[ippm] Fw: I-D Action: draft-ietf-ippm-encrypted-pdmv2-10.txt
"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 07 April 2025 16:10 UTC
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: ippm@mail2.ietf.org
Delivered-To: ippm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 78542186C300 for <ippm@mail2.ietf.org>; Mon, 7 Apr 2025 09:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1Wp1ksNRhRg for <ippm@mail2.ietf.org>; Mon, 7 Apr 2025 09:10:24 -0700 (PDT)
Received: from sonic322-14.consmr.mail.ne1.yahoo.com (sonic322-14.consmr.mail.ne1.yahoo.com [66.163.189.37]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9C285186C2F9 for <ippm@ietf.org>; Mon, 7 Apr 2025 09:10:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1744042223; bh=0BFqvJpVxU+AFPVylckMYOIN9MeI7IluH3rJodSfE7Y=; h=Date:From:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=pENI7A6lqZKXs4w2Ymgy7vBZCFGvU4K2wwl8+2i23Op3i3FUTMRsQVHcRWTOMdzEh4xLM3o2Cau09xRzE4xaZtPgiBc2bkvB7Jy8/lxEasFsFZynEFda4lxUcc+/9dnOZVBNSw/7FVqCwsixZi1O+8zwTXaYQZeGCVDYYTPKmSEGFC5hHvVQslKV8vJDrjiVnG2mC3yKbeeM7Yyd3oM/VgFyC/M/jPf+BzYtDI1awDX4wCaNQShMeu8XlYSUri9Nmcz2OTTYg3qQWGvZ1NsM5dg6AvbzD8TDy1A1V3sewLfphbfBLtMefCwK+eCYlkFuHASeV6vOeWYtZBxPKVU0HQ==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1744042223; bh=bDMeYEu1X0jzDLcipb+MoJGywt0Xb0RNK1YJSAq3NQ4=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=WdIjN22ov+wg33N7Gx9EiYcuMxI+uv1uJFz6Nx15V7up6DJC3Vn1b5eswXMrhBC8nOpCyaVdxtjskRu825OKhUOLJ+huRre8ySYROY+Gb8/PUOGSHVBQC+A6CY5pNH5RfE8y0pZ3EP7/rJoYFAhgAHrtB56kNzN64u6M5jbnobbkQC/S/jZ+51T9fRTuUTNNoQOnH6GlXH7k225pliWi/BcsIlumNQ9u7JI028qncbNPPT2IG7NhBAPAu7Ae8/7zf5bnKteR1MyOPdyddbtUSUbpRPxA3gq4a3e8dX570AYW3muhOAb7wyxrmDV924bKTDvCZ6k0HEBxKaoQMs0d4Q==
X-YMail-OSG: _fmzY_8VM1ne6Lp3uzGAsCu0fsG._CCWK2xE16uKdrEyd9BQX8IY3nh9pPD0l2k 1P56V5BsrkNK0kvD8xx0slRTaq4.qoJ1xMLGTO_KLZBvTlqoTacYja2NmxLX18qZ6r97Wu5GPsze 6Fgnmw6R96i3ytUb9fgzDAOUpaJ86C_jGhNdmR1zh9RWcDhJJBQapwExPEw5atJZERmQRXENa5Ku 5JbXCQkxYVxRseaa0X64i2VySiD8TL79B9QIg7BvC8_vWc8EVgMTbE4PfmVqcdZtZGnQNFTz2jI7 OTD7WYlQIOqxqlKttKmNQpk7uFYsVVfL6g2ml_FsHtysO9SoIDV4YskrTA9KBPUJFXMP9Oji15eL XNHSKGl2YeP2__xG0HFVaISSPYD9YmwwczjZhwwjPaRjHUbzJR61KBIj_wY2iNb0OvUZ7UPAGIB9 in_9aMZDUC44_T24QlH55AJPIeXQf3Q6Z6liMZBSxsxddHbi25FuwcCJOKMQb5_GrtXrHWnC7Bvz FNV2nXz4j8QRTLi2CZRu.vDPQdQ7IdVbtxKM.MZSa._eMIs6ksWuEUg2sIn2woU3VAQq4zzyWSFD bHQ2NeBgO7I4rKRibRIYmNuYT4lvsjdgkGHamN2Xe4Uprh2MZqWccQprV68nwaGo4Soe_LIqMmvK B1.xTPDwRELbeEk.dLCwVSFE_uKIF0GTNnktk8IhjXcsfCkJnC.AmTzc7YT5LlPZVInBmn260eMi os9inXOCvlGZDZK5iOLD0iKKgR.MsQItkn2p9IVcx_e.YkJQN7I.i4TpejMqGzdXrEdru9R5NeBc PHovktVMT8RmnR.5FHne5oG047lIu._RytFHn9vKIDeNTn.KKbvccMUoNZ.OTkM5Kj.lGZx0WLwF p.EI6C5bSx58yovYMSbBgN_KItAdhaAyv167NYjmNdcwkNiqsKEeVVXDHATsieq_ypr8trbc8zGj ftc1wQlolyUhcyI4qY9dHwswMxrMD.M1otyVjMZLrvKZ0MMczsiYk2tblrpNP63TdvD6yy04nyMx I333I2Op2dorC8vgrb1QOicWzohIsgNitlDUZPYj5um2M.kLZe4JfDFQyjzeXGaeNP2f91bqVDui GIu36s5qlzny2jZAvHicYLaDZl3WbV58miYS8NY4LfWRbWL8IT8OGIRSfkxtw7coRpnDDtJGGsCr xpLRWoaVApC_BA92JLciYNERmB1zr3xSEchS5fTo_u197FQDFRgJyb8BM_ni5lFb_1f_bjwh_ONs gNupEx8LU0QvY4NndFUQBo7Kj0.9x1bDzNyJa2389FFgZ5mJ7npa_pIZRGPNNkT5ainzJqGUJt3s YSnRPhGuP0po4XiH3JW0WIXaN4sHb8NMhZ32qQOg89uhWvyS6CzxTnWyiPxMdDalkOq2z6XnMKEe tuH1e0HjmV3LzhTVyFLtLmXGJTSHPuC.VutasoL2Czrxzd3NI6Qg0.WlkRBrss.VbnIIvlWt9u9O OYXHfNmnc33WFmEHo_kNBfexZ5_3L6BeuEd3ZtnA7_x3W7FNHTJO.sEobu8t.Y_RZPQ3jUDhutFz _W_ktQN1ib57.aph05rD3d2aTUZ.uaGz3HmOn1G6VazXMlMVdp1dPwsvF_W7SSFoYJlBL9gbKsnL 4cgadicCkFcbmQrFgDuD1Q5nzJZJE55yxZ_dfoZMU8fQLdlc6yV0mlgwQBtOOey5pW2KzDgdI2Kw hzuIxA1YBQL6NhxM7yUs7i_aqVFKQw1pJa2c3Ldiri9YEaA6pRjo4cvoV6EHf5yNzte1pTTygzGA N3k7Sgw0m.M0BKqtxe..b_S5hCOf31OIta5vII5NVUHSEJd0A5OgbGdhBY.rde7QW3aZNupPnafC RMhi_b.KAhqPWZAofYETZ8D0zt.DVKCybnxyA08zbUFwDyWSKLzxwd4GSJ20fWIbkEPC3JX5ti_Q 48bKgtg3iwPmK9HSoSzdq.eYj_ZC6N_0OND42fLJPf4YZNLkSlxMVPQWn.sAMSoxQVwVaAkdCYgt dor1DpjTYY59dXdtsutzLlRq6FfNbm2XH33X5vhQrh6VzxroS_Aiej7gJsF5YVnH0UCr98HjdGXG u0tiWDVKme6q8pE.uHnMrOdlpyPzU3QvEX17zeka3QxM0cgsUAzaZYvxkPC_uziYf8AzNZuy_9a4 mMbxBWWcgPg_bDNuU5.30v_dg8A.GUuxRMLr0rzEObJF.IceDq_nhqmINGRWLBmnu1vFisXhNtZv E_tlzcXQOs_yciKZLRKZlqvIVmGp22sG1QZMt2d._SUAdNaMOZ3kCLWdz271S2kCZ3EvEZEthXg6 .x4i.slz8ctLQQ2oeGIBbYWXLLdqRhXU-
X-Sonic-MF: <nalini.elkins@insidethestack.com>
X-Sonic-ID: 32b6a166-c5d3-45c8-9fd0-c1a0d0a221d9
Received: from sonic.gate.mail.ne1.yahoo.com by sonic322.consmr.mail.ne1.yahoo.com with HTTP; Mon, 7 Apr 2025 16:10:23 +0000
Date: Mon, 07 Apr 2025 16:10:19 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: IETF IPPM WG <ippm@ietf.org>
Message-ID: <230782326.2614572.1744042219812@mail.yahoo.com>
In-Reply-To: <174399028625.379280.5836195526757194540@dt-datatracker-64c5c9b5f9-hz6qg>
References: <174399028625.379280.5836195526757194540@dt-datatracker-64c5c9b5f9-hz6qg>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2614571_1086456245.1744042219810"
X-Mailer: WebService/1.1.23590 YMailNorrin
Message-ID-Hash: XYA3POB4XECJ4BRI4MKOTXRXX56S5P3W
X-Message-ID-Hash: XYA3POB4XECJ4BRI4MKOTXRXX56S5P3W
X-MailFrom: nalini.elkins@insidethestack.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ippm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [ippm] Fw: I-D Action: draft-ietf-ippm-encrypted-pdmv2-10.txt
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/8s7ELvnlnBF4zRCswVXUhZxlnc4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Owner: <mailto:ippm-owner@ietf.org>
List-Post: <mailto:ippm@ietf.org>
List-Subscribe: <mailto:ippm-join@ietf.org>
List-Unsubscribe: <mailto:ippm-leave@ietf.org>
Guys, Please comment on this draft. We want to get agreement and have discussion on these things before proceeding. Confusion / misunderstanding on what we were trying to achieve and why was the reason (IMHO!) for many of the IESG comments. So, we very much would like the WG to chime in. To review: PDMv2 is an IPv6 Destination Options Extension Header that enhances PDM [RFC8250] by adding confidentiality, integrity, and authentication to its measurement data. PDMv2 Foundational Principles The design of PDMv2 adheres to a set of foundational principles which guide its architecture and operational model: 1. Offline Decryption: All decryption of data occurs offline, eliminating the computational overhead of real-time decryption on network devices. 2. Speed of Handshake Processing: The goal of PDMv2 is to have as little time spent in handshake processing as possible. 3. Handshake at IP Layer: The establishment of session keys is at the IP layer not at the transport or session layers. However, keys will be changed when there is a change in the 5-tuple. For ICMP and IPsec, sender-destination IP pair defines the session for key rotation purposes. 