IETF Logo Mail Archive

Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)

Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com> Mon, 19 September 2022 21:08 UTC

Return-Path: <zaheduzzaman.sarker@ericsson.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23B0C1524C9; Mon, 19 Sep 2022 14:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.681
X-Spam-Level:
X-Spam-Status: No, score=-7.681 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4XTXDtAGMbw; Mon, 19 Sep 2022 14:08:02 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150042.outbound.protection.outlook.com [40.107.15.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34C0CC14CE3E; Mon, 19 Sep 2022 14:07:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eQBG9R0uR0VWCbKeKGttqFCiUeCsbH+/nugoMlD6yAmIlBh6eV9kMkpH0VKu48lbQJBiog2dTm2+bfthaayBFnFrkCwp1pdnGp5iZNNa5jE00JLvpdeSwZmgif/GEIxkGUUcnuuTR70j0yrFnu4GaLcxrKeS93EHkO/r6jpgAZYr/tTwprYbPRRzXDwNC2stUP+E2wVUp+aOn1tdcNmGYljvFLLOaxmJ7MJa5aNGOduJ3nhOSoPAKaXe+yslShN+Hx47y2KTuZgEFNU6BJ7rEY6ect2pVyGtaKGMKiryIfsi2zCPcRiVdUp/l2nJlchgMKhXA6sTh1w07wTiW6h+uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JYaFbhKo3QFl3F2eQ0UOK7xkeE8ZS2Pz/KtXnLrBN1U=; b=hlcdqL0TFBIbvyHmddmja3SuGGT1ifSV4MgoZEhUehzsSwPs59usUK4/uoQc+Fs2gGqNyNXswbHfCewn5gs+1wrnkSDaomOvCTP3SdTM7FyYkHgPcjmmxy60zG5XBAvM53T7xXDybCHUufkZWJLfOlCthld2F2sDHZnc4lpoQC8fVezRTaCZrx2zZC15ykGD/w/x5JQrRm/4vUtgZIw5UYNnrS5X4jig0hGCcijeY/+gA7ByNkaHz7xO4RGY6D2j/0GwjFk/uUNYpH1CoEvY0ekWf8swxDC8eGGwG59fk1UPz/7dLch75gY0Vp2QtwXLmtnm2i3xdc6zBcQCkJRJeA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JYaFbhKo3QFl3F2eQ0UOK7xkeE8ZS2Pz/KtXnLrBN1U=; b=Do8OxqdScgxIN98Cp0pVyRUeH8+KG2dEMlaUR8amVUq60Xwk5+UZUPFDL30/DqZjwSpdcN5jVGl63nB2yUM3b7kv/vvhImFuiU1YxCcaSM7UyDqbMKw5BOO+2zWICh92CrT9n+iep7Z5nKiFhmpTCOflIM48/O1DSzlFcyezNE4=
Received: from HE1PR07MB4187.eurprd07.prod.outlook.com (2603:10a6:7:98::23) by PAWPR07MB9202.eurprd07.prod.outlook.com (2603:10a6:102:2e9::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5632.12; Mon, 19 Sep 2022 21:07:55 +0000
Received: from HE1PR07MB4187.eurprd07.prod.outlook.com ([fe80::dd85:77ac:c888:698e]) by HE1PR07MB4187.eurprd07.prod.outlook.com ([fe80::dd85:77ac:c888:698e%5]) with mapi id 15.20.5654.014; Mon, 19 Sep 2022 21:07:55 +0000
From: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-ippm-ioam-direct-export@ietf.org" <draft-ietf-ippm-ioam-direct-export@ietf.org>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "tpauly@apple.com" <tpauly@apple.com>
Thread-Topic: Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
Thread-Index: AQHYi/4IVKA9KrRhB0CDiDhy1ymqwK208Y2AgCYAvQCABiDTAIAF5UEAgAA9hYCAAInlAA==
Date: Mon, 19 Sep 2022 21:07:54 +0000
Message-ID: <77E66E89-5CFB-4C72-9DDA-FDDF45F7564E@ericsson.com>
References: <165653760608.27520.5309528880057245173@ietfa.amsl.com> <CABUE3Xnz+xg0y2whG0_gZzuxT6Ys9Ad+LDtSmbCaXMvWKEnMVA@mail.gmail.com> <26CD61B5-BDE8-484C-ACD9-5C1C451E2F69@ericsson.com> <CABUE3XmrqdUfG2OYsE=Lc4-QknaE7Qhb47VjsX6MoZx1cW-_zw@mail.gmail.com> <783A4A80-6E31-4A09-BD79-596DB79ADB4D@ericsson.com> <CABUE3XkxeC65u57EZUz+iQygsTrCTMMwdE4CMM_V+ZooD2ziLA@mail.gmail.com>
In-Reply-To: <CABUE3XkxeC65u57EZUz+iQygsTrCTMMwdE4CMM_V+ZooD2ziLA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.1)
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: HE1PR07MB4187:EE_|PAWPR07MB9202:EE_
x-ms-office365-filtering-correlation-id: 3aa69de1-4309-4693-2808-08da9a83057e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3Sm9STJldSTscG8mZ+ZlzWDv2wKe14h0ACP4BlytqNQ3uqC/8J9lGFXYTNJ6HdGaitVEBrPPqsVmbsR3QSS6iicTRk8vtS+fkEaN333n/fnK9/8joXsVcw5h9aysWz164A5Ocdn8jpkCFYtlK+BeJSD/Yq9BvJJ9PX1vKEbIinB5V3aN3AdImcfP0L4xerap6b/Yt7kQnN+8NYpK+I3aWtDDSfbxfNVsKxUKWCCY9554YkkaYLI+BGadCVZGIhL8OJfjlhkiyzslid+IxgzpiUQuMYt5Koa/++4xMv6bT4CwkZQDkvq6KKz++QXHDNZaUNz02lSGIZ19dAjXnG+3098aSkJkwHUzNn4pJIXok/c/x3Lf3N/jE/kzmoxFF24s0Xp4GfvgboTdJsknTw4vbOP7wJTlO4ZYklGPQciwpwatsoiBmZYnoQ1jSIN9xxTILdAKnurs1iCrU68JrfRPrYK35XCL8a04SkykuvOo62qZbBoslUl0AmurR1ZoiyunDMyYzGHhELVqQDcbmevmPxj/KxTrJuLdss4at9UtbJNw0kbihUSSHYSDjbovinw5LYaKO1VXHJr8nlF2Z4H1NtakkvDSpYA6rgJnkQIM9lNAAjwtubpsQt4NDEivkHHyOrXcv9Y83OAxSUIpdujV02dZUOY07T1j8Stzo4BfsJLy0Y0RX+LaY0WaVqyNiqPeZxfwbTPhmP59c7ESb1HNfdMjKwTAt3DaGL7X5jE+55c5RrmVJ93Gz0rtmFo1sxxK0vIjuanbHJX+PDaAwg/Rj+p3TZjmXszmFgpR03cSF59ooL304SBwfp4mIJVIKHGEaPujc3uglOrFx5MwTx26xHtWB+GIihxo9nUrq5udytw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB4187.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(136003)(346002)(39860400002)(376002)(366004)(396003)(451199015)(8936002)(4326008)(76116006)(5660300002)(66556008)(66446008)(66946007)(44832011)(91956017)(64756008)(6512007)(66476007)(122000001)(38070700005)(36756003)(316002)(71200400001)(6916009)(33656002)(26005)(6486002)(2906002)(966005)(8676002)(478600001)(54906003)(99936003)(2616005)(86362001)(82960400001)(38100700002)(186003)(83380400001)(41300700001)(53546011)(6506007)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QJ81tMb8wJnmXh5NezASltcZ2GUfy632/Q4iiKukuuelRCibFXVWbMSKDZYojHoHCpkXDneGnZ64zgpd6p+WYzMBBEMvrTCzcDu+BGcAknpG4sFNkjMMxI7iSaRU9ep7O+ktRSTq03j3iCxPRQb2VjZfBSeYk9icPVyzAheGKRlkr8h5L7oD54woLMhr33EauqNQqVCltLpNGw3h2EwybtPtkS8FTeUiqb1VBjaFMmCpeZfOxHc9/kRX7lL7s7/23pUbK1WastDLqt1Ba3FXWwoKT2/SNl1F/k0yGSLNJpwuX8ws4YB3ywS5FF3UsWaMW+t64Ygj67p0n8shdBs1OhzRzmLUDm71bE5ypG7VSOYq/NS/pN6/DpopNps1sRNh+N523p5m45l8skKz47+tad23g7582O81TA3MhbldUr3MGv7iiK1GLJX9TMcuZj9TURmMLkDMDLsLPT6OoSZivUWHsYYWfj+1RvVr9I57W4AEA7awBdrahnGCBAU5FwEc7e1ZQOOwd+egBNKU5nfr8SyKXu/7a/VChWh79/2sqEH0VSzbYbD9O5DbzthSqGHusn1lLVu9U7My+CrtBCaHYGtltFTKl3bGluUZWe91vlZyihuoS+8+3WEqmE28mP3UVQlcnSZAaw0zOlOEz7mV3yGQufURr8I/HJhF3ZZYiv4FwyJ/WrkYkYysJAVSsjUKqsVNjGqpeWGNYUGi+Bl8QEEyh6rrmF7mYxKGuy0iSUs+SMd4uqp1TE0wYL06H+xOtYHarD/naCrsqi1eP0GAjAiyQNpw9PT4b7wNffzjCNlqSCKPD+ZtKKLVHoOzEFJKwPY3L6bpxLRUIf7jpEwGQ1SijmepjrYATFOrt7WKIWSe+Lq5ndmykcXZ9hAW1OKBz6LlzSq/HUK12JI5i+7aeSWW93seB1z+Iill2icRF8tm5LI6Xy2sB5V8PZZZY/gNEd4VZqY9hxynfopxFHJkk9xkWMnWU0X+bVsF7L5qYTuyRnfW/k7wQyOFb8RHHU/yeeJWciqbQdHB8V68LMcs64kICPOY5hpJFfPrsQsCN3evXj1GnGxQSL6vK9VGQLpc+OGhBxz1wsGdHHQ6MvTEG0rJdLUtXhNqWhJ8BRjy1qUz+rsJQC9ZZgiL3ckHkK7c2aALKnkNqtXGfgUPzcdyOPkBD/PEylV3Kp+JjnMfrblZqEkl0gZBrlxmDPH426FV2HAYi5vPlp2Ki4McrID6g+8YC5tsqpNRJteiVUWD8VsqKtEJgpb1n9eMz0FghWRf83SkVxMerC/Wj6dvhS40kzZiQJCVO4J6pupiQPtKDB8U97GK2cZvMVnQ/VLU2h/B06fov9OskOcch41NAGi9nyNnBqBPJNX/aFCO8ALtIe6Gu+FTd+jzVxhVmetWZigVyLOOBxDK7ksW44am6TqixlZP2ExcsDE5BSH2VIBih4B7v5V6OgjKK7to8VCD7BV9tgX6uNuIvmXTkjdiAYn5guRu2VAc0dSCHyYolwDJeCsMabz8LERFENCu6JbrQFWFdkYOJNqyg7zxRK4baO7JKcB+IcqOLRSy1936DrjFdxZK5FgevlfgQnkR5IBUUEWcP1WgaAXg1fbXwO1C0tuuxmtRK/nWaHy4KdmZ9I8quvY=
Content-Type: multipart/signed; boundary="Apple-Mail=_0BFC5668-FA6A-4064-BB47-02E3E91C6CD5"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR07MB9202
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/55kgcAciv5nZEJuIUWOvq7qh1-s>
Subject: Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 21:08:07 -0000

Hi,

The proposed change looks good to me. With this I will clear my discuss. Thanks for working on making this specification better.

//Zahed

> On 19 Sep 2022, at 14:54, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
> 
> Hi Zahed,
> 
> I propose the following text edit. Given that this is a general
> requirement and the specific exporting method is not within the scope
> of this document, I believe the following change seems reasonable.
> 
> OLD:
> Although the exporting method is not within the scope of this
> document, any exporting method MUST secure the exported data from the
> IOAM node to the receiving entity.  Specifically, an IOAM node that
> performs DEX exporting MUST send the exported data to a pre-
> configured trusted receiving entity that is in the same IOAM domain
> as the exporting IOAM node.  Furthermore, an IOAM node MUST gain
> explicit consent to export data to a receiving entity before starting
> to send exported data.
> NEW:
> Although the exporting method is not within the scope of this
> document, any exporting method MUST secure the exported data from the
> IOAM node to the receiving entity, in order to protect the confidentiality and
> guarantee the integrity of the exported data. Specifically, an IOAM node that
> performs DEX exporting MUST send the exported data to a pre-
> configured trusted receiving entity that is in the same IOAM domain
> as the exporting IOAM node.  Furthermore, an IOAM node MUST gain
> explicit consent to export data to a receiving entity before starting
> to send exported data.
> 
> Cheers,
> Tal.
> 
> On Mon, Sep 19, 2022 at 12:14 PM Zaheduzzaman Sarker
> <zaheduzzaman.sarker@ericsson.com> wrote:
>> 
>> I have noticed that paragraph, however,  I didn’t interpreted that immediately to use of secure connection in that paragraph. May be we should be a bit more specific/descriptive about what is included in the "secure the export of data”.
>> 
>> //Zahed
>> 
>>> On 15 Sep 2022, at 17:12, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
>>> 
>>> Hi Zahed,
>>> 
>>> 
>>> On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
>>> <zaheduzzaman.sarker@ericsson.com> wrote:
>>> 
>>>> This is good. I haven’t noticed any requirements on exporting over a secure connection to and trusted destination in this specification. I may have missed this, could you please point me to that?
>>> 
>>> 
>>> Yes, the following paragraph addresses this topic:
>>> 
>>>  Although the exporting method is not within the scope of this
>>>  document, any exporting method MUST secure the exported data from the
>>>  IOAM node to the receiving entity.  Specifically, an IOAM node that
>>>  performs DEX exporting MUST send the exported data to a pre-
>>>  configured trusted receiving entity that is in the same IOAM domain
>>>  as the exporting IOAM node.  Furthermore, an IOAM node MUST gain
>>>  explicit consent to export data to a receiving entity before starting
>>>  to send exported data.
>>> 
>>> Cheers,
>>> Tal.
>>> 
>>> On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
>>> <zaheduzzaman.sarker@ericsson.com> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On 18 Aug 2022, at 15:16, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
>>>>> 
>>>>> Dear Zahed,
>>>>> 
>>>>> Thanks for the comments.
>>>>> 
>>>>> Here is an  updated version of the draft:
>>>>> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-1191a6b94b1b8ef3&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ippm-ioam-direct-export%2F
>>>>> 
>>>>> Regarding the following DISCUSS point:
>>>>> 
>>>>> [snip]
>>>>>> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
>>>>>> reviewer's concern on rate limiting the exported traffic triggered by DEX
>>>>>> Option-type as only protection mechanism
>>>>>> (https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-f1a8e03896e17207&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftsv-art%2F1WNgYWGJmxLd4f3RAiDk-LJ-S8Y%2F)
>>>>>> very valid but haven't seen it addressed. In this discuss, I would like to
>>>>>> bring back attention to that concern and would like to discuss why there should
>>>>>> not be a circuit breaker kind of functionality required here?
>>>>> [snip]
>>>>> 
>>>>> The rate limiting is just one of the security measures in this
>>>>> document. There was a long discussion in the IPPM working group about
>>>>> amplification attacks and how to mitigate them:
>>>>> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-85de22596797bb61&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FPyfokOEsBBCTtRdNYG-Vr-674Nw%2F
>>>>> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-a9aaeff04156da3d&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FJNiX94A7fN6tUPsA-VQizQEBWms%2F
>>>>> 
>>>>> Following this discussion, what we came up with in order to mitigate
>>>>> these attacks is a combination of the following components:
>>>>> - Rate limiting (1/N) at the encap node.
>>>>> - Export traffic rate limiting (1/N) at the exporting node.
>>>>> - No exporting over DEX-enabled tunnels.
>>>>> - The DEX option is not pushed into packets that already include an IOAM encap.
>>>>> - Exporting over a secure connection to a trusted destination.
>>>>> 
>>>>> We believe that this combination of components, which are discussed in
>>>>> the document, provides reasonable measures to address the threat.
>>>> 
>>>> This is good. I haven’t noticed any requirements on exporting over a secure connection to and trusted destination in this specification. I may have missed this, could you please point me to that?
>>>> 
>>>> //Zahed

v2.23.0 | Report a Bug | By Email