Re: [ippm] Adoption call for draft-mizrahi-ippm-ioam-flags Re: Regarding draft-mizrahi-ippm-ioam-flags

Greg Mirsky <gregimirsky@gmail.com> Sat, 03 August 2019 23:27 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E17DD12014E; Sat, 3 Aug 2019 16:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gDdwLGayhJzz; Sat, 3 Aug 2019 16:27:49 -0700 (PDT)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64940120143; Sat, 3 Aug 2019 16:27:48 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id 62so50498250lfa.8; Sat, 03 Aug 2019 16:27:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3uyG2UdIG5A98i7XjDNdqZnOJEVqJV5CZXj9gmX7uyI=; b=PbH3NUSvsYhDjBivtcLefm8uSVqG3+WovuUJYtN3nIjafaaMH4KS6L/3MxyD/Jo+HX VfbLxi7XtljlIr87zTVGwQrf9523LHE6VlKy+gLrZwwZfWGjTmRb9n0LATZbzuh4g0VK Qk8w3KK4hropAFcnu75sD3NecKIhWbA86YDSe4h7lbvMCux4WTzApkjGwMOFfu2cKXk5 mAfRZ0N8Y3/Lc/BNYCuHBss6dY7HbV06klUzAb7PeZdCBzd9Sj5gXoJqmsckye1Bg7P3 3ddOu4DCgs0kw7zqgnCBcruRknY9CzHCofyMO4imaAgUqnnNBIPue8huiola5h8SR++R QWkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3uyG2UdIG5A98i7XjDNdqZnOJEVqJV5CZXj9gmX7uyI=; b=QcZfAAULxHhH/RmDx7IZ9g+ItgXgGrO5q56haesGgi6Y7ts6xv+gB7zN1E4lBoi3YO FJx4AnduBJ0KbNAETDabyIoXEnaUJut8zT7TsO5Wo40buiDCCxZ5tG/JiwSGbRQWGaMl UaRnEpVndjxHQMX2W7/JTk3uoscH/tFmt1coshVwF+aTLQJU4OpYu3kDAtat2ugxptrp 2NuGO6ghsKeyvZOL44BGHAf9c1XaRHGaFBtKHkc2idLNtIa/YgEhIheCjgwD93b6fyYN TmaSzEJ55GlRmAHhoLnC2qPnj5B4uZE2qXYusNGvkwKJv8PJnAiAkcob4N4q6oYz0vbU 2kDg==
X-Gm-Message-State: APjAAAXB8cuweK2SJOPgiREBkzU42izGwkjzIpZwXcQp5R+fZk6DfaYu C2FUTqC0OSOizEj/MJj77fuqpmQQv1cG1ABXHJ8=
X-Google-Smtp-Source: APXvYqzh+MTRMJ3lHo7lhxwv75SjZNHTMCrwqA43CPGkz2WYQLN/Kml+RQk+prAF/cISl9dHWxvB19PcvauZ8lnETaI=
X-Received: by 2002:ac2:442f:: with SMTP id w15mr6291309lfl.9.1564874866551; Sat, 03 Aug 2019 16:27:46 -0700 (PDT)
MIME-Version: 1.0
References: <CA+RyBmVnkMFEQv=Hr3y9OD09+_vocHRgnGQnLwEVO=yuTcptEQ@mail.gmail.com> <EAB5C70D-A160-423E-84FE-3CE7AC079168@trammell.ch> <CA+RyBmWxh+FRxnrFH9ZbQ_F0V42UTm8aE0yOpd2N7vXb-Eqaiw@mail.gmail.com> <CAPDqMeoS8ZatMF9SXNYi0bPDdRN7T0gj-snxrLNL+1arGv5RTw@mail.gmail.com> <BYAPR11MB258458D075E929C9C0CF4901DADE0@BYAPR11MB2584.namprd11.prod.outlook.com> <CA+RyBmXzZvi7GBC6OJ_+RcRFp_xQMmfnGAwhxUdh9YQ-4fBw3A@mail.gmail.com> <BYAPR11MB2584A68317656AB94D1EE2C1DADE0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMeox8Q0Oqn-zqDVTLbAcyzpCKo+8FVXctCmNKUgsHXcg3w@mail.gmail.com> <BYAPR11MB2584978168353AC7C0D1493EDAD90@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB2584978168353AC7C0D1493EDAD90@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Sat, 03 Aug 2019 16:27:35 -0700
Message-ID: <CA+RyBmWJ56FfrshsoqfpeGQ7zjZFK-oVU4iJjGbG4YsL68u-AQ@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: Tom Herbert <tom@quantonium.net>, IPPM Chairs <ippm-chairs@ietf.org>, IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000089f011058f3ed26b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/6rYruj_D2IJfeGiBIilGwYJttm0>
Subject: Re: [ippm] Adoption call for draft-mizrahi-ippm-ioam-flags Re: Regarding draft-mizrahi-ippm-ioam-flags
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Aug 2019 23:27:52 -0000

Hi Frank,
thank you for the very detailed description of the use case for the
Loopback flag. I think it would be helpful to add some text that explains
the use case in the draft. But from your explanation, I cannot find how the
Loopback flag can be used in any performance measurement method. What I
gather is that the Loopback is used to localize a fault detected by another
Fault Management OAM tool. If my understanding is correct, the Loopback may
be useful as part of FM OAM. But Fault Management OAM is not part of the
IPPM WG charter. It could be I've missed something and please correct me if
I did, but I don't see that the Loopback flag and the use case it
addresses, i.e., fault localization, is in the scope of this WG.

Regards,
Greg

On Thu, Aug 1, 2019 at 11:48 PM Frank Brockners (fbrockne) <
fbrockne@cisco.com> wrote:

>
>
> > -----Original Message-----
> > From: Tom Herbert <tom@quantonium.net>
> > Sent: Freitag, 2. August 2019 00:27
> > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > Cc: Greg Mirsky <gregimirsky@gmail.com>; IPPM Chairs <ippm-
> > chairs@ietf.org>; IETF IPPM WG <ippm@ietf.org>
> > Subject: Re: [ippm] Adoption call for draft-mizrahi-ippm-ioam-flags Re:
> > Regarding draft-mizrahi-ippm-ioam-flags
> >
> > On Thu, Aug 1, 2019 at 12:12 PM Frank Brockners (fbrockne)
> > <fbrockne@cisco.com> wrote:
> > >
> > > Hi Greg,
> > >
> > >
> > >
> > > Please see inline…
> > >
> > >
> > >
> > > From: Greg Mirsky <gregimirsky@gmail.com>
> > > Sent: Donnerstag, 1. August 2019 20:54
> > > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > > Cc: Tom Herbert <tom@quantonium.net>; IPPM Chairs
> > > <ippm-chairs@ietf.org>; IETF IPPM WG <ippm@ietf.org>
> > > Subject: Re: [ippm] Adoption call for draft-mizrahi-ippm-ioam-flags
> > > Re: Regarding draft-mizrahi-ippm-ioam-flags
> > >
> > >
> > >
> > > Hi Frank,
> > >
> > > thank you for your expedient response and the clarification, much
> > appreciated. I have some follow-up questions but your response, in my
> opinion,
> > supports my original evaluation of the draft that it is not ready for WG
> adoption.
> > I don't agree that the presumed benefits of the proposed Loopback flag
> > outweigh risks that were called out during the meeting and were pointed
> by Tom
> > and me.
> > >
> > > Also, thank you for informing everyone that a design team is forming
> to define
> > the use of the Immediate flag. I think that that flag should be
> introduced along
> > with the clear and firm specification of its utilization.
> > >
> > > And I'm still not clear about how the Active flag can be used. You
> suggest that
> > it is intended as complementary to "an operator who uses his own
> probing".
> > What such "own probing" could be? Why would the operator use well-known
> > standard-based active OAM for fault management and performance
> > monitoring?
> > >
> > >
> > >
> > > …FB: draft-lapukhov-dataplane-probe-01 is an example of an operator’s
> > approach to probing. I’ve also seen deployments where the probing is
> integrated
> > with the application – i.e. part of the application solution, which is
> another
> > example domain where specific health checks are used.
> > >
> > >
> > >
> > > And, going back to the scenario in DC. I wonder why the well-known
> > Traceroute is not sufficient?
> > >
> > >
> > >
> > > …FB: In the scenario discussed below, detection speed was the driving
> factor –
> > the IOAM loopback solution gives you an indication of the failed link in
> less than
> > 1 RTT.
> >
> > Frank,
> >
> > I'm doubtful it would be practical to set loopback on every packet given
> the
> > amplification characteristic, which means that either it's done as a
> periodic
> > probe or on demand when the application has reason to suspect a failing
> link. In
> > either case, it seems like the latency to detect and identify a failing
> link would be
> > greater than 1 RTT. Am I missing something?
>
> Tom,
>
> you would not set loopback on every packet. Let me re-explain the
> deployment scenario:
>
> * Operator runs a custom application UDP probe - which makes probe traffic
> follow all paths the application uses.
> * On detecting failure of a specific probe for a specific connection, IOAM
> tracing is turned on with loopback for *that* connection.
> * Once IOAM tracing is turned on, you can detect the node/link where
> traffic is stuck within one RTT. I.e. identification can be done in 1 RTT,
> once you detected the failure.
>
> So in other words, you only need the IOAM trace option with loopback added
> to a very small set of packets. In an ideal world even one packet would be
> sufficient.
>
> Frank
>
> >
> > Tom
> >
> > >
> > >
> > >
> > > Cheers, Frank
> > >
> > >
> > >
> > > Regards,
> > >
> > > Greg
> > >
> > >
> > >
> > > On Thu, Aug 1, 2019 at 12:32 PM Frank Brockners (fbrockne)
> > <fbrockne@cisco.com> wrote:
> > >
> > >
> > > Some additional notes on the different flags - restating and expanding
> the
> > discussion we had at the WG meeting in Montreal:
> > >
> > > Loopback flag:
> > > The loopback flag was inspired by a specific use case, which could be
> > summarized as "rapid identification of a failed link/node in a DC": In a
> DC (read:
> > controlled/specific domain), one runs UDP probes
> (draft-lapukhov-dataplane-
> > probe-01) over a v6 fabric. In case a UDP probe detects a failure, one
> adds the
> > IOAM trace option and enables loopback mode - i.e. every node sends a
> copy
> > back to the source in addition to forwarding the packet. Correlating the
> > information from both ends allows one to pinpoint the failed node/link
> rapidly
> > and gives one a view of the overall forwarding topology. This use-case
> was
> > implemented in FD.io/VPP roughly 2 years ago and was also showcased at
> IETF
> > bits-n-bites. There is a rough outline of the open source implementation
> > available here: https://jira.fd.io/browse/VPP-471 .
> > > In more generic words: Loopback mode is like all IOAM, a domain
> specific
> > feature. Loopback mode is to enrich an existing (here the
> dataplane-probe)
> > active OAM mechanism.
> > > Reading through the comments below, it proves that the current draft is
> > indeed a good basis for the discussion and it also clearly shows that we
> need to
> > add a section to the document that expands on how loopback mode is
> expected
> > to be used.
> > >
> > > Immediate export flag:
> > > Per the WG discussion in Montreal - and the follow up breakout meeting
> > (https://mailarchive.ietf.org/arch/msg/ippm/Do9kJ9ED_grmTqwcZHSdpy3CmRk
> > ):
> > > The plan is to consolidate the IOAM-related content for a new
> "immediate
> > export option" from draft-song-ippm-postcard-based-telemetry-04 and the
> > description of the immediate export flag in
> draft-mizrahi-ippm-ioam-flags  into a
> > new draft.
> > >
> > > Active flag:
> > > The active flag is not to replace any existing active OAM mechanisms -
> but
> > rather allow an operator who uses his own probing along with IOAM to
> flag a
> > packet as a probe packet.
> > >
> > > Security considerations for flags in the context of PNF vs. VNF:
> > > Thanks for raising the point. It would be great to see
> specifics/details
> > discussed here on the list, so that those could be incorporated into the
> security
> > section.
> > >
> > > Thanks, Frank
> > >
> > > > -----Original Message-----
> > > > From: ippm <ippm-bounces@ietf.org> On Behalf Of Tom Herbert
> > > > Sent: Donnerstag, 1. August 2019 00:41
> > > > To: Greg Mirsky <gregimirsky@gmail.com>
> > > > Cc: IPPM Chairs <ippm-chairs@ietf.org>; IETF IPPM WG <ippm@ietf.org>
> > > > Subject: Re: [ippm] Adoption call for draft-mizrahi-ippm-ioam-flags
> Re:
> > > > Regarding draft-mizrahi-ippm-ioam-flags
> > > >
> > > > On Wed, Jul 31, 2019 at 11:53 AM Greg Mirsky <gregimirsky@gmail.com>
> > > > wrote:
> > > > >
> > > > > Dear Authors,
> > > > > thank you for bringing this proposal for the discussion. When
> > > > > considering WG
> > > > AP, I use the following criteria:
> > > > >
> > > > > is the document reasonably well-written; does it addresses a
> > > > > practical problem; is the proposed solution viable?
> > > > >
> > > > > On the first point, I commend you - the draft is easy to read.
> > > > > On the second point, I have several questions:
> > > > >
> > > > > What is the benefit of using Loopback flag in the Trace mode?
> > > >
> > > > This is unclear to me also. Additionally, I am concerned that
> > > > protocol blindly reflects the packet back to the source without any
> > > > regard to what else the packet contains. For instance, if a TCP
> > > > packet is reflected by ten intermediate nodes this is nonsensical.
> > > > The possibility of an amplification attack is obvious and in fact
> > > > mentioned in the security section, however I'm skeptical that the
> proposed
> > mitigation of rate limiting is sufficient.
> > > >
> > > > Minimally, it seems like the reflected packets should be wrapped in
> > > > ICMP to mitigate spoofing attacks. Also, I wonder if traceroute
> > > > methodology could be used for tracing, i.e. one sent packet results
> > > > in at most one return packet (ICMP), to mitigate the amplification
> problem.
> > > >
> > > > Tom
> > > >
> > > > > Why is it important to limit the applicability of Loopback to only
> Trace
> > mode?
> > > > > What is the benefit of collecting the same, as I understand the
> > > > > description,
> > > > data on the return path to the source?
> > > > > What is the benefit of using Active flag comparing to existing
> > > > > active OAM
> > > > protocols?
> > > > > What is the benefit of using Immediate flag comparing to
> > > > > Postcard-Based
> > > > Telemetry (PBT) proposal?
> > > > >
> > > > > On the third point, I'd appreciate your clarification on these
> points:
> > > > >
> > > > > In which transports (I find that iOAM encapsulation has been
> > > > > proposed for all
> > > > known transports) you've envisioned to use Loopback flag?
> > > > > The third bullet in Section 5 refers to a replica of the data
> > > > > packet that follows
> > > > the same path as the original packet. What controls that replication?
> > > > > The last paragraph in the Security Consideration section relies on
> > > > > "restricted
> > > > administrative domain" to mitigate the threat of malicious attacks
> > > > using a combination of iOAM extensions. That might be the case when
> > > > operating in a PNF environment, but it is much more challenging to
> > > > maintain such a trusted domain in VNF environment. How can these new
> > > > security risks be mitigated in a VNF environment?
> > > > >
> > > > > Appreciate your consideration and clarifications to my questions.
> > > > >
> > > > > Regards,
> > > > > Greg
> > > > >
> > > > > On Thu, Jul 25, 2019 at 2:07 PM Brian Trammell (IETF)
> > > > > <ietf@trammell.ch>
> > > > wrote:
> > > > >>
> > > > >> hi Greg,
> > > > >>
> > > > >> Thanks for the feedback; absolutely, we can do this the normal
> way.
> > Authors:
> > > > let's do a normal two-week adoption call for this document before
> > > > publishing the update.
> > > > >>
> > > > >> This adoption call starts now.
> > > > >>
> > > > >> IPPM, please respond to this message with an indication to the
> > > > >> mailing list of
> > > > your support for adopting draft-mizrahi-ippm-ioam-flags as a working
> > > > group document, in partial fulfillment of our charter milestone
> > > > "submit a Standards Track draft on inband OAM based measurement
> > methodologies to the IESG"
> > > > (obviously, depending on how many documents we end up sending to the
> > > > IESG, we may have to change the plurality of this milestone). If you
> > > > do not support this, please send a message to the list explaining
> why.
> > > > >>
> > > > >> Thanks, cheers,
> > > > >>
> > > > >> Brian (as IPPM co-chair)
> > > > >>
> > > > >>
> > > > >> > On 25 Jul 2019, at 13:15, Greg Mirsky <gregimirsky@gmail.com>
> wrote:
> > > > >> >
> > > > >> > Dear Chairs, et al.,
> > > > >> > I appreciate that editors of draft-ietf-ippm-ioam-data followed
> > > > >> > on the
> > > > decision of the WG reached at the meeting in Prague to extract
> > > > material not directly related to the definition of iOAM data
> > > > elements from the document. The new draft was presented earlier this
> > > > week and generated many comments. I feel that it would be right to
> > > > discuss the draft and its relevance to the charter of the IPPM WG
> before
> > starting WG adoption poll.
> > > > >> >
> > > > >> > Regards,
> > > > >> > Greg
> > > > >>
> > > > > _______________________________________________
> > > > > ippm mailing list
> > > > > ippm@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/ippm
> > > >
> > > > _______________________________________________
> > > > ippm mailing list
> > > > ippm@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/ippm
>