IETF Logo Mail Archive

Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020

Tianran Zhou <zhoutianran@huawei.com> Thu, 20 February 2020 13:24 UTC

Return-Path: <zhoutianran@huawei.com>
X-Original-To: ippm-ioam-ix-dt@ietfa.amsl.com
Delivered-To: ippm-ioam-ix-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F3EF1200F9 for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 05:24:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1bqpVIA_RhL for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 05:24:55 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A2A81200FD for <ippm-ioam-ix-dt@ietf.org>; Thu, 20 Feb 2020 05:24:55 -0800 (PST)
Received: from LHREML713-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id C1D3B8A0C2FD290727CA; Thu, 20 Feb 2020 13:24:50 +0000 (GMT)
Received: from lhreml726-chm.china.huawei.com (10.201.108.77) by LHREML713-CAH.china.huawei.com (10.201.108.36) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 20 Feb 2020 13:24:50 +0000
Received: from lhreml726-chm.china.huawei.com (10.201.108.77) by lhreml726-chm.china.huawei.com (10.201.108.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 20 Feb 2020 13:24:50 +0000
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by lhreml726-chm.china.huawei.com (10.201.108.77) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Thu, 20 Feb 2020 13:24:49 +0000
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0439.000; Thu, 20 Feb 2020 21:24:42 +0800
From: Tianran Zhou <zhoutianran@huawei.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
CC: "ippm-ioam-ix-dt@ietf.org" <ippm-ioam-ix-dt@ietf.org>
Thread-Topic: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
Thread-Index: AQHV5+t3FJWQ44UouUiFBNWPXZAJ16gjhWcAgACM+aQ=
Date: Thu, 20 Feb 2020 13:24:41 +0000
Message-ID: <BBA82579FD347748BEADC4C445EA0F21BF2258EE@NKGEML515-MBX.china.huawei.com>
References: <CABUE3XnB3b91kZoibwyWghOuS__PxutnH-hc4NEiT94GvefoxQ@mail.gmail.com>, <CABUE3X=wdUhsbP1c6p0UNFdHSa7UayREratKopBoewZDit4x0A@mail.gmail.com>
In-Reply-To: <CABUE3X=wdUhsbP1c6p0UNFdHSa7UayREratKopBoewZDit4x0A@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_BBA82579FD347748BEADC4C445EA0F21BF2258EENKGEML515MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm-ioam-ix-dt/HIEGFz9htQy8b-TlnM1IXa0Xm10>
Subject: Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
X-BeenThere: ippm-ioam-ix-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPPM iOAM Immediate Export \(IX\) design team" <ippm-ioam-ix-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm-ioam-ix-dt/>
List-Post: <mailto:ippm-ioam-ix-dt@ietf.org>
List-Help: <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 13:24:59 -0000

I would also suggest to mention the ioam yang model. I will update the draft to align with the latest data draft.


Cheers,
Tianran




________________________________

Sent from WeLink
发件人: Tal Mizrahi<tal.mizrahi.phd@gmail.com<mailto:tal.mizrahi.phd@gmail.com>>
收件人: ippm-ioam-ix-dt<ippm-ioam-ix-dt@ietf.org<mailto:ippm-ioam-ix-dt@ietf.org>>
主题: Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
时间: 2020-02-20 21:00:37

P.S.
I believe Frank said he will request a slot in IETF 107 for the
working group drafts.
I will request a slot for the profile draft (which is not a working
group draft).
Any other IOAM-related slots?

Cheers,
Tal.

On Thu, Feb 20, 2020 at 2:43 PM Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
>
> IPPM IOAM Design Team
> Virtual meeting
> February 19th, 2020, 07:00 UTC
> Webex meeting
>
>
> Attendees:
> Frank Brockners, Barak Gafni, Greg Mirsky, Tal Mizrahi, Mickey Spiegel.
>
> Minutes by Tal Mizrahi.
>
>
> Summary:
> ========
> - Tal has updated the pull request regarding the security
> considerations of the data draft based on the discussion below:
> https://github.com/inband-oam/ietf/pull/146
> - Mickey will suggest a text udate to address the timestamp issue in
> the data draft.
> - Frank will work on updated text to address other open issues in the
> data draft.
> - The next virtual meeting will be on March 4th, 07:00 UTC.
>
>
> Detailed discussion:
> ====================
> - Tal: an updated version of the DEX draft was posted as a working
> group document. The main open issue is related to the hop limit/hop
> count, and was presented on the mailing list. No comments yet. Any
> suggestions on how to proceed?
> - Frank: we can continue with the email discussion.
> - Tal: an updated version of the flag draft was posted with updates
> based on comments and discussions in the design team. The loopback on
> the reverse path is an open issue. No comments received yet. Another
> open issue is security and amplification attacks. Some text was added
> to this draft, but no feedback yet. Greg - any comments about
> security?
> - Greg: will look at the draft. Also the open issue of the loopback
> reverse path needs more discussion. Maybe we should discuss the
> security issues in the data draft first.
> - Tal: moving on to the data draft - we have a pull request regarding
> security that tries to capture our understanding of the security
> considerations.
> - Greg: if IOAM traverses inter-data-center links, how do you secure that?
> - Tal: inter-data-center has to be secured anyway, regardless of IOAM.
> - Greg: for example, Geneve has security mechanisms.
> - Tal: what if we explained in the draft that some of the security
> would have to be defined on a per encapsulation basis?
> - Greg: some considerations in Geneve may affect IOAM.
> - Tal: we need to explain that some security considerations will have
> to be defined on a per encapsulation basis.
> - Greg: that may help. Whether security mechanisms are used is not the
> same question as whether security mechanisms are defined. This
> document is the base for other encapsulations.
> - Tal: we are looking to scope the security threats and requirements,
> but this draft should not define security mechanisms.
> - Greg: if we do not define security mechanisms then we are not
> providing any solutions.
> - Mickey: there may be various scenarios for IOAM. What is the scope
> of your concern? Only inter-data-center?
> - Greg: you may be exposed in inter-data-center similarly to exposure
> on the Internet.
> - Frank: is the concern that IOAM packets are changed by transit node,
> or is it that there may be IOAM nodes that malfunction? The first
> concern is not specific to IOAM.
> - Greg: there is a specific discussion about IOAM - whether it is
> fault management or performance management. In other protocols we have
> integrity protection.
> - Frank: right, but in that case we are also concerned about integrity
> protection for data.
> - Greg: Geneve has integrity protection. It would be a good step
> forward that in specific encapsulations it would be useful to use
> specific security mechanisms. If there is no security mechanism, it is
> not available to encapsulations.
> - Mickey: it depends on the deployment scenario.
> - Greg: if there is no security mechanism, then you can't use IOAM in
> a scenario that is subject to threats.
> - Frank: security is a concern. You can either ignore it, or you can
> address it in the draft. I would suggest to address it by adding a
> paragraph that explains this.
> - Tal: I agree. We should add a paragraph that explains that in some
> scenarios and encaps we will need a security mechanism, but will not
> be defined in this draft.
> - Mickey: adding a security mechanism makes sense for DEX, but how
> does it fit the data draft?
> - Frank: for example, a Geneve tunnel between IOAM hops can be
> secured. The links between IOAM hops can be secured in some cases.
> - Mickey: in DEX you can secure the data.
> - Frank: an attacker can still add a DEX option.
> - Mickey: for inter-data-center is there a concern that the tunnel
> extends across more than one administrative domain?
> - Greg: it does not matter where the tunnel is terminated. If the
> packet is not protected it can be modified. It would be a good idea to
> have at least some text that mentions this may be necessary in other
> drafts.
> - Mickey: you may or may not require these mechanisms depending on the
> deployment scenario.
> - Tal: will update the pull request, and let's discuss the text.
> - Frank: going over the issues, and will try to update the text in the
> next few days.
> - Tal: the next meeting is on the 4th of March. Will try to have text
> suggestions before that.
> - Mickey: most of the issues should be simple. Security may require
> more iterations. I will try to find some text for timestamp
> boundaries.
> - Mickey: the raw export draft expired a month ago. I will refresh it.
> - Tal: we need to request a slot for IETF 107, to discuss the working
> group documents.

--
Ippm-ioam-ix-dt mailing list
Ippm-ioam-ix-dt@ietf.org
https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt

v2.23.0 | Report a Bug | By Email