[Ippm-ioam-ix-dt] IPPM IOAM Meeting Minutes, November 25th, 2020
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Wed, 25 November 2020 08:11 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm-ioam-ix-dt@ietfa.amsl.com
Delivered-To: ippm-ioam-ix-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A57713A11FF for <ippm-ioam-ix-dt@ietfa.amsl.com>; Wed, 25 Nov 2020 00:11:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHbkrbolRz10 for <ippm-ioam-ix-dt@ietfa.amsl.com>; Wed, 25 Nov 2020 00:11:08 -0800 (PST)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D3203A11F4 for <ippm-ioam-ix-dt@ietf.org>; Wed, 25 Nov 2020 00:11:08 -0800 (PST)
Received: by mail-wr1-x429.google.com with SMTP id g14so925512wrm.13 for <ippm-ioam-ix-dt@ietf.org>; Wed, 25 Nov 2020 00:11:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=ClRUJ87trogvSRIXK+hwrT2WTGEgz/e2+tqge1lCqOc=; b=U+j/35xjvewjWTPHBudHZvTp6qtpWDqsDRDafUTFpkRFmF1QgAuG0qQL5pwMqAmwQz +GVrk3DIytuPT149CW0pvkQK/7h3Eup1O9jzluhssb7r7lzaCh1KuLWXEUpJvTRBX8XH 6MbHPYJqpQUvZxPIXe1RrPTuYQIEt4kBUDQUcNIoeDvbRXbYlWFaSBC31hH3l1LnGpX3 lyo5lChRXy6UTlGK/vRGkeLKway0ILYiOP7e+540/e3Y7YsWEYeentpn6mOm2kPQmJjU 74NnVJ80QX2lK7x/ofDV4OZXTA4RYXhJtzcFo5anUJxtZ6w2hklcsuYyKPKDgHWbdCNf Z3TQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ClRUJ87trogvSRIXK+hwrT2WTGEgz/e2+tqge1lCqOc=; b=AzfTbTd/lB0yCNHFWuCRhzP/lHBWZAoCzuRWtHGg57GW6ZU0jhcDeKcWkAVX832+Kr kVoyc8lrIkSScdFdV4MeqSkxO2LcOcCe37aFwuU/2TRP1vcL02yttddxryTEXWp8Eb+u pr4wLaFrcSTMXNWLb+Palj00LtdLl2bSm7lfVrchuoM27ow4Xi2kjbvYCYqbqeRnKCVY ypY8dKjA1KgPS0l2Bqkcpus9DrQD+fnvpUDqxqkcJB5yWi6kVwbYpKj6vYBaEtPILCn4 r90O5iyt5R/ExwCeRbyaz5ESP2H2nZgV43uuvDkFDzpTqCmabyuX2U1+PCFyHX84kxjG o9Fg==
X-Gm-Message-State: AOAM5322vLgQzl83WQqn4UP1WrSRzdw6bQoNnZFC7sGzhrnLhvXkmLa+ 0Xuw+y+nDApPAiLlGYSMilnPSeXasoFARgWiV+Od8dqbkr0m5w==
X-Google-Smtp-Source: ABdhPJwUQs7BwGrQ6jbfLh7CFKG0yNS4xen2ESmM6ovBIC2gH+ZaZGgNsFEZp/kdiX2ZiMNEZjucwKYiBPPrl3w129M=
X-Received: by 2002:adf:fd06:: with SMTP id e6mr2615297wrr.206.1606291866533; Wed, 25 Nov 2020 00:11:06 -0800 (PST)
MIME-Version: 1.0
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Wed, 25 Nov 2020 10:10:55 +0200
Message-ID: <CABUE3XkCszuCWvKtNdh3TN5zb9dHWppe=+LoagEUDmSc8WR47A@mail.gmail.com>
To: ippm-ioam-ix-dt@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm-ioam-ix-dt/uO4m5qqM7aySKNCBDoRw9enwLRs>
Subject: [Ippm-ioam-ix-dt] IPPM IOAM Meeting Minutes, November 25th, 2020
X-BeenThere: ippm-ioam-ix-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPPM iOAM Immediate Export \(IX\) design team" <ippm-ioam-ix-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm-ioam-ix-dt/>
List-Post: <mailto:ippm-ioam-ix-dt@ietf.org>
List-Help: <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 08:11:11 -0000
IPPM IOAM Design Team Virtual meeting November 25th, 2020, 07:00 UTC Webex meeting Attendees: Frank Brockners, Barak Gafni, Greg Mirsky, Justin Iurman, Tal Mizrahi. Minutes by Tal Mizrahi. Summary ======= - Frank will update the IPv6 draft to address an issue regarding the IPv6 tunnel destination address. - Tal will propose some text to address some amplification scenarios that were raised by Martin Duke. - Some more discussion will continue on the mailing list regarding two security issues in the data draft that were raised by Greg. - The next meeting will be two weeks from now, December 9th at 07:00 UTC. IPv6 Draft ========== Frank: Justin is working on the IOAM implementation for the Linux kernel. A few problems in the IPv6 draft came up as a result of this implementation. Let's talk about that. Github issue: https://github.com/inband-oam/ietf/issues/196 Justin: There is an issue about decapsulation. The IPv6 draft says that the tunnel destination address should be the same as the inner destination address. This is a problem. You have to make sure that you are decapsulating the right packets. This is a security concern. This is further discussed in the Github issue. Of course this creates an issue regarding the destination address when you push the IP tunnel at the IOAM encapsulating node; if you do not use the inner destination address, there is a question how you know the tunnel destination address. Barak: Why do you need a tunnel? Justin: A tunnel is required in order to comply to RFC 8200. Barak: If you use the pre-allocated trace option then transit IOAM nodes do not need to extend the IPv6 extended header. Justin: That is right if the encapsulating node is the source host. Barak: Right. If you use tunnels then you need to manage a lot of IP tunnels. It sounds like a theoretical solution, not a practical one. Frank: It is up to us to make sure that what we define in the draft complies to the standard. 6man folks are concerned that if this is deployed on the Internet then it needs to comply to the standard. Not sure we can define how to determine the destination address. The suggestion from Justin is to remove the requirement that the destination of the outer tunnel is the same as the destination of the endpoint, as this is a problem on the tunnel termination point. Barak: Right, it is a problem to terminate a tunnel if you are not the destination address. What is the suggestion? Frank: Just drop this requirement. It needs to be a proper tunnel, where the destination is the decapsulating node. It has operational implications, but it is the right way to do it. Justin: I have proposed on the Github issue to remove the sentence in question. Barak: So what are you implementing at this point? Greg: We need to mandate something if we do not want to violate RFC 8200. Justin: For the Linux kernel at this point I will push the variant in which the encap/decap node is the endpoint (no need for tunnels). Will work on the tunnel variant in the future - will try to find a solution for this. Flag draft / DEX draft amplification scenarios ============================================== Tal: Martin Duke introduced a couple of amplification scenarios. https://mailarchive.ietf.org/arch/msg/ippm/PyfokOEsBBCTtRdNYG-Vr-674Nw/ Barak: Are these real scenarios? Tal: They may occur in some cases. When we have more than one operator (Namespace). Frank: We may want to suggest some text that mentions these cases. Tal: I will send some proposed text to the mailing list. Data draft security comments ============================ Greg has sent security-related comments: https://mailarchive.ietf.org/arch/msg/ippm/hzQMZ9n0GaRDreSa_PpizNodRiU/ Greg: Integrity protection can be provided by using HMAC, and tying it with some information in the packet itself. It must be provided as an option. Frank: Do you really want another data field for that? Greg: Yes. Frank: The reason it is not there now is hardware implications. Greg: The option should be there. Each node should have the ability to protect its data. Frank: We may need to address this issue in the draft. Greg: Regarding Checksum Complement, it may be a concern. It is similar to a zero checksum. Tal: A Checksum Complement is different than a zero checksum. When a Checksum Complement is used the destination still verifies the checksum. The Checksum Complement is mathematically equivalent to a conventional checksum, so this is not a security threat. Greg: In my opinion there is a security issue that will need to be discussed.