IETF Logo Mail Archive

Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)

Lou Berger <lberger@labn.net> Thu, 25 June 2020 13:27 UTC

Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D773A09B4 for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 06:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rapM3gshH2gi for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 06:27:17 -0700 (PDT)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC2853A09C4 for <detnet@ietf.org>; Thu, 25 Jun 2020 06:27:17 -0700 (PDT)
Received: from CMGW (unknown [10.9.0.13]) by gproxy1.mail.unifiedlayer.com (Postfix) with ESMTP id 9B9267981A6AA for <detnet@ietf.org>; Thu, 25 Jun 2020 07:27:14 -0600 (MDT)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id oRuMjYdZB2tTHoRuMjOLfx; Thu, 25 Jun 2020 07:27:14 -0600
X-Authority-Reason: nr=8
X-Authority-Analysis: v=2.2 cv=Kug94SeN c=1 sm=1 tr=0 a=h1BC+oY+fLhyFmnTBx92Jg==:117 a=h1BC+oY+fLhyFmnTBx92Jg==:17 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=xqWC_Br6kY4A:10 a=nTHF0DUjJn0A:10 a=Vy_oeq2dmq0A:10 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=174xjjHKAAAA:20 a=VB46miiLAAAA:20 a=fk4zamfxyloGzMzSu4QA:9 a=MOWUvcprqzY_-KZa:21 a=7-Xxlp4fknE0_rCx:21 a=QEXdDO2ut3YA:10 a=mYAOWqAtFUkA:10 a=1dbGxDndw2gA:10 a=jGqiy6jZAAAA:8 a=5UHh9D4INieCpx_q3fIA:9 a=emmCbRQGxKp2-SFl:21 a=NpYiRgZwTshVjbWw:21 a=2FE4s96X9qvRAZEZ:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=jHrLhlbFqA1ZHZAWynec:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:Cc:To:Subject:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=LdMeCDKie6KNW8iS5mBvZXmxwHpCT8fhJudOrUdqYRw=; b=bcVbHHkELiibM0PvbUApSZzDmc fB/MM5vrLNCipQ7+IlqKKBmhCgMz2xqG+UMVRav0m3MzhjMwTOf8J4VGUc6cT8+sokHfku54218B9 agwK0uqI2HBB6LzPGAuoyOrh5;
Received: from [127.0.0.1] (port=25263 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <lberger@labn.net>) id 1joRuM-0008ca-2N; Thu, 25 Jun 2020 07:27:14 -0600
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-detnet-ip@ietf.org, detnet-chairs@ietf.org, detnet@ietf.org, Ethan Grossman <eagros@dolby.com>
References: <159285187260.32738.2496766777836008651@ietfa.amsl.com>
From: Lou Berger <lberger@labn.net>
Message-ID: <ee4d8560-f765-3914-26ef-f9d494ae13f9@labn.net>
Date: Thu, 25 Jun 2020 09:27:04 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <159285187260.32738.2496766777836008651@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------72D47218AF40B751A2927753"
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source-L: Yes
X-Exim-ID: 1joRuM-0008ca-2N
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([IPv6:::1]) [127.0.0.1]:25263
X-Source-Auth: lberger@labn.net
X-Email-Count: 5
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/ZaeUXDmmrt3Jww5Jr7jM1qtPBqw>
Subject: Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 13:27:20 -0000

Hi,

Thank you for the comments/discuss.  Please see responses (as co-author) 
in line below


On 6/22/2020 2:51 PM, Roman Danyliw via Datatracker wrote:
> Roman Danyliw has entered the following ballot position for
> draft-ietf-detnet-ip-06: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-detnet-ip/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> A few easy clarifications:
>
> ** Section 7.  Per “From a data plane perspective this document does not add or
> modify any header information”, this statement, which is also found in Section
> 9.1 of draft-ietf-detnet-security-10 does not seem consistent with Section 3
> which states “… however modification of these fields is allowed, for example
> changing the DSCP value, when required by the DetNet service”.
This is actually a mistake.  DetNet does not modify standard DSCP 
remarking.  I just addressed this as part of addressing Murry's 
comments.  The text should read:

    Non-DetNet and DetNet IP packets are identical on the wire.
    Generally the fields used in flow identification are forwarded
    unmodified.  However, standard modification of the DSCP field
    [RFC2474] is not precluded.

>
> ** Section 7.  RFC8655 reminds us that “Security considerations for DetNet are
> constrained (compared to, for example, the open Internet) because DetNet is
> defined to operate only within a single administrative domain”.  However, the
> only IP-specific guidance on preventing escape from the DetNet domain is in
> Section 4.2 (“Note that not mixing DetNet and non-DetNet traffic within a
> single 5-tuple,  as described above, enables simpler 5-tuple filters to be used
> (or re-used) at the edges of a DetNet network to prevent
> non-congestion-responsive DetNet traffic from escaping the DetNet domain.”).
> Please provide more prescriptive guidance in this section.
How about adding the following to section 6.

