IETF Logo Mail Archive

Re: [ippm] Is loopback/direct export amplification worse than linear?

Martin Duke <martin.h.duke@gmail.com> Fri, 04 December 2020 22:53 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4FB3A0E18 for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 14:53:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qlg1UQ0DgVMk for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 14:53:48 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71EA83A0CDF for <ippm@ietf.org>; Fri, 4 Dec 2020 14:53:48 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id r9so7421099ioo.7 for <ippm@ietf.org>; Fri, 04 Dec 2020 14:53:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dH9LKQvEExbsQ2OHWc57ivdTYxyFXRHEzNlt0dE42v8=; b=kmtgM8V6xh7dorzx9zStxoBsR3xERDmUFijY30NjMtIH7swrftduEUttf9XkF1H9mq Z4VheXuI1YkC2ZGAsGbvnhTDDW2fePQmZ7cPykcGfI5oAXseJDyDY8QygcdY1Sc2Sb+e 42Co/v86BN7za4CJA1ErLsfvbtXj3CZFuYYB2eqjVpcZCS+6DT42SsUOaQW8lH3f3Ti/ 6Xo9zQ0SWsIIGNkOtz/xi3beqoWvKmDQ/WlsXXXn8sIhm9dMHrB5MHbk1LJwWJk74SxF mYV7IG+P3w0X3bQ08jNut9NvVo+XsZdNJ1ZQA/igwx8dF5XOidOfrfVrj08lqbitR14t QvNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dH9LKQvEExbsQ2OHWc57ivdTYxyFXRHEzNlt0dE42v8=; b=L1lgrWkGoZkcJVTLCm8dT7TtFzBHdF0F7hNElch8QU0T242L04yP3kDRgXxo8uE8QP XoHq7TM7HrMBjZac72zkae51+5PN/1ufwtnivwMxr5JM1PmJrvJZS4wahaK0kNoy3zSq y246U9LaO95PSvdGJiMcxoMDLT+9bJ1VYRAwQn5U33OF4fMTB+e6E0sZ84bs/hJINTR2 +dVBRPyk1l+TqTni/bz8gfsyPIsSdC/OxlxofRueIQG76Sfi5biPk9WFBHR7zelqOs9H f3EGQhJYGQegvJQ2DRI89jeJQlwNgWz/x211HeGnHvcVjpjzSqGbRswArl4E50bA2nmY KlRw==
X-Gm-Message-State: AOAM531aFGy8w0guAB5VTM7r0pI/QC/+ewbFxJcyz7JqM6G9inN7Uz7S pDcVpVp629roDXlVQPq5hkTcfXY/jkRDpS85BZo=
X-Google-Smtp-Source: ABdhPJyDCLQqjoHxuxALRvDoqy6DxNNQ+yAmx61sumgYUyqSEFZRiWZyLhujCIYzM4HKj4PHU2cIkabmVl17iuTNwkw=
X-Received: by 2002:a05:6638:1247:: with SMTP id o7mr8942320jas.31.1607122427493; Fri, 04 Dec 2020 14:53:47 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com>
In-Reply-To: <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 04 Dec 2020 14:53:36 -0800
Message-ID: <CAM4esxSQEJ=r0WrG=6yg-Cwfa==8kJVxTAi3gmboZgtOsncHdw@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>, Greg Mirsky <gregory.mirsky@ztetx.com>
Content-Type: multipart/alternative; boundary="00000000000066c0b605b5ab592b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/SFXrGWm0x7iPbXfVlZ5PZ4OG12o>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 22:53:52 -0000

thanks Greg.

I hope I'm understanding you correctly these are critiques of the drafts
largely unrelated to mine?

On Wed, Dec 2, 2020 at 3:06 PM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Martin,
> thank you for highlighting some troublesome characteristics of using the
> Loopback flag in IOAM. I agree that draft-ietf-ippm-ioam-flags could
> tighten up the description of scenarios when the Loopback flag is used.
> Also, it seems that the behavior of Direct Export
> <https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/?include_text=1> can
> benefit from more clarifications. Now I've read both drafts taking notes
> and present them to you below:
> *draft-ietf-ippm-ioam-flags:*
>
>    - draft-ietf-ippm-ioam-data defined IOAM as a method to record
>    "operational and telemetry information in the packet while the packet
>    traverses a path between two points in the network". It is an example of a
>    hybrid measurement method, per RFC 7799 classification. The introduction of
>    the Loopback and Active flags clearly makes IOAM into an active method and
>    thus it should be discussed as a protocol that originates test packets,
>    including potential security threats it may be used to create.
>    - If the purpose of the Loopback flag is producing a series of
>    responses from traversed nodes, then it might be much easier to use not a
>    copy of the original packet but a different packet to respond to the sender
>    (similar to CFM's LTM/LTR). That will avoid any risk of reverse-path
>    amplification.
>    - It is not clear what kind of path is expected in "a return path from
>    transit nodes and destination nodes towards the source (encapsulating node)
>    exists"? For example, if IOAM is used in an SFC environment, would Loopback
>    require the use of an SFP to the sender?
>    - It is not clear what establishes "the identity of the [IOAM]
>    encapsulating node". Some examples would be helpful.
>    - There seems to be a disconnect in handling unexpected looped IOAM
>    packet:
>
> In the second paragraph Section 4 it is stated:
> "If an encapsulating node receives a looped back packet that was not
> originated from the current encapsulating node, the packet is dropped."
>
> But in the second from the last paragraph of the same section is noted
> that:
> "If there is no match in the Node ID, the packet is processed like a
> conventional IOAM-encapsulated packet."
>
>
>    - The following probably may be expressed using the definitions from
>    the IANA registry:
>
>    An IOAM trace option that has the loopback bit set MUST have the
>    value '1' in the most significant bit of IOAM-Trace-Type, and '0' in
>    the rest of the bits of IOAM-Trace-Type.
>
> like that:
>    An IOAM Trace Option that has the Loopback bit set MUST have the
>    "hop_Lim and node_id in short format" bit set IOAM-Trace-Type, and MUST
>    have all other bits of IOAM-Trace-Type cleared.
>
>
>    - What is the value of collecting "hop_Lim and node_id in short
>    format" on the return path of a packet looped back by an intermediate node?
>    As I understand it, only that information can be collected if the Loopback
>    flag is set. Please correct me if that is not the case.
>    - Can you point where it is specified that when using the Loopback
>    "the packet does not have any payload"? Earlier in Section 4 action of an
>    intermediate node is explained:
>
>    A loopback bit that is set indicates to the transit nodes processing
>    this option that they are to create a copy of the received packet and
>    send the copy back to the source of the packet.
>
> One can understand that the looped back packet is a carbon copy of the
> original packet less the Loopback flag being cleared. And the actions of
> the encapsulating node are described as:
>    The encapsulating node either generates synthetic packets with an
>    IOAM trace option that has the loopback flag set, or sets the loopack
>    flag in a subset of the in-transit data packets.
>
> Which suggests that, at least in the latter case, the packet with the
> Loopback flag set does have a payload.
>
>
>    - One of the essential aspects of defining an active measurement
>    protocol is the specification of the expected rates that test packets be
>    generated for the intended purpose of the protocol. Some protocols provide
>    a mechanism to negotiate that rate either through its control-plane
>    component or as part of bringing the test session to Up state. I couldn't
>    find any discussion of the expected purpose of using the Active flag, nor
>    sufficient information that would help to set reasonable limits on
>    processing packets with the Active flag set. Also, even though the document
>    is on the Standards track, I find normative language in relation to the
>    security impact of Loopback and Active flags being underused.
>    - Applying rate limits throughout the IOAM domain might be cumbersome.
>    I think that stronger security methods must be defined making using the
>    Loopback and Active options more secure. For example, using authentication
>    to ensure the identity of the encapsulating IOAM node that imposed the
>    Loopback or Active option.
>
> *draft-ietf-ippm-ioam-direct-export*
>
>    - Section 3.1 includes very important assumption:
>
>   The option [DEX] can be read but not modified by transit nodes.
>
> That brings the question What protects the DEX option in particular and
> IOAM-Option-Types in general?
>
>
>    - The description of the processing of the DEX option by
>    encapsulating, transit, and decapsulating nodes in an IOAM domain in all
>    cases states "MAY export the requested IOAM data". What are other possible
>    behaviors of nodes processing the DEX option?
>    - In the last paragraph of Section 3.1 stated:
>
>   A transit IOAM node that does not support the DEX option SHOULD ignore
> it.
>
> What are other allowed behaviors of a node, whether transit or
> decapsulating? Report an error? Discard the packet with the DEX option?
>
>
>    - Though considerations for performance impact at a collector(s) is
>    sensible, it seems that the impact on the node exporting telemetry
>    information triggered by the DEX should also be considered.
>    - Applying rate limits throughout the IOAM domain might be cumbersome.
>    I think that there could be other methods to improve the security of the
>    DEX option.
>    - I can understand that the identity of a collector(s) of exported
>    information can be provisioned via the management or control plane. But I
>    also believe that there must be a discussion of why the Loopback option is
>    not a special case of the DEX option.
>
> Regards,
> Greg
>
> On Sun, Nov 15, 2020 at 9:45 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
>
>> I recognize that the loopback and direct export drafts discuss potential
>> amplification results, as a path of length N will generate N packets for
>> each IOAM packet -- a linear relationship. As these are discussed in the
>> draft with proposed mitigation, in an editorial sense the job is done.
>> Whether giving people this kind of foot gun is a good idea is a separate
>> question, but reasonable people can disagree.
>>
>> However, if I understand correctly, certain pathological combinations of
>> IOAM namespaces could result in amplification far worse than linear.
>>
>> 1) Loopback loops
>> Imagine there is an IOAM namespace that covers the path from Hop A to Hop
>> D. There is a separate namespace entirely contained in A-D, from hop B from
>> hop C. Both namespaces enable loopback.
>>                            A
>> --------------------------------------------------------D
>>
>>  B-------------------------------C
>>
>> So a user packet is traveling from A to D. There will be (D-A) loopback
>> packets headed towards A. The (D - C) loopback packets that generated
>> between C and D will travel through the encapsulating node at C and then
>> trigger further loopbacks to C. Thus the total number of packets generated
>> by the single user packet is
>> (D - A) + (D - C)(C - B)
>> and obviousy there could be several of these smaller namespaces, or
>> nested namespaces, that aggravate the amplification further.
>>
>> 2) Direct Export
>> Direct Export potentially has even worse properties. Suppose namespace A,
>> N_A hops across, direct exports to a node that is reachable across
>> namespace B. Namespace B, N_B hops across, direct exports to a node
>> reachable across namespace A.
>>
>> Thus a single user packet sent over namespace A will generate N_A packets
>> that traverse Namespace B. This will, in turn, generate N_A * N_B packets
>> that traverse namespace A, which in turn triggers N_A ^ 2 * N_B packets,
>> and so on.
>>
>> In fact, if the namespaces direct export with probability exactly,1/N_A
>> and 1/N_B, the same level of traffic will ping-pong infinitely. Any more
>> than that, and the traffic will steadily increase to infinity. If the
>> probability is 1, the growth is exponential.
>>
>> ****************
>>
>> This analysis, if correct, raises three questions that I can think of:
>> - Are these corner cases plausible?
>> - If so, and they occurred, would the namespace administrators
>> necessarily be aware of each other? If not, I'm concerned that this is
>> unsafe to deploy.
>> - Do phenomena like this indicate that the design is brittle and putting
>> in some "considerations" doesn't really mitigate the dangers here?
>>
>> Martin
>>
>>
>>
>>
>> _______________________________________________
>> ippm mailing list
>> ippm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ippm
>>
>

v2.23.0 | Report a Bug | By Email