IETF Logo Mail Archive

Re: [Int-area] FW: New Version Notification for draft-eckert-intarea-flow-metadata-framework-01.txt

Toerless Eckert <eckert@cisco.com> Fri, 19 July 2013 03:12 UTC

Return-Path: <eckert@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF70D21E81A2 for <int-area@ietfa.amsl.com>; Thu, 18 Jul 2013 20:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.508
X-Spam-Level:
X-Spam-Status: No, score=-10.508 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50fUIYpCoRln for <int-area@ietfa.amsl.com>; Thu, 18 Jul 2013 20:12:42 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id CB56C21E818D for <int-area@ietf.org>; Thu, 18 Jul 2013 20:12:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1547; q=dns/txt; s=iport; t=1374203559; x=1375413159; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=K9tePYrayK7jcVamDfVBrcrrhbAYzIl965PNfBE3dvg=; b=b+7INcjPbuqchQux3mItCUFrUF9vNv25g8S253xhUhuI336rBSZk7PNf TRGlhFLYUG1aV7Cg7ZKaiLSiCFRWbqBz1aKc7qWCy1ONw7Na3Q2DiqU3t BO2W/XYeWHxtTgeJIyDIsBj75mAn8RUDVCy0H9+h7Tuk8DvpsDYjDBkqS Y=;
X-IronPort-AV: E=Sophos;i="4.89,698,1367971200"; d="scan'208";a="83412585"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-1.cisco.com with ESMTP; 19 Jul 2013 03:12:38 +0000
Received: from mcast-linux1.cisco.com (mcast-linux1.cisco.com [172.27.244.121]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r6J3CcQi018093 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 19 Jul 2013 03:12:38 GMT
Received: from mcast-linux1.cisco.com (localhost.cisco.com [127.0.0.1]) by mcast-linux1.cisco.com (8.13.8/8.13.8) with ESMTP id r6J3CbmG004954; Thu, 18 Jul 2013 20:12:37 -0700
Received: (from eckert@localhost) by mcast-linux1.cisco.com (8.13.8/8.13.8/Submit) id r6J3CbCT004953; Thu, 18 Jul 2013 20:12:37 -0700
Date: Thu, 18 Jul 2013 20:12:37 -0700
From: Toerless Eckert <eckert@cisco.com>
To: mohamed.boucadair@orange.com
Message-ID: <20130719031237.GM23170@cisco.com>
References: <94C682931C08B048B7A8645303FDC9F36EE2DDB4FE@PUEXCB1B.nanterre.francetelecom.fr> <45A697A8FFD7CF48BCF2BE7E106F0604090C8510@xmb-rcd-x04.cisco.com> <94C682931C08B048B7A8645303FDC9F36EE2DDB59F@PUEXCB1B.nanterre.francetelecom.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <94C682931C08B048B7A8645303FDC9F36EE2DDB59F@PUEXCB1B.nanterre.francetelecom.fr>
User-Agent: Mutt/1.4.2.2i
Cc: "int-area@ietf.org" <int-area@ietf.org>
Subject: Re: [Int-area] FW: New Version Notification for draft-eckert-intarea-flow-metadata-framework-01.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2013 03:12:48 -0000

On Thu, Jul 18, 2013 at 02:11:21PM +0200, mohamed.boucadair@orange.com wrote:
> >[RP] I believe the end-point making the request for flow characteristics
> >will be the CPE in many cases where the applications is not metadata
> >aware. In other words, the CPE makes the request on behalf of applications.
> [Med] I'm more interested in this CPE flavor (managed CPE) since it avoids relying on applications to benefit from the added value of this approach. This is worth be discussed in the document too. 

See section 3.1.4.1 which talks about proxies. The problem really is where
the proxied information comes from. If the proxy is doing DPI inspection to
deduce it or some configured mappings, then it's likely going to be unreliable
(encryption) or suffer from problems in getting it provisioned.

To me these inspecting proxies are a way to get a foot in the door with
the method while it takes its time to persuade app-developers (or middleware
like browsers) to signal the information explicitly (couple of years ?...).

> [Med] The question is not whether a secure transport is used or not but to what extent the flow description is accurate (e.g., send fake flow description, systematically request treatment with higher priority, etc.).

Right. That was the intention of 3.1.4.2. Ultimately the network taking
action on the metadata needs to trust the authenticated identity
associated with the attributes to not lie about the attributes - OR
enforce the semantic of the attributes signalled.

Cheers
    Toerless

v2.23.0 | Report a Bug | By Email