IETF Logo Mail Archive

Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 18 August 2022 13:17 UTC

Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55EA4C14F74C; Thu, 18 Aug 2022 06:17:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HquW4PMNGg4H; Thu, 18 Aug 2022 06:17:02 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 295EEC14F73A; Thu, 18 Aug 2022 06:17:02 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id r15-20020a17090a1bcf00b001fabf42a11cso1807361pjr.3; Thu, 18 Aug 2022 06:17:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=+qzhsUeB24WP4TQHn9++5EfXfZXDV1gLVU8jaWomdBY=; b=Z8D0u4k0VWAmWJP2EmTlHyA3xK1ofkc9CfBHK7tfJMKXhfCwdPW1Qg9fT+wAdYUQ4+ ivzdCAlGrRUF7/E6/o9NGDL+QtnrGrBrWhOG4rU/UeD1TzLhorV5+SU6XOE+LAIhMpGl r18bHjPjOiQ9XPTKUW74B8MS1F5+56FWLg/KEROPvvmyub7QWZ859MObEzrP30xnyUt4 CFW89sRWGmfjGgUcWdJC8qk7ciDRcYOJdVbXJ53l54nMllMNzsDsLxWC2saIFmF6cNDp XrJPNkDMc3qZLbzGKR76QvPVS6g8bdZj+05bGbKErZ4chyPdQMYS6dpU5ACnlYNVprp0 9eKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=+qzhsUeB24WP4TQHn9++5EfXfZXDV1gLVU8jaWomdBY=; b=LDcItWeFJRE4hvn6+lqk+6EdlE5H+ReHeL/9FD8dA4U3p64iXyyFxJsgfo0qOsEMnX fKL+b5gkP/8U7YFIfx618nvQFBsnlIkLm//bUWQTJGxWCPKE4gqzG4CqhrJktcba9n7v 27tGWVefaTBxvG/LXkMlCu1wr0zfioXagTK+dTWtmeqn8VrNPlMvW8lXF9Ppx3rRwARp nXOf/TM/vEM/TpgBf4KCjzfGXbVJKS8mMB06dhw7cc2CVmkb38bUh6H5TKZpVPLFAk5y tg8LcE/K96CIA1nutH42zaz6Tx4RHrxn23GBquGRiAphNZ2Uvqw/I2Nc2f8BC5B6bzRF ZFDQ==
X-Gm-Message-State: ACgBeo3rGqLp3DJp+O6J1f/k73l2d5VxTXXsnNbnVw4XMR74FrO4cSIJ nMbBbhxVaQ4KsBa9KOEY0OE72AXlv4XJMYnvGQc=
X-Google-Smtp-Source: AA6agR4T7MxNVRI0n34VeRoElL/d6CZkRG5FjJMgxkCzgSrxth0LQmaD4A9PM9nHb+Lt0tpVkbV6cDgUHhj2DIXNLeM=
X-Received: by 2002:a17:90a:55:b0:1f7:4513:8cac with SMTP id 21-20020a17090a005500b001f745138cacmr3020409pjb.93.1660828621582; Thu, 18 Aug 2022 06:17:01 -0700 (PDT)
MIME-Version: 1.0
References: <165653760608.27520.5309528880057245173@ietfa.amsl.com>
In-Reply-To: <165653760608.27520.5309528880057245173@ietfa.amsl.com>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 18 Aug 2022 16:16:47 +0300
Message-ID: <CABUE3Xnz+xg0y2whG0_gZzuxT6Ys9Ad+LDtSmbCaXMvWKEnMVA@mail.gmail.com>
To: Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ippm-ioam-direct-export@ietf.org, ippm-chairs@ietf.org, ippm@ietf.org, tpauly@apple.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/97zCs8Ql-OwKkAl18lwxhLefS9Q>
Subject: Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 13:17:04 -0000

Dear Zahed,

Thanks for the comments.

Here is an  updated version of the draft:
https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/

Regarding the following DISCUSS point:

[snip]
> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
> reviewer's concern on rate limiting the exported traffic triggered by DEX
> Option-type as only protection mechanism
> (https://mailarchive.ietf.org/arch/msg/tsv-art/1WNgYWGJmxLd4f3RAiDk-LJ-S8Y/)
> very valid but haven't seen it addressed. In this discuss, I would like to
> bring back attention to that concern and would like to discuss why there should
> not be a circuit breaker kind of functionality required here?
[snip]

The rate limiting is just one of the security measures in this
document. There was a long discussion in the IPPM working group about
amplification attacks and how to mitigate them:
https://mailarchive.ietf.org/arch/msg/ippm/PyfokOEsBBCTtRdNYG-Vr-674Nw/
https://mailarchive.ietf.org/arch/msg/ippm/JNiX94A7fN6tUPsA-VQizQEBWms/

Following this discussion, what we came up with in order to mitigate
these attacks is a combination of the following components:
- Rate limiting (1/N) at the encap node.
- Export traffic rate limiting (1/N) at the exporting node.
- No exporting over DEX-enabled tunnels.
- The DEX option is not pushed into packets that already include an IOAM encap.
- Exporting over a secure connection to a trusted destination.

We believe that this combination of components, which are discussed in
the document, provides reasonable measures to address the threat.

Please let us know what you think.

Thanks,
Tal.



On Thu, Jun 30, 2022 at 12:20 AM Zaheduzzaman Sarker via Datatracker
<noreply@ietf.org> wrote:
>
> Zaheduzzaman Sarker has entered the following ballot position for
> draft-ietf-ippm-ioam-direct-export-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Thanks for working on this specification.
>
> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
> reviewer's concern on rate limiting the exported traffic triggered by DEX
> Option-type as only protection mechanism
> (https://mailarchive.ietf.org/arch/msg/tsv-art/1WNgYWGJmxLd4f3RAiDk-LJ-S8Y/)
> very valid but haven't seen it addressed. In this discuss, I would like to
> bring back attention to that concern and would like to discuss why there should
> not be a circuit breaker kind of functionality required here?
>
> I also think this specification should be explicit about not exporting IOAM
> data to any receiver outside of IOAM limited domain. Hence supporting Roman's
> discuss.
>
> for example - The introduction section can state-
>
> OLD text-
>
>    A
>    "receiving entity" in this context can be, for example, an external
>    collector, analyzer, controller, decapsulating node, or a software
>    module in one of the IOAM nodes.
>
> New text-
>
>    A
>    "receiving entity" in this context can be, for example, an external
>    collector, analyzer, controller, decapsulating node, or a software
>    module in one of the IOAM nodes with in IOAM limited domain.
>
>
>
>
>

v2.14.0 | Report a Bug | By Email