5O4d3VvVhHStwi5S0KuBntH1IjByW8XTE4dpB+Pg/S3Z9NOnmfS+3+ITQAogtnZDjo92i4GZpHr3yPLg3S8EAyeusRBUv4lBskN
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR0702MB3603.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(396003)(366004)(136003)(376002)(346002)(54906003)(52536014)(4326008)(86362001)(85182001)(8676002)(30864003)(9686003)(186003)(85202003)(26005)(478600001)(8936002)(64756008)(6506007)(7696005)(83380400001)(110136005)(5660300002)(66556008)(33656002)(966005)(66946007)(66476007)(71200400001)(76116006)(55016002)(316002)(2906002)(66446008)(53546011)(87944003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: FONjNXhwj7eW6XX3B+PkNehWhJTbjl6CCxsZ+yl1ZZcfxOI/Lz8D3KNYXlCm+8z2v7hmEhDBNdLmi7sZ7j0Wy/N7RD8uf83alKG0kvesT8r124KPbCjOSx0Tn8Si/mpyAwIHUSirwZ6Yo0L5hFHj+Axmc6a8FeWBfIc/seJPuvXdYYvMSmN9Lh3E4DSw7oi6DoN5hgFwoXyUd8xhh4dkYAjdqOgLdi+5iEt0PcA4m+/20J6b/MIH3/ejLURCerur+AqSy1dyfYhZYim1y5mwVXe8YqvEMBn1QaUgJ3G2NjfNYbnkGIw+oMEGrtlkPdHyA7JAfLtXfb+KAwxd45lRzsLWKc1wlqtbIRYvKKcnXqMBvtf2nZ3oXbNkSNHJXRVcyhLZgTQkVfuVhOC9jwT/CnSFQFHoD9d3w27vS5fWdaT8vhZosLBo9c0Ch5dJ4Rh9gZQMz8IMI7JT4O6ZyvqXF4YxxGNygBMGJWntl9Fmmvfz/4uN4vOSg/opVELXi5LxTMljnhNRMEabIXCpeThm7+szgbdmoI5AB1WaaHTuj6vjnqh9/NxxOQKQAtwCE/SkX4762v5D4bfsCxL9rIy/0vkeoS3O4pC1oaq+2yQ6XOPoaNjLMuKbuZjM+alP2pev+3wvB/0VrE1kJ/bRje2DgQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR0702MB3603.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c6218af2-caf5-4803-5d4c-08d8556e76df
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Sep 2020 09:46:59.9999 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kM8KE2/phrjJlZuvtoyMZMWQY1Yr1vthetcv8eFcwVHrpj4nmDo5Vn/GU8rMEcDwU7pYWZOUYGIHY90Fz9e5LprMdiZDlCFOy3gla50F598=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB3986
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/OkCD_vMbjV4rXDy-myXG2N-xQP0>
Subject: Re: [Detnet] Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 09:47:15 -0000
Hi Benjamin, Many thanks for the comments. My reactions/comments inline. Thanks & Cheers Bala'zs -----Original Message----- From: Benjamin Kaduk via Datatracker <noreply@ietf.org> Sent: Thursday, September 10, 2020 5:59 AM To: The IESG <iesg@ietf.org> Cc: draft-ietf-detnet-mpls@ietf.org; detnet-chairs@ietf.org; detnet@ietf.org; Ethan Grossman <eagros@dolby.com>; eagros@dolby.com Subject: Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT) Benjamin Kaduk has entered the following ballot position for draft-ietf-detnet-mpls-11: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- There's nothing particularly earth-shattering in these remarks; just some things to double-check and potential minor improvements. (The combination of generic DetNet and MPLS security considerations cover just about everything that's going on here.) I also have a number of nit-level notes that I'll send to the authors separately. Section 2.2 I agree with the directorate reviewer that references for at least some of these terms would be useful. <Bala'zs> Ok. Thanks Section 3.1 I trust there's a reason for the figure to have "bottom of stack" at the top of the figure (and vice versa). <Bala'zs> Yes. :--))) The DetNet MPLS data plane representation is illustrated in Figure 1. The service sub-layer includes a DetNet control word (d-CW) and an identifying service label (S-Label). The DetNet control word (d-CW) conforms to the Generic PW MPLS Control Word (PWMCW) defined in [RFC4385]. An aggregation label (A-Label) is a special case of Just to check my understanding: we conform to the generic format from RFC 4385 but not the preferred one? <Bala'zs> Yes. Section 4.2.1 Do we want to say anything about why the RFC 4385 preferred-format's flags, fragmentation indicator, and length fields are not applicable to the DetNet usage? (I do not recall any restrictions that prevent DetNet flows from traversing Ethernet segments, one of the justifications given in RFC 4385 for the length field.) <Bala'zs> Yes, there are no restrictions to use Ethernet segments. d-CW is always mandatory. Main focus was on sequence number required for DetNet service sub-layer functions (PREOF) and to allow bigger then 16 bits sequence numbers. - Flags: were not considered as no per-payload signaling needed. - FRG: fragmentation intends to use the sequence number (already used for DetNet purposes), so allowing fragmentation was out-of-scope. - Length: I am not able to recall, but I think gaining from padding stuff was expected too low and flags and FRG were already sorted out. I would also suggest avoiding the "S/N" abbreviation (as colliding with "signal/noise"), and note that it is not listed at https://protect2.fireeye.com/v1/url?k=982b359e-c68b8ff0-982b7505-869a14f4b08c-3ba4210af4f84c3b&q=1&e=cb4fa085-b19d-4e86-8aa7-16bdc0d51115&u=https%3A%2F%2Fwww.rfc-editor.org%2Fmaterials%2Fabbrev.expansion.txt . <Bala'zs> OK, I will fix this. The sequence number length MUST be provisioned on a per Detnet service basis via configuration, i.e., via the controller plane described in [I-D.ietf-detnet-data-plane-framework]. (side note) I didn't find a great definition for "DetNet service" as a standalone term in RFC 8655, though it's clearly already in use there for this meaning. When the sequence number field length is 16 or 28 bits for a flow, the sequence number MUST be incremented by one for each new app-flow packet sent. When the field length is 16 bits, d-CW bits 4 to 15 Are there any considerations on the initial sequence number value? Randomization of the initial sequence number may be a generic best practice, as discussed in draft-gont-numeric-ids-sec-considerations (which I am AD sponsoring). <Bala'zs> No restrictions on initial sequence number. Section 4.2.2 S-Label values MUST be provisioned per DetNet service via configuration, e.g., via the controller plane described in [I-D.ietf-detnet-data-plane-framework]. Note that S-Labels provide [...] MAY be allocated from the platform label space [RFC3031]. Because S-Labels are local to each node rather than being a global identifier within a domain, they must be advertised to their upstream DetNet service-aware peer nodes (e.g., a DetNet MPLS End System or a DetNet Relay or Edge Node) and interpreted in the context of their received I'm having a hard time reconciling "provisioned via configuration" with "advertised to their upstream peer nodes" -- can you help explain what is expected to happen here? <Bala'zs> It is similar to the MS-PW scenario. Text intends to cover all MPLS flavors. The application of DetNet using MPLS supports a number of control plane/management plane types. These types support certain MPLS data plane deployments. For example RSVP-TE, MPLS-TP, or MPLS Segment Routing (when extended to support resource allocation) are all valid MPLS deployment cases. An S-Label will normally be at the bottom of the label stack once the last F-Label is removed, immediately preceding the d-CW. To support service sub-layer level OAM, an OAM Associated Channel Header (ACH) [RFC4385] together with a Generic Associated Channel Label (GAL) [RFC5586] MAY be used in place of a d-CW. Does this preclude using an ACH in the absence of a GAL? <Bala'zs> Details of OAM are out-of-scope in this document. We have a dedicated document for it https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls-oam/ In the case where platform labels are not used, zero or more F-Labels and optionally, the incoming interface, proceeding the S-Label MUST be used together with the S-Label to uniquely identify the DetNet service associated with a received packet. The incoming interface MAY also be used together with any present F-Label(s) and the S-Label to uniquely identify an incoming DetNet service, for example, in the case where PHP is used. [...] I'm not sure what the difference in meaning between these two sentences is supposed to be. <Bala'zs> Yes, same comment received recently. This sentences are fixed in the next version. Section 4.2.3.1 When multiple sets of outgoing F-Labels or interfaces are provisioned for a particular DetNet service, a copy of the outgoing packet, Would it be banal to note that this occurs as part of the PRF? <Bala'zs> OK. I will add it. :--))) S-label uniquely identifies the DetNet service. In the case where platform labels are not used, incoming F-Label(s) and, optionally, the incoming interface MUST also be provisioned for a DetNet service. This might be the third time we've mentioned this behavior; is it perhaps getting redundant? <Bala'zs> OK. I will check how to reduce redundancy. Section 4.3 OAM follows the procedures set out in [RFC5085] with the restriction that only Virtual Circuit Connectivity Verification (VCCV) type 1 is supported. Earlier we talked about OAM as just using the regular RFC 4385 ACH method (which is what VCCV type 1 corresponds to); why is it necessary to pull in the RFC 5085 procedures now (especially when we follow up two paragraphs down with "the reader is referred to [RFC5058] for a more detailed description")? <Bala'zs> OK. We have a dedicated OAM draft, should be defined there. Section 4.4.1 into and from an H-LSP. Both carried LSPs and H-LSPs may or may not use the TC field, i.e., L-LSPs or E-LSPs. Such nodes will need to Perhaps a RFC 3270 reference is in order here, to pick up L-LSPs and E-LSPs? We seem to not really mention it in this context until Section 4.6.1 otherwise. <Bala'zs> OK. I will check how to fix this. Additional details of the traffic control capabilities needed at a DetNet-aware node may be covered in the new service definitions mentioned above or in separate future documents. Controller plane Er, mentioned where? This seems to be the first instance of "service definition" in this document. <Bala'zs> Controller plane is explained in rfc8655. May add a reference here. Section 4.5 latency the impact on the DetNet application would be severe. To avoid the problem of a transient forwarding loop, changes to an LSP supporting DetNet MUST be loop-free. Just to check my understanding: it's possible to get this loop-free behavior with all the common control planes, e.g., RSVP-TE, MPLS-TP, MPLS SR, etc.? <Bala'zs> They are under discussion. Controller plane related work started recently. Section 5 and hybrid combinations of the two. The details of the controller plane solution required for the label distribution and the management of the label number space are out of scope of this document. There The details are out of scope, sure, but the requirements for what it needs to provide seem to be in scope. It looks like this is what is in the following sub-sections, which is good, but perhaps the transition to them could be written more explicitly. (I did not try to cross-reference the lists given here with the in-line requirements stated throughout the document, and trust the authors to have done so.) Section 5.1.1 Section 6 plane. The considerations raised related to MPLS networks in general in [RFC5920] are equally applicable to the the DetNet MPLS data plane. In line of Roman's remarks, I'd suggest calling out a few key pieces from the RFC 5920 security considerations, especially boundary filtering to protect against label spoofing. We might pull in the considerations from the relevant control word RFCs as well, and from RFC 4206 for H-LSPs. Some of the service label stuff is fairly analogous to the ongoing SFC work, but it's probably a stretch to say that we should reference their security considerations from here. There's a couple chunks of text that are essentially copied from RFC 8655 but seem incoherent or incorrect, e.g.: Security aspects which are unique to DetNet are those whose aim is to provide the specific quality of service aspects of DetNet, which are (It's DetNet's aim to provide those, not the security aspects' aim.) traffic. To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technology definition can allow for the mitigation of Man-In-The-Middle attacks, for example through use of authentication and authorization of devices within the DetNet domain. (I don't think we've seen a clear portrayal of what these MITM protection schemes would actually do, what is being authenticated/authorized, etc., any of the times that it has come up.) I hope we can improve them in this iteration. <Bala'zs> OK. Thanks. Section 9 We're already over the 5-author limit; I, for one, would not mind having 7 authors (and skipping this section) instead of the current 6. Section 10.1 Some of these may not strictly need to be in the normative references section, e.g., 2211/2212, but it doesn't seem particularly harmful to keep them here. <Bala'zs> OK. Thanks. Section 10.2 I'm quite surprised that draft-ietf-detnet-data-plane-framework is not listed as normative. The reference to RFC 5586 is in "an OAM Associated Channel Header (ACH) [RFC4385] together with a Generic Associated Channel Label (GAL) [RFC5586] MAY be used in place of a d-CW", the normative keyword of which suggests that it should properly be classified as normative. Likewise for RFC 6790 ("Similarly, an Entropy Label Indicator/Entropy Label (ELI/EL) [RFC6790] MAY be carried below the S-Label"). <Bala'zs> OK. Thanks.
- [Detnet] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk via Datatracker
- Re: [Detnet] Benjamin Kaduk's No Objection on dra… Balázs Varga A
- Re: [Detnet] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk