Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
Lou Berger <lberger@labn.net> Thu, 25 June 2020 14:26 UTC
Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862C13A0B8C for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 07:26:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXZ7BUoNxcXG for <detnet@ietfa.amsl.com>; Thu, 25 Jun 2020 07:26:46 -0700 (PDT)
Received: from gproxy8-pub.mail.unifiedlayer.com (gproxy8-pub.mail.unifiedlayer.com [67.222.33.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E6973A0B8D for <detnet@ietf.org>; Thu, 25 Jun 2020 07:26:46 -0700 (PDT)
Received: from cmgw12.unifiedlayer.com (unknown [10.9.0.12]) by gproxy8.mail.unifiedlayer.com (Postfix) with ESMTP id A06BC1AB1E7 for <detnet@ietf.org>; Thu, 25 Jun 2020 08:26:44 -0600 (MDT)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id oSpwj3EciWYdhoSpwjv46r; Thu, 25 Jun 2020 08:26:44 -0600
X-Authority-Reason: nr=8
X-Authority-Analysis: v=2.3 cv=Le4SFAXi c=1 sm=1 tr=0 a=h1BC+oY+fLhyFmnTBx92Jg==:117 a=h1BC+oY+fLhyFmnTBx92Jg==:17 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=xqWC_Br6kY4A:10:nop_ipv6 a=nTHF0DUjJn0A:10:nop_rcvd_month_year a=Vy_oeq2dmq0A:10:endurance_base64_authed_username_1 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=TWq6ZYQzAAAA:8 a=jsLqV8V3AAAA:8 a=174xjjHKAAAA:20 a=VB46miiLAAAA:20 a=lCP7la0hQffnhYDBX9oA:9 a=9_jVPlfLNi1YaKfo:21 a=TfiieTRcg5LIC-LV:21 a=QEXdDO2ut3YA:10:nop_charset_2 a=mYAOWqAtFUkA:10:demote_hacked_domain_1 a=1dbGxDndw2gA:10:demote_hacked_domain_7 a=CKEBa5LydO0mGrN1UKgA:9 a=Lse4ShC8Ezfe8cMd:21 a=bzj9Hdp7lHzdWbRT:21 a=j0usuL8eO9S6PzGW:21 a=UiCQ7L4-1S4A:10:nop_mshtml_css_classes a=hTZeC7Yk6K0A:10:nop_msword_html a=frz4AuCg-hUA:10:nop_css_in_html a=_W_S_7VecoQA:10:nop_html a=w1C3t2QeGrPiZgrLijVG:22 a=ELI009spOhp4_qEUuRHw:22 a=ugk2N6kDtXxT1k6o-wp-:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:Cc:To:Subject:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=eBPHUjkQJWsJdwVFSPWKAZPUhngexUn5uX6uBTcQn0M=; b=clDUEh3M5ibceBcXoHL24CuVPF znPAH6Zo0KJkUNlYls9EnDFqPLMKRO/Ff80sa7b4KuTx8tdn5TPtcJaknlncxgSLWyX87InmPFcOY f1nF0gu70R8P0sqOczTKbajIW;
Received: from [127.0.0.1] (port=57789 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <lberger@labn.net>) id 1joSpw-000QRR-5X; Thu, 25 Jun 2020 08:26:44 -0600
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: Ethan Grossman <eagros@dolby.com>, "detnet@ietf.org" <detnet@ietf.org>, "draft-ietf-detnet-ip@ietf.org" <draft-ietf-detnet-ip@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
References: <159285187260.32738.2496766777836008651@ietfa.amsl.com> <ee4d8560-f765-3914-26ef-f9d494ae13f9@labn.net> <721c6cdc3fa544349a650ca49208dbbb@cert.org>
From: Lou Berger <lberger@labn.net>
Message-ID: <ef31cb7c-6789-c7b7-ec53-5649382adc9c@labn.net>
Date: Thu, 25 Jun 2020 10:26:38 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <721c6cdc3fa544349a650ca49208dbbb@cert.org>
Content-Type: multipart/alternative; boundary="------------6A14CC15F5A5AC481E9D9598"
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source-L: Yes
X-Exim-ID: 1joSpw-000QRR-5X
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([IPv6:::1]) [127.0.0.1]:57789
X-Source-Auth: lberger@labn.net
X-Email-Count: 10
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/m5YvjJeXqu0hm7JX40IKYN0QzRo>
Subject: Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 14:26:49 -0000
Thanks Roman! On 6/25/2020 10:11 AM, Roman Danyliw wrote: > > Hi Lou! > > Thanks for the quick response with the edits and clarifications. In > that spirit and resolving blocking things before the telechat -- the > proposed edits addresses my DISCUSSes; consider all of the COMMENTs > but the last resolved (give me a chance to put fingers to keyboard). > > Roman > > *From:* iesg <iesg-bounces@ietf.org> *On Behalf Of * Lou Berger > *Sent:* Thursday, June 25, 2020 9:27 AM > *To:* Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > *Cc:* Ethan Grossman <eagros@dolby.com>; detnet@ietf.org; > draft-ietf-detnet-ip@ietf.org; detnet-chairs@ietf.org > *Subject:* Re: Roman Danyliw's Discuss on draft-ietf-detnet-ip-06: > (with DISCUSS and COMMENT) > > Hi, > > Thank you for the comments/discuss. Please see responses (as > co-author) in line below > > On 6/22/2020 2:51 PM, Roman Danyliw via Datatracker wrote: > > Roman Danyliw has entered the following ballot position for > > draft-ietf-detnet-ip-06: Discuss > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > Please refer tohttps://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-detnet-ip/ > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > A few easy clarifications: > > ** Section 7. Per “From a data plane perspective this document does not add or > > modify any header information”, this statement, which is also found in Section > > 9.1 of draft-ietf-detnet-security-10 does not seem consistent with Section 3 > > which states “… however modification of these fields is allowed, for example > > changing the DSCP value, when required by the DetNet service”. > > This is actually a mistake. DetNet does not modify standard DSCP > remarking. I just addressed this as part of addressing Murry's > comments. The text should read: > > Non-DetNet and DetNet IP packets are identical on the wire. > Generally the fields used in flow identification are forwarded > unmodified. However, standard modification of the DSCP field > [RFC2474] is not precluded. > > > ** Section 7. RFC8655 reminds us that “Security considerations for DetNet are > > constrained (compared to, for example, the open Internet) because DetNet is > > defined to operate only within a single administrative domain”. However, the > > only IP-specific guidance on preventing escape from the DetNet domain is in > > Section 4.2 (“Note that not mixing DetNet and non-DetNet traffic within a > > single 5-tuple, as described above, enables simpler 5-tuple filters to be used > > (or re-used) at the edges of a DetNet network to prevent > > non-congestion-responsive DetNet traffic from escaping the DetNet domain.”). > > Please provide more prescriptive guidance in this section. > > How about adding the following to section 6. > > The DetNet controller plane MUST ensure that non-congestion-responsive > DetNet traffic is not forwarded outside a DetNet domain. > > ** Section 7. The guidance from RFC8655 and draft-ietf-detnet-security needs > > to be deconflicted relative to confidentiality. The following assertions are > > stated in a single paragraph: > > (a) The primary considerations for the data plane is to maintain > > integrity of data and delivery of the associated DetNet service > > traversing the DetNet network. > > (b) Application flows can be protected > > through whatever means is provided by the underlying technology. For > > example, encryption may be used, such as that provided by IPSec > > [RFC4301] for IP flows and/or by an underlying sub-net using MACSec > > [IEEE802.1AE-2018] for IP over Ethernet (Layer-2) flows. > > (a) appears to be a cut-and-paste (or maybe vice versa) from Section 9 of > > draft-ietf-detnet-security-10 > > (b) appears to be a cut-and-paste from Section 5 of RFC8655. > > The concatenation of (a) + (b) appears to be unique to this document. > > When RFC8655 states (b), it prefaced with “[t]o maintain confidentiality of > > data traversing the DetNet, application flows can be protected through whatever > > means is provided by the underlying technology.” (a) makes no references to > > confidentiality. It seems like it should. > > Sure, added. > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > Thanks for responding to the SECDIR review (and thank you Tero for doing it). > > ** Section 3. I wasn’t able to follow how the reference architectures (Figure > > 1 and 2) in this section had bearing on the normative behavior in Section 5 and > > 6. > > Figures 1 and 2 provide overall context for the node specific behavior > defined in 5 and 6. > > ** Section 3. Editorial. As a reader, I would have benefited from a forward > > reference to Section 5 somewhere in this section. As I was reading this text, > > I kept looking for specify in exactly which fields go into the tuple and under > > what circumstances. > > sure. > > ** Section 3. Per “Same can be valid for flow aggregates”, I didn’t follow > > what this meant. Did you mean, “The same can be true for flow aggregates”, > > editorially? But I’m still not sure what a “flow aggregates” is in this case. > > This has been fixed per my previous mail. > > ** Section 3. Per “… however modification of these fields is allowed, for > > example changing the DSCP value, when required by the DetNet service”, is the > > DSCP the only field that is permitted to be modified? Perhaps I missed it, but > > I didn’t see this behavior covered in the subsequent guidance (i.e., outside of > > this overview) -- see related DISCUSS above. > > per above, detnet does not preclude standard remarking, i.,e., it > allows for it. > > ** Section 4. Per “This section provides informative considerations …”, is > > that the same thing as saying this entire section is not normative? If so, I > > was surprised by the use of RFC2119 language in this section. > > "informative" should have been removed when the 2119 language was > added. I have removed it. > > ** Section 4.2. Per “Note that not mixing DetNet and non-DetNet traffic within > > a single 5-tuple”, how does one do flow identification if such mixing is done? > > This is a requirement on the application. It's the only one that > could identify the different traffic types when such mixing occurs. > > ** Section 4.3.1. Is there a pointer that can be provided to explain how > > DetNet nodes are to “ensure that the CoS service classes do not impact the > > congestion protection and latency control mechanisms used to provide DetNet > > QoS?” > > This is a tough one as the IETF has generally avoided defining > internal behavior (unlike some other SDOs). Section 5.3 does provide > some additional information. > > ** Section 5.1.2.2. Per “DetNet flow identification for ICMP is achieved based > > on the protocol’s header”, I recommend being precise by explicitly saying which > > protocol header field and which value (just as was done in for TCP, UDP and > > IPSec.). > > In the current definition, it's just the protocol number: > > s/protocol's header/protocol number in the IP header. > > ** Section 7. It wasn’t clear to me which security consideration mentioned > > here were specific to a DetNet data plane when IP is used for the forwarding > > sub-layer. I have no issues restating key considerations, but this write-up > > was generic. > > I'm not sure what else to add here. If you have suggestion, we're > more than open to them. > > Changes covered here can be previewed at: > https://github.com/detnet-wg/data-plane-drafts/tree/working/lb/iesg-0625 > https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/detnet-wg/data-plane-drafts/working/lb/iesg-0625/ip/draft-ietf-detnet-ip.xml > Thank you! > Lou >
- [Detnet] Roman Danyliw's Discuss on draft-ietf-de… Roman Danyliw via Datatracker
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Roman Danyliw