Re: [ippm] DEX Draft Updated

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Mon, 12 July 2021 10:45 UTC

References: <162514156275.10687.5210311195217579136@ietfa.amsl.com> <CABUE3Xki7N77Z1cKUtg6Y_VcGnH4nZ_b7ae6LcTxLUiac==Dvg@mail.gmail.com> <CAM4esxQtTQ_Xr5E3WdO8hd3K2OJBv5TC4LhXF1W0RQ5u7ej8Pg@mail.gmail.com>
In-Reply-To: <CAM4esxQtTQ_Xr5E3WdO8hd3K2OJBv5TC4LhXF1W0RQ5u7ej8Pg@mail.gmail.com>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Mon, 12 Jul 2021 13:45:10 +0300
Message-ID: <CABUE3X=NsBDE=OSm3TT=36RruJVyiapP3cCDDaTpfW3QmTe=Gg@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>, IETF IPPM WG <ippm@ietf.org>
Cc: IPPM Chairs <ippm-chairs@ietf.org>, Mirja Kuehlewind <ietf@kuehlewind.net>, draft-ietf-ippm-ioam-direct-export@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/1GzCFpq04dq51PftI1V6EnOem4U>
Subject: Re: [ippm] DEX Draft Updated

Hi,

An updated version of the draft has been posted.
https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-direct-export-05

Martin, many thanks for your comments below.
These comments have been addressed in this version of the draft.

If there are no further comments about the security-related content,
we plan to apply similar changes to the flag draft, namely consisting
of the following components to mitigate the security issues of the
loopback flag:
- Selective loopback trigger for a small fraction of the traffic at
IOAM encapsulating nodes.
- Rate limiting of loopback response at IOAM transit nodes.
- Avoid encapsulating IOAM-with-loopback to exported / looped back packets.

These are (similar to) the main components we added to the DEX draft,
and we believe they are relevant to the loopback flag.

Cheers,
Tal.
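The three mitigations listed above (selective triggering at the encapsulating node, rate limiting of the export response at transit nodes, and never pushing a trigger option onto packets that are themselves exports) can be exercised in a small simulation. The following is an added example written for this archive page; it is not code from the DEX draft, its authors, or the IOAM design team, and the packet model, the token-bucket parameters, and the assumption that a transit node can recognise an export packet are all constructed for illustration. It reports the amplification factor (exported packets per incoming packet) with and without the mitigations.

```python
"""Simulation of the DEX/loopback amplification mitigations discussed in the
thread.  Constructed example: the packet and node model below is an
assumption for illustration, not the draft's wire format or procedures."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    flow_id: int
    dex: bool = False        # carries an IOAM DEX (trigger) option
    is_export: bool = False  # is itself an IOAM export packet (assumed identifiable)


class TokenBucket:
    """Token bucket: `rate` tokens per simulated second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EncapsulatingNode:
    """Mitigations 1 and 3: trigger only a fraction of traffic, never on exports."""

    def __init__(self, fraction, seed=0):
        self.fraction = fraction          # share of packets that get the trigger
        self.rng = random.Random(seed)    # seeded so runs are reproducible

    def process(self, pkt):
        if pkt.is_export:                 # mitigation 3: never re-trigger an export
            return pkt
        if self.rng.random() < self.fraction:   # mitigation 1: selective trigger
            pkt.dex = True
        return pkt


class TransitNode:
    """Mitigation 2: each transit node rate-limits the export packets it emits."""

    def __init__(self, rate=None, burst=1):
        self.bucket = TokenBucket(rate, burst) if rate is not None else None
        self.exported = 0
        self.dropped_triggers = 0

    def process(self, pkt, now):
        exports = []
        if pkt.dex:
            if self.bucket is None or self.bucket.allow(now):
                exports.append(Packet(pkt.flow_id, is_export=True))
                self.exported += 1
            else:
                self.dropped_triggers += 1   # trigger honoured, export suppressed
        return exports


def simulate(n_packets, n_transit, fraction, rate=None, burst=1, seed=0):
    """Run n_packets through one encapsulating node and n_transit transit nodes,
    spread over one simulated second; return export count and amplification."""
    encap = EncapsulatingNode(fraction, seed)
    transits = [TransitNode(rate, burst) for _ in range(n_transit)]
    exports = []
    for i in range(n_packets):
        now = i / n_packets
        pkt = encap.process(Packet(flow_id=i))
        for node in transits:
            exports.extend(node.process(pkt, now))
    return {
        "packets": n_packets,
        "exports": len(exports),
        "amplification": len(exports) / n_packets,
        "dropped_triggers": sum(n.dropped_triggers for n in transits),
    }


if __name__ == "__main__":
    # Every packet triggered, no rate limit: each packet yields n_transit exports.
    print("unmitigated:", simulate(10_000, 3, fraction=1.0))
    # 1% selective trigger plus 50 exports/s (burst 10) per transit node.
    print("mitigated:  ", simulate(10_000, 3, fraction=0.01, rate=50, burst=10))
```

With no mitigation the amplification factor equals the number of transit nodes that respond to the trigger, since each of them emits one export per triggered packet. With the mitigations, the number of exports per node is bounded by `burst + rate * duration` regardless of how many triggered packets arrive, and the encapsulating node refuses to add a trigger to a packet it recognises as an export, so an export can never cause further exports.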


On Thu, Jul 1, 2021 at 10:16 PM Martin Duke <martin.h.duke@gmail.com> wrote:
>
> Hi Tal,
>
> Thanks for the changes. Some comments on the diff:
>
> (3.1.2) - "The rate of exported packets SHOULD be limited so that the number of exported
> packets is significantly lower than the number of packets that are exported by the device."
>
> I think there's a typo here? s/exported/received in the second instance?
>
> - s/SHOULD not/SHOULD NOT
>
> - "Furthermore, IOAM encapsulating
>   nodes that push a DEX option into traversing packets MUST avoid
>   pushing an IOAM header into IOAM exported packets."
>
> but the DEX format is undefined, so I don't know how they could possibly meet this requirement in the general case. Instead, perhaps
> "Furthermore, IOAM encapsulation nodes that can identify a packet as an IOAM direct export MUST NOT insert a DEX option in those packets"
>
> On Thu, Jul 1, 2021 at 5:54 AM Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
>>
>> Hi,
>>
>> The draft was significantly revised (see links below) following the
>> security-related feedback from the last IETF meeting, and based on
>> further discussions that were held at the IOAM design team meetings.
>>
>> Thanks again, Martin and Mirja, for your feedback.
>>
>> The main changes compared to the previous version:
>> - Two sections were added, "DEX Packet Selection", and "Responding to
>> the DEX Trigger". These two sections are specifically intended to
>> address Martin's feedback regarding amplification attacks.
>> - New requirements were added to the security consideration section in
>> response to the comments in the last IETF meeting:
>>   - Selective DEX at IOAM encapsulating nodes - in response to
>> Martin's comments.
>>   - Rate limiting at IOAM transit nodes - in response to Martin's comments.
>>   - Avoid pushing the DEX option onto exported packets - in response
>> to Martin's comments.
>>   - Only export to trusted nodes - in response to Mirja's comments.
>>
>> Please let us know if there are further comments, and specifically
>> regarding the security aspects of the draft.
>>
>> Cheers,
>> Tal.
>>
>>
>>
>> On Thu, Jul 1, 2021 at 3:12 PM <internet-drafts@ietf.org> wrote:
>> >
>> >
>> > A new version of I-D, draft-ietf-ippm-ioam-direct-export-04.txt
>> > has been successfully submitted by Tal Mizrahi and posted to the
>> > IETF repository.
>> >
>> > Name:           draft-ietf-ippm-ioam-direct-export
>> > Revision:       04
>> > Title:          In-situ OAM Direct Exporting
>> > Document date:  2021-07-01
>> > Group:          ippm
>> > Pages:          12
>> > URL:            https://www.ietf.org/archive/id/draft-ietf-ippm-ioam-direct-export-04.txt
>> > Status:         https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/
>> > Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-direct-export
>> > Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-ippm-ioam-direct-export-04
>> >
>> > Abstract:
>> >    In-situ Operations, Administration, and Maintenance (IOAM) is used
>> >    for recording and collecting operational and telemetry information.
>> >    Specifically, IOAM allows telemetry data to be pushed into data
>> >    packets while they traverse the network.  This document introduces a
>> >    new IOAM option type called the Direct Export (DEX) option, which is
>> >    used as a trigger for IOAM data to be directly exported or locally
>> >    aggregated without being pushed into in-flight data packets.  The
>> >    exporting method and format are outside the scope of this document.
>> >
>> > The IETF Secretariat