Re: [ippm] Progressing draft-ietf-ippm-ioam-conf-state

xiao.min2@zte.com.cn Fri, 17 December 2021 02:28 UTC

Return-Path: <xiao.min2@zte.com.cn>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31F393A0FC0 for <ippm@ietfa.amsl.com>; Thu, 16 Dec 2021 18:28:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vImZ6Mo6HuMf for <ippm@ietfa.amsl.com>; Thu, 16 Dec 2021 18:28:52 -0800 (PST)
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [63.216.63.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E0A3A0FB9 for <ippm@ietf.org>; Thu, 16 Dec 2021 18:28:51 -0800 (PST)
Received: from mse-fl1.zte.com.cn (unknown [10.30.14.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mxhk.zte.com.cn (FangMail) with ESMTPS id 4JFXwc1lzzz6FK1j; Fri, 17 Dec 2021 10:28:48 +0800 (CST)
Received: from njxapp03.zte.com.cn ([10.41.132.202]) by mse-fl1.zte.com.cn with SMTP id 1BH2SZKU068546; Fri, 17 Dec 2021 10:28:35 +0800 (GMT-8) (envelope-from xiao.min2@zte.com.cn)
Received: from mapi (njxapp02[null]) by mapi (Zmail) with MAPI id mid201; Fri, 17 Dec 2021 10:28:35 +0800 (CST)
Date: Fri, 17 Dec 2021 10:28:35 +0800
X-Zmail-TransId: 2afa61bbf5d321e1dd9b
X-Mailer: Zmail v1.0
Message-ID: <202112171028356091854@zte.com.cn>
In-Reply-To: <CY4PR11MB1672EE19AF2E99EE77BAF5D3DA779@CY4PR11MB1672.namprd11.prod.outlook.com>
References: 202112101500302348450@zte.com.cn, CY4PR11MB1672EE19AF2E99EE77BAF5D3DA779@CY4PR11MB1672.namprd11.prod.outlook.com
Mime-Version: 1.0
From: xiao.min2@zte.com.cn
To: fbrockne@cisco.com
Cc: ippm@ietf.org, tpauly@apple.com
Content-Type: text/plain; charset="UTF-8"
X-MAIL: mse-fl1.zte.com.cn 1BH2SZKU068546
X-Fangmail-Gw-Spam-Type: 0
X-FangMail-Miltered: at cgslv5.04-192.168.250.138.novalocal with ID 61BBF5E0.001 by FangMail milter!
X-FangMail-Envelope: 1639708128/4JFXwc1lzzz6FK1j/61BBF5E0.001/10.30.14.238/[10.30.14.238]/mse-fl1.zte.com.cn/<xiao.min2@zte.com.cn>
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 61BBF5E0.001/4JFXwc1lzzz6FK1j
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/QqJYx5PUpUn5xSDyBgjMwOYtvsk>
Subject: Re: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Dec 2021 02:28:58 -0000

Hi Frank,

Thanks for your thorough review and thoughtful comments.
I apologize if I misinterpreted your mind.
Considering that your holiday season is coming, before digging into technical details, I suggest that we discuss the IOAM deployment environment first.
As you may have noticed while reading through draft-ietf-ippm-ioam-conf-state-02, in the introduction section it says
"A centralized controller which owns the enabled IOAM capabilities of each IOAM device could be used in some IOAM deployments.  The IOAM encapsulating node can discover the enabled IOAM capabilities infomation from the centralized controller, using, for example, NETCONF/YANG, PCEP, or BGP.  In the IOAM deployment scenario where there is no centralized controller, NETCONF/YANG or IGP may be used by the IOAM encapsulating node to discover these IOAM capabilities information."
I know you're the primary author of both IOAM-Data and IOAM-Deployment documents, so I have a fundamental question to you: Is the above statement correct or not?
More specifically, if you can confirm that "the IOAM deployment scenario where there is no centralized controller" doesn't exist at all, on both the mailing list and the IOAM-Deployment document, then I suggest IPPM WG to abandon draft-ietf-ippm-ioam-conf-state, that would save the energy of the whole wg including you and me.

Best Regards,
Xiao Min
------------------原始邮件------------------
发件人:FrankBrockners(fbrockne)
收件人:肖敏10093570;ippm@ietf.org;
抄送人:Tommy Pauly;
日 期 :2021年12月16日 20:56
主 题 :RE: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
Hi Xiao Min,
Thanks for posting draft-ietf-ippm-ioam-conf-state-02. I read through the updated version and looked at the diff to the 01 version (https://www.ietf.org/rfcdiff?url1=draft-ietf-ippm-ioam-conf-state-01&url2=draft-ietf-ippm-ioam-conf-state-02) Different from what you state below, I don't see any of my comments reflected.
The two main points I mentioned in the last WG meeting were about (a) alignment with draft-ietf-ippm-ioam-yang and (b) enhancements to the security section, reflecting that the protocol you are defining is a network management protocol, and needs to be secured as such.
More specifically:
* Alignment with draft-ietf-ippm-ioam-yang:
The IPPM WG is in the process of defining a YANG module for IOAM: draft-ietf-ippm-ioam-yang. We should have a single, comprehensive model for config information for IOAM. That model can then be rendered into different transports (be it JSON, XML, or yet another format - to then be carried over a e.g. ICMP in your case). Right now draft-ietf-ippm-ioam-conf-state heads down a path of defining a new set of management objects - many are similar to what draft-ietf-ippm-ioam-yang already defines, some they are less comprehensive, some hint at additional information that draft-ietf-ippm-ioam-yang does not cover yet: E.g.,  you define a "Pre-allocated Tracing Capabilities Object" where draft-ietf-ippm-ioam-yang  has a "Preallocated Tracing Profile" defined. You define ingress interface fields, which is information, which is more comprehensively defined by the ioam-filter grouping. You define specific fields to describe the timestamp format used by a node, which is information that should be 
 described as part of the ioam-info container - and which is currently missing in draft-ietf-ippm-ioam-yang; point well taken :-). It is interesting to note that draft-ietf-ippm-ioam-conf-state does not even reference draft-ietf-ippm-ioam-yang.
>From my perspective we should have one single data model for IOAM configuration - and that is the YANG module defined in draft-ietf-ippm-ioam-yang. Let's make sure that this model covers all the information required to properly manage IOAM. Then draft-ietf-ippm-ioam-conf-state would be solely focused on defining how that YANG module (from draft-ietf-ippm-ioam-yang) would be rendered into e.g., ICMP as a carrier protocol.
* Security: Revision -02 does not seem to update the security section. IMHO, section 6 on security considerations should be enhanced to clearly articulate that we're dealing with very sensitive information. Consider loaning from e.g., https://datatracker.ietf.org/doc/html/rfc6241#section-9. As part of the discussion, it would be good to see an explanation where you'd expect  draft-ietf-ippm-ioam-conf-state to be used. Given the discussion in the Introduction section, you seem to assume an environment that does not have a central network management station / controller in place. Or in other terms, you seem to target a deployment, which isn't a limited domain per RFC 8799. In that case, I would expect that we have normative language that requires the use of strong authentication and encryption between the nodes (i.e., MUST use ICMP with AH and ESP..).
In addition to the above, I struggle to understand the "Operational Guide" in section 4: Could you shed a bit more light on how you expect things to work - and what a target deployment environment would look like? It seems that you assume that you don't know the network nor the destination addresses in your network: Do you expect that you would do regular "ICMP echo sweeps" in your network? Do you expect that, while doing the expanding ring search, an ICMP time exceeded message would also carry the "IOAM Capabilities Response Container Header", so that the capabilities container would not only be carried in the echo reply message but also in the time exceeded message?
Thanks, Frank
(BTW - Note that due to the upcoming holiday season, replies might be delayed).
> -----Original Message-----
> From: ippm <ippm-bounces@ietf.org> On Behalf Of xiao.min2@zte.com.cn
> Sent: Friday, 10 December 2021 08:01
> To: ippm@ietf.org
> Subject: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
>
> Hi IPPM WG,
>
> The -02 version of draft-ietf-ippm-ioam-conf-state has been posted.
> There are mainly two changes, one is on IOAM Tracing Capabilities Objects to
> make them applicable to ICMPv6 extensions, another one is on IOAM Proof-of-
> Transit Capabilities Object to make it aligned with the updated IOAM-Data
> document.
> Also note that I've had an offline discussion with wg chairs and Frank Brockners,
> my conclusion is that Frank's concern raised at IETF 112 has been addressed. If
> that's not the case, please speak up.
> With that said, I think this draft is ready for WGLC.
>
> Best Regards,
> Xiao Min
>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm