Re: [ippm] Adoption call for IOAM deployment and integrity documents
Haoyu Song <haoyu.song@futurewei.com> Thu, 12 August 2021 17:18 UTC
From: Haoyu Song <haoyu.song@futurewei.com>
To: IETF IPPM WG <ippm@ietf.org>
Date: Thu, 12 Aug 2021 17:17:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/-Ms1OIRVMyBRIOGN3U1vqNSq4Pk>

IPPM WG,

After reviewing the drafts, I don't think the integrity draft is ready to be adopted. The reasons are as follows:

1. According to the IOAM data draft, IOAM is intended to be used in a limited domain managed by a single operator. If so, the integrity is not necessary. I don't think the discussion is consistent between the docs and clear.

"The current [I-D.ietf-ippm-ioam-data] assumes that IOAM is deployed in limited domains, where an operator has means to select, monitor, and control the access to all the networking devices, making the domain a trusted network. As such, IOAM tracing data is carried in the packets in clear and there are no protections against any node or middlebox tampering with the data. As a consequence, IOAM tracing data collected in an untrusted or semi-trusted environments cannot be trusted for critical operational decisions. Any rogue or unauthorized change to IOAM data fields in a user packet cannot be detected."

1. Is there any real implementation and evaluation on the performance impact of the method, especially for the HBH trace option? My experience told me this is not a simple task. Without solid evidence, we may end up with a proposal nobody can actually use. The purpose of IOAM is to faithfully capture the user-traffic's forwarding behavior and performance. If added functions significantly change the forwarding performance, what's the point of applying it? For this, I suggest getting expert review from ASIC/NP vendors to give an evaluation of feasibility and performance impact.

2. The draft suggests sampling packets to apply the integrity protection, to mitigate the potential performance impact. This is problematic: (1) depending on the performance difference between packets with and without protection, significant jitter and out-of-order packet delivery may occur, which is detrimental to the user traffic flow (again, we need evaluation on this); (2) more important, the sampling itself defies the purpose. Antagonists can easily just tamper with the unprotected packets. Is it necessary to introduce a heavy method to just provide inadequate and easy-to-elude protection?

3. If data integrity becomes a concern, why not data confidentiality? To me, that's more important. At least there are already multiple checksums in the packet to make data tampering difficult. But leaking the data is a more serious threat. Of course, if we insist IOAM would be used just in a limited domain, then none is necessary. My point is: either both are needed or none.

4. I'm not sure if it's already done, but I suggest engaging some security experts to review this draft. Because this is not a light mechanism, it is very important to make it right before going any further.

Best regards,
Haoyu

From: ippm [mailto:ippm-bounces@ietf.org] On Behalf Of Tommy Pauly
Sent: Wednesday, August 4, 2021 12:29 AM
To: IETF IPPM WG (ippm@ietf.org) <ippm@ietf.org>
Subject: [ippm] Adoption call for IOAM deployment and integrity documents

Hello IPPM,

As discussed in our meeting last week, we will be starting an adoption call for two IOAM-related documents that have been raised as important dependencies during the IESG review of IOAM-data.

This email begins a Working Group adoption call for two documents:

Integrity of In-situ OAM Data Fields
https://datatracker.ietf.org/doc/draft-brockners-ippm-ioam-data-integrity/
https://www.ietf.org/archive/id/draft-brockners-ippm-ioam-data-integrity-03.html

In-situ OAM Deployment
https://datatracker.ietf.org/doc/draft-brockners-opsawg-ioam-deployment/
https://datatracker.ietf.org/doc/html/draft-brockners-opsawg-ioam-deployment-03

This call will last until Wednesday, August 18. Please reply to this email with your comments, and if you think these documents should be taken on by IPPM.

Best,
Tommy & Ian