Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
Lou Berger <lberger@labn.net> Thu, 25 June 2020 13:27 UTC
Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D773A09B4 for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 06:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rapM3gshH2gi for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 06:27:17 -0700 (PDT)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC2853A09C4 for <detnet@ietf.org>; Thu, 25 Jun 2020 06:27:17 -0700 (PDT)
Received: from CMGW (unknown [10.9.0.13]) by gproxy1.mail.unifiedlayer.com (Postfix) with ESMTP id 9B9267981A6AA for <detnet@ietf.org>; Thu, 25 Jun 2020 07:27:14 -0600 (MDT)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id oRuMjYdZB2tTHoRuMjOLfx; Thu, 25 Jun 2020 07:27:14 -0600
X-Authority-Reason: nr=8
X-Authority-Analysis: v=2.2 cv=Kug94SeN c=1 sm=1 tr=0 a=h1BC+oY+fLhyFmnTBx92Jg==:117 a=h1BC+oY+fLhyFmnTBx92Jg==:17 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=xqWC_Br6kY4A:10 a=nTHF0DUjJn0A:10 a=Vy_oeq2dmq0A:10 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=174xjjHKAAAA:20 a=VB46miiLAAAA:20 a=fk4zamfxyloGzMzSu4QA:9 a=MOWUvcprqzY_-KZa:21 a=7-Xxlp4fknE0_rCx:21 a=QEXdDO2ut3YA:10 a=mYAOWqAtFUkA:10 a=1dbGxDndw2gA:10 a=jGqiy6jZAAAA:8 a=5UHh9D4INieCpx_q3fIA:9 a=emmCbRQGxKp2-SFl:21 a=NpYiRgZwTshVjbWw:21 a=2FE4s96X9qvRAZEZ:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=jHrLhlbFqA1ZHZAWynec:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:Cc:To:Subject:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=LdMeCDKie6KNW8iS5mBvZXmxwHpCT8fhJudOrUdqYRw=; b=bcVbHHkELiibM0PvbUApSZzDmc fB/MM5vrLNCipQ7+IlqKKBmhCgMz2xqG+UMVRav0m3MzhjMwTOf8J4VGUc6cT8+sokHfku54218B9 agwK0uqI2HBB6LzPGAuoyOrh5;
Received: from [127.0.0.1] (port=25263 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <lberger@labn.net>) id 1joRuM-0008ca-2N; Thu, 25 Jun 2020 07:27:14 -0600
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-detnet-ip@ietf.org, detnet-chairs@ietf.org, detnet@ietf.org, Ethan Grossman <eagros@dolby.com>
References: <159285187260.32738.2496766777836008651@ietfa.amsl.com>
From: Lou Berger <lberger@labn.net>
Message-ID: <ee4d8560-f765-3914-26ef-f9d494ae13f9@labn.net>
Date: Thu, 25 Jun 2020 09:27:04 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <159285187260.32738.2496766777836008651@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------72D47218AF40B751A2927753"
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source-L: Yes
X-Exim-ID: 1joRuM-0008ca-2N
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([IPv6:::1]) [127.0.0.1]:25263
X-Source-Auth: lberger@labn.net
X-Email-Count: 5
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/ZaeUXDmmrt3Jww5Jr7jM1qtPBqw>
Subject: Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 13:27:20 -0000
Hi, Thank you for the comments/discuss. Please see responses (as co-author) in line below On 6/22/2020 2:51 PM, Roman Danyliw via Datatracker wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-detnet-ip-06: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-detnet-ip/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > A few easy clarifications: > > ** Section 7. Per “From a data plane perspective this document does not add or > modify any header information”, this statement, which is also found in Section > 9.1 of draft-ietf-detnet-security-10 does not seem consistent with Section 3 > which states “… however modification of these fields is allowed, for example > changing the DSCP value, when required by the DetNet service”. This is actually a mistake. DetNet does not modify standard DSCP remarking. I just addressed this as part of addressing Murry's comments. The text should read: Non-DetNet and DetNet IP packets are identical on the wire. Generally the fields used in flow identification are forwarded unmodified. However, standard modification of the DSCP field [RFC2474] is not precluded. > > ** Section 7. RFC8655 reminds us that “Security considerations for DetNet are > constrained (compared to, for example, the open Internet) because DetNet is > defined to operate only within a single administrative domain”. However, the > only IP-specific guidance on preventing escape from the DetNet domain is in > Section 4.2 (“Note that not mixing DetNet and non-DetNet traffic within a > single 5-tuple, as described above, enables simpler 5-tuple filters to be used > (or re-used) at the edges of a DetNet network to prevent > non-congestion-responsive DetNet traffic from escaping the DetNet domain.”). > Please provide more prescriptive guidance in this section. How about adding the following to section 6. The DetNet controller plane MUST ensure that non-congestion-responsive DetNet traffic is not forwarded outside a DetNet domain. > > ** Section 7. The guidance from RFC8655 and draft-ietf-detnet-security needs > to be deconflicted relative to confidentiality. The following assertions are > stated in a single paragraph: > > (a) The primary considerations for the data plane is to maintain > integrity of data and delivery of the associated DetNet service > traversing the DetNet network. > > (b) Application flows can be protected > through whatever means is provided by the underlying technology. For > example, encryption may be used, such as that provided by IPSec > [RFC4301] for IP flows and/or by an underlying sub-net using MACSec > [IEEE802.1AE-2018] for IP over Ethernet (Layer-2) flows. > > (a) appears to be a cut-and-paste (or maybe vice versa) from Section 9 of > draft-ietf-detnet-security-10 > > (b) appears to be a cut-and-paste from Section 5 of RFC8655. > > The concatenation of (a) + (b) appears to be unique to this document. > > When RFC8655 states (b), it prefaced with “[t]o maintain confidentiality of > data traversing the DetNet, application flows can be protected through whatever > means is provided by the underlying technology.” (a) makes no references to > confidentiality. It seems like it should. Sure, added. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for responding to the SECDIR review (and thank you Tero for doing it). > > ** Section 3. I wasn’t able to follow how the reference architectures (Figure > 1 and 2) in this section had bearing on the normative behavior in Section 5 and > 6. Figures 1 and 2 provide overall context for the node specific behavior defined in 5 and 6. > > ** Section 3. Editorial. As a reader, I would have benefited from a forward > reference to Section 5 somewhere in this section. As I was reading this text, > I kept looking for specify in exactly which fields go into the tuple and under > what circumstances. sure. > ** Section 3. Per “Same can be valid for flow aggregates”, I didn’t follow > what this meant. Did you mean, “The same can be true for flow aggregates”, > editorially? But I’m still not sure what a “flow aggregates” is in this case. This has been fixed per my previous mail. > ** Section 3. Per “… however modification of these fields is allowed, for > example changing the DSCP value, when required by the DetNet service”, is the > DSCP the only field that is permitted to be modified? Perhaps I missed it, but > I didn’t see this behavior covered in the subsequent guidance (i.e., outside of > this overview) -- see related DISCUSS above. per above, detnet does not preclude standard remarking, i.,e., it allows for it. > ** Section 4. Per “This section provides informative considerations …”, is > that the same thing as saying this entire section is not normative? If so, I > was surprised by the use of RFC2119 language in this section. "informative" should have been removed when the 2119 language was added. I have removed it. > ** Section 4.2. Per “Note that not mixing DetNet and non-DetNet traffic within > a single 5-tuple”, how does one do flow identification if such mixing is done? This is a requirement on the application. It's the only one that could identify the different traffic types when such mixing occurs. > > ** Section 4.3.1. Is there a pointer that can be provided to explain how > DetNet nodes are to “ensure that the CoS service classes do not impact the > congestion protection and latency control mechanisms used to provide DetNet > QoS?” This is a tough one as the IETF has generally avoided defining internal behavior (unlike some other SDOs). Section 5.3 does provide some additional information. > ** Section 5.1.2.2. Per “DetNet flow identification for ICMP is achieved based > on the protocol’s header”, I recommend being precise by explicitly saying which > protocol header field and which value (just as was done in for TCP, UDP and > IPSec.). In the current definition, it's just the protocol number: s/protocol's header/protocol number in the IP header. > ** Section 7. It wasn’t clear to me which security consideration mentioned > here were specific to a DetNet data plane when IP is used for the forwarding > sub-layer. I have no issues restating key considerations, but this write-up > was generic. I'm not sure what else to add here. If you have suggestion, we're more than open to them. Changes covered here can be previewed at: https://github.com/detnet-wg/data-plane-drafts/tree/working/lb/iesg-0625 https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/detnet-wg/data-plane-drafts/working/lb/iesg-0625/ip/draft-ietf-detnet-ip.xml Thank you! Lou > > >
- [Detnet] Roman Danyliw's Discuss on draft-ietf-de… Roman Danyliw via Datatracker
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Roman Danyliw