Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

Ameya Deshpande <ameyanrd@yahoo.com> Mon, 05 July 2021 16:52 UTC

Date: Mon, 5 Jul 2021 16:52:41 +0000 (UTC)
From: Ameya Deshpande <ameyanrd@yahoo.com>
To: "ippm@ietf.org" <ippm@ietf.org>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Paolo Volpato <paolo.volpato@huawei.com>
Message-ID: <1572807293.5736260.1625503961968@mail.yahoo.com>
In-Reply-To: <1402651859.5739390.1625503729029@mail.yahoo.com>
References: <162256330634.19677.3885804345914692467@ietfa.amsl.com> <28584824.2341925.1622563579715@mail.yahoo.com> <721002155.671981.1625161479360@mail.yahoo.com> <c0651506a3fb437c9300b1fc14206560@cas.org> <1732873610.1690997.1625502432340@mail.yahoo.com> <1402651859.5739390.1625503729029@mail.yahoo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/GqSbvur_q8yPkaAO_c0B4bp0qhA>
Subject: Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

Hi Paolo,

Thanks for your comments. Please check the inline reply.

> Also, I assume that PDMv2 is mainly used by end stations (e.g. hosts instead of routers). If this is the case, then I don’t expect that the performance degradation due to encryption is a serious issue. Do you see other different cases where instead degradation may be a concern?

When using encrypted PDMv2, we have a bigger packet to send as the size of encrypted data is more than the corresponding plaintext data. This can increase the timing slightly as the packet size has increased.

For using encrypted PDMv2, we have an initial registration phase where we negotiate the shared secret (using KEM). We have also given a registration mechanism for enterprises with many servers and clients. However, this will be done before transmitting PDMv2 packets.

We intend to have a side-meeting where we will explain HPKE and be able to thoroughly discuss these points. When we are able to schedule it, we will let you know. The registration to schedule side meetings has not yet opened.

Thanks,
Ameya Deshpande

    On Monday, 5 July, 2021, 10:19:21 pm IST, Ameya Deshpande <ameyanrd=40yahoo.com@dmarc.ietf.org> wrote:  
 
Hi Robert,

Thanks for your comments. Please check the inline comments.

> - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns.

We have kept an option for no-encryption in PDMv2 as well. And it is kept exactly for the same reason you mentioned. Connections over encrypted medium (say VPN tunnels), link-local network, or any secured company domain can choose to use PDMv2 unencrypted.

> - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.

Yes, for a PDM-to-PDM machine, the round trip time, a.k.a DELTATLS, will include the two encryption and two decryption times. We are trying our best to minimize any added timing due to the encryption in PDMv2, but we feel that encryption is important, so we're trying to achieve a correct balance.

Thanks,
Ameya Deshpande

    On Monday, 5 July, 2021, 9:57:51 pm IST, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote:  
 
Hi Robert,

[Posting for some of the co-authors.]

We fully agree with your concerns. However, we’re confident that HPKE will reach the RFC status soon. Moreover, also other protocols (e.g., MLS, see https://www.ietf.org/archive/id/draft-ietf-mls-architecture-06.txt) are using it.

About HPKE itself, there are two different aspects to consider: HPKE (as an architecture, API, etc.) and the cryptographic functions used by HPKE. While HPKE is still in draft, the cryptographic functions are well-known and proven. Hence, we don’t expect any concern related to the encryption methods used by HPKE.

The fact that Tommy confirms that it is being implemented and deployed reinforces our confidence on the fact that its availability is not going to be a critical point.

In any case, we will take this point into consideration, as it is a valid concern.

Best regards,
Nalini, Tom, and Adnan
  

    On Thursday, July 1, 2021, 02:05:31 PM PDT, Hamilton, Robert <rhamilton=40cas.org@dmarc.ietf.org> wrote:  
 
 I am interested in the encryption of the PDM header, just because I've done symmetric-key encryption with pseudorandom numbers and pseudorandom obfuscation algorithms for key management. I see that we are interested in using HPKE. I have just a few concerns:

 - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns.

 - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.

Still reviewing; I'll be back with more thoughts.

R;


Rob Hamilton
Infrastructure Engineer
Chemical Abstracts Service

-----Original Message-----
From: ippm <ippm-bounces@ietf.org> On Behalf Of nalini.elkins@insidethestack.com
Sent: Thursday, July 1, 2021 1:45 PM
To: IETF IPPM WG <ippm@ietf.org>
Cc: draft-elkins-ippm-encrypted-pdmv2@ietf.org
Subject: [EXT] Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

[Actual Sender is ippm-bounces@ietf.org]

IPPM,

Please do take a look at this draft.

I think that iOAM will need encryption as well.   We have spent quite a bit of time thinking over these issues.  We even have 2 cryptographers from Italy involved as co-authors.   I want to do a side meeting where we can have quite a bit more time to discuss this but would love to have comments from the group on the list.

I am very reluctant to push PDM out to the wider world without encryption.  I feel that we will become the attacker's best friend.
We have modified the Linux kernel to include PDM but as I say, without encryption, we do not wish to release.


Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






On Tuesday, June 1, 2021, 09:06:39 AM PDT, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote: 





Hello IPPMers!

We have just posted a new draft to encrypt PDM data.   We feel that this is an important feature to add before promoting widespread adoption of PDM.

We would appreciate any thoughts or comments from the group.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






----- Forwarded Message -----

From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: mackermann@bcbsm.com <mackermann@bcbsm.com>; Adnan Rashid <adnan.rashid@unifi.it>; Ameya Deshpande <ameyanrd@gmail.com>; Michael Ackermann <mackermann@bcbsm.com>; Nalini Elkins <nalini.elkins@insidethestack.com>; Tommaso Pecorella <tommaso.pecorella@unifi.it>
Sent: Tuesday, June 1, 2021, 12:01:47 PM EDT
Subject: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt



A new version of I-D, draft-elkins-ippm-encrypted-pdmv2-00.txt
has been successfully submitted by Nalini Elkins and posted to the
IETF repository.

Name:        draft-elkins-ippm-encrypted-pdmv2
Revision:    00
Title:        Encrypted IPv6 Performance and Diagnostic Metrics Version 2 (EPDMv2) Destination Option
Document date:    2021-06-01
Group:        Individual Submission
Pages:        16
URL:            https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt
Status:        https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/
Htmlized:      https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2


Abstract:
  RFC8250 describes an optional Destination Option (DO) header embedded
  in each packet to provide sequence numbers and timing information as
  a basis for measurements.  As this data is sent in clear-text, this
  may create an opportunity for malicious actors to get information for
  subsequent attacks.  This document defines PDMv2 which has a
  lightweight handshake (registration procedure) and encryption to
  secure this data.  Additional performance metrics which may be of use
  are also defined.

                                                                                  


The IETF Secretariat




_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm
