Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110

Shwetha <shwetha.bhandari@gmail.com> Wed, 07 July 2021 07:18 UTC

Return-Path: <shwetha.bhandari@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6653A0D35 for <ippm@ietfa.amsl.com>; Wed, 7 Jul 2021 00:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJqMRK91Ul-k for <ippm@ietfa.amsl.com>; Wed, 7 Jul 2021 00:17:59 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28B1B3A0D2D for <ippm@ietf.org>; Wed, 7 Jul 2021 00:17:58 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id o139so1631371ybg.9 for <ippm@ietf.org>; Wed, 07 Jul 2021 00:17:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RjNmuQyolhtg0pYCUU/otaxhNevY0Dp3V4VIf+tIRQQ=; b=j4kmOas2e40ve+LmoXgsnW5FvpZMzyUyTXEF16I3sPuQAXTEe/vhQtlo/j1qnZsOfw PxW0iux6ZBglr21Rcf97/9A+XP42DKbKPgRbxw9DQtqQ5RrJI60srb6PTeQ5VPiSkFVt UVlCD090f8sTp9OlFqG+XOcZ5YGAjti7y/4+r9W6USeaOmwuc5QUOMBznyv+yZ8k20U+ ijJkxgK19EpQ7P2Mf4cU457PXCNSbjB7rtz/30k106dz9zaluTyNC7kgmdu0+n4RS1mw KcAKMe4mCgvsmvBHLJhhUEwHRPcaXaBlsFWokr96AC28i2jhLFpq9Bx35Wkt99MdTsFD putg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RjNmuQyolhtg0pYCUU/otaxhNevY0Dp3V4VIf+tIRQQ=; b=NtadWrI/4IySrx5+YAh9vi40f1EjSLxXBsd+DtbQlG0zk05YM+qYvso8LHCFqjZxsn biPDr2NjSjo4SRE/Wd/nzcbTpAlsL1aiFgcQ9GOUCXvHLc93f1vyXTwtPGNwns+QwMca nO3G1ZGs8x+HJD1Rxhk3UYZddDhgKYNJF3KSs3Pvdnl5wzSp2xz1Y4jEOc7IuuUSrDiC bbaJrxVCHqy5N7sBYY+WXTZuI36xVKd2wSaGVpTRHTtB4MGUHAB4FyZzHUgQjvV7jchp mm1B9YmXNTg1+tg3r5lcpXCeRLBJIX5kUqDDRoZj8uVBQJhGVjNnOVof1Y3oeeDHuNKg 6QZA==
X-Gm-Message-State: AOAM532rIodLIk+m++ccGJCSSw53zGE/1QLDZUWwTXMo0ayakUsHPTGg pxfDN9H1ORT9+J3Stg97fxVlPKIYQe95+0L/Vak=
X-Google-Smtp-Source: ABdhPJxIiycWbhUaAmU+xYyxf7G+Ey+gKIL/N2W5VkRoQ7KykJZCe9SkVKlsxEnqlr+kf4Cxh0cEZje7yXR/HJ3oCoE=
X-Received: by 2002:a25:9b08:: with SMTP id y8mr29469801ybn.417.1625642277245; Wed, 07 Jul 2021 00:17:57 -0700 (PDT)
MIME-Version: 1.0
References: <CA+SnWFEGAwm0D2-U=5DapY=4Ky0R2xP0i=tFyjme6VaLRDdwwA@mail.gmail.com> <CA+SnWFHp7_tmqPGikvOOO5CGa1905wSnfrswaXBCmg0Z7LrTqg@mail.gmail.com> <ED2E3E28-C697-4CE7-A6F3-E4CF5B89AD42@apple.com> <B393DF12-BA0A-426A-8445-AE193050501F@apple.com> <BYAPR11MB258497AB264414E5F2B83FFFDA609@BYAPR11MB2584.namprd11.prod.outlook.com> <4D7F4AD313D3FC43A053B309F97543CF0147CD0A59@njmtexg5.research.att.com> <BYAPR11MB258425AF435E41881B028C14DA7F9@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB258425AF435E41881B028C14DA7F9@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Shwetha <shwetha.bhandari@gmail.com>
Date: Wed, 7 Jul 2021 12:47:45 +0530
Message-ID: <CA+SnWFGRFDERkj8wRTen_UQy3mbs=Z94_LC6DFmcJqV8FohG3A@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: "MORTON, ALFRED C (AL)" <acm@research.att.com>, Tommy Pauly <tpauly@apple.com>, "IETF IPPM WG (ippm@ietf.org)" <ippm@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="0000000000007794c505c6835638"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/RYMJRnwmW0f0NcEntFrp9pWawmg>
Subject: Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 07:18:04 -0000

Hi All,

A new version of the IOAM data integrity has been posted :
https://datatracker.ietf.org/doc/html/draft-brockners-ippm-ioam-data-integrity-02

This addresses the feedback and discussion during IETF 110 and in this
email thread:
1. Recommends one method for carrying data integrity for IOAM options.
Other methods discussed are moved to Appendix.
2. Introduces asymmetric key based signing variant to it.
3. Adds IOAM data integrity option format and IANA considerations.
4. Updates overhead considerations to include sampling.

Looking forward to continued discussion on this here and at the upcoming
IPPM wg meeting.

Thanks,
Shwetha

On Sun, Mar 28, 2021 at 3:52 PM Frank Brockners (fbrockne) <
fbrockne@cisco.com> wrote:

> Hi Al,
>
>
>
> Thanks much – and I fully agree that we need to keep the deployment and
> associated cost aspects in mind when designing a solution for IOAM
> data-fields integrity.  We should also acknowledge that while integrity
> protection might be considered important for some future deployment,
> current uses of early implementations of IOAM or similar are in “limited
> and isolated domains” and they do well without an integrity protection
> solution. So we’re talking about a “niche” for now, though one which might
> become more important in the future if IOAM would get applied to “not so
> trusted environments”.  We can expect integrity protection to add a
> non-negligible burden on a deployment – hence we need to come up with a
> solution that is modular enough, so that operators and implementors can
> choose how they cut the balance between “protection” and “cost”.
>
>
>
> The ”Performance and Diagnostic Metrics (PDM) team” (Michael, Nalini)
> already reached out – with the plan to investigate whether we can’t create
> a single solution which would cover PDM and IOAM – something that everyone
> would for sure appreciate.
>
>
>
> Per your (great!) suggestion, I’m cc’ing Ben for any help / pointers to
> additional folks who might be interested in helping us design an adequate
> solution.
>
>
>
> Thanks, Frank
>
>
>
> *From:* MORTON, ALFRED C (AL) <acm@research.att.com>
> *Sent:* Samstag, 27. März 2021 18:38
> *To:* Frank Brockners (fbrockne) <fbrockne@cisco.com>om>; Tommy Pauly <
> tpauly@apple.com>gt;; Tommy Pauly <tpauly@apple.com>om>; Shwetha <
> shwetha.bhandari@gmail.com>
> *Cc:* IETF IPPM WG (ippm@ietf.org) <ippm@ietf.org>
> *Subject:* RE: [ippm] Discussion on
> draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
>
>
>
> Hi Frank, Tommy, and all,
>
>
>
> TL;DR: No solution, just trying to refine the problem statement and
> suggestion to seek SEC advice.
>
>
>
> I haven’t followed the integrity discussions closely, but hearing the
> review of options at the IETF-110/IPPM session, and additional details for
> the options that Frank described below, it seems we could use some expert
> advice. There is a perpetual tension between protection from various
> attacks and the protocol performance achievable in practice, especially
> when considering per-packet integrity. IOW, if the security measures drag
> down too hard on performance, they won’t be used in practice.
>
>
>
> In a successful end-game, we will have balanced the (possibly increased)
> risks inherent in the selected security measures with the practical
> per-packet implementation (requiring high packet-per-second rates, wide
> distribution, and other deployment needs).
>
>
>
> I’m a very interested spectator here, because we may need to solve this
> problem again for packet streams used in high-capacity testing with
> widespread deployment.
>
>
>
> So, advice in the form of a recommended solution to our particular problem
> with an acceptable level of risk, from SEC-Dir, SEC-ADs, or elsewhere,
> might help us winnow-down the choices.
>
>
>
> hope this helps,
>
> Al
>
>
>
>
>
> *From:* ippm [mailto:ippm-bounces@ietf.org <ippm-bounces@ietf.org>] *On
> Behalf Of *Frank Brockners (fbrockne)
> *Sent:* Saturday, March 27, 2021 10:54 AM
> *To:* Tommy Pauly <tpauly@apple.com>om>; Tommy Pauly <
> tpauly=40apple.com@dmarc.ietf.org>gt;; Shwetha <shwetha.bhandari@gmail.com>
> *Cc:* IETF IPPM WG (ippm@ietf.org) <ippm@ietf.org>
> *Subject:* Re: [ippm] Discussion on
> draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
>
>
>
> Hi Tommy, IPPM WG,
>
>
>
> We’ll look into the update after the Easter break. Before that, I’d
> greatly appreciate further input and thoughts on the preferred methods.
>
>
>
> In our IPPM WG meeting during IETF 110, you voiced a preference for Method
> 3 – broken up into a “Method 3a – with symmetric key (the current Method
> 3)” and a “Method 3b – with asymmetric keys”.
>
>
>
> Per the discussion, the Method 3 approach suffers from the challenges that
> one would need to provision a secret per packet, which is a significant
> effort – but provides for replay protection. Detecting whether a secret has
> already been used or not is detectable by the verifier. Method 4 also
> provides for replay protection given that it also uses a secret per packet
> and at the same time is to help the secret provisioning issue, given that
> we’d only bootstrap a key generator on the nodes and would then leverage
> Key-IDs – which makes “secrets per packet” much more manageable.
>
>
>
> Per the note above, during the WG discussion, a preference was voiced for
> “Method 3” – but at the same time, asked for avoiding a secret per packet –
> but re-using the secret for multiple packets, e.g. defined by duration or
> number of packets. How would we arrive at a solution for replay
> protection in that case?
>
> Options we could consider include:
> (a) Include the payload (or portions of the payload) into the signing
> process, so that the signed IOAM data becomes unique and cannot be easily
> re-used for future packets.
>
> (b) Include an additional “identifier” or “nonce” as part of the
> IOAM-data, which would make the IOAM-data and thus the signature unique –
> which could be checked and tracked by the verifiers.
>
> (c) ? any other options ?
>
>
>
> Thoughts? Opinions? Preferences?
>
>
>
> While evolving the design for Method3 (or better 3a and 3b), I’d suggest
> that we keep Method 4 on the table for now.
>
>
>
> Thanks, Frank
>
>
>
> *From:* Tommy Pauly <tpauly@apple.com>
> *Sent:* Freitag, 26. März 2021 21:58
> *To:* Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>rg>; Shwetha <
> shwetha.bhandari@gmail.com>gt;; Frank Brockners (fbrockne) <
> fbrockne@cisco.com>
> *Cc:* IETF IPPM WG (ippm@ietf.org) <ippm@ietf.org>
> *Subject:* Re: [ippm] Discussion on
> draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
>
>
>
> Just checking here—when could we expect an updated proposal for the
> integrity document? Once we can converge on a set of approaches we like, we
> would like to get this prepared for a WG adoption.
>
>
>
> Best,
>
> Tommy
>
>
>
> On Mar 12, 2021, at 6:30 AM, Tommy Pauly <
> tpauly=40apple.com@dmarc.ietf.org> wrote:
>
>
>
> Thanks, that’d be great to see the variants of Method 3 like that!
>
>
>
> Best,
>
> Tommy
>
>
>
> On Mar 8, 2021, at 8:31 PM, Shwetha <shwetha.bhandari@gmail.com> wrote:
>
>
>
> My bad, it should be possible to reverse the process for validation and
> retrieve the previous signature in the reverse order. We will update the
> draft to have Method 3 with both symmetric/asymmetric variants.
>
>
>
> Thanks,
>
> Shwetha
>
>
>
> On Tue, Mar 9, 2021 at 7:07 AM Shwetha <shwetha.bhandari@gmail.com> wrote:
>
> During the session 1 of ippm at IETF 110, it was suggested to consider
> introducing a variant of method 3
> in  draft-brockners-ippm-ioam-data-integrity with asymmetric keys.
>
>
>
>
>
> When we were designing the methods to protect integrity of the entire IOAM
> data collected at each node, the node chains it's own node data with the
> signature from the previous node and overwrites the signature:
>
> Trace signature = sign([Trace Signature || its node_data_list[x] hash])
>
>
>
> In the symmetric key case this operation can be validated by reversing the
> operation by the validator who has the shared secret from each node.
>
> However this will not work if nodes use their private keys to sign and
> validator has the public key to validate as it can only validate but not
> derive a specific node's signature to reverse the operation.
>
>
>
> So I think the space optimized  method to overwrite the signature at each
> node cannot be modified to use asymmetric keys easily. Will be happy to
> discuss ideas to create a space optimized asymmetric key based solution.
>
>
>
> Thanks
>
> Shwetha
>
>
>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/ippm__;!!BhdT!04mWk9x-Ut5K0ecNHfnt8g_vEeQPXwZx8oP_51cSZNUP214MyjqOchkEeA3R$>
>
>
>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/ippm__;!!BhdT!04mWk9x-Ut5K0ecNHfnt8g_vEeQPXwZx8oP_51cSZNUP214MyjqOchkEeA3R$>
>
>
>