Re: [Dime] DOIC Requirements Analysis

Hi Ben,

Please see below.

Regards,

Lionel

-----Message d'origine-----
De : DiME [mailto:dime-bounces@ietf.org] De la part de Ben Campbell
Envoyé : vendredi 7 novembre 2014 17:38
À : Benoit Claise
Cc : dime@ietf.org list
Objet : Re: [Dime] DOIC Requirements Analysis

Hi Benoit, 

I will remove that.

I had mixed emotions about putting it in, since I don't know if we want the detailed sections to stay in the RFC. But the way the summary is currently structured, it just mentions requirements by number and depends on the detailed section for, well, details. So my personal inclination is to have all of Appendix E stay in the RFC. Otherwise, we would probably need to add more detail to the summary.

[LM] I think that an exhaustive comparison of the DOIC solution compared to RFC7068 requirements is not deemed required e.g. Req 1 partially compliant, etc. This could be done in generic way IMHO.
For instance, a specific section in the annex could say:

	Compared to the set of requirements listed in RFC7068, it has been decided to defer for 
	future works the following aspects:
	- load indication conveyance in Diameter messages
	- specific handling of overloaded Diameter agent

	The solution defined in this document slightly deviates by design from some other
	requirements, mainly due to the decision to:
	- piggyback DOIC information over existing Diameter applications
	- limit the scope of the overload report to the application advertised in the application command and to the host/realm contained in the Origin-Host/Origin-Realm AVPs. 
	Further extensions of the overload report might remove these restrictions in the future.

With such kind of wording, it is not required to refer to explicit requirement numbers used in RFC7068. And I think that we provide enough information to make people understand that the solution is not 100% compliant with the RFC7068 but it was done consciously, which is in fine the most important point for the IESG/IETF.

Does anyone else have thoughts on this?

Thanks!

Ben.

> On Nov 7, 2014, at 2:11 AM, Benoit Claise <bclaise@cisco.com> wrote:
> 
> Hi Ben,
> 
> I believe that the E1, at least, must be part of draft. I'm referring to
>    [RFC EDITOR: Please remove this section prior to publication as an
>    RFC.]
> 
> For E2, up to the WG to decide.
> 
> 
> Regards, Benoit
>> 
>>> On Nov 3, 2014, at 11:43 AM, Benoit Claise <bclaise@cisco.com> wrote:
>>> 
>>> Hi Ben,
>>> 
>>> Thanks for your detailed analysis.
>>> While this is good, what is required is the justification of why some requirements are not met with DOIC and why have you decided to postpone some RFC 7068 requirements? Then you can list those requirements.
>>> 
>> 
>> Hi Benoit,
>> 
>> Here's an updated version with a "summary" section at the front. Hopefully this captures what you are looking for. 
>> 
>> I've put this in version 05 in a branch in GitHub. If no one objects in the next few days, I will send a pull request to merge it into the main branch.
>> 
>> Thanks!
>> 
>> Ben.
>> 
>> ----------------------
>> 
>> Appendix E.  Requirements Analysis
>> 
>>    [RFC EDITOR: Please remove this section prior to publication as an
>>    RFC.]
>> 
>>    This section analyzes the mechanism described in this document
>>    against the set of requirements detailed in [RFC7068].
>> 
>> E.1.  Requirements Summary
>> 
>>    This section summarizes areas where DOIC partially complies or does
>>    not comply with certain requirements.  Please see Appendix E.2 for
>>    the text of each requirement.
>> 
>>    The following requirements have been deferred for future work, due to
>>    schedule constraints (3GPP CT4 needs to reference basic overload
>>    control for release 12):
>> 
>>    o  Requirements 1 (partial), 12 (partial), 23, and 24 - DOIC does not
>>       currently support conveyance of load information when not
>>       otherwise overloaded.
>> 
>>    o  Requirements 1 (partial), and 31 (partial) - DOIC does not
>>       currently allow the reporting of an overloaded agent.  (DIME has a
>>       separate milestone for agent overload.)
>> 
>>    The following requirements could not be met due to certain working
>>    group decisions:
>> 
>>    o  Requirements 6 (partial), 16 (partial), 28 (partial), 29 (partial)
>>       and 34 (partial). - The working group elected not to add a way to
>>       determine that non-supporting node exists between two DOIC
>>       supporting nodes.
>> 
>>    o  Requirements 8 (partial), 9, 10 (partial), 19 (partial), and 34
>>       (partial) - The application and server or realm to which an OLR
>>       applies is determined by the Application-Id and Origin-Realm AVPs
>>       of the enclosing answer.  If a node that doesn't understand DOIC
>>       modifies certain AVPs in the enclosing answer, the OLR will become
>>       invalid, without a way for downstream nodes to detect it.  It is
>>       currently not possible to construct an OLR that refers to an
>>       application, server, or realm different from that of the answer
>>       that carries it.
>> 
>>    o  Requirement 13: While the requirement discourages sending OLRs in
>>       every response, the working group decided that not doing that
>>       would be less reliable, and require more stateful behavior.  (Note
>>       that the document allows reporting nodes to avoid sending OLRs in
>>       every response if the node has some other way of determining that
>>       all relevant reacting nodes receive the report.)
>> 
>>    o  The working group believes that DOIC is compliant with requirement
>>       27 (no new vulnerabilities).  However, this may warrant an early
>>       review from a security expert.
>> 
>> E.2.  Detailed Requirements
>> 
>> E.2.1.  General
>> 
>>    REQ 1:  The solution MUST provide a communication method for Diameter
>>            nodes to exchange load and overload information.
>> 
>>            *Partially Compliant*. The mechanism uses new AVPs
>>            piggybacked on existing Diameter messages to exchange
>>            overload information.  It does not currently support "load"
>>            information or the ability to report overload of an agent.
>>            These have been left for future extensions.
>> 
>> 
>> 
>>    REQ 2:  The solution MUST allow Diameter nodes to support overload
>>            control regardless of which Diameter applications they
>>            support.  Diameter clients and agents must be able to use the
>>            received load and overload information to support graceful
>>            behavior during an overload condition.  Graceful behavior
>>            under overload conditions is best described by REQ 3.
>> 
>>            *Compliant*. The DOIC AVPs can be used in any application
>>            that allows the extension of AVPs.
>> 
>> 
>> 
>>    REQ 3:  The solution MUST limit the impact of overload on the overall
>>            useful throughput of a Diameter server, even when the
>>            incoming load on the network is far in excess of its
>>            capacity.  The overall useful throughput under load is the
>>            ultimate measure of the value of a solution.
>> 
>>            *Compliant*. DOIC provides information that nodes can use to
>>            reduce the impact of overload.
>> 
>> 
>> 
>>    REQ 4:  Diameter allows requests to be sent from either side of a
>>            connection, and either side of a connection may have need to
>>            provide its overload status.  The solution MUST allow each
>>            side of a connection to independently inform the other of its
>>            overload status.
>> 
>>            *Compliant*. DOIC AVPs can be included regardless of
>>            transaction "direction"
>> 
>> 
>> 
>>    REQ 5:  Diameter allows nodes to determine their peers via dynamic
>>            discovery or manual configuration.  The solution MUST work
>>            consistently without regard to how peers are determined.
>> 
>>            *Compliant*. DOIC contains no assumptions about how peers are
>>            discovered.  [Note: This may require further study]
>> 
>> 
>> 
>>    REQ 6:  The solution designers SHOULD seek to minimize the amount of
>>            new configuration required in order to work.  For example, it
>>            is better to allow peers to advertise or negotiate support
>>            for the solution, rather than to require that this knowledge
>>            to be configured at each node.
>> 
>>            *Partially Compliant*. Most DOIC parameters are advertised
>>            using the DOIC capability announcement mechanism.  However,
>>            there are some situations where configuration is required.
>>            For example, a DOIC node detect the fact that a peer may not
>>            support DOIC when nodes on the other side of the non-
>>            supporting node do support DOIC without configuration.
>> 
>> 
>> 
>> E.2.2.  Performance
>> 
>>    REQ 7:  The solution and any associated default algorithm(s) MUST
>>            ensure that the system remains stable.  At some point after
>>            an overload condition has ended, the solution MUST enable
>>            capacity to stabilize and become equal to what it would be in
>>            the absence of an overload condition.  Note that this also
>>            requires that the solution MUST allow nodes to shed load
>>            without introducing non-converging oscillations during or
>>            after an overload condition.
>> 
>>            *Compliant*. The specification offers guidance that
>>            implementations should apply hysteresis when recovering from
>>            overload, and avoid sudden ramp ups in offered load when
>>            recovering.
>> 
>> 
>> 
>>    REQ 8:  Supporting nodes MUST be able to distinguish current overload
>>            information from stale information.
>> 
>>            *Partially Compliant*. DOIC overload reports are "soft
>>            state", that is they expire after an indicated period.  DOIC
>>            nodes may also send reports that end existing overload
>>            conditions.  DOIC requires reporting nodes to ensure that all
>>            relevant reacting nodes receive overload reports.
>> 
>>            However, since DOIC does not allow reports to send OLRs in
>>            watchdog messages, if an overload condition results in zero
>>            offered load, the reporting node cannot update the condition
>>            until the expiration of the original OLR.
>> 
>> 
>> 
>>    REQ 9:  The solution MUST function across fully loaded as well as
>>            quiescent transport connections.  This is partially derived
>>            from the requirement for stability in REQ 7.
>> 
>>            *Not Compliant*. DOIC does not allow OLRs to be sent over
>>            quiescent transport connections.  This is due to the fact
>>            that OLRs cannot be sent outside of the application to which
>>            they apply.
>> 
>> 
>> 
>>    REQ 10: Consumers of overload information MUST be able to determine
>>            when the overload condition improves or ends.
>> 
>>            *Partially Compliant*. (See response to previous two
>>            requirements.)
>> 
>> 
>> 
>>    REQ 11: The solution MUST be able to operate in networks of different
>>            sizes.
>> 
>>            *Compliant*. DOIC makes no assumptions about the size of the
>>            network.  DOIC can operate purely between clients and
>>            servers, or across agents.
>> 
>> 
>> 
>>    REQ 12: When a single network node fails, goes into overload, or
>>            suffers from reduced processing capacity, the solution MUST
>>            make it possible to limit the impact of the affected node on
>>            other nodes in the network.  This helps to prevent a small-
>>            scale failure from becoming a widespread outage.
>> 
>>            *Partially Compliant*. DOIC allows overload reports for an
>>            entire realm, where abated traffic will not be redirected
>>            towards another server.  But in situations where nodes choose
>>            to divert traffic to other nodes, DOIC offers no way of
>>            knowing whether the new recipients can handle the traffic if
>>            they have not already indicated overload.  This may be
>>            mitigated with the use of a future "load" extension, or with
>>            the use of proprietary dynamic load-balancing mechanisms.
>> 
>> 
>> 
>>    REQ 13: The solution MUST NOT introduce substantial additional work
>>            for a node in an overloaded state.  For example, a
>>            requirement for an overloaded node to send overload
>>            information every time it received a new request would
>>            introduce substantial work.
>> 
>>            *Not Compliant*. DOIC does in fact encourage an overloaded
>>            node to send an OLR in every response.  The working group
>>            that other mechanisms to ensure that every relevant node
>>            receives an OLR would create even more work.  [Note: This
>>            needs discussion.]
>> 
>> 
>> 
>>    REQ 14: Some scenarios that result in overload involve a rapid
>>            increase of traffic with little time between normal levels
>>            and levels that induce overload.  The solution SHOULD provide
>>            for rapid feedback when traffic levels increase.
>> 
>>            *Compliant*. The piggyback mechanism allows OLRs to be sent
>>            at the same rate as application traffic.
>> 
>> 
>> 
>>    REQ 15: The solution MUST NOT interfere with the congestion control
>>            mechanisms of underlying transport protocols.  For example, a
>>            solution that opened additional TCP connections when the
>>            network is congested would reduce the effectiveness of the
>>            underlying congestion control mechanisms.
>> 
>>            *Compliant*. DOIC does not require or recommend changes in
>>            the handling of transport protocols or connections.
>> 
>> 
>> 
>> E.2.3.  Heterogeneous Support for Solution
>> 
>>    REQ 16: The solution is likely to be deployed incrementally.  The
>>            solution MUST support a mixed environment where some, but not
>>            all, nodes implement it.
>> 
>>            *Partially Compliant*. DOIC works with most mixed-deployment
>>            scenarios.  However, it cannot work across a non-supporting
>>            proxy that modifies Origin-Host AVPs in answer messages.
>>            DOIC will have limited impact in networks where the nodes
>>            that perform server selections do not support the mechanism.
>> 
>> 
>> 
>>    REQ 17: In a mixed environment with nodes that support the solution
>>            and nodes that do not, the solution MUST NOT result in
>>            materially less useful throughput during overload as would
>>            have resulted if the solution were not present.  It SHOULD
>>            result in less severe overload in this environment.
>> 
>>            *Compliant*. In most mixed-support deployment, DOIC will
>>            offer at least some value, and will not make things worse.
>> 
>> 
>> 
>>    REQ 18: In a mixed environment of nodes that support the solution and
>>            nodes that do not, the solution MUST NOT preclude elements
>>            that support overload control from treating elements that do
>>            not support overload control in an equitable fashion relative
>>            to those that do.  Users and operators of nodes that do not
>>            support the solution MUST NOT unfairly benefit from the
>>            solution.  The solution specification SHOULD provide guidance
>>            to implementors for dealing with elements not supporting
>>            overload control.
>> 
>>            *Compliant*. DOIC provides mechanisms to abate load from non-
>>            supporting sources.  Furthermore, it recommends that
>>            reporting nodes will still need to be able to apply whatever
>>            protections they would ordinarily apply if DOIC were not in
>>            use.
>> 
>> 
>> 
>>    REQ 19: It MUST be possible to use the solution between nodes in
>>            different realms and in different administrative domains.
>> 
>>            *Partially Compliant*. DOIC allows sending OLRs across
>>            administrative domains, and potentially to nodes in other
>>            realms.  However, an OLR cannot indicate overload for realms
>>            other than the one in the Origin-Realm AVP of the containing
>>            answer.
>> 
>> 
>> 
>>    REQ 20: Any explicit overload indication MUST be clearly
>>            distinguishable from other errors reported via Diameter.
>> 
>>            *Compliant*. DOIC sends explicit overload indication in
>>            overload reports.  It does not depend on error result codes.
>>            [Note: I don't think the resuse of too-busy and unable-to-
>>            comply for throttled requests impacts this requirement.  Do
>>            others agree?]
>> 
>> 
>> 
>>    REQ 21: In cases where a network node fails, is so overloaded that it
>>            cannot process messages, or cannot communicate due to a
>>            network failure, it may not be able to provide explicit
>>            indications of the nature of the failure or its levels of
>>            overload.  The solution MUST result in at least as much
>>            useful throughput as would have resulted if the solution were
>>            not in place.
>> 
>>            *Compliant*. DOIC overload reports have the primary effect of
>>            suppressing message retries in overload conditions.  DOIC
>>            recommends that messages never be silently dropped if at all
>>            possible.
>> 
>> 
>> 
>> E.2.4.  Granular Control
>> 
>>    REQ 22: The solution MUST provide a way for a node to throttle the
>>            amount of traffic it receives from a peer node.  This
>>            throttling SHOULD be graded so that it can be applied
>>            gradually as offered load increases.  Overload is not a
>>            binary state; there may be degrees of overload.
>> 
>>            *Compliant*. The "loss" algorithm expresses a percentage
>>            reduction.
>> 
>> 
>> 
>>    REQ 23: The solution MUST provide sufficient information to enable a
>>            load-balancing node to divert messages that are rejected or
>>            otherwise throttled by an overloaded upstream node to other
>>            upstream nodes that are the most likely to have sufficient
>>            capacity to process them.
>> 
>>            *Not Compliant*. DOIC provides no built in mechanism to
>>            determine the best place to divert messages that would
>>            otherwise be throttled.  This can be accomplished with a
>>            future "load" extension, or with proprietary load balancing
>>            mechanisms.
>> 
>> 
>> 
>>    REQ 24: The solution MUST provide a mechanism for indicating load
>>            levels, even when not in an overload condition, to assist
>>            nodes in making decisions to prevent overload conditions from
>>            occurring.
>> 
>>            *Not Compliant*. "Load" information has been left for a
>>            future extension.
>> 
>> 
>> 
>> E.2.5.  Priority and Policy
>> 
>>    REQ 25: The base specification for the solution SHOULD offer general
>>            guidance on which message types might be desirable to send or
>>            process over others during times of overload, based on
>>            application-specific considerations.  For example, it may be
>>            more beneficial to process messages for existing sessions
>>            ahead of new sessions.  Some networks may have a requirement
>>            to give priority to requests associated with emergency
>>            sessions.  Any normative or otherwise detailed definition of
>>            the relative priorities of message types during an overload
>>            condition will be the responsibility of the application
>>            specification.
>> 
>>            *Compliant*. The specification offers guidance on how
>>            requests might be prioritized for different types of
