[Detnet] Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 10 September 2020 03:59 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: detnet@ietf.org
Delivered-To: detnet@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 242223A0C1F; Wed, 9 Sep 2020 20:59:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-detnet-mpls@ietf.org, detnet-chairs@ietf.org, detnet@ietf.org, Ethan Grossman <eagros@dolby.com>, eagros@dolby.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.16.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159971036659.9584.1635997157553102042@ietfa.amsl.com>
Date: Wed, 09 Sep 2020 20:59:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/uUzWNgtBGr0p4qX3qmmffzdcPSU>
Subject: [Detnet] Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 03:59:27 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-detnet-mpls-11: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- There's nothing particularly earth-shattering in these remarks; just some things to double-check and potential minor improvements. (The combination of generic DetNet and MPLS security considerations cover just about everything that's going on here.) I also have a number of nit-level notes that I'll send to the authors separately. Section 2.2 I agree with the directorate reviewer that references for at least some of these terms would be useful. Section 3.1 I trust there's a reason for the figure to have "bottom of stack" at the top of the figure (and vice versa). The DetNet MPLS data plane representation is illustrated in Figure 1. The service sub-layer includes a DetNet control word (d-CW) and an identifying service label (S-Label). The DetNet control word (d-CW) conforms to the Generic PW MPLS Control Word (PWMCW) defined in [RFC4385]. An aggregation label (A-Label) is a special case of Just to check my understanding: we conform to the generic format from RFC 4385 but not the preferred one? Section 4.2.1 Do we want to say anything about why the RFC 4385 preferred-format's flags, fragmentation indicator, and length fields are not applicable to the DetNet usage? (I do not recall any restrictions that prevent DetNet flows from traversing Ethernet segments, one of the justifications given in RFC 4385 for the length field.) I would also suggest avoiding the "S/N" abbreviation (as colliding with "signal/noise"), and note that it is not listed at https://www.rfc-editor.org/materials/abbrev.expansion.txt . The sequence number length MUST be provisioned on a per Detnet service basis via configuration, i.e., via the controller plane described in [I-D.ietf-detnet-data-plane-framework]. (side note) I didn't find a great definition for "DetNet service" as a standalone term in RFC 8655, though it's clearly already in use there for this meaning. When the sequence number field length is 16 or 28 bits for a flow, the sequence number MUST be incremented by one for each new app-flow packet sent. When the field length is 16 bits, d-CW bits 4 to 15 Are there any considerations on the initial sequence number value? Randomization of the initial sequence number may be a generic best practice, as discussed in draft-gont-numeric-ids-sec-considerations (which I am AD sponsoring). Section 4.2.2 S-Label values MUST be provisioned per DetNet service via configuration, e.g., via the controller plane described in [I-D.ietf-detnet-data-plane-framework]. Note that S-Labels provide [...] MAY be allocated from the platform label space [RFC3031]. Because S-Labels are local to each node rather than being a global identifier within a domain, they must be advertised to their upstream DetNet service-aware peer nodes (e.g., a DetNet MPLS End System or a DetNet Relay or Edge Node) and interpreted in the context of their received I'm having a hard time reconciling "provisioned via configuration" with "advertised to their upstream peer nodes" -- can you help explain what is expected to happen here? An S-Label will normally be at the bottom of the label stack once the last F-Label is removed, immediately preceding the d-CW. To support service sub-layer level OAM, an OAM Associated Channel Header (ACH) [RFC4385] together with a Generic Associated Channel Label (GAL) [RFC5586] MAY be used in place of a d-CW. Does this preclude using an ACH in the absence of a GAL? In the case where platform labels are not used, zero or more F-Labels and optionally, the incoming interface, proceeding the S-Label MUST be used together with the S-Label to uniquely identify the DetNet service associated with a received packet. The incoming interface MAY also be used together with any present F-Label(s) and the S-Label to uniquely identify an incoming DetNet service, for example, in the case where PHP is used. [...] I'm not sure what the difference in meaning between these two sentences is supposed to be. Section 4.2.3.1 When multiple sets of outgoing F-Labels or interfaces are provisioned