The DetNet controller plane MUST ensure that non-congestion-responsive 
DetNet traffic is not forwarded outside a DetNet domain.


>
> ** Section 7.  The guidance from RFC8655 and draft-ietf-detnet-security needs
> to be deconflicted relative to confidentiality.  The following assertions are
> stated in a single paragraph:
>
> (a) The primary considerations for the data plane is to maintain
>     integrity of data and delivery of the associated DetNet service
>     traversing the DetNet network.
>
> (b) Application flows can be protected
>     through whatever means is provided by the underlying technology.  For
>     example, encryption may be used, such as that provided by IPSec
>     [RFC4301] for IP flows and/or by an underlying sub-net using MACSec
>     [IEEE802.1AE-2018] for IP over Ethernet (Layer-2) flows.
>
> (a) appears to be a cut-and-paste (or maybe vice versa) from Section 9 of
> draft-ietf-detnet-security-10
>
> (b) appears to be a cut-and-paste from Section 5 of RFC8655.
>
> The concatenation of (a) + (b) appears to be unique to this document.
>
> When RFC8655 states (b), it prefaced with “[t]o maintain confidentiality of
> data traversing the DetNet, application flows can be protected through whatever
> means is provided by the underlying technology.”  (a) makes no references to
> confidentiality.  It seems like it should.
Sure, added.
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for responding to the SECDIR review (and thank you Tero for doing it).
>
> ** Section 3.  I wasn’t able to follow how the reference architectures (Figure
> 1 and 2) in this section had bearing on the normative behavior in Section 5 and
> 6.
Figures 1 and 2 provide overall context for the node specific behavior 
defined in 5 and 6.
>
> ** Section 3. Editorial.  As a reader, I would have benefited from a forward
> reference to Section 5 somewhere in this section.  As I was reading this text,
> I kept looking for specify in exactly which fields go into the tuple and under
> what circumstances.
sure.
> ** Section 3.  Per “Same can be valid for flow aggregates”, I didn’t follow
> what this meant.  Did you mean, “The same can be true for flow aggregates”,
> editorially? But I’m still not sure what a “flow aggregates” is in this case.

This has been fixed per my previous mail.


> ** Section 3.  Per “… however modification of these fields is allowed, for
> example changing the DSCP value, when required by the DetNet service”, is the
> DSCP the only field that is permitted to be modified?  Perhaps I missed it, but
> I didn’t see this behavior covered in the subsequent guidance (i.e., outside of
> this overview) -- see related DISCUSS above.

per above, detnet does not preclude standard remarking, i.,e., it allows 
for it.

> ** Section 4.  Per “This section provides informative considerations …”, is
> that the same thing as saying this entire section is not normative?  If so, I
> was surprised by the use of RFC2119 language in this section.
"informative" should have been removed when the 2119 language was 
added.  I have removed it.
> ** Section 4.2.  Per “Note that not mixing DetNet and non-DetNet traffic within
> a single 5-tuple”, how does one do flow identification if such mixing is done?

This is a requirement on the application.  It's the only one that could 
identify the different traffic types when such mixing occurs.


>
> ** Section 4.3.1.  Is there a pointer that can be provided to explain how
> DetNet nodes are to “ensure that the CoS service classes do not impact the
> congestion protection and latency control mechanisms used to provide DetNet
> QoS?”

This is a tough one as the IETF has generally avoided defining internal 
behavior (unlike some other SDOs).  Section 5.3 does provide some 
additional information.


> ** Section 5.1.2.2.  Per “DetNet flow identification for ICMP is achieved based
> on the protocol’s header”, I recommend being precise by explicitly saying which
> protocol header field and which value (just as was done in for TCP, UDP and
> IPSec.).

In the current definition, it's just the protocol number:

s/protocol's header/protocol number in the IP header.

> ** Section 7.  It wasn’t clear to me which security consideration mentioned
> here were specific to a DetNet data plane when IP is used for the forwarding
> sub-layer.  I have no issues restating key considerations, but this write-up
> was generic.

I'm not sure what else to add here.  If you have suggestion, we're more 
than open to them.

Changes covered here can be previewed at:
https://github.com/detnet-wg/data-plane-drafts/tree/working/lb/iesg-0625

https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/detnet-wg/data-plane-drafts/working/lb/iesg-0625/ip/draft-ietf-detnet-ip.xml

Thank you!

Lou

>
>
>

v2.23.0 | Report a Bug | By Email