Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)

Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com> Mon, 19 September 2022 09:14 UTC

From: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-ippm-ioam-direct-export@ietf.org" <draft-ietf-ippm-ioam-direct-export@ietf.org>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "tpauly@apple.com" <tpauly@apple.com>
Thread-Topic: Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
Thread-Index: AQHYi/4IVKA9KrRhB0CDiDhy1ymqwK208Y2AgCYAvQCABiDTAIAF5UEA
Date: Mon, 19 Sep 2022 09:14:11 +0000
Message-ID: <783A4A80-6E31-4A09-BD79-596DB79ADB4D@ericsson.com>
References: <165653760608.27520.5309528880057245173@ietfa.amsl.com> <CABUE3Xnz+xg0y2whG0_gZzuxT6Ys9Ad+LDtSmbCaXMvWKEnMVA@mail.gmail.com> <26CD61B5-BDE8-484C-ACD9-5C1C451E2F69@ericsson.com> <CABUE3XmrqdUfG2OYsE=Lc4-QknaE7Qhb47VjsX6MoZx1cW-_zw@mail.gmail.com>
In-Reply-To: <CABUE3XmrqdUfG2OYsE=Lc4-QknaE7Qhb47VjsX6MoZx1cW-_zw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/V57WN3UqWsvRizzC2glmVNK-Zpc>
Subject: Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>

I have noticed that paragraph; however, I didn't immediately interpret it as requiring the use of a secure connection. Maybe we should be a bit more specific/descriptive about what is included in "secure the exported data".

//Zahed

> On 15 Sep 2022, at 17:12, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
> 
> Hi Zahed,
> 
> 
> On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
> <zaheduzzaman.sarker@ericsson.com> wrote:
> 
>> This is good. I haven't noticed any requirements on exporting over a secure connection to a trusted destination in this specification. I may have missed this, could you please point me to that?
> 
> 
> Yes, the following paragraph addresses this topic:
> 
>   Although the exporting method is not within the scope of this
>   document, any exporting method MUST secure the exported data from the
>   IOAM node to the receiving entity.  Specifically, an IOAM node that
>   performs DEX exporting MUST send the exported data to a pre-
>   configured trusted receiving entity that is in the same IOAM domain
>   as the exporting IOAM node.  Furthermore, an IOAM node MUST gain
>   explicit consent to export data to a receiving entity before starting
>   to send exported data.
> 
> Cheers,
> Tal.
> 
> On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
> <zaheduzzaman.sarker@ericsson.com> wrote:
>> 
>> 
>> 
>>> On 18 Aug 2022, at 15:16, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
>>> 
>>> Dear Zahed,
>>> 
>>> Thanks for the comments.
>>> 
>>> Here is an updated version of the draft:
>>> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/
>>> 
>>> Regarding the following DISCUSS point:
>>> 
>>> [snip]
>>>> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
>>>> reviewer's concern on rate limiting the exported traffic triggered by the DEX
>>>> Option-Type as the only protection mechanism
>>>> (https://mailarchive.ietf.org/arch/msg/tsv-art/1WNgYWGJmxLd4f3RAiDk-LJ-S8Y/)
>>>> very valid, but I haven't seen it addressed. In this DISCUSS, I would like to
>>>> bring back attention to that concern and would like to discuss why there should
>>>> not be a circuit-breaker kind of functionality required here.
>>> [snip]
>>> 
>>> The rate limiting is just one of the security measures in this
>>> document. There was a long discussion in the IPPM working group about
>>> amplification attacks and how to mitigate them:
>>> https://mailarchive.ietf.org/arch/msg/ippm/PyfokOEsBBCTtRdNYG-Vr-674Nw/
>>> https://mailarchive.ietf.org/arch/msg/ippm/JNiX94A7fN6tUPsA-VQizQEBWms/
>>> 
>>> Following this discussion, what we came up with in order to mitigate
>>> these attacks is a combination of the following components:
>>> - Rate limiting (1/N) at the encap node.
>>> - Export traffic rate limiting (1/N) at the exporting node.
>>> - No exporting over DEX-enabled tunnels.
>>> - The DEX option is not pushed into packets that already include an IOAM encap.
>>> - Exporting over a secure connection to a trusted destination.
>>> 
>>> We believe that this combination of components, which are discussed in
>>> the document, provides reasonable measures to address the threat.
>> 
>> This is good. I haven't noticed any requirements on exporting over a secure connection to a trusted destination in this specification. I may have missed this, could you please point me to that?
>> 
>> //Zahed
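The list of amplification mitigations in Tal's message above (1/N rate limiting at the encapsulating node, 1/N rate limiting of export traffic at the exporting node, no exporting over DEX-enabled tunnels, no DEX option in packets that already carry an IOAM encapsulation, and export only to a pre-configured trusted receiver in the same IOAM domain) is easiest to reason about as a small model. The following is an added illustration, not code from the draft, the thread or any IOAM implementation: the `Packet`, `EncapNode`, `ExportNode` and `ExportPath` names, the every-N-th-packet counter used for the 1/N limit, and the sample domain and receiver names are all this example's own assumptions.

```python
"""Toy model of the DEX amplification mitigations discussed on the list.
Constructed for illustration; names and the counting-based 1/N limiter are
assumptions of this example, not the draft's normative mechanism."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    """Constructed packet model: only the fields the mitigations inspect."""
    pkt_id: int
    has_ioam_encap: bool = False   # already carries an IOAM encapsulation
    has_dex: bool = False          # carries the DEX option-type


@dataclass
class ExportPath:
    """Constructed description of where exported data would be sent."""
    receiver: str
    domain: str
    dex_enabled_tunnel: bool = False   # the export path itself is a DEX-enabled tunnel


class EncapNode:
    """Encapsulating node: pushes DEX into at most 1 of every N eligible
    packets and never into a packet that already has an IOAM encapsulation."""

    def __init__(self, n: int) -> None:
        if n < 1:
            raise ValueError("N must be >= 1")
        self.n = n
        self._eligible_seen = 0
        self.stats: Dict[str, int] = {"pushed": 0, "skipped_existing_ioam": 0, "skipped_rate_limit": 0}

    def process(self, pkt: Packet) -> Packet:
        if pkt.has_ioam_encap:
            # Never stack DEX on an existing IOAM encap (avoids nested amplification).
            self.stats["skipped_existing_ioam"] += 1
            return pkt
        self._eligible_seen += 1
        if self._eligible_seen % self.n == 0:   # every N-th eligible packet
            pkt.has_dex = True
            self.stats["pushed"] += 1
        else:
            self.stats["skipped_rate_limit"] += 1
        return pkt


class ExportNode:
    """Exporting node: exports data for at most 1 of every N DEX packets, only
    to a pre-configured trusted receiver in its own domain, and never over a
    DEX-enabled tunnel."""

    def __init__(self, n: int, domain: str, trusted_receivers: Set[str]) -> None:
        if n < 1:
            raise ValueError("N must be >= 1")
        self.n = n
        self.domain = domain
        self.trusted = set(trusted_receivers)
        self._dex_seen = 0
        self.stats: Dict[str, int] = {"exported": 0, "rate_limited": 0,
                                      "refused_untrusted": 0, "refused_dex_tunnel": 0}

    def process(self, pkt: Packet, path: ExportPath) -> Optional[dict]:
        if not pkt.has_dex:
            return None                      # nothing to export for this packet
        if path.dex_enabled_tunnel:
            self.stats["refused_dex_tunnel"] += 1
            return None
        if path.domain != self.domain or path.receiver not in self.trusted:
            self.stats["refused_untrusted"] += 1
            return None
        self._dex_seen += 1
        if self._dex_seen % self.n != 0:      # export-side 1/N limit
            self.stats["rate_limited"] += 1
            return None
        self.stats["exported"] += 1
        return {"pkt_id": pkt.pkt_id, "receiver": path.receiver, "domain": path.domain}


def simulate(total: int = 16, encap_n: int = 4, export_n: int = 2):
    """Run `total` constructed packets through an encap node and an exporter
    that sends to a trusted in-domain receiver; returns both stat dicts and
    the list of export records actually emitted."""
    encap = EncapNode(encap_n)
    exporter = ExportNode(export_n, "ioam-domain-A", {"collector-1"})
    path = ExportPath("collector-1", "ioam-domain-A")
    records: List[dict] = []
    for i in range(total):
        rec = exporter.process(encap.process(Packet(i)), path)
        if rec is not None:
            records.append(rec)
    return encap.stats, exporter.stats, records


if __name__ == "__main__":
    print(simulate())
```

With the defaults, 16 transit packets yield 4 DEX-marked packets at the encapsulating node and only 2 export records at the exporting node, so the combined effect of the two limiters is 1/(N_encap * N_export) rather than either limit alone; a misconfigured receiver or a DEX-enabled export tunnel produces no export at all, regardless of rate.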