[ippm] Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with DISCUSS and COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 24 March 2021 15:05 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: ippm@ietf.org
Delivered-To: ippm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 631A33A2E46; Wed, 24 Mar 2021 08:05:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ippm-ioam-data@ietf.org, ippm-chairs@ietf.org, ippm@ietf.org, Al Morton <acm@research.att.com>, acm@research.att.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <161659835537.18895.9718541717885407286@ietfa.amsl.com>
Date: Wed, 24 Mar 2021 08:05:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/E42VDq5Fp74STPwb1sxv7hn6jVI>
Subject: [ippm] Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with DISCUSS and COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Mar 2021 15:05:56 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-ippm-ioam-data-12: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Please clarify what constitutes the edge or boundary of the IOAM domain. 

(a) Section 4.
IOAM is a
   network domain focused feature, with "network domain" being a set of
   network devices or entities within a single administration.
Designers of
   protocol encapsulations for IOAM specify mechanisms to ensure that
   IOAM data stays within an IOAM domain.  In addition, the operator of
   such a domain is expected to put provisions in place to ensure that
   IOAM data does not leak beyond the edge of an IOAM domain.

(b) Section 5.3.
Namespace identifiers allow devices which are IOAM capable to
   determine: …
whether IOAM-Option-Type(s) has to be removed from the packet,
      e.g. at a domain edge or domain boundary.

(a) suggests that the filtering occurs on the basis of the single
administrative domain.  However, (b) suggests that namespace identifiers are
part of the filtering decision; which suggests that sub-domains can be created
in a given domain which should be partitioned from each other.

The Security Considerations should be clearer on who does the IOAM information
filtering, on what criteria and on what boundary.


Thank you to Shawn Emery for the SECDIR review.

I support Ben Kaduk’s DISCUSS position.

** Section 4.  Per the scope of “IOAM is a network domain focused feature, with
‘network domain’ being a set of network devices or entities within a single
administration” and the implicit trust model, the more precise text seems to be
a s/a set of network devices/a set of trusted network devices/.

** Section 10.  To the end of the first paragraph, “All nodes in the path of a
IOAM carrying packet can perform such an attack”.

** Section 10.  It is not clear why the "Direct Exporting" mode, a reference an
unadopted I-D, is being referenced here and then consideration for it is noted
as out of scope.

** Section 10
   At the management plane, attacks can be set up by misconfiguring or
   by maliciously configuring IOAM-enabled nodes in a way that enables
   other attacks.  Thus, IOAM configuration has to be secured in a way
   that authenticates authorized users and verifies the integrity of
   configuration procedures.

The link to authenticating authorized users isn’t clear.  Perhaps the intent of
the second sentence is that configurations should only managed by authorized
processes or users?

** Section 10.  Please note that IOAM fields could introduce the possibility of
a per-packet cover channel

** Editorial nits:
Section 4. Typo. s/using,for/using, for/

Section 10.  Editorial. s/Section Section 5.5/Section 5.5/