for a particular DetNet service, a copy of the outgoing packet, Would it be banal to note that this occurs as part of the PRF? S-label uniquely identifies the DetNet service. In the case where platform labels are not used, incoming F-Label(s) and, optionally, the incoming interface MUST also be provisioned for a DetNet service. This might be the third time we've mentioned this behavior; is it perhaps getting redundant? Section 4.3 OAM follows the procedures set out in [RFC5085] with the restriction that only Virtual Circuit Connectivity Verification (VCCV) type 1 is supported. Earlier we talked about OAM as just using the regular RFC 4385 ACH method (which is what VCCV type 1 corresponds to); why is it necessary to pull in the RFC 5085 procedures now (especially when we follow up two paragraphs down with "the reader is referred to [RFC5058] for a more detailed description")? Section 4.4.1 into and from an H-LSP. Both carried LSPs and H-LSPs may or may not use the TC field, i.e., L-LSPs or E-LSPs. Such nodes will need to Perhaps a RFC 3270 reference is in order here, to pick up L-LSPs and E-LSPs? We seem to not really mention it in this context until Section 4.6.1 otherwise. Additional details of the traffic control capabilities needed at a DetNet-aware node may be covered in the new service definitions mentioned above or in separate future documents. Controller plane Er, mentioned where? This seems to be the first instance of "service definition" in this document. Section 4.5 latency the impact on the DetNet application would be severe. To avoid the problem of a transient forwarding loop, changes to an LSP supporting DetNet MUST be loop-free. Just to check my understanding: it's possible to get this loop-free behavior with all the common control planes, e.g., RSVP-TE, MPLS-TP, MPLS SR, etc.? Section 5 and hybrid combinations of the two. The details of the controller plane solution required for the label distribution and the management of the label number space are out of scope of this document. There The details are out of scope, sure, but the requirements for what it needs to provide seem to be in scope. It looks like this is what is in the following sub-sections, which is good, but perhaps the transition to them could be written more explicitly. (I did not try to cross-reference the lists given here with the in-line requirements stated throughout the document, and trust the authors to have done so.) Section 5.1.1 Section 6 plane. The considerations raised related to MPLS networks in general in [RFC5920] are equally applicable to the the DetNet MPLS data plane. In line of Roman's remarks, I'd suggest calling out a few key pieces from the RFC 5920 security considerations, especially boundary filtering to protect against label spoofing. We might pull in the considerations from the relevant control word RFCs as well, and from RFC 4206 for H-LSPs. Some of the service label stuff is fairly analogous to the ongoing SFC work, but it's probably a stretch to say that we should reference their security considerations from here. There's a couple chunks of text that are essentially copied from RFC 8655 but seem incoherent or incorrect, e.g.: Security aspects which are unique to DetNet are those whose aim is to provide the specific quality of service aspects of DetNet, which are (It's DetNet's aim to provide those, not the security aspects' aim.) traffic. To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technology definition can allow for the mitigation of Man-In-The-Middle attacks, for example through use of authentication and authorization of devices within the DetNet domain. (I don't think we've seen a clear portrayal of what these MITM protection schemes would actually do, what is being authenticated/authorized, etc., any of the times that it has come up.) I hope we can improve them in this iteration. Section 9 We're already over the 5-author limit; I, for one, would not mind having 7 authors (and skipping this section) instead of the current 6. Section 10.1 Some of these may not strictly need to be in the normative references section, e.g., 2211/2212, but it doesn't seem particularly harmful to keep them here. Section 10.2 I'm quite surprised that draft-ietf-detnet-data-plane-framework is not listed as normative. The reference to RFC 5586 is in "an OAM Associated Channel Header (ACH) [RFC4385] together with a Generic Associated Channel Label (GAL) [RFC5586] MAY be used in place of a d-CW", the normative keyword of which suggests that it should properly be classified as normative. Likewise for RFC 6790 ("Similarly, an Entropy Label Indicator/Entropy Label (ELI/EL) [RFC6790] MAY be carried below the S-Label").
- [Detnet] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk via Datatracker
- Re: [Detnet] Benjamin Kaduk's No Objection on dra… Balázs Varga A
- Re: [Detnet] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk