IETF Logo Mail Archive

Re: [ippm] Progressing draft-ietf-ippm-ioam-conf-state

"Chengli (Cheng Li)" <c.l@huawei.com> Wed, 22 December 2021 02:42 UTC

Return-Path: <c.l@huawei.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FB913A0922 for <ippm@ietfa.amsl.com>; Tue, 21 Dec 2021 18:42:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSR-3zd8wekG for <ippm@ietfa.amsl.com>; Tue, 21 Dec 2021 18:42:14 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BCB43A0921 for <ippm@ietf.org>; Tue, 21 Dec 2021 18:42:14 -0800 (PST)
Received: from fraeml708-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4JJcxf1Fnlz6GDRB for <ippm@ietf.org>; Wed, 22 Dec 2021 10:40:22 +0800 (CST)
Received: from dggpemm500002.china.huawei.com (7.185.36.229) by fraeml708-chm.china.huawei.com (10.206.15.36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Wed, 22 Dec 2021 03:42:09 +0100
Received: from dggpemm500003.china.huawei.com (7.185.36.56) by dggpemm500002.china.huawei.com (7.185.36.229) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Wed, 22 Dec 2021 10:42:08 +0800
Received: from dggpemm500003.china.huawei.com ([7.185.36.56]) by dggpemm500003.china.huawei.com ([7.185.36.56]) with mapi id 15.01.2308.020; Wed, 22 Dec 2021 10:42:08 +0800
From: "Chengli (Cheng Li)" <c.l@huawei.com>
To: "Frank Brockners (fbrockne)" <fbrockne=40cisco.com@dmarc.ietf.org>, "xiao.min2@zte.com.cn" <xiao.min2@zte.com.cn>, "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
Thread-Index: AQHX8nwd6XKcbCQuZ0umkB2stYpoLqw907rA
Date: Wed, 22 Dec 2021 02:42:07 +0000
Message-ID: <2d7b51fa857f478bafa84b81382e5363@huawei.com>
References: <202112101500302348450@zte.com.cn> <CY4PR11MB1672EE19AF2E99EE77BAF5D3DA779@CY4PR11MB1672.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR11MB1672EE19AF2E99EE77BAF5D3DA779@CY4PR11MB1672.namprd11.prod.outlook.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.112.40.81]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/Um5o0vbiPoJjLE2Wa7kOD6nxQeU>
Subject: Re: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Dec 2021 02:42:19 -0000

I would like to echo with the security part, cause I have the same considerations with Frank's. 

The most important question should be answered by the authors should be: how to use this mechanism is what environment? And how to ensure the security? 

P2P IPSec connection needs to be built among your network, so N nodes will need N*(N-1)/2*2 connections are needed(full-mesh and bidirectional). Is it worth to do it only for getting iOAM capabilities info? Or may be we can collect it by a controller via NETCONF/YANG or BGP-LS?  Why do we do it in data plane?


Respect,
Cheng


'''
* Security: Revision -02 does not seem to update the security section. IMHO, section 6 on security considerations should be enhanced to clearly articulate that we're dealing with very sensitive information. Consider loaning from e.g., https://datatracker.ietf.org/doc/html/rfc6241#section-9. As part of the discussion, it would be good to see an explanation where you'd expect  draft-ietf-ippm-ioam-conf-state to be used. Given the discussion in the Introduction section, you seem to assume an environment that does not have a central network management station / controller in place. Or in other terms, you seem to target a deployment, which isn't a limited domain per RFC 8799. In that case, I would expect that we have normative language that requires the use of strong authentication and encryption between the nodes (i.e., MUST use ICMP with AH and ESP..).
'''





-----Original Message-----
From: ippm [mailto:ippm-bounces@ietf.org] On Behalf Of Frank Brockners (fbrockne)
Sent: Thursday, December 16, 2021 8:54 PM
To: xiao.min2@zte.com.cn; ippm@ietf.org
Subject: Re: [ippm] Progressing draft-ietf-ippm-ioam-conf-state

Hi Xiao Min,

Thanks for posting draft-ietf-ippm-ioam-conf-state-02. I read through the updated version and looked at the diff to the 01 version (https://www.ietf.org/rfcdiff?url1=draft-ietf-ippm-ioam-conf-state-01&url2=draft-ietf-ippm-ioam-conf-state-02). Different from what you state below, I don't see any of my comments reflected. 
The two main points I mentioned in the last WG meeting were about (a) alignment with draft-ietf-ippm-ioam-yang and (b) enhancements to the security section, reflecting that the protocol you are defining is a network management protocol, and needs to be secured as such. 

More specifically: 
* Alignment with draft-ietf-ippm-ioam-yang: 
The IPPM WG is in the process of defining a YANG module for IOAM: draft-ietf-ippm-ioam-yang. We should have a single, comprehensive model for config information for IOAM. That model can then be rendered into different transports (be it JSON, XML, or yet another format - to then be carried over a e.g. ICMP in your case). Right now draft-ietf-ippm-ioam-conf-state heads down a path of defining a new set of management objects - many are similar to what draft-ietf-ippm-ioam-yang already defines, some they are less comprehensive, some hint at additional information that draft-ietf-ippm-ioam-yang does not cover yet: E.g.,  you define a "Pre-allocated Tracing Capabilities Object" where draft-ietf-ippm-ioam-yang  has a "Preallocated Tracing Profile" defined. You define ingress interface fields, which is information, which is more comprehensively defined by the ioam-filter grouping. You define specific fields to describe the timestamp format used by a node, which is information that should be described as part of the ioam-info container - and which is currently missing in draft-ietf-ippm-ioam-yang; point well taken :-). It is interesting to note that draft-ietf-ippm-ioam-conf-state does not even reference draft-ietf-ippm-ioam-yang.
From my perspective we should have one single data model for IOAM configuration - and that is the YANG module defined in draft-ietf-ippm-ioam-yang. Let's make sure that this model covers all the information required to properly manage IOAM. Then draft-ietf-ippm-ioam-conf-state would be solely focused on defining how that YANG module (from draft-ietf-ippm-ioam-yang) would be rendered into e.g., ICMP as a carrier protocol. 

* Security: Revision -02 does not seem to update the security section. IMHO, section 6 on security considerations should be enhanced to clearly articulate that we're dealing with very sensitive information. Consider loaning from e.g., https://datatracker.ietf.org/doc/html/rfc6241#section-9. As part of the discussion, it would be good to see an explanation where you'd expect  draft-ietf-ippm-ioam-conf-state to be used. Given the discussion in the Introduction section, you seem to assume an environment that does not have a central network management station / controller in place. Or in other terms, you seem to target a deployment, which isn't a limited domain per RFC 8799. In that case, I would expect that we have normative language that requires the use of strong authentication and encryption between the nodes (i.e., MUST use ICMP with AH and ESP..).

In addition to the above, I struggle to understand the "Operational Guide" in section 4: Could you shed a bit more light on how you expect things to work - and what a target deployment environment would look like? It seems that you assume that you don't know the network nor the destination addresses in your network: Do you expect that you would do regular "ICMP echo sweeps" in your network? Do you expect that, while doing the expanding ring search, an ICMP time exceeded message would also carry the "IOAM Capabilities Response Container Header", so that the capabilities container would not only be carried in the echo reply message but also in the time exceeded message? 

Thanks, Frank

(BTW - Note that due to the upcoming holiday season, replies might be delayed).

> -----Original Message-----
> From: ippm <ippm-bounces@ietf.org> On Behalf Of xiao.min2@zte.com.cn
> Sent: Friday, 10 December 2021 08:01
> To: ippm@ietf.org
> Subject: [ippm] Progressing draft-ietf-ippm-ioam-conf-state
> 
> Hi IPPM WG,
> 
> The -02 version of draft-ietf-ippm-ioam-conf-state has been posted.
> There are mainly two changes, one is on IOAM Tracing Capabilities 
> Objects to make them applicable to ICMPv6 extensions, another one is 
> on IOAM Proof-of- Transit Capabilities Object to make it aligned with 
> the updated IOAM-Data document.
> Also note that I've had an offline discussion with wg chairs and Frank 
> Brockners, my conclusion is that Frank's concern raised at IETF 112 
> has been addressed. If that's not the case, please speak up.
> With that said, I think this draft is ready for WGLC.
> 
> Best Regards,
> Xiao Min
> 
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm
_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email