Re: [ippm] Is loopback/direct export amplification worse than linear?
Martin Duke <martin.h.duke@gmail.com> Wed, 25 November 2020 18:22 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 939573A1530 for <ippm@ietfa.amsl.com>; Wed, 25 Nov 2020 10:22:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UvFUJQ5xCpdh for <ippm@ietfa.amsl.com>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35AAF3A1526 for <ippm@ietf.org>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
Received: by mail-io1-xd35.google.com with SMTP id o8so3090095ioh.0 for <ippm@ietf.org>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8Js7gi1keztAa+XAVXpJu407oFMu8GqpJKe53sbAaa8=; b=mEPfPwrDdu6bSeeGXlwITBodlQQevOY/uZxTh3GeFpC/g3kWW8UPMWTqxs2YYmTuER aXdQW5oUpRYAe1NNmYNmYYi5oaCMAYh5PdEDSH/eHudq1rUa5VkyxE5oKXZgqXMXpm29 FCKIWoGJIBbA4inRO46ZziRXTX2rk5IlFqlmEW1oROXWg7yFA8poaIpx0LzW1s0uXipT x1nAesNpYqvn3W4wIY4A3kEg/EEiVa1Mj80U8t+VJ7349ewMmCdMk7cRmfqnZ3ZhQKpY BkosbfO8b/bw7ICf0xXDS88LHJWt/xB7WKZQ2UsAwC32U6QcarMHU7RMl8iApSEVcwTb Nxgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8Js7gi1keztAa+XAVXpJu407oFMu8GqpJKe53sbAaa8=; b=qcA0/own5zNg62l4oux5zyKkm4vKnowvYC6EgOfvKbbryCymdeKE4K+GBsgU84Dbun p1wjfHuHWYh5iDkVdQDOSI3wUlkfQOfWGhsqAJ+YaMt1PGFJArXgEvify0rKGrWs3dHN DxSlpvZo9HdgbwOJZZKubojOkLOAuxuktWzRY/gd2qrFE/WGbkU/LoDPhclCnFnhdPtY UacV6uvYakY2xPBeT2f9pnvzvYLJ/o1hgTq4CbbOD9gmW58MsSmJ5ufAsvcaSV5giLH9 4/qER04+ZZ0w9IxYdcDHxhssrA0CxSLaaUVcv+T/h5li57CvQ7oDa9Po1hnGaG3uwt17 V6dw==
X-Gm-Message-State: AOAM533tBdP4IDoYo/V8eBN/j10Knhc23oxVJgFMPYFuif+BjT0FGYU5 8HF7F7wwgHQdNGEmj23aIS4s3uZP5mtwULOMWn0=
X-Google-Smtp-Source: ABdhPJx48CZg2vPD2A2MOhkihAoQx3ks5qppQ5R2ooOz7Ex3Q4XzH0l0Z+iaS5djs9PuLqTN7ZuNAmT5mndmdIfnIRM=
X-Received: by 2002:a02:4:: with SMTP id 4mr4458403jaa.121.1606328543311; Wed, 25 Nov 2020 10:22:23 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CABUE3Xm5A+6Jrw64ZnxUbu_avy5UNi3m2cUsiKzMJ-_BviiNrg@mail.gmail.com>
In-Reply-To: <CABUE3Xm5A+6Jrw64ZnxUbu_avy5UNi3m2cUsiKzMJ-_BviiNrg@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 25 Nov 2020 10:22:14 -0800
Message-ID: <CAM4esxQpymtFa4OkGXG2QojLi9NXGWjMzj=TWfeGAxCaeaZkeQ@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000377c0c05b4f282b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/UMluZlthNvDhkQV-ULnxSOfPMwg>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 18:22:29 -0000
Hi Tal, I believe this text adequately describes my concerns, so you've done what you can in terms of updating the draft. Thanks. I am increasingly skeptical that protocols with these dynamics are a good thing to deploy in the internet, regardless of what we put in the Security Considerations. I would certainly like to hear the opinions of other people in the WG on this topic. Martin On Wed, Nov 25, 2020 at 1:34 AM Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote: > Hi Martin, > > Thanks for raising these points. > We have discussed these points today at the IOAM design team meeting, > and we suggest to mention these scenarios in the drafts. > We believe the reader should be aware of these scenarios, but that the > mitigations that are already described in the draft are sufficient at > this point. > > Regarding issue (1) the following text is proposed to be added to the > security considerations section of the flag draft: > > Some of the security threats that were discussed in this document may > be worse in a wide area network in which there are nested IOAM > domains. For example, if there are two nested IOAM domains that use > loopback, then a looped-back copy in the outer IOAM domain may be > forwarded through another (inner) IOAM domain and may be subject to > loopback in that (inner) IOAM domain, causing the amplification to be > worse than in the conventional case. > > > Regarding issue (2), the following text is proposed for the DEX draft: > > The amplification effect of DEX may be worse in wide area networks in > which there are multiple IOAM domains. For example, if DEX is used in > IOAM domain 1 for exporting IOAM data to a receiving entity, then the > exported packets of domain 1 can be forwarded through IOAM domain 2, > in which they are subject to DEX. The exported packets of domain 2 may > in turn be forwarded through another IOAM domain (or through domain > 1), and theoretically this recursive amplification may continue > infinitely. > > Thanks, > Tal. > > On Mon, Nov 16, 2020 at 7:45 AM Martin Duke <martin.h.duke@gmail.com> > wrote: > > > > I recognize that the loopback and direct export drafts discuss potential > amplification results, as a path of length N will generate N packets for > each IOAM packet -- a linear relationship. As these are discussed in the > draft with proposed mitigation, in an editorial sense the job is done. > Whether giving people this kind of foot gun is a good idea is a separate > question, but reasonable people can disagree. > > > > However, if I understand correctly, certain pathological combinations of > IOAM namespaces could result in amplification far worse than linear. > > > > 1) Loopback loops > > Imagine there is an IOAM namespace that covers the path from Hop A to > Hop D. There is a separate namespace entirely contained in A-D, from hop B > from hop C. Both namespaces enable loopback. > > A > --------------------------------------------------------D > > > B-------------------------------C > > > > So a user packet is traveling from A to D. There will be (D-A) loopback > packets headed towards A. The (D - C) loopback packets that generated > between C and D will travel through the encapsulating node at C and then > trigger further loopbacks to C. Thus the total number of packets generated > by the single user packet is > > (D - A) + (D - C)(C - B) > > and obviousy there could be several of these smaller namespaces, or > nested namespaces, that aggravate the amplification further. > > > > 2) Direct Export > > Direct Export potentially has even worse properties. Suppose namespace > A, N_A hops across, direct exports to a node that is reachable across > namespace B. Namespace B, N_B hops across, direct exports to a node > reachable across namespace A. > > > > Thus a single user packet sent over namespace A will generate N_A > packets that traverse Namespace B. This will, in turn, generate N_A * N_B > packets that traverse namespace A, which in turn triggers N_A ^ 2 * N_B > packets, and so on. > > > > In fact, if the namespaces direct export with probability exactly,1/N_A > and 1/N_B, the same level of traffic will ping-pong infinitely. Any more > than that, and the traffic will steadily increase to infinity. If the > probability is 1, the growth is exponential. > > > > **************** > > > > This analysis, if correct, raises three questions that I can think of: > > - Are these corner cases plausible? > > - If so, and they occurred, would the namespace administrators > necessarily be aware of each other? If not, I'm concerned that this is > unsafe to deploy. > > - Do phenomena like this indicate that the design is brittle and putting > in some "considerations" doesn't really mitigate the dangers here? > > > > Martin > > > > > > > > > > _______________________________________________ > > ippm mailing list > > ippm@ietf.org > > https://www.ietf.org/mailman/listinfo/ippm >
- [ippm] Is loopback/direct export amplification wo… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Tal Mizrahi
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Haoyu Song
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky