IETF Logo Mail Archive

Re: [ippm] Working Group Last Call: draft-ietf-ippm-ioam-data

Greg Mirsky <gregimirsky@gmail.com> Sun, 26 January 2020 00:30 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F9012007C for <ippm@ietfa.amsl.com>; Sat, 25 Jan 2020 16:30:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fgefe9S0dSEd for <ippm@ietfa.amsl.com>; Sat, 25 Jan 2020 16:30:14 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8DA120044 for <ippm@ietf.org>; Sat, 25 Jan 2020 16:30:13 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id x7so6871470ljc.1 for <ippm@ietf.org>; Sat, 25 Jan 2020 16:30:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I0ZugLPRWOLwI09sgo0MYsPfBmsEU+xWVBCShDblHYk=; b=Pa1B9T2KVaWhgomiC+32sGwXsn7IucVBC5P/eVeMcJW+KX8O57mY1e9HLCUDSqBHV4 k27ubSjcNsyWAmHfgYQPYlO2XM3Lr0fXVo0rcKjLRqeliG48wK/0KkckFwEF7z402mQe UAxHLaPPtd1OSu7zOYeqLY9AjQ8c6Eww+xGr4fLoEjfh5aDOvh375bU7vBJh1HYf3pxz TWqU1nCQ9yDiJNv7GmMfw4ibFi2x51nRpucWtCcEiCdOI20C1KFSp5+blsWVOslHpRP9 A1K8W92tbbJ4lLxbGNC/RwgJ5iQRgip51n7yMaFyiDhYksyJvNLRI8q/XoDSeHQE1+nu 5rEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I0ZugLPRWOLwI09sgo0MYsPfBmsEU+xWVBCShDblHYk=; b=CyPMTXA9rexLEs8OsRIn5YOKlnh0bxKtX6A2LBKMp/doh+zoynyqdcj1z5M8J6qJHI Qj5N1VJRD6ENVIEA1fMyQ/a3xN3XCh1e7wP9+otHKpxr85bSsbYmcxM8gJbw5nkxxVfA oczWPKlmgA7/Zi198gnCFmzQx04DwvT1DFdi5v9g5mp/ZFvsS9xILKAbQxGO9PSn3Phk 18+Ojg6kw+QzehLTDlv0nIDmA4kjrX3mOBTy7kCU/griRyFLQx22N7HS4F2zBwVlHpU3 c1JN0/KAbitjbMJtxODqazhCnfGqKknJIeW3x/YBLWxrBvcGIPCgjOPQaROEtIBJaA7a 1KHw==
X-Gm-Message-State: APjAAAU5J1jY+AFQGIFeE+gAi6d7PhTTbBbUl17h2FKdzlTvoKX/1bhC LGp3prV6XgtB7W3A4Z5KzOn0+a4QpxbF5ReN0Rc=
X-Google-Smtp-Source: APXvYqzUeGvQJ7U1mqLThAJE6Xfhez53jF3iY6aaXsAvhsYMt1E+mVrMw7JugYYmH3rfLPm2ectpfT3lyEPmjCVYgLY=
X-Received: by 2002:a2e:88c4:: with SMTP id a4mr6424542ljk.174.1579998611489; Sat, 25 Jan 2020 16:30:11 -0800 (PST)
MIME-Version: 1.0
References: <E5725DE6-0637-4D52-BD61-2437D29D3C3B@apple.com> <CA+RyBmU8zgJzqA6USXY5jyQeGpV+6JZUntX5e0hkcjNEnvg3qA@mail.gmail.com> <CA+RyBmXf32P8cmCop0Mbqds5N7nUfQcP+czfD8cd-ZoSBgS7jQ@mail.gmail.com> <CABUE3X=SAi-UrEUXLMTHNa3_jWdYjrTs=1d-C6mtTQTKAUhN_Q@mail.gmail.com>
In-Reply-To: <CABUE3X=SAi-UrEUXLMTHNa3_jWdYjrTs=1d-C6mtTQTKAUhN_Q@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Sat, 25 Jan 2020 16:30:01 -0800
Message-ID: <CA+RyBmXxEc0buUpfzYcPMaQ1DprMV0LqZwz-WJPH6oAgmN33XA@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fbc8e1059d0017a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/4ADpyxu6BjHLjqzPFSKQdCGKEd8>
Subject: Re: [ippm] Working Group Last Call: draft-ietf-ippm-ioam-data
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2020 00:30:17 -0000

Hi Tal,
thank you for your quick response to my comments. Please find my follow-up
notes in-line tagged GIM>>.

Best regards,
Greg

On Wed, Jan 22, 2020 at 12:33 AM Tal Mizrahi <tal.mizrahi.phd@gmail.com>
wrote:

> Hi Greg,
>
> Thanks for this comment.
>
> In the context of "confidentiality", since we are talking about OAM
> information, the correct context here is reconnaissance. Recon and its
> implications are indeed discussed in the Security Considerations section on
> the third paragraph.
>
GIM>> I find the text that you've referring too terse:
   The data elements of IOAM can be used for network reconnaissance,
   allowing attackers to collect information about network paths,
   performance, queue states, buffer occupancy and other information.
True, you name the problem but I don't see any discussion of how to
mitigate the risk of an intruder obtaining very sensitive information. What
mechanisms can be used to protect the confidentiality of data?

Also, I've noticed the text that, I think, should not be in the document in
WG Last Call phase:
   Note that in case IOAM is used in "immediate export" mode (reference
   to be added in a future revision) ...
This is a simple editorial change but I'd appreciate it being done.

And as we discuss confidentiality, I believe that
I-D.ietf-sfc-proof-of-transit must be in the normative list since the
security measures and mechanisms discussed in that draft are applicable to
this specification as well.

>
> Regarding integrity protection, the first paragraph of the Security
> Considerations section discusses the consequences of compromising the
> integrity of IOAM.
>
GIM>> I am not sure that I can interpret the first paragraph in the same
manner as you. (As a side note, since RFC 7276 is used as the source of
information, I think it should be in the normative list of references). My
understanding of the first paragraph is that it explains that iOAM may be
used to produce a false-negative and/or false-positive view of the network
state. But I don't find any discussion on how to protect, how to make it
more difficult for an attacker to manipulate with or alter iOAM data.

>
> In my opinion the current Security Considerations section covers the main
> threats related to IOAM, and also explains the rationale of not including
> explicit security mechanisms (the last paragraph of the section).
>
GIM>> On this I do agree. Security Considerations section names threats.
But I believe that it as well should include recommendations, options of
mitigating these risks, risk introduced specifically by iOAM transporting
information in data packets.

>
> You make a good point that we did not explicitly use the terms
> "confidentiality" and "integrity", and I will suggest new text that
> explicitly refers to these terms in the relevant context of the section.
>
> Cheers,
> Tal.
>
>
>
>
> On Wed, Jan 22, 2020 at 8:52 AM Greg Mirsky <gregimirsky@gmail.com> wrote:
>
>> Dear All,
>> I'd like to add a note on the scope of the Security Considerations
>> section. While it discusses the potential use of iOAM as the new DDOS
>> attack vector, I didn't find a discussion of the protection of integrity
>> and confidentiality of collected data. As I understand, please correct me
>> if I've missed that in other sections of the document, all data is
>> collected and transported in the clear text, no provisions for
>> authentication or encryption except for Proof-of-Transit. I think that in
>> addition to stressing the importance of protecting the integrity of clock
>> synchronization and of the management plane, possible ways of protecting
>> integrity and, possibly, the confidentiality of collected data must be
>> discussed in the document.
>>
>> Regards,
>> Greg
>>
>> On Tue, Jan 21, 2020 at 3:56 PM Greg Mirsky <gregimirsky@gmail.com>
>> wrote:
>>
>>> Dear All,
>>> please consider my comments to draft-ietf-ippm-ioam-data as part of IPPM
>>> WG Last Call:
>>>
>>>    - In Abstract and Section 3, Segment Routing is characterized, among
>>>    other networking technologies, as a transport. RFC 8402 defines Segment
>>>    Routing as a method to leverage the source routing paradigm. Where else
>>>    could the Segment Routing be defined as transport?
>>>    - Also, "native IPv6" is mentioned in the Abstract as transport.
>>>    Could it be just a reference to IPv6? What is the significance of singling
>>>    out "native IPv6"?
>>>    - Introduction section explains the "in-situ" term as
>>>
>>>    The term "in-situ" refers to the fact that the OAM
>>>    data is added to the data packets rather than is being sent within
>>>    packets specifically dedicated to OAM.
>>>
>>> But with the introduction of Loopback and Direct Export as iOAM
>>> behaviors, iOAM data are not added to the data packet. And how these new
>>> iOAM functions affect the definition of IOAM control points in Section 3?
>>>
>>>
>>>    - I-D.lapukhov-dataplane-probe referenced as describing "recent
>>>    active probing mechanisms". That could have been the case in 2016 when the
>>>    draft was last time updated. But has expired and has not been discussed or
>>>    worked for 3.5 years.
>>>    - In regard to the control over iOAM, text in Section 3 states "It
>>>    SHOULD be possible to enable IOAM on a selected set of traffic ..." Does
>>>    that mean that not providing the selective enabling of iOAM is an
>>>    acceptable option?
>>>    - Further in Section 3, the requirement for encapsulation
>>>    independence is using SHOULD "Data formats for IOAM SHOULD be defined in a
>>>    transport-independent manner." What are the examples of exceptions?
>>>    - section 4.4 introduces the notion of an "iOAM capable node". Which
>>>    of iOAM objects are expected to be supported by the iOAM capable node? If a
>>>    node doesn't support a sub-set of iOAM data types, would it still be
>>>    considered as iOAM capable?
>>>    - Section 4.4.1 I'm having a hard time figuring how the presence
>>>    of Opaque State Snapshot space can be deduced. The explanation in NodeLen
>>>    is not clear to me.
>>>    - The definitions of Bit 0 and Bit 8 of IOAM-Trace-Type differ only
>>>    in part of the latter specifying that the format is wide. What is the
>>>    length on data identified by Bit 0?
>>>    - Hop_limit in Section 4.4.2 is defined as
>>>
>>>         This is copied from the lower
>>>          layer, e.g., TTL value in IPv4 header or hop limit field from
>>>          IPv6 header of the packet when the packet is ready for
>>>          transmission.
>>> What is the value of Hop_Limit field if the lower level does not include
>>> TTL/Hop Limit field?
>>>
>>>
>>>    - Four octets are allocated for timestamp subseconds in Section
>>>    4.4.2. Both PTP and NTP have formats that can provide a higher resolution
>>>    of a timestamp. That likely to be useful where a higher resolution of time
>>>    measurement, e.g. delay variation is needed (for example, URLLC
>>>    applications of 5G, TSN or DetNet). Can iOAM data be extended in the future
>>>    to support a different length of the subsecond field?
>>>    - What was the rationale to choose nanoseconds as the unit for
>>>    transit delay?
>>>    - How future proof is allocating four octets to express the length
>>>    of an egress queue (queue depth)? What should be the value if an iOAM node
>>>    cannot write the local value in four octets?
>>>    - Similar to the questions above but in regard to the buffer
>>>    occupancy field.
>>>    - Checksum Complement may be practical but it raises serious
>>>    security issues. I couldn't find these being identified and discussed in
>>>    the document.
>>>    - Section 5 defers the specification of the particular timestamp
>>>    format used in the given iOAM Namespace to the management plane. Does that
>>>    mean that all nodes in the given iOAM Domain must support the same format?
>>>    In other words, timestamps collected in the domain required to be in the
>>>    homogeneous format - either all in NTP, all in PTP, or all in POSIX. That
>>>    looks like unnecessary complexity and limitation and may cause lower
>>>    accuracy of time measurement as an iOAM node may be required to transform
>>>    from its native time format into the format chosen by the management plane.
>>>
>>> Regards,
>>> Greg
>>>
>>> On Tue, Jan 7, 2020 at 8:47 AM Tommy Pauly <tpauly=
>>> 40apple.com@dmarc.ietf.org <40apple.com@dmarc..ietf.org>> wrote:
>>>
>>>> Hello IPPM,
>>>>
>>>> Happy New Year! This email starts a working group last call for "Data
>>>> Fields for In-situ OAM" (
>>>> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-data/).
>>>>
>>>> The last call will end on *Tuesday, January 21*. Please reply to
>>>> ippm@ietf.org with your reviews and comments. Please indicate whether
>>>> you think this document is ready for publication.
>>>>
>>>> Best,
>>>> Tommy (as co-chair)
>>>> _______________________________________________
>>>> ippm mailing list
>>>> ippm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ippm
>>>>
>>> _______________________________________________
>> ippm mailing list
>> ippm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ippm
>>
>

v2.23.0 | Report a Bug | By Email