Re: [icnrg] Last Call: draft-irtf-icnrg-ipoc

Greg White <g.white@CableLabs.com> Tue, 21 April 2020 04:05 UTC

Return-Path: <g.white@CableLabs.com>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1C193A0755 for <icnrg@ietfa.amsl.com>; Mon, 20 Apr 2020 21:05:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cablelabs.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7nLtizTP_Hg4 for <icnrg@ietfa.amsl.com>; Mon, 20 Apr 2020 21:05:22 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2113.outbound.protection.outlook.com [40.107.223.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 221463A074E for <icnrg@irtf.org>; Mon, 20 Apr 2020 21:05:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BGbyCY/IY15M2Pro7JBI1hBfpF2+OaeYllUXDftxVgjie+GDDc0oxlZzOtYtZekSPC1G4peHqtFk697BpqSLIxq+YneBDAwbnzHxjI7d6oEm5HcfGvw5rJ+9uSJ9f9Z5ZgMHl12CT2HPoC6CJ+WfnUjhjxpKr6AwciauxNHgndOW2RGlxp53sQQ29R34+CuMdqRNCKi5pAs27+WhB9y6eKETzT5UxmKKocwqgn4tlBfHEZx0MXKhPHEC+0n2snMO0wDF+0WuZd4LGh4ftnCT55opaa6uyRXM/CVaBQxHhFHtnco/fsuO4f5J9Gl4uQroo7hxwisKlk5D+74N/j3iiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6CqBTBDQB0O9j9HxMPs8xvR5ofeyn0Y8VdpiEfxfkCc=; b=BgRutuAFPn2L1g8jAAPz65xQRbOyhP8fY3NJPfEQOoqzsx3uzLCegEOBDJSD7njV/V2Rm76xZChYdiwouv6cDisXU/XZF3J3+YHzS3REHoOxO7+HNl4/byxllh1lVrz61c0CL5u3/gFkpb2p61GlE0w0n9oWwsqxdqv3G3Yjxy52G/WPp3Otg7qcTIc2bkXxua1l3d5ktqOQpEzPRrKRxJM1gAjf3t/+qwaCzPt/RZruyC9+ziIr6PUgV86e9abqUU7OJKArwkwoieSxhXHWilAvKl+phd1LvWzMblTtDyBoZ0BMv7odFh3KLPAdYFl4A/qsOL+vl4IlKCZeiXachA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cablelabs.com; dmarc=pass action=none header.from=cablelabs.com; dkim=pass header.d=cablelabs.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cablelabs.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6CqBTBDQB0O9j9HxMPs8xvR5ofeyn0Y8VdpiEfxfkCc=; b=GSNBG9lrA5IqH6mpF/Kv9wLsOKOQu3CE8xlTbdVg8SzvnhqjJE575e6kzpWFltdZEF7WOYuTEzUJj0Rr+luTp+udxbQJ63xBgsP1QBfX9JDo3v7r+gE39o7PLwBgQwY8NQQ+63Y5akbL9oqnhOod2CZ7RmWErN/TtLJZIQB2bbhsjx9fxOxpPf7HHZxZo93jd/uEJr5Px4cZBJ3RmJVSQhpbgd7gvR7V46AbpA36ZjDrVKiMnIiDA75Dp+FDshqImG+MuhxxqKoTw1b544yM7lRRxf8gtC8TQ0/djoNus6roKVKDgLc5D7JwrQiYjF0q/Z6TCNQobjh/UtlMyzVJ8w==
Received: from CY4PR06MB3239.namprd06.prod.outlook.com (2603:10b6:910:53::14) by CY4PR06MB2854.namprd06.prod.outlook.com (2603:10b6:903:134::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.29; Tue, 21 Apr 2020 04:05:19 +0000
Received: from CY4PR06MB3239.namprd06.prod.outlook.com ([fe80::e18a:1265:24a:dd7a]) by CY4PR06MB3239.namprd06.prod.outlook.com ([fe80::e18a:1265:24a:dd7a%5]) with mapi id 15.20.2921.030; Tue, 21 Apr 2020 04:05:19 +0000
From: Greg White <g.white@CableLabs.com>
To: Luca Muscariello <muscariello@ieee.org>
CC: "David R. Oran" <daveoran@orandom.net>, ICNRG <icnrg@irtf.org>
Thread-Topic: [icnrg] Last Call: draft-irtf-icnrg-ipoc
Thread-Index: AQHV/r6thAUt+nphTkOkk3l15p6BbKhV1M4AgCS5vQCAAPVsAIAAb9KA
Date: Tue, 21 Apr 2020 04:05:19 +0000
Message-ID: <0A3AFADD-B47E-45BA-A08A-94971C861C34@cablelabs.com>
References: <93E56749-73D1-4E34-81BB-B7F66DA30F7A@orandom.net> <CAH8sseRzHtrKpw5S+DKOUuysiZ7LaFM=ew5sgrwQjvSqnKL00A@mail.gmail.com> <C8616085-6FE7-4C4F-8048-4CD40C423261@cablelabs.com> <CAH8sseQ5Zn1T8DH2YzZaRqc-3cVf3M47aveWOPvjg1Rov6Sq2A@mail.gmail.com>
In-Reply-To: <CAH8sseQ5Zn1T8DH2YzZaRqc-3cVf3M47aveWOPvjg1Rov6Sq2A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1c.0.190812
authentication-results: spf=none (sender IP is ) smtp.mailfrom=g.white@CableLabs.com;
x-originating-ip: [2601:285:8200:323:38a9:857b:a241:4220]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 22b1d9b4-22b4-48c7-e191-08d7e5a9350c
x-ms-traffictypediagnostic: CY4PR06MB2854:
x-microsoft-antispam-prvs: <CY4PR06MB2854980F94795FD259A4A84BEED50@CY4PR06MB2854.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 038002787A
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR06MB3239.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(366004)(39850400004)(396003)(346002)(376002)(136003)(5660300002)(6512007)(6916009)(36756003)(478600001)(81156014)(30864003)(71200400001)(8936002)(66446008)(66574012)(6506007)(53546011)(86362001)(64756008)(66556008)(66476007)(66946007)(54906003)(186003)(33656002)(76116006)(316002)(2616005)(966005)(4326008)(6486002)(2906002)(8676002)(85282002); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: CableLabs.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wWJ1fX0rMj05vxDiBT9upxUFPXJXQTuH8J5GYYTuCJouxRKQoq2Nf41+kVUSWhlBlXLnpwVM3jiv0uIbGmlGUiVgv7pYpEDLL3gFoP3FxXAi7g9Eox33pgUOB0KX8Re5OyzXhJMpXfrtTA8584H+mhgV84JAE/7vMssX6cQm6jQqluvYl6lYoH2YkpgyzpwsQA3Hj1ZPhom/C5UK18X5fhA/B1xJuQu0RlteY7YnyW5WCqME9WVOOBITdj7/KUtyJHbumLOXQLjC8BHAufbXqd1ie8W1J2aPsYYxh34L4JEenUJ3l3ZY9GU1yx5O0LTrAyOym2DR79aAdb150/uepU/Nm+DUfOd5b+gcJNEO0pkhshVbfouyQ/mTA5c4jTmZqusyrtJaEvb/gN3xW6NdoZL8l5vvIhrwmNfz8Ju3PFlBwVRZD2vkqlQjlkI5Ssvth6JrCWvOFMQqnDdHzG2+c4OwjKb9VYWNyl6EXN4EebaAY77MXqPIPUX643UqYbAC+7C6Hr14I4EsaYphSI+WaR8fRFA+HKnp6qk/PQVsHV3Z8NStO+oYgpEm4w7KWq/D
x-ms-exchange-antispam-messagedata: +jB5oOO6+GT3BUvze0DHJ0ixhZhuueqFr+98uutSNPETFSVSyBHIgn89y42J5WIe4mBPxM36z7heJDfjSnBfUkHqGpCO+yPEm5d0bigEUjWrGyrlW61ns4JAEepsHXXcQqypqaenqBYPie9oJc0q3+9fcNhavXkpO+Wk4HZlaK3EtUPXi/3cv6HjG0ppwGEMv55YHNkDj4DbG0M1JKN2nA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0A3AFADDB47E45BAA08A94971C861C34cablelabscom_"
MIME-Version: 1.0
X-OriginatorOrg: cablelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 22b1d9b4-22b4-48c7-e191-08d7e5a9350c
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Apr 2020 04:05:19.8215 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ce4fbcd1-1d81-4af0-ad0b-2998c441e160
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: a+cUFelrJpdUYwK6BnPHpH4Sh20ttfYJdeRS5f8j4jAKU9kiLfDejUDzBixMnGFTYFF/lbZvxXdVPRLaq5zqhA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR06MB2854
Archived-At: <https://mailarchive.ietf.org/arch/msg/icnrg/XovzxZjygAOzKh6Nx9beclrB5gM>
Subject: Re: [icnrg] Last Call: draft-irtf-icnrg-ipoc
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 04:05:26 -0000

