Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

Ameya Deshpande <ameyanrd@yahoo.com> Mon, 05 July 2021 16:49 UTC

Return-Path: <ameyanrd@yahoo.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E893A1EE5 for <ippm@ietfa.amsl.com>; Mon, 5 Jul 2021 09:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ilS2yfm-5gPz for <ippm@ietfa.amsl.com>; Mon, 5 Jul 2021 09:48:59 -0700 (PDT)
Received: from sonic309-20.consmr.mail.sg3.yahoo.com (sonic309-20.consmr.mail.sg3.yahoo.com [106.10.244.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 946BB3A1EE6 for <ippm@ietf.org>; Mon, 5 Jul 2021 09:48:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1625503731; bh=mvcfMRCdSCG/Ju1vJY5oK0Buel3cFJj/+9ujSNCTNl0=; h=Date:From:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=UfNWdssV9HRQj4wmcsJw8wd5Wvc73BqDQMwQ4q7XpTMcymMG1DFj8T5nS7YTyFiO+dFLEnmk1bYSh8hp4XlO2UMo47Ttpc8apOAVSDfrtY10SF3kFOFiueARq85jy+tJ3sUSJ3Q58M/BfEURmWsXodo588SOBghYx+FDQ2MzQJs0ySqmO6Y1g4wqDI9g7SUitOuMb3SrszcMJYJkxB7SZq2iqd/aWgJvq8IZWjUSaVV5PkaUe//gnYbFeUb8Z9VC8yPR/lI0QaEsCnsVc+NWaJo4lnJW5kPj2dKaymScUvMos0gwSKvP+Y3A0ajghw5sd0870AsiOfuTb2p9L7iGCA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1625503731; bh=Rni+nEkOgmbsr1K9mDMqYRJh0z1VHqe/2C1uQE2v/ND=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=TmZJymVnFSsm4v+rapYN+bMMfsxxpgKLk2kQrteL8H9MfOCtg1ovXDYhA69QJtB4id0o8nG0P/Qf6Lx35RD/amhGM6V9tAn3btIyefrctg58PFgLiGFuztstouezMnB7uNjdbg9yVj6H80iVTtgdG23TAbaTzUSBphhR+7a1VadPVeDczFR/mNlYbkhQmQG94w4KbwFY+mX1y4YpjYYwwjaWUMLJeVH99N5sMI+uVC0o2PXREbtN56aLRRLQdrIYmeY0j+iNhEK1C2inYuLHI8t9ET8W6cdAgC9N1nXsa9IdnoZiOGAkFceg6eBhPkxa6meaRuT8fVUjVMSn46pA8A==
X-YMail-OSG: ah.CtLsVM1lDRu19rXsYkYVcarKarD_Jt4l6zf4SBZc5tRDoF71HPOEkjWYtSt9 KPyhB3zELP3UVdoAcD6AHqFpT1sSEgxeYbPED7oTVwdMpwjbYvf.lzKOJ.zERrWAKvq9aDe6zez6 CscmcxMWVKTkEztEY08n4tO82ed8uV1Z1.0pmluMtjluAH_P4b.g5LKYQe0TmQaQ2MqyDrEfOfgo b9.MjF0qPM9aDeU_DHEN0VFF66MQ6SHXv2ShBse2p9vbp8F.UpJKgmULm9SEYjqML036h__fdWMk _xNgSBWXL.sK3Xi1MYqnwleUQOIG.4kAZewwSy2WlSVMD3eS.7j4GMvVYJWZZoCbRen922J0HOOT GT6vgNUxJ93B1YMhIaxyJeEFoxDMrrZBRgmj3SaNiWXrI.HkV5Hu7OScB.Y10uDkdNu3sJO5uRbF 632vuY5RarRrjh4JN7jAnSLVLGM66mrxX_zGTCDkFfFmruobAFJxJPzH7UV0fUl9DPuFDLxFWhPH 1fpV_U0mBWoNBbi2HUxnVqosY4Fr7kTgEq5anePsOQcWFPWsiokOJo5_7ge7nwKQQ.1_Ni8jTlb. Hflm7Cf3cV0ilp5sbJhjtR825pXFVIpCUPH0FNfkoMseOlvpniYJcWjv9vNb4C9bSdYPn5Ik2ouK KLHfkM669SvSTJA428ZUAtsRhRpAxpMUeeeB8fdoNUE_ex9DbxEC62FzqPRsz8BLC1t0H4HVpzh7 IY421OYuW6QIWIWPyQhmHl3VveZfedaQkAvwG7XfFGxRjEiWONtQix9oGou7ehnq0xHizFHxd_6u tzdpt.eppPkOEKnsMg8n4zxNXdKDJWhCXeFXZPWvkxMehdeRdjNr3q2xLcPyw2Inw7637tqJvW1f 4GVQg33WXJ4aL.OLVrkHjRCAjbYRSC5Z_9Pr3d6RjLZSx6x2jaVayeVnzyuoX5IIf4Icq7N8gF6a G.9I0bHOeG2wJsVuOFpnkW8D0RnghAM1ndPYxUqOqc70D4otwIzaBcjADWCEuG4y5iKKwPU.N6y9 vjXwFObKSz5dVAI3AWWv4aHV1v393BcRUNirxDsH05ikWeEZJc8uEkkePdxW5TjiVHx79l707geX h.JRZYf02bvsNQN_5M18ixk57tMUSddaaCZdYm5ArnqaB4blwOLRIH6sCRvva7Eftp3FYCK2FfwF QLT_66wi2YQwcTQiZYZw2mXCagDR8B7vZ3itvQTX6w40cbyvMt6g4H9AxjTs.PwcfBnNS3O81dtN kGpZ5MBJkO8MD8NfyF9KmJcu2YjSm6sfFWRMS1JkvnN0sHnFZR5EsLJtFJ2w43zcb1cK2CU3xF81 Li_yPVXNXKzyv7ttK5k68KzjE5xUtWQVNEKWv.3F1aTcMZxAygy3WNwXuLgU69GIxLHDxfQyk42E VdF3TB.h49c5qcaNArytScqDTsoLEr1aITyx6Uh6XUc1JsFQNKovbroPEG6.axSN9lBnztvRqI3x dkuKTaBXJTUv7bsFvCUQJUBSy7Sg4w.lDqaWNU1IaW8_ZJ7JbvU9wHcwYdqwce7YhgbnNskE9Rv5 K7N_MjIJJW5tclv6R2OGmksuS1lEGU4ZGYCooNg8R8UxN.Yt1ErjuolU6DCqIhr0VpisOpVd0k4r tU5AKd.5eW2AV1DvPXq4RQPAOIz95L5Er_JMdp8HP0fechmOYBDZY58d6ZLRevTYfH3d0_qNZI0G 0t9wlnao3ldn9lvuYCn9SlCqv1aXMC0RXT8WjWHTzbM8pYl9xysKDCXwGFv0C.Zr7LiU4NnO73vf D4Kt.HxyqAzvHkqFFGSwYp9bjTsPRKVcIaYr5hNHnQM6wfBOUQqNtYMq3Nch8sXl926H_3hezwHW qG.Fgr4hSrVs.SAwsQguG_LDiy_gP_guBWC9WPUUpIC0qlWhzGGLkiIMKOZ3ct90i71p.7KDaMUE KVdDp5lXAhYFz4SB4JdrwASaMKYUS21f67Z5G8cIdu72H9Qu9.iLEat0B1Y42BrZ3l6tGtawNt5_ KFdKLZ.nepHF48fOoDyt7aycpC.9LUEjWodWCWqoZLTYn.fDkoycsVKitGytZRmXSHtCHLi4fDVu EbVIzwHQyH00jK_AYdsRABC68bX1PZs66O1q7QfkohPhsU8Av6sZHoNt1YNw_rBqZyF9bnmxr.Ft Uk.7GmnRCwfDvAxPEhpM29YNHWCid7PrmnrhTl59FXyEIwntufnJEyXPr5MWfCrS3.8f1u_9._Ix ksoRyOtUx0D256Py20TJJ6KOUhDSS5KvUzZl3rVJvNOD.PsxqRBqWPEEpyOSrNvDiVpfgxWWALvp WAZpoo8wqpLEju88T3ukv8LGtExMHUW1r6orF63wvVHQlF9Y8vjEZ7m4rUBdjrWUUsLkC_SMRt0Z J4TGPEt_y6TJzs1LDe7doABOv.BQwkPIAdMV8tMTMBOi0t3AejhwGHbq65VyTPbZu5RD.9AtZzBL PBMEZaTS_mQH91h.8AGyXEOcyEMrmdZUBFaDI75EO4kzBr.0kkPZjT1MM3tUC5SOWf0AtOHN3g1e .BL8c9TGO
X-Sonic-MF: <ameyanrd@yahoo.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.sg3.yahoo.com with HTTP; Mon, 5 Jul 2021 16:48:51 +0000
Date: Mon, 5 Jul 2021 16:48:49 +0000 (UTC)
From: Ameya Deshpande <ameyanrd@yahoo.com>
To: "ippm@ietf.org" <ippm@ietf.org>, "Hamilton, Robert" <rhamilton=40cas.org@dmarc.ietf.org>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
Message-ID: <1402651859.5739390.1625503729029@mail.yahoo.com>
In-Reply-To: <1732873610.1690997.1625502432340@mail.yahoo.com>
References: <162256330634.19677.3885804345914692467@ietfa.amsl.com> <28584824.2341925.1622563579715@mail.yahoo.com> <721002155.671981.1625161479360@mail.yahoo.com> <c0651506a3fb437c9300b1fc14206560@cas.org> <1732873610.1690997.1625502432340@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_5739389_1072957223.1625503729025"
X-Mailer: WebService/1.1.18469 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/QiBkf_UxlOaJhSFq1QdrUfG6IyY>
Subject: Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 16:49:06 -0000

 Hi Robert,
Thanks for your comments. Please check the inline comments.
> - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns. 

We have kept an option for no-encryption in PDMv2 as well. And it is kept exactly for
 the same reason you mentioned. Connections over encrypted medium (say VPN tunnels),link-local network, or any secured company domain can choose to use PDMv2 unencrypted.
> - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.
Yes, for a PDM-to-PDM machine, the round trip time, a.k.a DELTATLS, will include the two encryptionand two decryption times. We are trying our best to minimize any added timing due to the encryption in PDMv2, but we feel that encryption is important, so we're trying to achieve a correct balance.
Thanks,Ameya Deshpande

    On Monday, 5 July, 2021, 9:57:51 pm IST, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote:  
 
 Hi Robert,[Posting for some of the co-authors.]We fully agree with your concerns. However, we’re confident that HPKE will reach the RFC status soon. Moreover, also other protocols (e.g., MLS, see https://www.ietf.org/archive/id/draft-ietf-mls-architecture-06.txt) are using it.About HPKE itself, there are two different aspects to consider: HPKE (as an architecture, API, etc.) and the cryptographic functions used by HKPE. While HPKE is still in draft, the cryptographic functions are well-known and proven. Hence, we don’t expect any concern related to the encryption methods used by HPKE.The fact that Tommy confirms that it is being implemented and deployed reinforces our confidence on the fact that its availability is not going to be a critical point.
In any case, we will take this point into consideration, as it is a valid concern.
Best regards,
Nalini, Tom, and Adnan
  

    On Thursday, July 1, 2021, 02:05:31 PM PDT, Hamilton, Robert <rhamilton=40cas.org@dmarc.ietf.org> wrote:  
 
 I am interested in the encryption of the PDM header, just because I've done symmetric-key encryption with pseudorandom numbers and pseudorandom obfuscation algorithms for key management. I see that we are interested in using HPKE. I have just a few concerns:

 - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns.

 - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.

Still reviewing; I'll be back with more thoughts.

R;


Rob Hamilton
Infrastructure Engineer
Chemical Abstracts Service

-----Original Message-----
From: ippm <ippm-bounces@ietf.org> On Behalf Of nalini.elkins@insidethestack.com
Sent: Thursday, July 1, 2021 1:45 PM
To: IETF IPPM WG <ippm@ietf.org>
Cc: draft-elkins-ippm-encrypted-pdmv2@ietf.org
Subject: [EXT] Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

[Actual Sender is ippm-bounces@ietf.org]

IPPM,

Please do take a look at this draft.

I think that iOAM will need encryption as well.   We have spent quite a bit of time thinking over these issues.  We even have 2 cryptographers from Italy involved as co-authors.   I want to do a side meeting where we can have quite a bit more time to discuss this but would love to have comments from the group on the list.

I am very reluctant to push PDM out to the wider world without encryption.  I feel that we will become the attacker's best friend.
We have modified the Linux kernel to include PDM but as I say, without encryption, we do not wish to release.


Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






On Tuesday, June 1, 2021, 09:06:39 AM PDT, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote: 





Hello IPPMers!

We have just posted a new draft to encrypt PDM data.   We feel that this is an important feature to add before promoting widespread adoption of PDM.

We would appreciate any thoughts or comments from the group.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






----- Forwarded Message -----

From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: mackermann@bcbsm.com <mackermann@bcbsm.com>om>; Adnan Rashid <adnan.rashid@unifi.it>it>; Ameya Deshpande <ameyanrd@gmail.com>om>; Michael Ackermann <mackermann@bcbsm.com>om>; Nalini Elkins <nalini.elkins@insidethestack.com>om>; Tommaso Pecorella <tommaso.pecorella@unifi.it>
Sent: Tuesday, June 1, 2021, 12:01:47 PM EDT
Subject: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt



A new version of I-D, draft-elkins-ippm-encrypted-pdmv2-00.txt
has been successfully submitted by Nalini Elkins and posted to the
IETF repository.

Name:        draft-elkins-ippm-encrypted-pdmv2
Revision:    00
Title:        Encrypted IPv6 Performance and Diagnostic Metrics Version 2 (EPDMv2) Destination Option
Document date:    2021-06-01
Group:        Individual Submission
Pages:        16
URL:            https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt
Status:        https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/
Htmlized:      https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2


Abstract:
  RFC8250 describes an optional Destination Option (DO) header embedded
  in each packet to provide sequence numbers and timing information as
  a basis for measurements.  As this data is sent in clear- text, this
  may create an opportunity for malicious actors to get information for
  subsequent attacks.  This document defines PDMv2 which has a
  lightweight handshake (registration procedure) and encryption to
  secure this data.  Additional performance metrics which may be of use
  are also defined.

                                                                                  


The IETF Secretariat




_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm
Confidentiality Notice: This electronic message transmission, including any attachment(s), may contain confidential, proprietary, or privileged information from CAS, a division of the American Chemical Society ("ACS"). If you have received this transmission in error, be advised that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. Please destroy all copies of the message and contact the sender immediately by either replying to this message or calling 614-447-3600.
_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm
  _______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm