[Ippm-ioam-ix-dt] IPPM IOAM Meeting, December 9th, 2020
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Wed, 09 December 2020 08:27 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm-ioam-ix-dt@ietfa.amsl.com
Delivered-To: ippm-ioam-ix-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADB733A0E1C for <ippm-ioam-ix-dt@ietfa.amsl.com>; Wed, 9 Dec 2020 00:27:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5piZq-Pjmwp1 for <ippm-ioam-ix-dt@ietfa.amsl.com>; Wed, 9 Dec 2020 00:27:19 -0800 (PST)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D956D3A0E18 for <ippm-ioam-ix-dt@ietf.org>; Wed, 9 Dec 2020 00:27:18 -0800 (PST)
Received: by mail-wr1-x42f.google.com with SMTP id y17so722655wrr.10 for <ippm-ioam-ix-dt@ietf.org>; Wed, 09 Dec 2020 00:27:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=tltSMJiU+QKMwxAz8F3uD07kZm854LNd4hvdH3PCcmU=; b=VPz/34qhf6DRXnah4yoEFzDD9TUae8xT9sTTwM/ecm2cHd0KonzQk95Vl0JOyT3QEC ghoICrpPs/U0hyh3eetAQUflAJ6qTQL+wNvCmGeOoBRzRiud8Rb73UY9l+f5jykKsHJb Jq0XQxLejPxA3+Bs18D0wcZajNqJwYIx4kUhf2/VvIuQexg0oioEw7AA5sUgRPGRF1+Y sr3aiErke78Mn2k++aQr+Vs4nNPc2HIK1XQZvDHuHKJWMQ8A5NXRlg3SDkZ5q76FLV3Q Yr8rEdAwZ5d/i8F0nlm9l0XHL6Lx679X0N8dVdb8RhKZkamw2Wh/QjYPwWdcaNRjcpc7 uC/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=tltSMJiU+QKMwxAz8F3uD07kZm854LNd4hvdH3PCcmU=; b=BiPMYjSr2bz7cbJ4VDNGbI4jFXnxw7SCkRoPTU+3j7qY+kFjiB1N0OJK1i7IxbhBCJ m8lmn4EshmqfSEddh09PZIenbsbNJcgIiChOJ4LvkaDs7ucYGZ/Gb1DGu+gDeF/mslxC Ts5wkiEvqk0hFko8nadr5OPRhBXSDL1ptvkek/U5ydX8sAWSExDzS2SMH4biOMOZeYXM Viz3OLiD/WJhUHx0WLWhT0W3AFB5U6dbIV/uAsy3PcVMrBarFFU4qSQ+YJXbIfuw+Q/S YqbQUlozd+D9XN5yLE7dZ3CFFHG6Xv9zrLx/wtqlQu+w+JkwSW7o+lhE/NUydjOBtPe4 6PDw==
X-Gm-Message-State: AOAM533YGJrSf5t9o/yFxCQwX358cgkIsjl0rTakhe+M40UAuCRSigMD mrxCMWeCyptre+2IroMVx6WdKFKb7yyukzRkMilu7owfXITj9A==
X-Google-Smtp-Source: ABdhPJw7qbFbxI7plLiCJawRc24lZgxwZi9j+jx2QFiLyU3+UdBQ25R0x8fkZVV6ck3kTiMxcaS0V/1OvuJ5aPetG7I=
X-Received: by 2002:adf:e60e:: with SMTP id p14mr1298850wrm.188.1607502436620; Wed, 09 Dec 2020 00:27:16 -0800 (PST)
MIME-Version: 1.0
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Wed, 09 Dec 2020 10:27:05 +0200
Message-ID: <CABUE3XmRsssJ3xk1kgOzQYfadFBdfSQobk3F2HutffASn=TXaA@mail.gmail.com>
To: ippm-ioam-ix-dt@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm-ioam-ix-dt/_IWuuGVMMWd8dRS2we5Qhhyy1I4>
Subject: [Ippm-ioam-ix-dt] IPPM IOAM Meeting, December 9th, 2020
X-BeenThere: ippm-ioam-ix-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPPM iOAM Immediate Export \(IX\) design team" <ippm-ioam-ix-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm-ioam-ix-dt/>
List-Post: <mailto:ippm-ioam-ix-dt@ietf.org>
List-Help: <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 08:27:21 -0000
IPPM IOAM Design Team Virtual meeting December 9th, 2020, 07:00 UTC Webex meeting Attendees: Frank Brockners, Greg Mirsky, Haoyu Song, Mickey Spiegel, Tal Mizrahi. Minutes by Tal Mizrahi. Summary ======= - Tal will ping the AD and chairs regarding integrity protection of IOAM data. - Frank will suggest text to address Shawn Emery. - Haoyu presented a new draft about E2E RTT measurement. - The next meeting will be on the 6th of January 2021, 07:00 UTC. Data Draft ========== Tal: some comments from Shawn Emery on the mailing list. Frank: we have the deployment draft. There is some more detailed security discussion there. I can add a note to the data draft referring to this. Tal: sounds good. Frank: there was Greg's point regarding integrity protection. There is probably going to be a new document about this. Tal: so integrity protection solutions should be defined in a new document(s). Frank: right, we may need a new document about this. Greg: security considerations is a required component. Security of IOAM is important. Draft that defines trace option format should have an integrity protection solution. Tal: as a reference, TWAMP authentication is pretty simple, since its end-to-end. But, for example, NSH is much more complicated, because it has intermediate points. Greg: STAMP can be a reference. Tal: integrity protection is complicated when you have both end-to-end integrity and hop-by-hop integrity. Greg: the hybrid two-step draft defines a mechanism that can be reused here. Tal: each node would also need to verify the header in order to mitigate modifications of the header. Greg: not necessarily. From a protocol perspective, it can be solved. Whether it is deployed or not is up to the operator. The hardware constraints are important, but do not determine the protocol. Mickey: that is not always true. In some cases implementations will determine which protocols are deployed. Geneve is an example. Greg: VMware have deployed Geneve. Mickey: but that is not an example of a hardware implementation. Greg: the IETF does not care about whether protocols can be implemented in hardware or not. Mickey: does the HMAC have constant length, or variable length? Greg: we believe that 16 octets are enough. Tal: it is certainly feasible to solve this problem, but a security solution here is more complicated than previous protocols. Greg: the security AD's feedback was that they will expect a security solution. Tal: right, either way we will need our AD's support for this. As a reference, NSH was published without security, and now the SFC WG is working on a security document. Greg: you will need to convince the security AD. Frank: Tommy asked how complicated it would be to integrate some of it into the data draft, and then cleanly create a security draft. We will need to hear some more opinions. Tal: we need some guidance from the AD and chairs, since the document is in IETF last call. Frank: right, we need some recommendation. Tal: I am going to ping the AD and chairs about this issue, and try to get some guidance. Security of DEX and Flags Draft =============================== Tal: Greg sent some comments to the mailing list about these two drafts. Greg: I consider loopback as a special case of direct exporting, and I believe that the active flag should not be there. Tal: are you suggesting to drop the flag draft altogether? Greg: Loopback: you can explain how DEX can be used for loopback. Active: either has to be very restricted, or removed. Active OAM protocols can be pretty easily filtered in existing protocols. That is not the case with the IOAM 'active' flag. Mickey: the flag distinguishes active OAM from conventional data. Greg: but the flag is much 'deeper'. You need a lot of processing before you get to the flag. Mickey: not sure I understand the distinction. Greg: it is a tool that can be used for attacking. Mickey: you do not need the active flag to inject such an attack. Greg: the active flag is an attack tool. Mickey: the only thing you are doing differently is dropping the active packets at the decap node. Other nodes don't care about this flag. Greg: imagine the active flag in NSH or segment routing. Mickey: those are just domain endpoints. New draft about IOAM RTT Measurement ==================================== draft-song-ippm-inband-e2e-rtt-measurement Haoyu: this is intended for 5G use cases. We need a flag to tell the other end to send back a packet. Suggest to add flags to the E2E format. Greg: have you looked at BFD echo? Haoyu: no. We would be happy for feedback or related work. Greg: the system controls the profile of the traffic. The RTT does not necessarily reflect what you want to measure. Haoyu: we are looking for inband measurement. Greg: active OAM needs to be inband anyway. Mickey: there is a large class of information that can be useful if you send it back to the source. I would be interested if this could be generalized. Greg: you can use DEX and send the exported packet back to the source. Mickey: then you are coupling the export format with the data format. Greg: if you define the export format carefully, will it do the job? Mickey: the exported format may be forwarded differently then the data format. Greg: with careful configuration of the management plane this can be achieved. Haoyu: we do not necessarily know when the feedback packet will be sent if done in the management plane. Greg: with segment routing you can program your segments in a way that the packet loops back to you. Another thing to consider is to use BFD.