[Detnet] Benjamin Kaduk's No Objection on draft-ietf-detnet-mpls-11: (with COMMENT)

[Benjamin Kaduk via Datatracker <noreply@ietf.org>]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-detnet-mpls-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

There's nothing particularly earth-shattering in these remarks; just
some things to double-check and potential minor improvements.  (The
combination of generic DetNet and MPLS security considerations cover
just about everything that's going on here.)  I also have a number of
nit-level notes that I'll send to the authors separately.

Section 2.2

I agree with the directorate reviewer that references for at least some
of these terms would be useful.

Section 3.1

I trust there's a reason for the figure to have "bottom of stack" at the
top of the figure (and vice versa).

   The DetNet MPLS data plane representation is illustrated in Figure 1.
   The service sub-layer includes a DetNet control word (d-CW) and an
   identifying service label (S-Label).  The DetNet control word (d-CW)
   conforms to the Generic PW MPLS Control Word (PWMCW) defined in
   [RFC4385].  An aggregation label (A-Label) is a special case of

Just to check my understanding: we conform to the generic format from
RFC 4385 but not the preferred one?

Section 4.2.1

Do we want to say anything about why the RFC 4385 preferred-format's
flags, fragmentation indicator, and length fields are not applicable to
the DetNet usage?  (I do not recall any restrictions that prevent DetNet
flows from traversing Ethernet segments, one of the justifications given
in RFC 4385 for the length field.)

I would also suggest avoiding the "S/N" abbreviation (as colliding with
"signal/noise"), and note that it is not listed at
https://www.rfc-editor.org/materials/abbrev.expansion.txt .

   The sequence number length MUST be provisioned on a per Detnet
   service basis via configuration, i.e., via the controller plane
   described in [I-D.ietf-detnet-data-plane-framework].

(side note) I didn't find a great definition for "DetNet service" as a
standalone term in RFC 8655, though it's clearly already in use there
for this meaning.

   When the sequence number field length is 16 or 28 bits for a flow,
   the sequence number MUST be incremented by one for each new app-flow
   packet sent.  When the field length is 16 bits, d-CW bits 4 to 15

Are there any considerations on the initial sequence number value?
Randomization of the initial sequence number may be a generic best
practice, as discussed in draft-gont-numeric-ids-sec-considerations
(which I am AD sponsoring).

Section 4.2.2

   S-Label values MUST be provisioned per DetNet service via
   configuration, e.g., via the controller plane described in
   [I-D.ietf-detnet-data-plane-framework].  Note that S-Labels provide
   [...]
   MAY be allocated from the platform label space [RFC3031].  Because
   S-Labels are local to each node rather than being a global identifier
   within a domain, they must be advertised to their upstream DetNet
   service-aware peer nodes (e.g., a DetNet MPLS End System or a DetNet
   Relay or Edge Node) and interpreted in the context of their received

I'm having a hard time reconciling "provisioned via configuration" with
"advertised to their upstream peer nodes" -- can you help explain what
is expected to happen here?

   An S-Label will normally be at the bottom of the label stack once the
   last F-Label is removed, immediately preceding the d-CW.  To support
   service sub-layer level OAM, an OAM Associated Channel Header (ACH)
   [RFC4385] together with a Generic Associated Channel Label (GAL)
   [RFC5586] MAY be used in place of a d-CW.

Does this preclude using an ACH in the absence of a GAL?

                        In the case where platform labels are not used,
   zero or more F-Labels and optionally, the incoming interface,
   proceeding the S-Label MUST be used together with the S-Label to
   uniquely identify the DetNet service associated with a received
   packet.  The incoming interface MAY also be used together with any
   present F-Label(s) and the S-Label to uniquely identify an incoming
   DetNet service, for example, in the case where PHP is used.  [...]

I'm not sure what the difference in meaning between these two sentences
is supposed to be.

Section 4.2.3.1

   When multiple sets of outgoing F-Labels or interfaces are provisioned
   for a particular DetNet service, a copy of the outgoing packet,

Would it be banal to note that this occurs as part of the PRF?

   S-label uniquely identifies the DetNet service.  In the case where
   platform labels are not used, incoming F-Label(s) and, optionally,
   the incoming interface MUST also be provisioned for a DetNet service.

This might be the third time we've mentioned this behavior; is it
perhaps getting redundant?

Section 4.3

   OAM follows the procedures set out in [RFC5085] with the restriction
   that only Virtual Circuit Connectivity Verification (VCCV) type 1 is
   supported.

Earlier we talked about OAM as just using the regular RFC 4385 ACH
method (which is what VCCV type 1 corresponds to); why is it necessary
to pull in the RFC 5085 procedures now (especially when we follow up two
paragraphs down with "the reader is referred to [RFC5058] for a more
detailed description")?

Section 4.4.1

   into and from an H-LSP.  Both carried LSPs and H-LSPs may or may not
   use the TC field, i.e., L-LSPs or E-LSPs.  Such nodes will need to

Perhaps a RFC 3270 reference is in order here, to pick up L-LSPs and
E-LSPs?  We seem to not really mention it in this context until Section
4.6.1 otherwise.

   Additional details of the traffic control capabilities needed at a
   DetNet-aware node may be covered in the new service definitions
   mentioned above or in separate future documents.  Controller plane

Er, mentioned where?  This seems to be the first instance of "service
definition" in this document.

Section 4.5

   latency the impact on the DetNet application would be severe.  To
   avoid the problem of a transient forwarding loop, changes to an LSP
   supporting DetNet MUST be loop-free.

Just to check my understanding: it's possible to get this loop-free
behavior with all the common control planes, e.g., RSVP-TE, MPLS-TP,
MPLS SR, etc.?

Section 5

   and hybrid combinations of the two.  The details of the controller
   plane solution required for the label distribution and the management
   of the label number space are out of scope of this document.  There

The details are out of scope, sure, but the requirements for what it
needs to provide seem to be in scope.  It looks like this is what is in
the following sub-sections, which is good, but perhaps the transition to
them could be written more explicitly.

(I did not try to cross-reference the lists given here with the in-line
requirements stated throughout the document, and trust the authors to
have done so.)

Section 5.1.1

Section 6

   plane.  The considerations raised related to MPLS networks in general
   in [RFC5920] are equally applicable to the the DetNet MPLS data
   plane.

In line of Roman's remarks, I'd suggest calling out a few key pieces
from the RFC 5920 security considerations, especially boundary filtering
to protect against label spoofing.

We might pull in the considerations from the relevant control word RFCs
as well, and from RFC 4206 for H-LSPs.

Some of the service label stuff is fairly analogous to the ongoing SFC
work, but it's probably a stretch to say that we should reference their
security considerations from here.

There's a couple chunks of text that are essentially copied from RFC
8655 but seem incoherent or incorrect, e.g.:

   Security aspects which are unique to DetNet are those whose aim is to
   provide the specific quality of service aspects of DetNet, which are

(It's DetNet's aim to provide those, not the security aspects' aim.)

   traffic.  To prevent DetNet packets from being delayed by an entity
   external to a DetNet domain, DetNet technology definition can allow
   for the mitigation of Man-In-The-Middle attacks, for example through
   use of authentication and authorization of devices within the DetNet
   domain.

(I don't think we've seen a clear portrayal of what these MITM
protection schemes would actually do, what is being
authenticated/authorized, etc., any of the times that it has come up.)

I hope we can improve them in this iteration.

Section 9

We're already over the 5-author limit; I, for one, would not mind having
7 authors (and skipping this section) instead of the current 6.

Section 10.1

Some of these may not strictly need to be in the normative references
section, e.g., 2211/2212, but it doesn't seem particularly harmful to
keep them here.

Section 10.2

I'm quite surprised that draft-ietf-detnet-data-plane-framework is not
listed as normative.

The reference to RFC 5586 is in "an OAM Associated Channel Header (ACH)
[RFC4385] together with a Generic Associated Channel Label (GAL)
[RFC5586] MAY be used in place of a d-CW", the normative keyword of
which suggests that it should properly be classified as normative.

Likewise for RFC 6790 ("Similarly, an Entropy Label Indicator/Entropy
Label (ELI/EL) [RFC6790] MAY be carried below the S-Label").