IETF Logo Mail Archive

Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)

Lou Berger <lberger@labn.net> Thu, 25 June 2020 14:26 UTC

Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862C13A0B8C for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 07:26:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXZ7BUoNxcXG for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 07:26:46 -0700 (PDT)
Received: from gproxy8-pub.mail.unifiedlayer.com (gproxy8-pub.mail.unifiedlayer.com [67.222.33.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E6973A0B8D for <detnet@ietf.org>; Thu, 25 Jun 2020 07:26:46 -0700 (PDT)
Received: from cmgw12.unifiedlayer.com (unknown [10.9.0.12]) by gproxy8.mail.unifiedlayer.com (Postfix) with ESMTP id A06BC1AB1E7 for <detnet@ietf.org>; Thu, 25 Jun 2020 08:26:44 -0600 (MDT)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id oSpwj3EciWYdhoSpwjv46r; Thu, 25 Jun 2020 08:26:44 -0600
X-Authority-Reason: nr=8
X-Authority-Analysis: v=2.3 cv=Le4SFAXi c=1 sm=1 tr=0 a=h1BC+oY+fLhyFmnTBx92Jg==:117 a=h1BC+oY+fLhyFmnTBx92Jg==:17 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=xqWC_Br6kY4A:10:nop_ipv6 a=nTHF0DUjJn0A:10:nop_rcvd_month_year a=Vy_oeq2dmq0A:10:endurance_base64_authed_username_1 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=TWq6ZYQzAAAA:8 a=jsLqV8V3AAAA:8 a=174xjjHKAAAA:20 a=VB46miiLAAAA:20 a=lCP7la0hQffnhYDBX9oA:9 a=9_jVPlfLNi1YaKfo:21 a=TfiieTRcg5LIC-LV:21 a=QEXdDO2ut3YA:10:nop_charset_2 a=mYAOWqAtFUkA:10:demote_hacked_domain_1 a=1dbGxDndw2gA:10:demote_hacked_domain_7 a=CKEBa5LydO0mGrN1UKgA:9 a=Lse4ShC8Ezfe8cMd:21 a=bzj9Hdp7lHzdWbRT:21 a=j0usuL8eO9S6PzGW:21 a=UiCQ7L4-1S4A:10:nop_mshtml_css_classes a=hTZeC7Yk6K0A:10:nop_msword_html a=frz4AuCg-hUA:10:nop_css_in_html a=_W_S_7VecoQA:10:nop_html a=w1C3t2QeGrPiZgrLijVG:22 a=ELI009spOhp4_qEUuRHw:22 a=ugk2N6kDtXxT1k6o-wp-:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:Cc:To:Subject:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=eBPHUjkQJWsJdwVFSPWKAZPUhngexUn5uX6uBTcQn0M=; b=clDUEh3M5ibceBcXoHL24CuVPF znPAH6Zo0KJkUNlYls9EnDFqPLMKRO/Ff80sa7b4KuTx8tdn5TPtcJaknlncxgSLWyX87InmPFcOY f1nF0gu70R8P0sqOczTKbajIW;
Received: from [127.0.0.1] (port=57789 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <lberger@labn.net>) id 1joSpw-000QRR-5X; Thu, 25 Jun 2020 08:26:44 -0600
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: Ethan Grossman <eagros@dolby.com>, "detnet@ietf.org" <detnet@ietf.org>, "draft-ietf-detnet-ip@ietf.org" <draft-ietf-detnet-ip@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
References: <159285187260.32738.2496766777836008651@ietfa.amsl.com> <ee4d8560-f765-3914-26ef-f9d494ae13f9@labn.net> <721c6cdc3fa544349a650ca49208dbbb@cert.org>
From: Lou Berger <lberger@labn.net>
Message-ID: <ef31cb7c-6789-c7b7-ec53-5649382adc9c@labn.net>
Date: Thu, 25 Jun 2020 10:26:38 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <721c6cdc3fa544349a650ca49208dbbb@cert.org>
Content-Type: multipart/alternative; boundary="------------6A14CC15F5A5AC481E9D9598"
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source-L: Yes
X-Exim-ID: 1joSpw-000QRR-5X
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([IPv6:::1]) [127.0.0.1]:57789
X-Source-Auth: lberger@labn.net
X-Email-Count: 10
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/m5YvjJeXqu0hm7JX40IKYN0QzRo>
Subject: Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 14:26:49 -0000

Thanks Roman!

On 6/25/2020 10:11 AM, Roman Danyliw wrote:
>
> Hi Lou!
>
> Thanks for the quick response with the edits and clarifications.  In 
> that spirit and resolving blocking things before the telechat -- the 
> proposed edits addresses my DISCUSSes; consider all of the COMMENTs 
> but the last resolved (give me a chance to put fingers to keyboard).
>
> Roman
>
> *From:* iesg <iesg-bounces@ietf.org> *On Behalf Of * Lou Berger
> *Sent:* Thursday, June 25, 2020 9:27 AM
> *To:* Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>
> *Cc:* Ethan Grossman <eagros@dolby.com>; detnet@ietf.org; 
> draft-ietf-detnet-ip@ietf.org; detnet-chairs@ietf.org
> *Subject:* Re: Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: 
> (with DISCUSS and COMMENT)
>
> Hi,
>
> Thank you for the comments/discuss.  Please see responses (as 
> co-author) in line below
>
> On 6/22/2020 2:51 PM, Roman Danyliw via Datatracker wrote:
>
>     Roman Danyliw has entered the following ballot position for
>
>     draft-ietf-detnet-ip-06: Discuss
>
>     When responding, please keep the subject line intact and reply to all
>
>     email addresses included in the To and CC lines. (Feel free to cut this
>
>     introductory paragraph, however.)
>
>     Please refer tohttps://www.ietf.org/iesg/statement/discuss-criteria.html
>
>     for more information about IESG DISCUSS and COMMENT positions.
>
>     The document, along with other ballot positions, can be found here:
>
>     https://datatracker.ietf.org/doc/draft-ietf-detnet-ip/
>
>     ----------------------------------------------------------------------
>
>     DISCUSS:
>
>     ----------------------------------------------------------------------
>
>     A few easy clarifications:
>
>     ** Section 7.  Per “From a data plane perspective this document does not add or
>
>     modify any header information”, this statement, which is also found in Section
>
>     9.1 of draft-ietf-detnet-security-10 does not seem consistent with Section 3
>
>     which states “… however modification of these fields is allowed, for example
>
>     changing the DSCP value, when required by the DetNet service”.
>
> This is actually a mistake.  DetNet does not modify standard DSCP 
> remarking.  I just addressed this as part of addressing Murry's 
> comments.  The text should read:
>
>    Non-DetNet and DetNet IP packets are identical on the wire.
>    Generally the fields used in flow identification are forwarded
>    unmodified.  However, standard modification of the DSCP field
>    [RFC2474] is not precluded.
>
>
>     ** Section 7.  RFC8655 reminds us that “Security considerations for DetNet are
>
>     constrained (compared to, for example, the open Internet) because DetNet is
>
>     defined to operate only within a single administrative domain”.  However, the
>
>     only IP-specific guidance on preventing escape from the DetNet domain is in
>
>     Section 4.2 (“Note that not mixing DetNet and non-DetNet traffic within a
>
>     single 5-tuple,  as described above, enables simpler 5-tuple filters to be used
>
>     (or re-used) at the edges of a DetNet network to prevent
>
>     non-congestion-responsive DetNet traffic from escaping the DetNet domain.”).
>
>     Please provide more prescriptive guidance in this section.
>
> How about adding the following to section 6.
>
> The DetNet controller plane MUST ensure that non-congestion-responsive 
> DetNet traffic is not forwarded outside a DetNet domain.
>
>     ** Section 7.  The guidance from RFC8655 and draft-ietf-detnet-security needs
>
>     to be deconflicted relative to confidentiality.  The following assertions are
>
>     stated in a single paragraph:
>
>     (a) The primary considerations for the data plane is to maintain
>
>         integrity of data and delivery of the associated DetNet service
>
>         traversing the DetNet network.
>
>     (b) Application flows can be protected
>
>         through whatever means is provided by the underlying technology.  For
>
>         example, encryption may be used, such as that provided by IPSec
>
>         [RFC4301] for IP flows and/or by an underlying sub-net using MACSec
>
>         [IEEE802.1AE-2018] for IP over Ethernet (Layer-2) flows.
>
>     (a) appears to be a cut-and-paste (or maybe vice versa) from Section 9 of
>
>     draft-ietf-detnet-security-10
>
>     (b) appears to be a cut-and-paste from Section 5 of RFC8655.
>
>     The concatenation of (a) + (b) appears to be unique to this document.
>
>     When RFC8655 states (b), it prefaced with “[t]o maintain confidentiality of
>
>     data traversing the DetNet, application flows can be protected through whatever
>
>     means is provided by the underlying technology.”  (a) makes no references to
>
>     confidentiality.  It seems like it should.
>
> Sure, added.
>
>     ----------------------------------------------------------------------
>
>     COMMENT:
>
>     ----------------------------------------------------------------------
>
>     Thanks for responding to the SECDIR review (and thank you Tero for doing it).
>
>     ** Section 3.  I wasn’t able to follow how the reference architectures (Figure
>
>     1 and 2) in this section had bearing on the normative behavior in Section 5 and
>
>     6.
>
> Figures 1 and 2 provide overall context for the node specific behavior 
> defined in 5 and 6.
>
>     ** Section 3. Editorial.  As a reader, I would have benefited from a forward
>
>     reference to Section 5 somewhere in this section.  As I was reading this text,
>
>     I kept looking for specify in exactly which fields go into the tuple and under
>
>     what circumstances.
>
> sure.
>
>     ** Section 3.  Per “Same can be valid for flow aggregates”, I didn’t follow
>
>     what this meant.  Did you mean, “The same can be true for flow aggregates”,
>
>     editorially? But I’m still not sure what a “flow aggregates” is in this case.
>
> This has been fixed per my previous mail.
>
>     ** Section 3.  Per “… however modification of these fields is allowed, for
>
>     example changing the DSCP value, when required by the DetNet service”, is the
>
>     DSCP the only field that is permitted to be modified?  Perhaps I missed it, but
>
>     I didn’t see this behavior covered in the subsequent guidance (i.e., outside of
>
>     this overview) -- see related DISCUSS above.
>
> per above, detnet does not preclude standard remarking, i.,e., it 
> allows for it.
>
>     ** Section 4.  Per “This section provides informative considerations …”, is
>
>     that the same thing as saying this entire section is not normative?  If so, I
>
>     was surprised by the use of RFC2119 language in this section.
>
> "informative" should have been removed when the 2119 language was 
> added.  I have removed it.
>
>     ** Section 4.2.  Per “Note that not mixing DetNet and non-DetNet traffic within
>
>     a single 5-tuple”, how does one do flow identification if such mixing is done?
>
> This is a requirement on the application.  It's the only one that 
> could identify the different traffic types when such mixing occurs.
>
>     ** Section 4.3.1.  Is there a pointer that can be provided to explain how
>
>     DetNet nodes are to “ensure that the CoS service classes do not impact the
>
>     congestion protection and latency control mechanisms used to provide DetNet
>
>     QoS?”
>
> This is a tough one as the IETF has generally avoided defining 
> internal behavior (unlike some other SDOs). Section 5.3 does provide 
> some additional information.
>
>     ** Section 5.1.2.2.  Per “DetNet flow identification for ICMP is achieved based
>
>     on the protocol’s header”, I recommend being precise by explicitly saying which
>
>     protocol header field and which value (just as was done in for TCP, UDP and
>
>     IPSec.).
>
> In the current definition, it's just the protocol number:
>
> s/protocol's header/protocol number in the IP header.
>
>     ** Section 7.  It wasn’t clear to me which security consideration mentioned
>
>     here were specific to a DetNet data plane when IP is used for the forwarding
>
>     sub-layer.  I have no issues restating key considerations, but this write-up
>
>     was generic.
>
> I'm not sure what else to add here.  If you have suggestion, we're 
> more than open to them.
>
> Changes covered here can be previewed at:
> https://github.com/detnet-wg/data-plane-drafts/tree/working/lb/iesg-0625
> https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/detnet-wg/data-plane-drafts/working/lb/iesg-0625/ip/draft-ietf-detnet-ip.xml
> Thank you!
> Lou
>

v2.23.0 | Report a Bug | By Email