Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 20 February 2020 13:00 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm-ioam-ix-dt@ietfa.amsl.com
Delivered-To: ippm-ioam-ix-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 171A612001A for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 05:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kG9J6RyPd_DL for <ippm-ioam-ix-dt@ietfa.amsl.com>; Thu, 20 Feb 2020 05:00:22 -0800 (PST)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46DD9120104 for <ippm-ioam-ix-dt@ietf.org>; Thu, 20 Feb 2020 05:00:22 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id t23so1908447wmi.1 for <ippm-ioam-ix-dt@ietf.org>; Thu, 20 Feb 2020 05:00:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=6ZHPigI6v7NBZHAHI74iD7EQCeovWYQ0Cikk4wcuZ+s=; b=PbqVLvsmCO/YDYBiQrBFCqC3GVmMXO6OWCvHsMJr6TD1u1/VEMy8r32O7SQPtLSSs2 ESzHvROIgbtYmlYacw4IB7QUfoe/6urtdXoU0ubNrfB6mkW22XGPPZ9jiC3Jij+cZl8B 8tx8X+UC+4/ouyur1wdmHcCtoR6RF1cswluhP/u8ybopJ29tztvRIJOPuc3mroRAAA0C SamdUtTOyfLkem1spPIPiui7z3UquwNu2Ek++34WVM5w0DDuK9bjeOkaDGk0pQWhN/jc h9H0skvybApqLh25wQG0U9f3cZVYVviUXXmZWB13Xac15eT8W4kBIubpgkyAKWY4Czjw tODg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=6ZHPigI6v7NBZHAHI74iD7EQCeovWYQ0Cikk4wcuZ+s=; b=JSmgAwv9HpMygN895I6qzKfPkiUNz7W2r9/eeRh/tewLFbtdHCb9iIGfilIgV9RLyV gnTrTUTsHxX2uRXqda2qHF8PbOrbXhDTj392hW3E5eCf8La/K7caYh6I5+Y9kwvQGPbV v40Ft4NireriLMe+gjnvnN5Me90jGEaU0CM2HwnzfLzhYATqxfOk8NlxbCthZTVSdeTH Z8AjTgft7+B1v9ehr0QoSoPj1v0cVQwvVTZJ/Hv41FC8dlel7iS94uA5Ck0byfnzilHz yo0bsjNar1VdtcHLipmFqFBOZhi1OBL0IrkKsi9Zj9GPvCdH+Opim8E0YIfFUqtFedIX CsIw==
X-Gm-Message-State: APjAAAWUD4l69PDzuEQwNYh0y69HqpYqGto1OglxPL0w3WvpWjfDx40L 5u5085pZbRCHLG82nDrsmq3qJWE9bbPeJS4J1QydYIHX
X-Google-Smtp-Source: APXvYqwiBgoXCGWxjcbTpfz7Ka1EPmXZS6yOUcFQgMY0dHYq1xd64sdSH0m5WjGu6KWcrzeRiGVCWz8RzENPiVM9fmg=
X-Received: by 2002:a7b:c152:: with SMTP id z18mr4444250wmi.70.1582203620156; Thu, 20 Feb 2020 05:00:20 -0800 (PST)
MIME-Version: 1.0
References: <CABUE3XnB3b91kZoibwyWghOuS__PxutnH-hc4NEiT94GvefoxQ@mail.gmail.com>
In-Reply-To: <CABUE3XnB3b91kZoibwyWghOuS__PxutnH-hc4NEiT94GvefoxQ@mail.gmail.com>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 20 Feb 2020 15:00:08 +0200
Message-ID: <CABUE3X=wdUhsbP1c6p0UNFdHSa7UayREratKopBoewZDit4x0A@mail.gmail.com>
To: ippm-ioam-ix-dt@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm-ioam-ix-dt/vcsnevJP-ICYBWBISnLf8GYMryw>
Subject: Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb 19, 2020
X-BeenThere: ippm-ioam-ix-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPPM iOAM Immediate Export \(IX\) design team" <ippm-ioam-ix-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm-ioam-ix-dt/>
List-Post: <mailto:ippm-ioam-ix-dt@ietf.org>
List-Help: <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm-ioam-ix-dt>, <mailto:ippm-ioam-ix-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 13:00:25 -0000
P.S. I believe Frank said he will request a slot in IETF 107 for the working group drafts. I will request a slot for the profile draft (which is not a working group draft). Any other IOAM-related slots? Cheers, Tal. On Thu, Feb 20, 2020 at 2:43 PM Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote: > > IPPM IOAM Design Team > Virtual meeting > February 19th, 2020, 07:00 UTC > Webex meeting > > > Attendees: > Frank Brockners, Barak Gafni, Greg Mirsky, Tal Mizrahi, Mickey Spiegel. > > Minutes by Tal Mizrahi. > > > Summary: > ======== > - Tal has updated the pull request regarding the security > considerations of the data draft based on the discussion below: > https://github.com/inband-oam/ietf/pull/146 > - Mickey will suggest a text udate to address the timestamp issue in > the data draft. > - Frank will work on updated text to address other open issues in the > data draft. > - The next virtual meeting will be on March 4th, 07:00 UTC. > > > Detailed discussion: > ==================== > - Tal: an updated version of the DEX draft was posted as a working > group document. The main open issue is related to the hop limit/hop > count, and was presented on the mailing list. No comments yet. Any > suggestions on how to proceed? > - Frank: we can continue with the email discussion. > - Tal: an updated version of the flag draft was posted with updates > based on comments and discussions in the design team. The loopback on > the reverse path is an open issue. No comments received yet. Another > open issue is security and amplification attacks. Some text was added > to this draft, but no feedback yet. Greg - any comments about > security? > - Greg: will look at the draft. Also the open issue of the loopback > reverse path needs more discussion. Maybe we should discuss the > security issues in the data draft first. > - Tal: moving on to the data draft - we have a pull request regarding > security that tries to capture our understanding of the security > considerations. > - Greg: if IOAM traverses inter-data-center links, how do you secure that? > - Tal: inter-data-center has to be secured anyway, regardless of IOAM. > - Greg: for example, Geneve has security mechanisms. > - Tal: what if we explained in the draft that some of the security > would have to be defined on a per encapsulation basis? > - Greg: some considerations in Geneve may affect IOAM. > - Tal: we need to explain that some security considerations will have > to be defined on a per encapsulation basis. > - Greg: that may help. Whether security mechanisms are used is not the > same question as whether security mechanisms are defined. This > document is the base for other encapsulations. > - Tal: we are looking to scope the security threats and requirements, > but this draft should not define security mechanisms. > - Greg: if we do not define security mechanisms then we are not > providing any solutions. > - Mickey: there may be various scenarios for IOAM. What is the scope > of your concern? Only inter-data-center? > - Greg: you may be exposed in inter-data-center similarly to exposure > on the Internet. > - Frank: is the concern that IOAM packets are changed by transit node, > or is it that there may be IOAM nodes that malfunction? The first > concern is not specific to IOAM. > - Greg: there is a specific discussion about IOAM - whether it is > fault management or performance management. In other protocols we have > integrity protection. > - Frank: right, but in that case we are also concerned about integrity > protection for data. > - Greg: Geneve has integrity protection. It would be a good step > forward that in specific encapsulations it would be useful to use > specific security mechanisms. If there is no security mechanism, it is > not available to encapsulations. > - Mickey: it depends on the deployment scenario. > - Greg: if there is no security mechanism, then you can't use IOAM in > a scenario that is subject to threats. > - Frank: security is a concern. You can either ignore it, or you can > address it in the draft. I would suggest to address it by adding a > paragraph that explains this. > - Tal: I agree. We should add a paragraph that explains that in some > scenarios and encaps we will need a security mechanism, but will not > be defined in this draft. > - Mickey: adding a security mechanism makes sense for DEX, but how > does it fit the data draft? > - Frank: for example, a Geneve tunnel between IOAM hops can be > secured. The links between IOAM hops can be secured in some cases. > - Mickey: in DEX you can secure the data. > - Frank: an attacker can still add a DEX option. > - Mickey: for inter-data-center is there a concern that the tunnel > extends across more than one administrative domain? > - Greg: it does not matter where the tunnel is terminated. If the > packet is not protected it can be modified. It would be a good idea to > have at least some text that mentions this may be necessary in other > drafts. > - Mickey: you may or may not require these mechanisms depending on the > deployment scenario. > - Tal: will update the pull request, and let's discuss the text. > - Frank: going over the issues, and will try to update the text in the > next few days. > - Tal: the next meeting is on the 4th of March. Will try to have text > suggestions before that. > - Mickey: most of the issues should be simple. Security may require > more iterations. I will try to find some text for timestamp > boundaries. > - Mickey: the raw export draft expired a month ago. I will refresh it. > - Tal: we need to request a slot for IETF 107, to discuss the working > group documents.
- [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, Feb … Tal Mizrahi
- Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, … Tal Mizrahi
- Re: [Ippm-ioam-ix-dt] IPPM IOAM Virtual Meeting, … Tianran Zhou