Luca,

Clearly you have a vested interest in hICN.  But, just as there are multiple technologies to enable the transition from IPv4 to IPv6, there is value in having multiple transition technologies for ICN.  IPoC fills a different niche from hICN, and it seems you’ve failed to understand that.  Whereas hICN is a way to run limited ICN applications over a modified IPv6 network, IPoC is a way to run *unmodified* IPv4/IPv6 applications over a pure CCNx network.  Both approaches have their own applicability, and their own tradeoffs.  In the context of a mobile network, hICN does not provide a mobility solution for IP traffic, and thus requires the operator to deploy and maintain two parallel forwarding planes. On the other hand, IPoC allows the operator to eliminate IP routing and legacy mobility mechanisms from the mobile core and support all services over CCNx.  Yes, IPoC assumes a bigger first step (deployment of CCNx), but it makes taking that step easier, and once taken, native CCNx applications can be deployed getting the advantages of the full CCNx architecture.  Additionally, other transition technologies (like HTTP->CCN proxies) can be deployed to enable certain applications to get more of the CCNx-native benefits.

-Greg


From: Luca Muscariello <muscariello@ieee.org>
Date: Thursday, April 16, 2020 at 1:29 AM
To: Greg White <g.white@CableLabs.com>
Cc: "Dave Oran (oran)" <daveoran@orandom.net>et>, ICNRG <icnrg@irtf.org>
Subject: Re: [icnrg] Last Call: draft-irtf-icnrg-ipoc

Hi Greg,

comments in line.

On Thu, Apr 16, 2020 at 12:50 AM Greg White <g.white@cablelabs.com<mailto:g.white@cablelabs.com>> wrote:
Hi Luca,

Thanks for the review and for the questions and comments.

On your first question, the IPoC naming convention and CCNx routing mechanism ensure that the IPoC client remains in communication with the IPoC gateway that provides reachability to the client’s assigned IP address by other devices on the IP network.  If the IPoC gateway becomes unreachable due to a network attachment change (e.g. if the client leaves the current IPoC network and joins another), it would need to establish communication with a new IPoC gateway in the new network, using the mechanism described in Section 8.  It would thus be in a different subnet, with a different IP address.   It would also be possible for a client to periodically run the Section 8 mechanism in order to determine whether it was connected to the topologically nearest gateway.  If it finds a nearer gateway (and thus gets a new IP address) it could begin transitioning new IP connections to the new IP address, while allowing existing connections that used the previous IP address to complete.


The IPoC GW is very similar to what we do in enterprise networks with LISP to optimize Wi-Fi mobility management and more. Even if this happens from the AP to the switch it does not change much.
Similarly from the eNB to the SGW using GTP tunneling. IPoC does not provide any advantage w.r.t. LISP or GTP which both rely on IP only. I'd say that in this case I only see the disadvantages of IPoC as it makes the assumption that CCNx is the backhaul.
The fact that IPoC binds IP addresses to the CCNx namespace destroys all good features of CCNx which is used with hands and legs tied.
In summary: No many-to-many communications, weak security properties, inferior mobility wrt the state of the art and also no incentives to move from the current solutions to this one.


Correct me if I am misunderstanding, but questions 2 & 4 seem to be essentially the same question, i.e.:  is it expected that Interests and Content Objects are all signed, and if so, what are the performance implications?
As you noted, section 14 mentions signing of Interests and Content Objects, and implies that it is optional.  It is in fact optional.  As section 14 discusses, the protocol is intended for use within a managed, CCNx-based, mobile core network where endpoint authentication and authorization is managed via existing means. Interest and CO signing would certainly add computational complexity perhaps on the order of the complexity associated with encrypted tunnels in IP, so the benefits of doing so would need to be weighed against the scalability impacts.   I’ll add an explicit mention in Section 4 that signing is optional.

Q2 and Q4 are distinct questions related to the usage of signed interest systematically, i.e. 100% of the interests.
Q2: This is about the fact that interests are signed because they carry payload. So local flow balance is gone and this has performance implications in terms of congestion management, loss recovery AND mobility. All gone. This is what Q2 is about. Sorry for being so compact, but I'm assuming some terminology is well understood in this list.
Also what are the security implications of signing every Interest? It looks very similar to an IPSEC GW with all the certificate business.

Q4: This is about the computation cost. In the hICN project we're spending a lot of time to bring performance of a single transfer beyond 10Gbps. All forms of optimizations are required: manifests, hash computation offloading, software/hardware tricks and many more. This is not a negligible point. In practice one would be tempted to disable signatures. This is worse.
The security implication of using non authenticated end-points are very well known even in a managed network. Managed networks carry customer' traffic and security is MUST, not an option.
Current solid deployments of LISP in enterprise networks make use of authentication, GTP tunnels too in the EPC backhaul. Tunnel confidentiality may be an option but authentication is not.
It is an option in EPC for 4G but for 5G UPC confidentiality is mandatory.




On question 3, there are two implementations that have been made available.  One was built on the PARC Metis libraries, experimental results using this implementation were shared at the November 13, 2016 ICNRG Interim Meeting, and it was mentioned as well at the March 20, 2018 and July 21, 2018 ICNRG meeting where IPoC was presented.  While this implementation is not currently being maintained, the code is available. The second implementation was built in ndnSim, and is available on GitHub.  Experimental results and a link to the repo can be found in the paper listed in the Informative References of the IPoC draft.  That paper discusses the benefits compared to the existing GTP tunneling mechanisms used in LTE-EPC.  I’m not sure why you are questioning whether CCNx consumer mobility still holds.  This protocol makes use of CCNx stateful forwarding directly, and is designed precisely to make use of that feature.

I read the paper that describes and evaluates IPoC and compares to GTP. That's the whole point. The conclusion of the paper is that IPoC is no worse than GTP. Which is my whole point.
What is the reason to disrupt a technology (GTP) and replace it with something that is no worse?
As soon as the IPoC namespace is tied to the IP addresses of the end-points of the tunnel, IPoC becomes isomorphic to GTP or any tunneling protocol making use of locators.
So it is no worse than any of those protocols. This does not look like a compelling reason to change the transport infrastructure. Worse, it looks like an argument NOT to move towards ICN.

I am surprised that this draft has moved to last call with this implicit message.

I did not pay attention to all drafts moving forward in this RG because there are so many of them being pushed by the chairs, but I hope we pay more attention to "shoot-yourself-in-the-foot" messages.


Best
Luca




Best Regards,
Greg



From: icnrg <icnrg-bounces@irtf.org<mailto:icnrg-bounces@irtf.org>> on behalf of Luca Muscariello <muscariello@ieee.org<mailto:muscariello@ieee.org>>
Date: Monday, March 23, 2020 at 2:01 AM
To: "Dave Oran (oran)" <daveoran@orandom.net<mailto:daveoran@orandom.net>>
Cc: ICNRG <icnrg@irtf.org<mailto:icnrg@irtf.org>>
Subject: Re: [icnrg] Last Call: draft-irtf-icnrg-ipoc

Hi

I went through the draft and I have a few comments and some questions.

1 how does this system work when IP addresses at local interfaces change?
  My question is about both the underlying mechanics and also the performance
  of the system in such cases.
2 What are the implications of using signed Interests in this way? I mean
  100% of the Interests are signed in the tunneling scheme. My question is both
  in terms of security and performance. And with performance I mean both
  mobility and local flow balance.
3 Is there any reality check and running code of this scheme?
  Every Internet draft comes with a security section but not a cost section
  however it is unclear in this specific case, what are the benefits of this
  scheme and if one would need it compared to existing tunneling technologies.
  The alleged benefits of CCNx in terms of mobility are never spelled out in the
  draft but it is unclear if any mobility benefit still holds using this technique.
4 The cost of signing every packet is significant and would probably kill
  the performance of the tunnel. In the last section the authors seem to
  consider interest/data signatures as optional. Can this be clarified and spelled
  out clearly? Is the intent to use the tunnel w/o signatures?

Thank
Best
Luca



On Fri, Mar 20, 2020 at 2:51 PM David R. Oran <daveoran@orandom.net<mailto:daveoran@orandom.net>> wrote:
Hello ICNRG,

This is a last call for comments on draft-irtf-icnrg-IPOC (Internet
Protocol Tunneling over Content Centric Mobile Networks).

We want to publish this as an Experimental RFC. Please read it and let
us know if you think there are issues. The last call ends on April 15,
i.e., 3 weeks from today.

https://datatracker.ietf.org/doc/draft-irtf-icnrg-ipoc/

Abstract

    This document describes a protocol that enables tunneling of
Internet
    Protocol traffic over a Content Centric Network (CCNx) or a Named
    Data Network (NDN).  The target use case for such a protocol is to
    provide an IP mobility plane for mobile networks that might
otherwise
    use IP-over-IP tunneling, such as the GPRS Tunneling Protocol (GTP)
    used by the Evolved Packet Core in LTE networks (LTE-EPC).  By
    leveraging the elegant, built-in support for mobility provided by
    CCNx or NDN, this protocol achieves performance on par with LTE-EPC,
    equivalent efficiency, and substantially lower implementation and
    protocol complexity [Shannigrahi].  Furthermore, the use of CCNx/NDN
    for this purpose paves the way for the deployment of ICN native
    applications on the mobile network.

Best regards,
ICNRG chairs


DaveO

_______________________________________________
icnrg mailing list
icnrg@irtf.org<mailto:icnrg@irtf.org>
https://www.irtf.org/mailman/listinfo/icnrg