>>            applications.
>> 
>> 
>> 
>>    REQ 26: The solution MUST NOT prevent a node from prioritizing
>>            requests based on any local policy, so that certain requests
>>            are given preferential treatment, given additional
>>            retransmission, not throttled, or processed ahead of others.
>> 
>>            *Compliant*. Nothing in the specification prevents
>>            application-specific, implementation-specific, or local
>>            policies.
>> 
>> 
>> 
>> E.2.6.  Security
>> 
>>    REQ 27: The solution MUST NOT provide new vulnerabilities to
>>            malicious attack or increase the severity of any existing
>>            vulnerabilities.  This includes vulnerabilities to DoS and
>>            DDoS attacks as well as replay and man-in-the-middle attacks.
>>            Note that the Diameter base specification [RFC6733] lacks
>>            end-to-end security and this must be considered (see the
>>            Security Considerations in [RFC7068]).  Note that this
>>            requirement was expressed at a high level so as to not
>>            preclude any particular solution.  Is is expected that the
>>            solution will address this in more detail.
>> 
>>            *Compliant*. The working group is not aware of any such
>>            vulnerabilities.  [This may need further analysis.]
>> 
>> 
>> 
>>    REQ 28: The solution MUST NOT depend on being deployed in
>>            environments where all Diameter nodes are completely trusted.
>>            It SHOULD operate as effectively as possible in environments
>>            where other nodes are malicious; this includes preventing
>>            malicious nodes from obtaining more than a fair share of
>>            service.  Note that this does not imply any responsibility on
>>            the solution to detect, or take countermeasures against,
>>            malicious nodes.
>> 
>>            *Partially Compliant*. Since all Diameter security is
>>            currently at the transport layer, nodes must trust immediate
>>            peers to enforce trust policies.  However, there are
>>            situations where a DOIC node cannot determine if an immediate
>>            peer supports DOIC.  The authors recommend an expert security
>>            review.
>> 
>> 
>> 
>>    REQ 29: It MUST be possible for a supporting node to make
>>            authorization decisions about what information will be sent
>>            to peer nodes based on the identity of those nodes.  This
>>            allows a domain administrator who considers the load of their
>>            nodes to be sensitive information to restrict access to that
>>            information.  Of course, in such cases, there is no
>>            expectation that the solution itself will help prevent
>>            overload from that peer node.
>> 
>>            *Partially Compliant*. (See response to previous
>>            requirement.)
>> 
>> 
>> 
>>    REQ 30: The solution MUST NOT interfere with any Diameter-compliant
>>            method that a node may use to protect itself from overload
>>            from non-supporting nodes or from denial-of-service attacks.
>> 
>>            *Compliant*. The specification recommends that any such
>>            protection mechanism needed without DOIC should continue to
>>            be employed with DOIC.
>> 
>> 
>> 
>> E.2.7.  Flexibility and Extensibility
>> 
>>    REQ 31: There are multiple situations where a Diameter node may be
>>            overloaded for some purposes but not others.  For example,
>>            this can happen to an agent or server that supports multiple
>>            applications, or when a server depends on multiple external
>>            resources, some of which may become overloaded while others
>>            are fully available.  The solution MUST allow Diameter nodes
>>            to indicate overload with sufficient granularity to allow
>>            clients to take action based on the overloaded resources
>>            without unreasonably forcing available capacity to go unused.
>>            The solution MUST support specification of overload
>>            information with granularities of at least "Diameter node",
>>            "realm", and "Diameter application" and MUST allow
>>            extensibility for others to be added in the future.
>> 
>>            *Partially Compliant*. All DOIC overload reports are scoped
>>            to the specific application and realm.  Inside that scope,
>>            overload can be reported at the specific server or whole
>>            realm scope.  As currently specified, DOIC cannot indicate
>>            local overload for an agent.  At the time of this writing,
>>            the DIME working group has plans to work on an agent-overload
>>            extension.
>> 
>>            DOIC allows new "scopes" through the use of extended report
>>            types.
>> 
>> 
>> 
>>    REQ 32: The solution MUST provide a method for extending the
>>            information communicated and the algorithms used for overload
>>            control.
>> 
>>            *Compliant*. DOIC allows new report types and abatement
>>            algorithms to be created.  These may be indicated using the
>>            OC-Supported-Features AVP.
>> 
>> 
>> 
>>    REQ 33: The solution MUST provide a default algorithm that is
>>            mandatory to implement.
>> 
>>            *Compliant*. The "loss" algorithm is mandatory to implement.
>> 
>> 
>> 
>>    REQ 34: The solution SHOULD provide a method for exchanging overload
>>            and load information between elements that are connected by
>>            intermediaries that do not support the solution.
>> 
>>            *Partially Compliant*. DOIC information can traverse non-
>>            supporting agents, as long as those agents do not modify
>>            certain AVPs. (e.g., Origin-Host).  DOIC does not provide a
>>            way for supporting nodes to detect such modification.
>> 
>> 
> 

_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.