IETF Logo Mail Archive

Re: [ippm] Is loopback/direct export amplification worse than linear?

Martin Duke <martin.h.duke@gmail.com> Sat, 05 December 2020 01:12 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 943B93A1124 for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 17:12:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YeB93MjADkRC for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 17:12:41 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 244833A1121 for <ippm@ietf.org>; Fri, 4 Dec 2020 17:12:40 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id y5so7678849iow.5 for <ippm@ietf.org>; Fri, 04 Dec 2020 17:12:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OUrh1S2mU/DhCsnnyjX+v+UdGt5v8DzUZPAB9gv3iTI=; b=o+VZkBAaq3LyYH0X+ZNNejLMtgc2LxoiL1WxemeYCijI3CBVIiA5Lfea4eKQqwnfr9 uuZ27w0ZTiNjV/xUeUtRu+RrOLsRrgemyOUyWUZ21HTTMaQo/K4hOuPNKOP9SJYBapYU HiaFcnCZDL62gQlUxbHKPhafjFuuszySl9LcXIbvc+9Vexst8vawii2GB1nyxnf+NkfP wtmhK+c5ms5Whg6W4YQZbrqKY8HevjKMuFAn5UJTZpfWPvqe7TkWgAT4fTU4VcNRXbee 0/XyQgLbjM1SQdUitaP0v9aMRDrUQWuKLiRlNvU29p7eSDa8tWNfTzJkRrcEqpnCRvZd 24Bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OUrh1S2mU/DhCsnnyjX+v+UdGt5v8DzUZPAB9gv3iTI=; b=RoS8vy5RZIWlZzlL3eDSsD/+Evn5YDs3s20DJOZMWvvUoM7gWmEbuGNG9LSGoewSoQ l/doawLc6OS4CvFKPMFtHDN7kKjQEuHhKEF/EvQU4XWigB5im+gtcBR0q0RRlVf2Kwss O78yK9ymHHcsDEuojy+CYzIIFHu8116cOV5Kt3PDazVoaSASCnN+urx+FidiOSJBOSC0 XW7uynyVqo/4hNcWpV9fGCu44sMcRLKicAjLseef6ml/11DhWzVUbJqNN6uKAyolC7Kb 8ircRY/erRietW6fud9ePwpWpyZ3UY1W/sGN4xoT0qfYUHuMx57dYADoeVfdFRMOTGhc qjUQ==
X-Gm-Message-State: AOAM532L3nT5xLtwQ/TVzqnEf/QE6ojSU1c1jv0yc2bTkcLcDTVlfqaq rpBV21hOFhjxxXTQBoXvSQEGe7dNmkjmPm69lak=
X-Google-Smtp-Source: ABdhPJxdu18GojfJT0Vlp1YIORbV0ALrIpOF1VRFefolAkcrAvYXu61jzFIKqjHTD33Okq4KPiT89hJuD/pDxCZacbM=
X-Received: by 2002:a02:a88a:: with SMTP id l10mr9575518jam.95.1607130760102; Fri, 04 Dec 2020 17:12:40 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com> <CAM4esxSQEJ=r0WrG=6yg-Cwfa==8kJVxTAi3gmboZgtOsncHdw@mail.gmail.com> <CA+RyBmUyUo2qHgFRTw=cnCzeVuB880D1sGBmPR4tPtRhdYew0g@mail.gmail.com>
In-Reply-To: <CA+RyBmUyUo2qHgFRTw=cnCzeVuB880D1sGBmPR4tPtRhdYew0g@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 04 Dec 2020 17:12:29 -0800
Message-ID: <CAM4esxQbx-HYgc9O4stg22aUO1ZLG5Q5VtyztqjsrTf-yta54A@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>, Greg Mirsky <gregory.mirsky@ztetx.com>
Content-Type: multipart/alternative; boundary="0000000000001048c505b5ad4ae2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/JF8X2Bhz5GF_n60k5aPM0_IGD4Q>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 01:12:44 -0000

My argument is that it doesn't matter if the DEX is non-IOAM; the point is
if the signature of this packet happens to match the criteria on some other
IOAM domain, we end up in trouble.

On Fri, Dec 4, 2020 at 4:53 PM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Martin,
> I thought of them as "concerns" ;)
> I share your concerns regarding the impact of the Loopback flag. I think
> that if the returned packet travels back out-of-band, not as IOAM-esque
> packet that might mitigate some risks associated with the Loopback. And
> though I don't think that the DEX draft explicitly states that the IOAM
> data collected on a node is exported to a collector out-of-band, i.e., not
> as an IOAM packet, as well, I'd like the WG to consider this approach.
> The rest of my notes reflect my earlier comments.
>
> Regards,
> Greg
>
> On Fri, Dec 4, 2020 at 2:53 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
>
>> thanks Greg.
>>
>> I hope I'm understanding you correctly these are critiques of the drafts
>> largely unrelated to mine?
>>
>> On Wed, Dec 2, 2020 at 3:06 PM Greg Mirsky <gregimirsky@gmail.com> wrote:
>>
>>> Hi Martin,
>>> thank you for highlighting some troublesome characteristics of using the
>>> Loopback flag in IOAM. I agree that draft-ietf-ippm-ioam-flags could
>>> tighten up the description of scenarios when the Loopback flag is used.
>>> Also, it seems that the behavior of Direct Export
>>> <https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/?include_text=1> can
>>> benefit from more clarifications. Now I've read both drafts taking notes
>>> and present them to you below:
>>> *draft-ietf-ippm-ioam-flags:*
>>>
>>>    - draft-ietf-ippm-ioam-data defined IOAM as a method to record
>>>    "operational and telemetry information in the packet while the packet
>>>    traverses a path between two points in the network". It is an example of a
>>>    hybrid measurement method, per RFC 7799 classification. The introduction of
>>>    the Loopback and Active flags clearly makes IOAM into an active method and
>>>    thus it should be discussed as a protocol that originates test packets,
>>>    including potential security threats it may be used to create.
>>>    - If the purpose of the Loopback flag is producing a series of
>>>    responses from traversed nodes, then it might be much easier to use not a
>>>    copy of the original packet but a different packet to respond to the sender
>>>    (similar to CFM's LTM/LTR). That will avoid any risk of reverse-path
>>>    amplification.
>>>    - It is not clear what kind of path is expected in "a return path
>>>    from transit nodes and destination nodes towards the source (encapsulating
>>>    node) exists"? For example, if IOAM is used in an SFC environment, would
>>>    Loopback require the use of an SFP to the sender?
>>>    - It is not clear what establishes "the identity of the [IOAM]
>>>    encapsulating node". Some examples would be helpful.
>>>    - There seems to be a disconnect in handling unexpected looped IOAM
>>>    packet:
>>>
>>> In the second paragraph Section 4 it is stated:
>>> "If an encapsulating node receives a looped back packet that was not
>>> originated from the current encapsulating node, the packet is dropped."
>>>
>>> But in the second from the last paragraph of the same section is noted
>>> that:
>>> "If there is no match in the Node ID, the packet is processed like a
>>> conventional IOAM-encapsulated packet."
>>>
>>>
>>>    - The following probably may be expressed using the definitions from
>>>    the IANA registry:
>>>
>>>    An IOAM trace option that has the loopback bit set MUST have the
>>>    value '1' in the most significant bit of IOAM-Trace-Type, and '0' in
>>>    the rest of the bits of IOAM-Trace-Type.
>>>
>>> like that:
>>>    An IOAM Trace Option that has the Loopback bit set MUST have the
>>>    "hop_Lim and node_id in short format" bit set IOAM-Trace-Type, and
>>> MUST
>>>    have all other bits of IOAM-Trace-Type cleared.
>>>
>>>
>>>    - What is the value of collecting "hop_Lim and node_id in short
>>>    format" on the return path of a packet looped back by an intermediate node?
>>>    As I understand it, only that information can be collected if the Loopback
>>>    flag is set. Please correct me if that is not the case.
>>>    - Can you point where it is specified that when using the Loopback
>>>    "the packet does not have any payload"? Earlier in Section 4 action of an
>>>    intermediate node is explained:
>>>
>>>    A loopback bit that is set indicates to the transit nodes processing
>>>    this option that they are to create a copy of the received packet and
>>>    send the copy back to the source of the packet.
>>>
>>> One can understand that the looped back packet is a carbon copy of the
>>> original packet less the Loopback flag being cleared. And the actions of
>>> the encapsulating node are described as:
>>>    The encapsulating node either generates synthetic packets with an
>>>    IOAM trace option that has the loopback flag set, or sets the loopack
>>>    flag in a subset of the in-transit data packets.
>>>
>>> Which suggests that, at least in the latter case, the packet with the
>>> Loopback flag set does have a payload.
>>>
>>>
>>>    - One of the essential aspects of defining an active measurement
>>>    protocol is the specification of the expected rates that test packets be
>>>    generated for the intended purpose of the protocol. Some protocols provide
>>>    a mechanism to negotiate that rate either through its control-plane
>>>    component or as part of bringing the test session to Up state. I couldn't
>>>    find any discussion of the expected purpose of using the Active flag, nor
>>>    sufficient information that would help to set reasonable limits on
>>>    processing packets with the Active flag set. Also, even though the document
>>>    is on the Standards track, I find normative language in relation to the
>>>    security impact of Loopback and Active flags being underused.
>>>    - Applying rate limits throughout the IOAM domain might be
>>>    cumbersome. I think that stronger security methods must be defined making
>>>    using the Loopback and Active options more secure. For example, using
>>>    authentication to ensure the identity of the encapsulating IOAM node that
>>>    imposed the Loopback or Active option.
>>>
>>> *draft-ietf-ippm-ioam-direct-export*
>>>
>>>    - Section 3.1 includes very important assumption:
>>>
>>>   The option [DEX] can be read but not modified by transit nodes.
>>>
>>> That brings the question What protects the DEX option in particular and
>>> IOAM-Option-Types in general?
>>>
>>>
>>>    - The description of the processing of the DEX option by
>>>    encapsulating, transit, and decapsulating nodes in an IOAM domain in all
>>>    cases states "MAY export the requested IOAM data". What are other possible
>>>    behaviors of nodes processing the DEX option?
>>>    - In the last paragraph of Section 3.1 stated:
>>>
>>>   A transit IOAM node that does not support the DEX option SHOULD ignore
>>> it.
>>>
>>> What are other allowed behaviors of a node, whether transit or
>>> decapsulating? Report an error? Discard the packet with the DEX option?
>>>
>>>
>>>    - Though considerations for performance impact at a collector(s) is
>>>    sensible, it seems that the impact on the node exporting telemetry
>>>    information triggered by the DEX should also be considered.
>>>    - Applying rate limits throughout the IOAM domain might be
>>>    cumbersome. I think that there could be other methods to improve the
>>>    security of the DEX option.
>>>    - I can understand that the identity of a collector(s) of exported
>>>    information can be provisioned via the management or control plane. But I
>>>    also believe that there must be a discussion of why the Loopback option is
>>>    not a special case of the DEX option.
>>>
>>> Regards,
>>> Greg
>>>
>>> On Sun, Nov 15, 2020 at 9:45 PM Martin Duke <martin.h.duke@gmail.com>
>>> wrote:
>>>
>>>> I recognize that the loopback and direct export drafts discuss
>>>> potential amplification results, as a path of length N will generate N
>>>> packets for each IOAM packet -- a linear relationship. As these are
>>>> discussed in the draft with proposed mitigation, in an editorial sense the
>>>> job is done. Whether giving people this kind of foot gun is a good idea is
>>>> a separate question, but reasonable people can disagree.
>>>>
>>>> However, if I understand correctly, certain pathological combinations
>>>> of IOAM namespaces could result in amplification far worse than linear.
>>>>
>>>> 1) Loopback loops
>>>> Imagine there is an IOAM namespace that covers the path from Hop A to
>>>> Hop D. There is a separate namespace entirely contained in A-D, from hop B
>>>> from hop C. Both namespaces enable loopback.
>>>>                            A
>>>> --------------------------------------------------------D
>>>>
>>>>  B-------------------------------C
>>>>
>>>> So a user packet is traveling from A to D. There will be (D-A) loopback
>>>> packets headed towards A. The (D - C) loopback packets that generated
>>>> between C and D will travel through the encapsulating node at C and then
>>>> trigger further loopbacks to C. Thus the total number of packets generated
>>>> by the single user packet is
>>>> (D - A) + (D - C)(C - B)
>>>> and obviousy there could be several of these smaller namespaces, or
>>>> nested namespaces, that aggravate the amplification further.
>>>>
>>>> 2) Direct Export
>>>> Direct Export potentially has even worse properties. Suppose namespace
>>>> A, N_A hops across, direct exports to a node that is reachable across
>>>> namespace B. Namespace B, N_B hops across, direct exports to a node
>>>> reachable across namespace A.
>>>>
>>>> Thus a single user packet sent over namespace A will generate N_A
>>>> packets that traverse Namespace B. This will, in turn, generate N_A * N_B
>>>> packets that traverse namespace A, which in turn triggers N_A ^ 2 * N_B
>>>> packets, and so on.
>>>>
>>>> In fact, if the namespaces direct export with probability exactly,1/N_A
>>>> and 1/N_B, the same level of traffic will ping-pong infinitely. Any more
>>>> than that, and the traffic will steadily increase to infinity. If the
>>>> probability is 1, the growth is exponential.
>>>>
>>>> ****************
>>>>
>>>> This analysis, if correct, raises three questions that I can think of:
>>>> - Are these corner cases plausible?
>>>> - If so, and they occurred, would the namespace administrators
>>>> necessarily be aware of each other? If not, I'm concerned that this is
>>>> unsafe to deploy.
>>>> - Do phenomena like this indicate that the design is brittle and
>>>> putting in some "considerations" doesn't really mitigate the dangers here?
>>>>
>>>> Martin
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> ippm mailing list
>>>> ippm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ippm
>>>>
>>>

v2.23.0 | Report a Bug | By Email