Re: [ippm] Is loopback/direct export amplification worse than linear?
Martin Duke <martin.h.duke@gmail.com> Fri, 04 December 2020 22:53 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4FB3A0E18 for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 14:53:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qlg1UQ0DgVMk for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 14:53:48 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71EA83A0CDF for <ippm@ietf.org>; Fri, 4 Dec 2020 14:53:48 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id r9so7421099ioo.7 for <ippm@ietf.org>; Fri, 04 Dec 2020 14:53:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dH9LKQvEExbsQ2OHWc57ivdTYxyFXRHEzNlt0dE42v8=; b=kmtgM8V6xh7dorzx9zStxoBsR3xERDmUFijY30NjMtIH7swrftduEUttf9XkF1H9mq Z4VheXuI1YkC2ZGAsGbvnhTDDW2fePQmZ7cPykcGfI5oAXseJDyDY8QygcdY1Sc2Sb+e 42Co/v86BN7za4CJA1ErLsfvbtXj3CZFuYYB2eqjVpcZCS+6DT42SsUOaQW8lH3f3Ti/ 6Xo9zQ0SWsIIGNkOtz/xi3beqoWvKmDQ/WlsXXXn8sIhm9dMHrB5MHbk1LJwWJk74SxF mYV7IG+P3w0X3bQ08jNut9NvVo+XsZdNJ1ZQA/igwx8dF5XOidOfrfVrj08lqbitR14t QvNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dH9LKQvEExbsQ2OHWc57ivdTYxyFXRHEzNlt0dE42v8=; b=L1lgrWkGoZkcJVTLCm8dT7TtFzBHdF0F7hNElch8QU0T242L04yP3kDRgXxo8uE8QP XoHq7TM7HrMBjZac72zkae51+5PN/1ufwtnivwMxr5JM1PmJrvJZS4wahaK0kNoy3zSq y246U9LaO95PSvdGJiMcxoMDLT+9bJ1VYRAwQn5U33OF4fMTB+e6E0sZ84bs/hJINTR2 +dVBRPyk1l+TqTni/bz8gfsyPIsSdC/OxlxofRueIQG76Sfi5biPk9WFBHR7zelqOs9H f3EGQhJYGQegvJQ2DRI89jeJQlwNgWz/x211HeGnHvcVjpjzSqGbRswArl4E50bA2nmY KlRw==
X-Gm-Message-State: AOAM531aFGy8w0guAB5VTM7r0pI/QC/+ewbFxJcyz7JqM6G9inN7Uz7S pDcVpVp629roDXlVQPq5hkTcfXY/jkRDpS85BZo=
X-Google-Smtp-Source: ABdhPJyDCLQqjoHxuxALRvDoqy6DxNNQ+yAmx61sumgYUyqSEFZRiWZyLhujCIYzM4HKj4PHU2cIkabmVl17iuTNwkw=
X-Received: by 2002:a05:6638:1247:: with SMTP id o7mr8942320jas.31.1607122427493; Fri, 04 Dec 2020 14:53:47 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com>
In-Reply-To: <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 04 Dec 2020 14:53:36 -0800
Message-ID: <CAM4esxSQEJ=r0WrG=6yg-Cwfa==8kJVxTAi3gmboZgtOsncHdw@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>, Greg Mirsky <gregory.mirsky@ztetx.com>
Content-Type: multipart/alternative; boundary="00000000000066c0b605b5ab592b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/SFXrGWm0x7iPbXfVlZ5PZ4OG12o>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 22:53:52 -0000
thanks Greg. I hope I'm understanding you correctly these are critiques of the drafts largely unrelated to mine? On Wed, Dec 2, 2020 at 3:06 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > Hi Martin, > thank you for highlighting some troublesome characteristics of using the > Loopback flag in IOAM. I agree that draft-ietf-ippm-ioam-flags could > tighten up the description of scenarios when the Loopback flag is used. > Also, it seems that the behavior of Direct Export > <https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/?include_text=1> can > benefit from more clarifications. Now I've read both drafts taking notes > and present them to you below: > *draft-ietf-ippm-ioam-flags:* > > - draft-ietf-ippm-ioam-data defined IOAM as a method to record > "operational and telemetry information in the packet while the packet > traverses a path between two points in the network". It is an example of a > hybrid measurement method, per RFC 7799 classification. The introduction of > the Loopback and Active flags clearly makes IOAM into an active method and > thus it should be discussed as a protocol that originates test packets, > including potential security threats it may be used to create. > - If the purpose of the Loopback flag is producing a series of > responses from traversed nodes, then it might be much easier to use not a > copy of the original packet but a different packet to respond to the sender > (similar to CFM's LTM/LTR). That will avoid any risk of reverse-path > amplification. > - It is not clear what kind of path is expected in "a return path from > transit nodes and destination nodes towards the source (encapsulating node) > exists"? For example, if IOAM is used in an SFC environment, would Loopback > require the use of an SFP to the sender? > - It is not clear what establishes "the identity of the [IOAM] > encapsulating node". Some examples would be helpful. > - There seems to be a disconnect in handling unexpected looped IOAM > packet: > > In the second paragraph Section 4 it is stated: > "If an encapsulating node receives a looped back packet that was not > originated from the current encapsulating node, the packet is dropped." > > But in the second from the last paragraph of the same section is noted > that: > "If there is no match in the Node ID, the packet is processed like a > conventional IOAM-encapsulated packet." > > > - The following probably may be expressed using the definitions from > the IANA registry: > > An IOAM trace option that has the loopback bit set MUST have the > value '1' in the most significant bit of IOAM-Trace-Type, and '0' in > the rest of the bits of IOAM-Trace-Type. > > like that: > An IOAM Trace Option that has the Loopback bit set MUST have the > "hop_Lim and node_id in short format" bit set IOAM-Trace-Type, and MUST > have all other bits of IOAM-Trace-Type cleared. > > > - What is the value of collecting "hop_Lim and node_id in short > format" on the return path of a packet looped back by an intermediate node? > As I understand it, only that information can be collected if the Loopback > flag is set. Please correct me if that is not the case. > - Can you point where it is specified that when using the Loopback > "the packet does not have any payload"? Earlier in Section 4 action of an > intermediate node is explained: > > A loopback bit that is set indicates to the transit nodes processing > this option that they are to create a copy of the received packet and > send the copy back to the source of the packet. > > One can understand that the looped back packet is a carbon copy of the > original packet less the Loopback flag being cleared. And the actions of > the encapsulating node are described as: > The encapsulating node either generates synthetic packets with an > IOAM trace option that has the loopback flag set, or sets the loopack > flag in a subset of the in-transit data packets. > > Which suggests that, at least in the latter case, the packet with the > Loopback flag set does have a payload. > > > - One of the essential aspects of defining an active measurement > protocol is the specification of the expected rates that test packets be > generated for the intended purpose of the protocol. Some protocols provide > a mechanism to negotiate that rate either through its control-plane > component or as part of bringing the test session to Up state. I couldn't > find any discussion of the expected purpose of using the Active flag, nor > sufficient information that would help to set reasonable limits on > processing packets with the Active flag set. Also, even though the document > is on the Standards track, I find normative language in relation to the > security impact of Loopback and Active flags being underused. > - Applying rate limits throughout the IOAM domain might be cumbersome. > I think that stronger security methods must be defined making using the > Loopback and Active options more secure. For example, using authentication > to ensure the identity of the encapsulating IOAM node that imposed the > Loopback or Active option. > > *draft-ietf-ippm-ioam-direct-export* > > - Section 3.1 includes very important assumption: > > The option [DEX] can be read but not modified by transit nodes. > > That brings the question What protects the DEX option in particular and > IOAM-Option-Types in general? > > > - The description of the processing of the DEX option by > encapsulating, transit, and decapsulating nodes in an IOAM domain in all > cases states "MAY export the requested IOAM data". What are other possible > behaviors of nodes processing the DEX option? > - In the last paragraph of Section 3.1 stated: > > A transit IOAM node that does not support the DEX option SHOULD ignore > it. > > What are other allowed behaviors of a node, whether transit or > decapsulating? Report an error? Discard the packet with the DEX option? > > > - Though considerations for performance impact at a collector(s) is > sensible, it seems that the impact on the node exporting telemetry > information triggered by the DEX should also be considered. > - Applying rate limits throughout the IOAM domain might be cumbersome. > I think that there could be other methods to improve the security of the > DEX option. > - I can understand that the identity of a collector(s) of exported > information can be provisioned via the management or control plane. But I > also believe that there must be a discussion of why the Loopback option is > not a special case of the DEX option. > > Regards, > Greg > > On Sun, Nov 15, 2020 at 9:45 PM Martin Duke <martin.h.duke@gmail.com> > wrote: > >> I recognize that the loopback and direct export drafts discuss potential >> amplification results, as a path of length N will generate N packets for >> each IOAM packet -- a linear relationship. As these are discussed in the >> draft with proposed mitigation, in an editorial sense the job is done. >> Whether giving people this kind of foot gun is a good idea is a separate >> question, but reasonable people can disagree. >> >> However, if I understand correctly, certain pathological combinations of >> IOAM namespaces could result in amplification far worse than linear. >> >> 1) Loopback loops >> Imagine there is an IOAM namespace that covers the path from Hop A to Hop >> D. There is a separate namespace entirely contained in A-D, from hop B from >> hop C. Both namespaces enable loopback. >> A >> --------------------------------------------------------D >> >> B-------------------------------C >> >> So a user packet is traveling from A to D. There will be (D-A) loopback >> packets headed towards A. The (D - C) loopback packets that generated >> between C and D will travel through the encapsulating node at C and then >> trigger further loopbacks to C. Thus the total number of packets generated >> by the single user packet is >> (D - A) + (D - C)(C - B) >> and obviousy there could be several of these smaller namespaces, or >> nested namespaces, that aggravate the amplification further. >> >> 2) Direct Export >> Direct Export potentially has even worse properties. Suppose namespace A, >> N_A hops across, direct exports to a node that is reachable across >> namespace B. Namespace B, N_B hops across, direct exports to a node >> reachable across namespace A. >> >> Thus a single user packet sent over namespace A will generate N_A packets >> that traverse Namespace B. This will, in turn, generate N_A * N_B packets >> that traverse namespace A, which in turn triggers N_A ^ 2 * N_B packets, >> and so on. >> >> In fact, if the namespaces direct export with probability exactly,1/N_A >> and 1/N_B, the same level of traffic will ping-pong infinitely. Any more >> than that, and the traffic will steadily increase to infinity. If the >> probability is 1, the growth is exponential. >> >> **************** >> >> This analysis, if correct, raises three questions that I can think of: >> - Are these corner cases plausible? >> - If so, and they occurred, would the namespace administrators >> necessarily be aware of each other? If not, I'm concerned that this is >> unsafe to deploy. >> - Do phenomena like this indicate that the design is brittle and putting >> in some "considerations" doesn't really mitigate the dangers here? >> >> Martin >> >> >> >> >> _______________________________________________ >> ippm mailing list >> ippm@ietf.org >> https://www.ietf.org/mailman/listinfo/ippm >> >
- [ippm] Is loopback/direct export amplification wo… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Tal Mizrahi
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Haoyu Song
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky