[Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 20 February 2020 12:44 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm-ioam-ix-dt@ietfa.amsl.com
Delivered-To: ippm-ioam-ix-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3156D1200EF for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 04:44:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSDOH7detPhS for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 04:44:02 -0800 (PST)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99B6D12001A for <ippm-ioam-ix-dt@ietf.org>; Thu, 20 Feb 2020 04:44:02 -0800 (PST)
Received: by mail-wm1-x332.google.com with SMTP id t23so1856206wmi.1 for <ippm-ioam-ix-dt@ietf.org>; Thu, 20 Feb 2020 04:44:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=i9IkDKfKqi06dCAck4rY5+FXEeLVhea/gfK817G7JTQ=; b=Nz0Wnmn96OnG20JW0pJjyAO4H6jUPb8EJP8dOhXj3snqbX26KZ9kyabK7E0oPe1uP6 gh4r09ZbCRRLPaWJMueZRj4x3MpWrR9+S4gCNnwT1dCeLcFLpFRmpuEkhCMBp1Tm/gkE Z5JWxSXgCTCfjM/GhGFB2PEbf55BmEA2cIqHyd37IPy+X3oDl40OsIEQQziSigOicZHh b7kAvhHreWe5RSgkEoasTZC30q+C7OgkrEG59zZNAFud7jL6/3TpaclqOLbM4Sh3AjpP LmbmtKHblrQaGJYWGdyJMi45kvfzzghegw3CtzIHzlX0ke4u7LW0wc7xJjEA7zD6Xchk JsAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=i9IkDKfKqi06dCAck4rY5+FXEeLVhea/gfK817G7JTQ=; b=fdQZ9NogoLumI6INCDNXa/IS3dZL5Ie2srKcgfJV5gXVMAkh648KFiXYYH9PmliDrm Jqnxem2Rqhq+ihSfGEpwWWn6hHLZXBOxzpnffOIvt6iPS2t7+SKRi94U+wB2CjRpCEt6 ypgqsLbqLfI1nRbKUvVWvLqxaj0tIDeJavEUIxTBCvrEMcr/GFXn5dG7wQbahmkVMeKt cmQLUZEre5pCnpXvXyqqr14vbI9bQw2DtKsER0O/Ppz2ohVz8XhW9heoXB6mTAfRXxUe w89GonU2cdtYmWDzoDgISCxdtuHjzRk+YFtUuP7Ei4KWEsmqMNuPMK25z6MpYOZxIMJd U7CA==
X-Gm-Message-State: APjAAAUpwBZ8R9gepy6v9/VRg5Scr6HHfk0V79YzA+Vlk06aI5ZRL/9I r3W0eYKrK5npTCNVFX6FvY46TPzfT47k9RNCC/d5X1dC9xU=
X-Google-Smtp-Source: APXvYqxT7ORF8OQbhcj3LbqlHZ/pGhRXS9eh67ep6WS5YshARqHMp0qEj4t6RYe56I7FVAmsJV/fjjPHOHpFTncsXSc=
X-Received: by 2002:a05:600c:2042:: with SMTP id p2mr4500054wmg.79.1582202640662; Thu, 20 Feb 2020 04:44:00 -0800 (PST)
MIME-Version: 1.0
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 20 Feb 2020 14:43:49 +0200
Message-ID: <CABUE3XnB3b91kZoibwyWghOuS__PxutnH-hc4NEiT94GvefoxQ@mail.gmail.com>
To: ippm-ioam-ix-dt@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm-ioam-ix-dt/7yMAiZjGCsN0T_TTWvcH0OtSrgk>
Subject: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
X-BeenThere: ippm-ioam-ix-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPPM iOAM Immediate Export \(IX\) design team" <ippm-ioam-ix-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm-ioam-ix-dt/>
List-Post: <mailto:ippm-ioam-ix-dt@ietf.org>
List-Help: <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 12:44:05 -0000
IPPM IOAM Design Team Virtual meeting February 19th, 2020, 07:00 UTC Webex meeting Attendees: Frank Brockners, Barak Gafni, Greg Mirsky, Tal Mizrahi, Mickey Spiegel. Minutes by Tal Mizrahi. Summary: ======== - Tal has updated the pull request regarding the security considerations of the data draft based on the discussion below: https://github.com/inband-oam/ietf/pull/146 - Mickey will suggest a text udate to address the timestamp issue in the data draft. - Frank will work on updated text to address other open issues in the data draft. - The next virtual meeting will be on March 4th, 07:00 UTC. Detailed discussion: ==================== - Tal: an updated version of the DEX draft was posted as a working group document. The main open issue is related to the hop limit/hop count, and was presented on the mailing list. No comments yet. Any suggestions on how to proceed? - Frank: we can continue with the email discussion. - Tal: an updated version of the flag draft was posted with updates based on comments and discussions in the design team. The loopback on the reverse path is an open issue. No comments received yet. Another open issue is security and amplification attacks. Some text was added to this draft, but no feedback yet. Greg - any comments about security? - Greg: will look at the draft. Also the open issue of the loopback reverse path needs more discussion. Maybe we should discuss the security issues in the data draft first. - Tal: moving on to the data draft - we have a pull request regarding security that tries to capture our understanding of the security considerations. - Greg: if IOAM traverses inter-data-center links, how do you secure that? - Tal: inter-data-center has to be secured anyway, regardless of IOAM. - Greg: for example, Geneve has security mechanisms. - Tal: what if we explained in the draft that some of the security would have to be defined on a per encapsulation basis? - Greg: some considerations in Geneve may affect IOAM. - Tal: we need to explain that some security considerations will have to be defined on a per encapsulation basis. - Greg: that may help. Whether security mechanisms are used is not the same question as whether security mechanisms are defined. This document is the base for other encapsulations. - Tal: we are looking to scope the security threats and requirements, but this draft should not define security mechanisms. - Greg: if we do not define security mechanisms then we are not providing any solutions. - Mickey: there may be various scenarios for IOAM. What is the scope of your concern? Only inter-data-center? - Greg: you may be exposed in inter-data-center similarly to exposure on the Internet. - Frank: is the concern that IOAM packets are changed by transit node, or is it that there may be IOAM nodes that malfunction? The first concern is not specific to IOAM. - Greg: there is a specific discussion about IOAM - whether it is fault management or performance management. In other protocols we have integrity protection. - Frank: right, but in that case we are also concerned about integrity protection for data. - Greg: Geneve has integrity protection. It would be a good step forward that in specific encapsulations it would be useful to use specific security mechanisms. If there is no security mechanism, it is not available to encapsulations. - Mickey: it depends on the deployment scenario. - Greg: if there is no security mechanism, then you can't use IOAM in a scenario that is subject to threats. - Frank: security is a concern. You can either ignore it, or you can address it in the draft. I would suggest to address it by adding a paragraph that explains this. - Tal: I agree. We should add a paragraph that explains that in some scenarios and encaps we will need a security mechanism, but will not be defined in this draft. - Mickey: adding a security mechanism makes sense for DEX, but how does it fit the data draft? - Frank: for example, a Geneve tunnel between IOAM hops can be secured. The links between IOAM hops can be secured in some cases. - Mickey: in DEX you can secure the data. - Frank: an attacker can still add a DEX option. - Mickey: for inter-data-center is there a concern that the tunnel extends across more than one administrative domain? - Greg: it does not matter where the tunnel is terminated. If the packet is not protected it can be modified. It would be a good idea to have at least some text that mentions this may be necessary in other drafts. - Mickey: you may or may not require these mechanisms depending on the deployment scenario. - Tal: will update the pull request, and let's discuss the text. - Frank: going over the issues, and will try to update the text in the next few days. - Tal: the next meeting is on the 4th of March. Will try to have text suggestions before that. - Mickey: most of the issues should be simple. Security may require more iterations. I will try to find some text for timestamp boundaries. - Mickey: the raw export draft expired a month ago. I will refresh it. - Tal: we need to request a slot for IETF 107, to discuss the working group documents.
- [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb … Tal Mizrahi
- Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, … Tal Mizrahi
- Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, … Tianran Zhou