Re: [ippm] WGLC for IOAM Direct Exports

Greg Mirsky <gregimirsky@gmail.com> Wed, 06 October 2021 23:30 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265A63A0A60; Wed, 6 Oct 2021 16:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s2vI09ZodSoo; Wed, 6 Oct 2021 16:30:28 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74F53A0A64; Wed, 6 Oct 2021 16:30:27 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id g10so15463413edj.1; Wed, 06 Oct 2021 16:30:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DyWtm6VQ1DeQEMATbLmGyzyKAmUd18yvpwnh0SqFlaw=; b=J/6EB5G6u35yl8F15Cua4QgkSk7GzZl3SjA6fPptKDr8/1DEdo47C95Bv4PtUuyKXz B+geCP7rPAkis4fy1IIAKMelGq200s+JHClScyClONwyVIDYyljsxmas+mnaBKQ/erzX A3wh20wNG6Thn8Ykr2kaCKrEgSgGbqhGtmft7OpeUKFtBG2Y2RW6rZuQiC2Z7QV+VFC2 8aYQthCmra2nLUfF/56ifjyFzzR8LDnZQkz8fruDphLOAGu0Pd2tDmC/q5ezaTTKWUIL FFHb8HTXbtit8j0rREGxW+XyOxuZToRk4vpFe02DAb+IzI2GyeaiphMqx2sMx/jPXD/v 4D4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DyWtm6VQ1DeQEMATbLmGyzyKAmUd18yvpwnh0SqFlaw=; b=o+agJD58PySlMdM+XIFHwPqiATYXKm7vFnlCThMj2horKioakvVw6FEfsFhofvCMJu 5uqFainqAHLRNKBj/eLOQHJCfWbKPCQBDp9qeq6lZGhOkVj0+VXu6GEu67ZpKen9ifew oozW7+erTLTI4Cp/GjBe9A4QmLfeDiZkmQGTmIusDpRHg/v+OBUI1SIqBIMkAsoaHhld YtBeWN66UAEvZf7ATPoxsAjhwJZccxTIfTXEM+5OYdd34RFfvhCIAmv1W83PKa5tzwHa 7pWu7Nxb7E0trZPEQmZwfWDiZ646MTh9YyV5ZQ1JxHml+/w/dCIOvZ66d+FRt1CAi+Kg KK+A==
X-Gm-Message-State: AOAM533DYFVAHrkugbskTKt0ChihJTxwlO7VVP0lxIUFvw+S1KZX9NuD I4jYQIZo/ipi+LOfR3t6BGSHVLK9DF1x3aoFrPmjOb5/t/M=
X-Google-Smtp-Source: ABdhPJzvxAhsVSw8rZS5W8VNDGV4zkRtukP3bterxmYOmppllu/O2RRQXpSVH6mA9EOmEoNMtAIoanQtMv4PBhNeJWw=
X-Received: by 2002:a17:906:369a:: with SMTP id a26mr1302204ejc.539.1633563025613; Wed, 06 Oct 2021 16:30:25 -0700 (PDT)
MIME-Version: 1.0
References: <A4F59F82-7F47-452B-9E63-0FDFBB812CEC@apple.com> <CA+RyBmW3nKqMftmEZ+e=7OcZ_jukc71BHBt0BgVCxB8S9QvCRQ@mail.gmail.com> <CABUE3XnQLraizDGnH7NhYO9jfTbN_-G01RwnxH1H9xMitv+mUA@mail.gmail.com>
In-Reply-To: <CABUE3XnQLraizDGnH7NhYO9jfTbN_-G01RwnxH1H9xMitv+mUA@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 6 Oct 2021 16:30:15 -0700
Message-ID: <CA+RyBmVtas_araRAiTiwJGfOH1O9OZEBJoXBxguQLsq4p7MSZw@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, IPPM Chairs <ippm-chairs@ietf.org>, "IETF IPPM WG (ippm@ietf.org)" <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dc276d05cdb7878e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/33ApjF2fD8V-xmrRq7YPEffylq8>
Subject: Re: [ippm] WGLC for IOAM Direct Exports
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 23:30:34 -0000

Hi Tal,
thank you for your kind consideration of my comments and constructive
proposals. Please find my notes in-lined below under the GIM>> tag.

Regards,
Greg

On Thu, Sep 30, 2021 at 12:17 AM Tal Mizrahi <tal.mizrahi.phd@gmail.com>
wrote:

> Hi Greg,
>
> Many thanks for the thorough review.
> Below you can find responses to your comments, and in some cases
> proposed text edits.
>
> If there are no further comments we will update the document accordingly.
>
> Thanks,
> The authors.
>
>
> On Wed, Sep 8, 2021 at 1:01 AM Greg Mirsky <gregimirsky@gmail.com> wrote:
> >
> > Dear Authors, WG Chairs, and All,
> > I've read the latest version of the draft and have several comments and
> questions to share with you. None of these are blocking, I support
> progressing this draft to publication. Please consider the notes below as
> an invitation to a discussion:
> >
> > It seems that the characterization of the Direct Export IOAM option in
> the following is not entirely accurate:
> >
> > The DEX option is used as a trigger to collect and/or export IOAM data.
> >
> > I propose re-wording:
> > The DEX option is used as a trigger to collect and export or only
> collect locally the IOAM data.
> >
> > Using "exporting and/or collecting" reflects the use of the Direct
> Export option type technically accurate but the order of actions is
> backward. What are your thoughts?
> >
>
> [TM] Right. The following text edit is proposed in the introduction.
>
> OLD:
>    This option is used as
>    a trigger for IOAM nodes to locally aggregate and process IOAM data,
>    and/or to export it to a receiving entity (or entities).
> NEW:
>    This option is used as
>    a trigger for IOAM nodes to locally aggregate and process IOAM data,
>    and/or to export it to a receiving entity (or entities). Throughout
>    the document this functionality is referred to as collection and/or
> exporting.
>
GIM>> Thank you, the new text is very helpful.

>
>
> > I find references to RFC 5475 and 7014 very appropriate and helpful. But
> I don't see these RFCs being referenced in draft-ietf-ippm-ioam-data. I
> think that excessive use of not only the Direct Export IAOM option but the
> IOAM method, in general, may adversely affect a network and the
> recommendations listed in RFC 5475 and 7014 are equally applicable.
> > Similarly, the good and helpful discussion of how to practically control
> the use of the Direct Export option is, in my opinion, equally applicable
> to other IOAM trace options and should be in the Security Considerations
> section of draft-ietf-ippm-ioam-data.
>
>
> [TM] The last two comments are about draft-ietf-ippm-ioam-data, which
> is currently in IESG review. I will take this feedback with the other
> authors to see how we can address this input at this point.
>
GIM>> Thank you.

>
>
> > The second paragraph in Section 3.1.2 is re-phrasing if not repeating
> what is already expressed in the last paragraph of the previous sub-section
> (though the limit is applied to exporting telemetry information). I think
> that it can be removed without any loss to the document.
>
> [TM] The second par of 3.1.2 refers to *exporting*, while the last par
> of 3.1.1 refers to *encapsulating*, so these are two complementary
> requirements.
>
GIM>> Thank you for clarifying that to me.

>
>
> > I think that it will be helpful to provide some recommendations, i.e.,
> SHOULD do this, how an implementation handles the excess of packets to
> export. Drop silently, drop and log notification, or try to shape that flow?
>
> [TM] Assuming an amplification scenario, a large number of packets may
> be dropped, so logging each drop may defeat the purpose. A drop
> counter may be a good idea here, but this document does not really
> define counter requirements in general, so it seems like more of an
> implementation-specific aspect, or possibly can be considered as part
> of the YANG model.
>
GIM>> I think that logging a warning with the throttling control is a good
option. What is your opinion? A counter of throttled DEX packets is
helpful. Perhaps both mechanisms can be recommended.

>
> > I was really puzzled by this requirement in Section 3.1.2
> >
> >    Exported packets SHOULD NOT be exported over a path or a tunnel that
> >
> >    is subject to IOAM direct exporting.
> >
> > I hope you can clarify it for me.
>
>
> [TM] As explained later in that paragraph: "This requirement is
> intended to prevent nested exporting and/or exporting loops."
> This was thoroughly discussed in the working group, and came out of
> the security-related review.
>
GIM>> As I understand IOAM DEX, packets with telemetry information are
out-of-band relative to the monitored data flow and encapsulated to avoid
being taken for an IOAM packet. I imagine that exported telemetry data can
be collected via, for example, Kafka or gRPC. Am I missing something?

>
> >
> > This requirement
> >
> >    Furthermore, IOAM encapsulating
> >    nodes that can identify a packet as an IOAM exported packet MUST NOT
> >    push a DEX option into such a packet.
> > brings up questions:
> >
> > How can a node identify a packet as the IOAM exported packet?
>
> [TM] The requirement means that if an encapsulating node's ACL can
> detect exported packets, then DEX should not be applied.
>
GIM>> Please consider my previous note. I understand that that gets very
close to an implementation choice but it seems that the document should be
clear in its normative statements.

>
> > What should be done if the IOAM exported packet contains the IOAM header
> with the DEX option?
>
> [TM] The current document does not require an IOAM transit node to
> parse beyond the (external) IOAM encapsulation if there are nested
> IOAM encapsulations.
>
GIM>> I have to admit that I'm lost with the reference to an "external IOAM
encapsulation". What is the purpose of using IOAM in the exported packet?

>
> >
> > What is special about the decapsulating node that is not DEX-capable?
> >
> >    A decapsulating node that does not support the DEX option
> >    MUST remove it, along with any other IOAM options carried in the
> >    packet if such exist.
> > Shouldn't that be a general behavior of a decapsulating IOAM node?
>
> [TM] Right. The following text edit is proposed:
>
> OLD:
>    A transit IOAM node that does not support the DEX option SHOULD
>    ignore it.  A decapsulating node that does not support the DEX option
>    MUST remove it, along with any other IOAM options carried in the
>    packet if such exist.
> NEW:
>    A transit or decapsulating IOAM node that does not support the DEX
> option SHOULD
>    ignore it.  Note that as per <xref target="I-D.ietf-ippm-ioam-data"/> a
>    decapsulating node removes the IOAM encapsulation and all its IOAM
> options,
>    and specifically in the case where one of these options is a
> (possibly unknown)
>    DEX option.
>
GIM>> What could be an alternative to ignoring IOAM DEX option? I feel that
MUST is what is required here. Would you agree?

>
>
> >
> > The format of the first four-octet word in Figure 2 is different from
> the format defined in draft-ietf-ippm-ioam-data:
> >
> >     0                   1                   2                   3
> >     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> >    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >    |        Namespace-ID           |NodeLen  | Flags | RemainingLen|
> >    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >    |               IOAM-Trace-Type                 |  Reserved     |
> >    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > Is this intentional? If it is, how does an implementation know which
> format to use?
>
> [TM] Each IOAM Option-Type has a different header format. The current
> document defines a new Option-Type, which was not defined in
> draft-ietf-ippm-ioam-data.
> The IOAM-Type field in the lower layer header determines which
> Option-Type is used and how its header should be parsed.
>
GIM>> How does an IOAM node differentiate between different Option-Types?
Is that expected to be communicated to an IOAM node over the management or
control plane and not part of the IOAM encapsulation? If that is the case,
then, I imagine, changing between IOAM tracing modes will require
reconfiguration of all IOAM nodes. Doesn't seem operationally friendly.

>
>
> >
> > It is stated in the draft that:
> >
> > The length of the DEX option is at least 8 octets.
> >
> > But the figure 2 in the draft does not include any field that reflects
> the length of the IOAM option. Is that because the figure is out of sync?
> If not, how can an implementation verify the length? Also, what is the
> behavior if the length is less than 8 octets?
> >
>
> [TM] Quoting the draft:
>
>    The existence of the optional fields is
>    indicated by the corresponding flags in the Extension-Flags field.
>    ...
>    Thus, the Extension-Flags field explicitly indicates
>    the length of the DEX option.
>
>
> > RE: PerformanceConsiderations
> >
> > I agree with you that a DEX-encapsulating node and DEX-transit nodes
> must have rate-limiting controls (as noted earlier, the behavior of the
> transit node needs more detailed specification). But I think that the
> document should also note that exported packets could be sent over the
> network out-of-band, relative to the monitored flow. As a result, the
> impact of packets carrying telemetry information might be not direct and
> harmful to the data flow. I see that as one of the important benefits of
> the Direct Export method transporting on-path telemetry information.
> >
>
> [TM] Right. The following new text is proposed:
>
> It should be noted that in some networks DEX data may be exported over
> an out-of-band network, in which a large volume of exported traffic
> does not compromise user traffic. In this case an operator may choose
> to disable the exporting rate limiting.
>
GIM>> Thank you for the proposed update. I thought that the main advantage
of the IOAM DEX mode is the ability to export the telemetry information
out-of-band. And, as I've noted above, the mechanism to collect and
transport the telemetry is outside the scope of this specification. I think
that would significantly simplify the document without any adverse impact
on the value it provides.

>
> >
> > Regards,
> > Greg
> >
> > On Mon, Aug 30, 2021 at 1:58 PM Tommy Pauly <tpauly=
> 40apple.com@dmarc.ietf.org> wrote:
> >>
> >> Hello IPPM,
> >>
> >> This email starts a Working Group Last Call on two related IOAM
> documents, draft-ietf-ippm-ioam-flags and
> draft-ietf-ippm-ioam-direct-export.
> >>
> >> In-situ OAM Loopback and Active Flags
> >> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-flags/
> >> https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-flags-06
> >>
> >> In-situ OAM Direct Exporting
> >> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/
> >>
> https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-direct-export-06
> >>
> >> Please provide feedback by replying to this email with your reviews and
> if you think these documents are ready to progress, by Wednesday, September
> 15.
> >>
> >> Best,
> >> Tommy & Ian
> >>
> >> _______________________________________________
> >> ippm mailing list
> >> ippm@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ippm
> >
> > _______________________________________________
> > ippm mailing list
> > ippm@ietf.org
> > https://www.ietf.org/mailman/listinfo/ippm
>