4. Separation of Encryption Layers: Encryption at the extension header level is designed to be independent of encryption in higher-layer protocols (e.g., TLS, QUIC). This avoids bootstrapping problems where key negotiation at one layer (IP) is dependent on information from another layer (TCP / TLS). 5. Key Reuse Avoidance: Keys are not reused between sessions. Each session uses a freshly derived key to enhance security and forward secrecy. 6. Base Key Registration: Master keys and device authentication are established through a registration process with an Authentication Server. A complementary draft will detail the full registration procedure and the operation of the Decryption Server that handles offline decryption. 7. Sequential Field for Key Derivation: Each packet may include a sequential field (in cleartext), which serves as input to a key derivation function (KDF). This supports dynamic keying mechanisms such as those used in Hybrid Public Key Encryption (HPKE). 8. Sample Key Derivation Implementation: A sample implementation using HPKE will be included to illustrate how these principles can be applied in practice. Alternative KDFs may be used, based on implementation needs. 9. Optional Sequential Field Usage: A field which may be used as a nonce and is sent in the clear will be provided. Usage of this sequential field is optional and can be omitted if not required for the cryptographic scheme in use. It is required for HPKE but the implementor may choose another scheme. Thanks, PresidentIndustry Network Technology Councilhttps://www.industrynetcouncil.org ----- Forwarded Message ----- From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>Cc: "ippm@ietf.org" <ippm@ietf.org>Sent: Sunday, April 6, 2025 at 06:45:31 PM PDTSubject: [ippm] I-D Action: draft-ietf-ippm-encrypted-pdmv2-10.txt Internet-Draft draft-ietf-ippm-encrypted-pdmv2-10.txt is now available. It is a work item of the IP Performance Measurement (IPPM) WG of the IETF. Title: IPv6 Performance and Diagnostic Metrics Version 2 (PDMv2) Destination Option Authors: Nalini Elkins Michael Ackermann Ameya Deshpande Tommaso Pecorella Adnan Rashid Name: draft-ietf-ippm-encrypted-pdmv2-10.txt Pages: 23 Dates: 2025-04-06 Abstract: RFC8250 describes an optional Destination Option (DO) header embedded in each packet to provide sequence numbers and timing information as a basis for measurements. As this data is sent in clear-text, this may create an opportunity for malicious actors to get information for subsequent attacks. This document defines PDMv2 which has a lightweight handshake (registration procedure) and encryption to secure this data. Additional performance metrics which may be of use are also defined. The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-ippm-encrypted-pdmv2/ There is also an HTMLized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-ippm-encrypted-pdmv2-10 A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-ippm-encrypted-pdmv2-10 Internet-Drafts are also available by rsync at: rsync.ietf.org::internet-drafts _______________________________________________ ippm mailing list -- ippm@ietf.org To unsubscribe send an email to ippm-leave@ietf.org
- [ippm] I-D Action: draft-ietf-ippm-encrypted-pdmv… internet-drafts
- [ippm] Fw: I-D Action: draft-ietf-ippm-encrypted-… nalini.elkins@insidethestack.com