IETF Logo Mail Archive

Re: [ippm] Is loopback/direct export amplification worse than linear?

Martin Duke <martin.h.duke@gmail.com> Wed, 25 November 2020 18:22 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 939573A1530 for <ippm@ietfa.amsl.com>; Wed, 25 Nov 2020 10:22:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UvFUJQ5xCpdh for <ippm@ietfa.amsl.com>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35AAF3A1526 for <ippm@ietf.org>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
Received: by mail-io1-xd35.google.com with SMTP id o8so3090095ioh.0 for <ippm@ietf.org>; Wed, 25 Nov 2020 10:22:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8Js7gi1keztAa+XAVXpJu407oFMu8GqpJKe53sbAaa8=; b=mEPfPwrDdu6bSeeGXlwITBodlQQevOY/uZxTh3GeFpC/g3kWW8UPMWTqxs2YYmTuER aXdQW5oUpRYAe1NNmYNmYYi5oaCMAYh5PdEDSH/eHudq1rUa5VkyxE5oKXZgqXMXpm29 FCKIWoGJIBbA4inRO46ZziRXTX2rk5IlFqlmEW1oROXWg7yFA8poaIpx0LzW1s0uXipT x1nAesNpYqvn3W4wIY4A3kEg/EEiVa1Mj80U8t+VJ7349ewMmCdMk7cRmfqnZ3ZhQKpY BkosbfO8b/bw7ICf0xXDS88LHJWt/xB7WKZQ2UsAwC32U6QcarMHU7RMl8iApSEVcwTb Nxgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8Js7gi1keztAa+XAVXpJu407oFMu8GqpJKe53sbAaa8=; b=qcA0/own5zNg62l4oux5zyKkm4vKnowvYC6EgOfvKbbryCymdeKE4K+GBsgU84Dbun p1wjfHuHWYh5iDkVdQDOSI3wUlkfQOfWGhsqAJ+YaMt1PGFJArXgEvify0rKGrWs3dHN DxSlpvZo9HdgbwOJZZKubojOkLOAuxuktWzRY/gd2qrFE/WGbkU/LoDPhclCnFnhdPtY UacV6uvYakY2xPBeT2f9pnvzvYLJ/o1hgTq4CbbOD9gmW58MsSmJ5ufAsvcaSV5giLH9 4/qER04+ZZ0w9IxYdcDHxhssrA0CxSLaaUVcv+T/h5li57CvQ7oDa9Po1hnGaG3uwt17 V6dw==
X-Gm-Message-State: AOAM533tBdP4IDoYo/V8eBN/j10Knhc23oxVJgFMPYFuif+BjT0FGYU5 8HF7F7wwgHQdNGEmj23aIS4s3uZP5mtwULOMWn0=
X-Google-Smtp-Source: ABdhPJx48CZg2vPD2A2MOhkihAoQx3ks5qppQ5R2ooOz7Ex3Q4XzH0l0Z+iaS5djs9PuLqTN7ZuNAmT5mndmdIfnIRM=
X-Received: by 2002:a02:4:: with SMTP id 4mr4458403jaa.121.1606328543311; Wed, 25 Nov 2020 10:22:23 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CABUE3Xm5A+6Jrw64ZnxUbu_avy5UNi3m2cUsiKzMJ-_BviiNrg@mail.gmail.com>
In-Reply-To: <CABUE3Xm5A+6Jrw64ZnxUbu_avy5UNi3m2cUsiKzMJ-_BviiNrg@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 25 Nov 2020 10:22:14 -0800
Message-ID: <CAM4esxQpymtFa4OkGXG2QojLi9NXGWjMzj=TWfeGAxCaeaZkeQ@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000377c0c05b4f282b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/UMluZlthNvDhkQV-ULnxSOfPMwg>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 18:22:29 -0000

Hi Tal,

I believe this text adequately describes my concerns, so you've done what
you can in terms of updating the draft. Thanks.

I am increasingly skeptical that protocols with these dynamics are a good
thing to deploy in the internet, regardless of what we put in the Security
Considerations. I would certainly like to hear the opinions of other people
in the WG on this topic.

Martin

On Wed, Nov 25, 2020 at 1:34 AM Tal Mizrahi <tal.mizrahi.phd@gmail.com>
wrote:

> Hi Martin,
>
> Thanks for raising these points.
> We have discussed these points today at the IOAM design team meeting,
> and we suggest to mention these scenarios in the drafts.
> We believe the reader should be aware of these scenarios, but that the
> mitigations that are already described in the draft are sufficient at
> this point.
>
> Regarding issue (1) the following  text is proposed to be added to the
> security considerations section of the flag draft:
>
> Some of the security threats that were discussed in this document may
> be worse in a wide area network in which there are nested IOAM
> domains. For example, if there are two nested IOAM domains that use
> loopback, then a looped-back copy in the outer IOAM domain may be
> forwarded through another (inner) IOAM domain and may be subject to
> loopback in that (inner) IOAM domain, causing the amplification to be
> worse than in the conventional case.
>
>
> Regarding issue (2), the following text is proposed for the DEX draft:
>
> The amplification effect of DEX may be worse in wide area networks in
> which there are multiple IOAM domains. For example, if DEX is used in
> IOAM domain 1 for exporting IOAM data to a receiving entity, then the
> exported packets of domain 1 can be forwarded through IOAM domain 2,
> in which they are subject to DEX. The exported packets of domain 2 may
> in turn be forwarded through another IOAM domain (or through domain
> 1), and theoretically this recursive amplification may continue
> infinitely.
>
> Thanks,
> Tal.
>
> On Mon, Nov 16, 2020 at 7:45 AM Martin Duke <martin.h.duke@gmail.com>
> wrote:
> >
> > I recognize that the loopback and direct export drafts discuss potential
> amplification results, as a path of length N will generate N packets for
> each IOAM packet -- a linear relationship. As these are discussed in the
> draft with proposed mitigation, in an editorial sense the job is done.
> Whether giving people this kind of foot gun is a good idea is a separate
> question, but reasonable people can disagree.
> >
> > However, if I understand correctly, certain pathological combinations of
> IOAM namespaces could result in amplification far worse than linear.
> >
> > 1) Loopback loops
> > Imagine there is an IOAM namespace that covers the path from Hop A to
> Hop D. There is a separate namespace entirely contained in A-D, from hop B
> from hop C. Both namespaces enable loopback.
> >                            A
> --------------------------------------------------------D
> >
> B-------------------------------C
> >
> > So a user packet is traveling from A to D. There will be (D-A) loopback
> packets headed towards A. The (D - C) loopback packets that generated
> between C and D will travel through the encapsulating node at C and then
> trigger further loopbacks to C. Thus the total number of packets generated
> by the single user packet is
> > (D - A) + (D - C)(C - B)
> > and obviousy there could be several of these smaller namespaces, or
> nested namespaces, that aggravate the amplification further.
> >
> > 2) Direct Export
> > Direct Export potentially has even worse properties. Suppose namespace
> A, N_A hops across, direct exports to a node that is reachable across
> namespace B. Namespace B, N_B hops across, direct exports to a node
> reachable across namespace A.
> >
> > Thus a single user packet sent over namespace A will generate N_A
> packets that traverse Namespace B. This will, in turn, generate N_A * N_B
> packets that traverse namespace A, which in turn triggers N_A ^ 2 * N_B
> packets, and so on.
> >
> > In fact, if the namespaces direct export with probability exactly,1/N_A
> and 1/N_B, the same level of traffic will ping-pong infinitely. Any more
> than that, and the traffic will steadily increase to infinity. If the
> probability is 1, the growth is exponential.
> >
> > ****************
> >
> > This analysis, if correct, raises three questions that I can think of:
> > - Are these corner cases plausible?
> > - If so, and they occurred, would the namespace administrators
> necessarily be aware of each other? If not, I'm concerned that this is
> unsafe to deploy.
> > - Do phenomena like this indicate that the design is brittle and putting
> in some "considerations" doesn't really mitigate the dangers here?
> >
> > Martin
> >
> >
> >
> >
> > _______________________________________________
> > ippm mailing list
> > ippm@ietf.org
> > https://www.ietf.org/mailman/listinfo/ippm
>

v2.23.0 | Report a Bug | By Email