Re: [ippm] Seeking advice on encryption requirements for a new measurement protocol
"MORTON JR., AL" <acmorton@att.com> Mon, 24 October 2022 21:35 UTC
Return-Path: <acmorton@att.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D190C14F74E for <ippm@ietfa.amsl.com>; Mon, 24 Oct 2022 14:35:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LvtZBbXuvZTv for <ippm@ietfa.amsl.com>; Mon, 24 Oct 2022 14:35:52 -0700 (PDT)
Received: from mx0b-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34350C14F73B for <ippm@ietf.org>; Mon, 24 Oct 2022 14:35:52 -0700 (PDT)
Received: from pps.filterd (m0288870.ppops.net [127.0.0.1]) by m0288870.ppops.net-00191d01. (8.17.1.5/8.17.1.5) with ESMTP id 29OItseA021003; Mon, 24 Oct 2022 17:35:45 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0288870.ppops.net-00191d01. (PPS) with ESMTPS id 3ke0dwvdg1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 24 Oct 2022 17:35:45 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 29OLZhOB003297; Mon, 24 Oct 2022 17:35:44 -0400
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [135.47.91.178]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 29OLZgac003226 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 24 Oct 2022 17:35:42 -0400
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [127.0.0.1]) by zlp30485.vci.att.com (Service) with ESMTP id 72159413ED84; Mon, 24 Oct 2022 21:35:42 +0000 (GMT)
Received: from GAALPA1MSGED2CC.ITServices.sbc.com (unknown [135.50.89.134]) by zlp30485.vci.att.com (Service) with ESMTP id 22459413ED9D; Mon, 24 Oct 2022 21:35:42 +0000 (GMT)
Received: from GAALPA1MSGEX1CD.ITServices.sbc.com (135.50.89.111) by GAALPA1MSGED2CC.ITServices.sbc.com (135.50.89.134) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.12; Mon, 24 Oct 2022 17:35:41 -0400
Received: from GAALPA1MSGETA02.tmg.ad.att.com (144.160.249.124) by GAALPA1MSGEX1CD.ITServices.sbc.com (135.50.89.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.12 via Frontend Transport; Mon, 24 Oct 2022 17:35:41 -0400
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (104.47.57.169) by edgeal.exch.att.com (144.160.249.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.12; Mon, 24 Oct 2022 17:35:41 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ty1k9F97nSIVRyOxFnzNaF9UczjxLJjsRJ0Kx7czts7IUAYZyQHsxoO8Wee1T6l6BzWk3uVQjOZQxHGHaJq5agGrlt2MkYzzFyAgNzk8G4ozTbz09VuByllNg3Mx4Q0Sgtj+G/9moMDXb9q9zAg3tznTikuHO48wEZ4EZXn/ry3oFSMuc7SOzqAEy5vS7Av+lhDqLfxACSdXG3R2Mkd08RsM3a9fIS9tGt4bj4/uNv3nTdgyecZ88mHJnI2H6lV8s5t0WiGqAJWiIH6TfB4eyDaEpP0ehCv51H0wqVoFBz8Yt0tII3RZwL5SxVtTztT18dkVf3T5VFMe7wZKuMly5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PFouhBqrDb3jCwDfARubFdm6GWrKfzqXQMSAQ8ywP+E=; b=ar+Kr+bg8DPxYHhCtaMnfBZapjl0B/cQC9OAB9qsa124S2ii02PDbKL0qAd46D5+i6ZdWJassjhIh3VAIFBwIiq4Sv5h83Rh4V804AfLbJRBRwABXi3B1jiXhJrcZFyUchYq3+Fe8weYA0xyJ7lip2m5WAqh1LPnIVdj//Nau7EqAcmQrHmOlrpNdVtbsNUBp8BosOl8Ub1aUhokO/uIZ5LBPYTgVgvK3QT2k1XvlXdSMZttfDiySKmVEyiXY6bbacz8pVPgFYwREHEuAtd1hiHgbLHQxBx/1eMIHOUV3fipecMSveYRoNzcjFb38bpRG4EVBU50k+qPCgDy/DuRAA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PFouhBqrDb3jCwDfARubFdm6GWrKfzqXQMSAQ8ywP+E=; b=RWVHH5JF1ixSrY2ZeyDDR896OSDfrn9Mfme5UVD0BAWBJVY7yzFytfqzmkK4HEI5zk6vpJ37MH9DXFUR1w1nzpYCvXxHtKgWbS+VegDLaaWGdCwqfZuhKLyLkCpLPKIUOsQ2Y3tpohdi7YjLHLlW8EDgAeG06SiB2RFmLlkRlfE=
Received: from CH0PR02MB7980.namprd02.prod.outlook.com (2603:10b6:610:105::17) by CO1PR02MB8507.namprd02.prod.outlook.com (2603:10b6:303:15a::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.27; Mon, 24 Oct 2022 21:35:39 +0000
Received: from CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::7298:d034:46f9:41a5]) by CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::7298:d034:46f9:41a5%9]) with mapi id 15.20.5723.033; Mon, 24 Oct 2022 21:35:39 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: Roman Danyliw <rdd@cert.org>, "ippm@ietf.org" <ippm@ietf.org>
CC: "CIAVATTONE, LEN" <lc9892@att.com>, Brian Weis <bew.stds@gmail.com>, "Tommy Pauly (tfpauly@apple.com)" <tfpauly@apple.com>, "marcus.ihlar@ericsson.com" <marcus.ihlar@ericsson.com>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>
Thread-Topic: Seeking advice on encryption requirements for a new measurement protocol
Thread-Index: AdjDxpMeHyd9MQXFT1CmaWf78eJfzASyczEwAx5Um3ABNHtaoA==
Date: Mon, 24 Oct 2022 21:35:39 +0000
Message-ID: <CH0PR02MB7980F69C7A0DE3A8F335AEDCD32E9@CH0PR02MB7980.namprd02.prod.outlook.com>
References: <CH0PR02MB7980E064A9A49CC801B0F277D3409@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798056985677FA52CAC14560D3589@CH0PR02MB7980.namprd02.prod.outlook.com> <BN2P110MB1107CD83B3D68DC0F7988576DC2C9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107CD83B3D68DC0F7988576DC2C9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR02MB7980:EE_|CO1PR02MB8507:EE_
x-ms-office365-filtering-correlation-id: 94360120-7d90-48ff-a024-08dab607b1db
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Mn2zQqB+otMW11iLnx9vulKpVzK9RvL9+3lQlrWQjuoJELLqZeTtrEgTE2vts4ykGgwGVEtMzebL2pdeOABh0mLTicgArinIoOhzylGdqjpJ4uJ7V84zqe1zRYLwC8pTwmf23k4kiwH/NMX/6jdElNxvRk8FwrvmAkVHWQM8/HQzlH5XBo9lyjE+kqiy/+N/H+cCvnIUPPicgdGdO36QbZRTc9eVAEpE4LFqkvEqSEKQuIbtG5JvivjNe83KuTmSeEf7+PnVs0b3IXtLV4/kTsctyOZ1MCeldPYUQpFMOJUq3QT9uqyqSSDQQtVGRY26+WRelBExLdcZMry2q948rntVEjjXRdIbYj0/My5dB6WrBMmkPBx9jwoMIbUj9SUvDal7AsM3SBMI5FDU4FS2NlOTh6oFCdRrCu+077+ZpIWkTQjuHno9Spyl2fiFL95WppvKRmnbM+DcgbVTVfzXGpO02nX7liGO3ZjerkBbKNhMipC+I/1nTWTspldLCF0yHqVS0E5K8siv2Ka3i6o72eAn9JqwJ8L8vsvF9J5BlX09zInvV/nJ4VaYb6hyoSEu0cCBEYwQrFpfGrUYgn9ZO7iJ1hzJc1dCXTIvWsRMSBB1Is+vfwVr1hI/0PC5+owesqj/HrVkAGiPn2CQjredq6zmvzcXALSBaNyyFP8uEMC4AtY6tCUkFqr3aQmVYe+EurImfqNSmDfphML/UlCcKSpcoO7jm9Fl6NOmiP6IrKbKZoewMhEswxutXUjiJdQFJYYU7tNN4TyMHe62piAUQV8Gu4/UiV2t/KrDUsZJZeqzrS7h5HrImNj9BBPbbY7h9sp53qiCCHpXYFGuBILzGQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR02MB7980.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(39860400002)(396003)(366004)(346002)(376002)(136003)(451199015)(86362001)(66899015)(33656002)(38070700005)(38100700002)(122000001)(82960400001)(83380400001)(186003)(55016003)(30864003)(2906002)(53546011)(6506007)(9686003)(26005)(82202003)(66574015)(7696005)(316002)(71200400001)(478600001)(110136005)(54906003)(76116006)(66946007)(8936002)(64756008)(8676002)(4326008)(41300700001)(66556008)(966005)(66446008)(5660300002)(66476007)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bKzllbbFS67UH+iKZWjPyaymSDBg/e79VHrhEz/JFgAwYW70/HLCnhjMk6b6Kvn75EGjpOZOk9ffP61sOrGb72llwzi64O0+uvDyG5Xq8kblPFti1XlVDpKNeOU1ztbovJxLeRkDuFbDE0hysGMIPRuUDAl+s1idJu66bpZG3YU8Mxc7QCIUrxeMjbKLYkoQ/ScrTpI8VVPZ80HbnXpmqjv2uswu6hPLthB5SB41fG/p/cyxsXjJu+UcrMVX2PSwkn6jQ+OKw1DLKZ+xXXGt4tO4JhwtwlRneSRPQr3SqblQCQfNE/fAGbOIk6/sYEB5PKVlcmnExlc9sGMdtbWeCvjyqsNppPOo4BPyE5NqDoJSno8TtKf7GqHXF9JyHAMXwGwX4DXNA5t0Jg5QLs4q/2dAVkUSjRnCjXEm1ab7MYkvjwtzvRyS/aq3DT+L7zMlNTlNY+xeXrbQ6GCkcgZ8dDIHnt7qAnq39b5MJpuICLaCJBkeWWSSz70qvC2ziqhgZ5UtAc9H4kcM1XVJh/KlL+ErYVng5Eg0Ia0ZHc62w+0Ap9qs+3TvjqzlveTPYw097PeaMaUHwU1bWb9i/F7Nh6fFFJqwyZITdkvFv5+aCqo2UlVBuIxSncpHZlbiGn4ZijNsQa4yI3+T9wVXsjhuDu6qVQLni3HHUcNC79fpin+8vEW+zLG5xUux98LjX3y0assb4szoNaq9yQ16h3A6axmqvKS1MVFuy8vXms+sNkNAjMZTgMFxVTOd76iyzA0uA8VM2IHYWZF2h7oz5kTcpX4/7ArZJlYpf3/1R4DQ2vIVzQubGEtuw9gyUaO//YEbZMu/cJhNnRjywqHeHRhLVMYYeQBIP+FlHHOnPTsSyRIuZaZIU1r+k23+VINOFTu0Ita9RJH2UHfDuQInJy2D4le0nc4qDHkAzpV1yC98GSLylDLvWO/bPmVCiabiRabeAyzSdiTNye1clW2YeNWeuzb+4l29Ilyf4TmLkvlO1y6qunGqNzYXSOrq3jKniCFjAQ84gJev2hA3LBNfpMfYZV+VD0/F88uSz6nTHF5+eWseYe24xM58qxJKt9s/nh0CS0H9Mx59hZcjYhpMvWR2spOIMx9N2RcdOYtYro2Msbo9E9iVaZiFJVmnGr8A3qDwEetyybEoQgm2aPuJcUjoxc7TfYDb4hSrduYFNTy+qKr84EDjeLN7FKZmL9x6j6npgOnzECj47hiQxWwyGT6tgsjnCk5FG89gPJkh3K78WPaPHvB3nGvjLj3MPJuy+WE++mBKjlJqkJMudxPkSK2Z3TCrsYcCkAcSp5AYAV+ZRqZjhRUtaPQBNAH7v9yGxeV1on8ryodppiEvrNwjggVTUyQM8Iujm50Q8flevvF+VIS/VWRsw9Hj9xv+fnyF+wVjNwWuHO1viQ4i/4mcSRwTT8EqjPyE31CM4wjE4XcArXODuCCWMPxwOsIF/sojLYGXYpJXoS8Dw5AOlHhTOXGHHQrXT1uDlPO7Rnf8S8DMqib8H1eMRa7veviT0WVrYo0hXDqKFaImNkIZl0qWARwzZjTnAlgP4uK4IFd0d9jKG1c=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR02MB7980.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 94360120-7d90-48ff-a024-08dab607b1db
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2022 21:35:39.1177 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lDuSWIoYSBaIiv2fX51M/h8+lXZGtbcfX1a7WK2/1CE0Tx9SoxqNtB3bqoyJ5tbP
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR02MB8507
X-TM-SNTS-SMTP: BF87B2A1793AD62C720CEA0E3CA16544407526C6AF66D994B692899E45752D292
X-Proofpoint-ORIG-GUID: P6zjA_Re28UvagYmFrRITkmxCZFDUfNc
X-Proofpoint-GUID: P6zjA_Re28UvagYmFrRITkmxCZFDUfNc
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-10-24_07,2022-10-21_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 lowpriorityscore=0 priorityscore=1501 adultscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 clxscore=1011 malwarescore=0 impostorscore=0 mlxscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2210240129
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/LQxG-144USqSlwTHCZvFtW9wA08>
Subject: Re: [ippm] Seeking advice on encryption requirements for a new measurement protocol
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 21:35:56 -0000
Thanks for your thoughts and helpful questions, Roman. I'm sharing my response on the IPPM-list, as we agreed. in-line below, [acm] Al > -----Original Message----- > From: Roman Danyliw <rdd@cert.org> > Sent: Friday, October 21, 2022 8:34 PM > To: MORTON JR., AL <acmorton@att.com> > Cc: CIAVATTONE, LEN <lc9892@att.com>; Brian Weis <bew.stds@gmail.com>; Tommy > Pauly (tfpauly@apple.com) <tfpauly@apple.com>; marcus.ihlar@ericsson.com; > paul.wouters@aiven.io; martin.h.duke@gmail.com; Roman Danyliw <rdd@cert.org> > Subject: RE: Seeking advice on encryption requirements for a new measurement > protocol > > Hi Al! Thanks for the continued pointers and sorry for the delay. > > Hi Brian! Thanks for the early SECDIR review. [acm] Big +1 on that, the improvements in draft--03 are the result of exchanges with Brian! > > Up front, this response is not coordinated with Paul. I think the question is > what are thoughts around "fully-encrypted operation during the control and > measurement phases of a new IPPM standards Track Protocol." Let me flip it > around since I don't have all answers on what's acceptable given the expected > deployment. Help me out: > > (1) What's the applicability scope of the protocol -- is it Internet and/or > limited domain? If it's limited domain, what assumptions can be made about > who controls the network? [acm] In the Scope for this (and previous related work, including the metric in RFC 9097), we say: The primary application of the protocol described here is the same as in Section 2 of [RFC7497] where: + The access portion of the network is the focus of this problem statement. The user typically subscribes to a service with bidirectional access partly described by rates in bits per second. I don't want to get tangled-up in the definition of Internet access here: it involves a single administrative domain as one might imagine. I think it would be consistent with the scope that users can make measurements of their private networks that connect to access (ideally they deploy their own server). However, there's nothing in the draft to discourage users from deploying this protocol Internet-wide. In fact, the minimal RTT sensitivity of this capacity metric and method makes it a attractive alternative to other (TCP-based) methods. > > (2) Per the question of confidentiality services, I think this is intended to > support active measurement so there isn't any user activity data in the > payload. Is that right? If there is user data, encryption is definitely > needed. [acm] Exactly right. As with all Active measurements, the traffic emanates from the measurement process. Users don't have the opportunity to communicate SPI anywhere. But see below: > > (3) If an on-path observer sees this traffic, what will they see? [acm] I'll break this down in the two phases, Control and Data. Data phase first because it contains the most interesting/valuable information. Data phase: In this phase, client and server take on the roles of sender or receiver, depending on the transmission direction (upstream or downstream test). The sender transmits synthetic traffic (Load PDUS). The receiver makes measurements on the traffic (and sends status feedback messages). A unique feature of this protocol is that status feedback messages are exchanged frequently between the client and server during a test. If the receiver is the remote client, it sends the results of measurements during the recent status interval (~50ms) in each status feedback message. If the receiver is the server, it considers the measurements it made and transmits the new sending rate level that it wants the client to use. BOTH the measurements and sending rate level in the status feedback would be interesting to an on-path observer (probably more so than any other information in the Control phase). The communications to gracefully stop a test take place during the Data phase, and we have already considered an attack on this info (and mitigation) in draft--03. Control phase: In this phase, lots of mundane test configuration is exchanged (client requested & accepted/rejected by the server). The most interesting info is the optional ability for the client to indicate the maximum bit rate it intends to use during a test (so the server can perform test capacity management and reject a test if it has insufficient capacity). An on-path observer might correlate the client's bit rate request with their subscribed service rate. > > -- if this is in a limited domain, the operator of the network could get > visibility in all of the details of the test, regardless of if the operator > ran them or they came from the user. Are the network operators the same as > the user that would run the test? [acm] The main difference between an operator's test and a test between two users is likely the location of the server host. An operator has the freedom to locate a server near the network end of the access pipe, while two users would likely be testing two access pipes in parallel (plus some networks that connect the access). > ... Is it acceptable for the network operator > to see all of the details of any the measurement? [acm] I think so, but I'm working at a network operator 😊 However, it is considered polite (if not a requirement in some service agreements) to notify the network operator when testing their network. The agreement might involve sharing the measurement results with the service operator. > > -- if this is the Internet, anyone on the path can see all the details of the > measurements using the protocol. Roughly what's the exposure of someone doing > passive measurement on this active measurement. [acm] The results of measurements or the control of the sender's rate are the most interesting information exposed (see 3, Data phase, above). > There is no nuance between > the operator being tightly tied to the user to consider. What does observing > the test traffic reveal about the initiator or recipient end-points of the > measurements? [acm] IP addresses, and the fact that measurements were conducted, at least. IDK anything else, offhand. > Relationship between the two measurement points? [acm] The client's IP address (visible on the Internet) is likely the subscriber's globally routable IP address, assigned by the service provider and located at the edge of the access network. Can't make similar assumptions about the server's IP (could be anywhere). > ...Could the > provisioning or network configuration be revealed? [acm] Measurement results likely reveal the affects of traffic shapers on access. There is a lot of shaping deployed on access. Configuration aspects of other traffic management methods could also be revealed (to experts in the field). > Could the very existence > of there being measurement traffic be a problem? [acm] If too many users try to test high-speed traffic at the same time, there could be network overload and adverse affects on non-testing users. That's always a risk with the capacity measurements that users can download and use today (something goes wrong, everybody starts testing...). > > On the balance, I'm suspecting that as long as everything in the data channel > is synthetic, it's probably ok to not be encrypted. [acm] That was true for OWAMP, TWAMP, and STAMP, the earlier IPPM Active measurement protocols (but we had an encrypted mode anyway - AFAIK it was never implemented in the widely deployed TWAMP). Unfortunately for this point, the measurements or sender rate control messages are in the data channel in this protocol. > Per the control channel, > I think I'd have to look more carefully. If the former was in the clear and > the latter encrypted, I don't have a sense for whether passive observation of > the data channel could reconstruct certain information about from the control > channel. I think the answers to the above might steer the design choice. [acm] Some high-level Control phase configurations could be reconstructed by observing the Data phase, such as test duration, status feedback interval, and actual sending rates. But these might be determined even if the traffic in the Data Phase was encrypted. > > Does that help with some of the deliberations you are having? Should we talk > more? [acm] It does, and thanks for your structured questions. I suspect we might next need to look into the simplest solutions to provide privacy through encryption, but see what you think. Al > > Roman > > > -----Original Message----- > > From: MORTON JR., AL <acmorton@att.com> > > Sent: Sunday, October 2, 2022 2:57 PM > > To: Roman Danyliw <rdd@cert.org>; paul.wouters@aiven.io; > > martin.h.duke@gmail.com > > Cc: CIAVATTONE, LEN <lc9892@att.com>; Brian Weis <bew.stds@gmail.com>; > > Tommy Pauly (tfpauly@apple.com) <tfpauly@apple.com>; > > marcus.ihlar@ericsson.com > > Subject: RE: Seeking advice on encryption requirements for a new > > measurement protocol > > > > Hi Roman and Paul, > > > > This is a reminder that we asked for your advice regarding an IETF > requirement > > for fully-encrypted operation during the control and measurement phases of a > > new IPPM standards Track Protocol. See below. > > > > We have just uploaded > > https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft- > ietf-ippm-capacity-protocol- > 03__;!!BhdT!gNVOdtiLeJX2bP0TWUIz4ZlWrqJYDYvV7f7U3FDH_AmZ8gLjqLGaT6Jod7amsRAUxK > ITPw$ > > > > which effectively addresses all of Brian Weis' Early SEC-DIR review > comments, > > so now the question to you on whether we need fully-encrypted operation is > > top-of-mind. > > > > Thanks for your consideration and regards, Al and Len > > > > > -----Original Message----- > > > From: MORTON JR., AL > > > Sent: Thursday, September 8, 2022 5:12 PM > > > To: rdd@cert.org; paul.wouters@aiven.io; martin.h.duke@gmail.com > > > Cc: CIAVATTONE, LEN <lc9892@att.com>; Brian Weis > > <bew.stds@gmail.com>; > > > Tommy Pauly (tfpauly@apple.com) <tfpauly@apple.com>; > > > marcus.ihlar@ericsson.com > > > Subject: Seeking advice on encryption requirements for a new > > > measurement protocol > > > > > > Hi Roman and Paul, > > > > > > The IPPM WG is developing a new active measurement protocol, and we > > > would like to receive your advice. The protocol currently has no > > > option for fully- encrypted operation during the control and > > > measurement phases. We'll discuss the protocol details and > > > accuracy/security trade-offs below. Our AD (Martin > > > Duke) suggested that starting a dialog on this topic now would be most > > > efficient for specification development (and the running code). > > > > > > Background: > > > The UDP-based protocol has two phases of operation: a Control phase > > > where testing options are agreed between the remote client and the > > > server hosts, and a Data phase where one of the hosts sends Load > > > packets fast enough to measure the path capacity at the IP-Layer, and > > > the receiving host measures the packet stream. Frequent Feedback > > > messages are exchanged while the test is in- progress, and they are also > used > > for round-trip measurements. > > > > > > We have received many helpful and enlightening comments from Brian > > > Weis in his Early SEC-DIR review, mostly pertaining to Key management, > > > Firewall configuration, and Authenticated operation modes. You may > > > have seen several of our messages exchanged on the SEC-DIR list. But > > > we all still wonder if there is a requirement for full encryption in > > > IETF protocols. We don't want to guess whether the absence of some > > > features, like full encryption or authentication of *all* message > > > types, are deal-breakers for approval of a protocol where the > > > clear-text packet generation and measurement is often near the limit of > > remote client or server processing power (or both). > > > > > > A concrete example of the measurement accuracy trade-off with security > > > features is when the maximum packet processing rate of the secure > > > tunnel GWs (encap, decap, or both) is less than the Maximum IP-Layer > > > Capacity of the path. In this case, every measurement result would be in > > error. > > > > > > We have discussed using DTLS for the Control phase of the protocol, > > > where retransmission and ordered delivery would be seen as additional > > features. > > > However, these same features disqualify DTLS from the Data phase, > > > where it is essential to measure packet loss when it occurs (along > > > with re-ordering, etc.). > > > > > > URLS for the current draft [0] and Discussion at IETF-114 [1] (starts > > > about 30 minutes in). > > > The -03 version of the draft is coming, where we mostly implement > > > Brian's take on required and optional authenticated modes. > > > > > > Thanks for your consideration and regards, Al and Len > > > > > > > > > [0] > > > https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-ietf- > ippm-capacity-protocol- > 02.h__;!!BhdT!gNVOdtiLeJX2bP0TWUIz4ZlWrqJYDYvV7f7U3FDH_AmZ8gLjqLGaT6Jod7amsRBW > f-YNgA$ > > > tml > > > > > > [1] https://urldefense.com/v3/__https://www.youtube.com/watch?v=wRhzhBrH- > KY__;!!BhdT!gNVOdtiLeJX2bP0TWUIz4ZlWrqJYDYvV7f7U3FDH_AmZ8gLjqLGaT6Jod7amsRC7- > A1oXA$
- Re: [ippm] Seeking advice on encryption requireme… MORTON JR., AL