Re: [ippm] Is loopback/direct export amplification worse than linear?
Greg Mirsky <gregimirsky@gmail.com> Sat, 05 December 2020 01:54 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7E923A1187 for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 17:54:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LV1-9dARwsCO for <ippm@ietfa.amsl.com>; Fri, 4 Dec 2020 17:54:45 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BEB83A1188 for <ippm@ietf.org>; Fri, 4 Dec 2020 17:54:44 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id z21so10234111lfe.12 for <ippm@ietf.org>; Fri, 04 Dec 2020 17:54:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jhed0osT1LBYFTUXAHEHBjDLJjHihEjBO7A3b7FpPNE=; b=Z4PAAfTW/Z0pZZsxEKsCg/e2puoFOkro3fn2QNII/n3tkri5ZLwDBiH2R37NygjgQo UNs2WdkwlzvOg+LSYn3YoYGQ0i9zpxKGkvTEB8AGBOC44dok9wzPGzgxKLK3NyNzRZGN kUoIq/Pu8E3ZbqIo3K78WRM2H0jP7Hl5N8HJzd1kjpabQPDnCkaYAz44R4VWF99cr2SK QJZ88KIirq5YXpI6MVLYv01UnWxjdhVImIzabeVexdVEm8BHso/tx1saxFnuJAIgdkEt 6ah1zm1GUPDfTTi/P6+oL+fwHSve7cUm5YeEvtorz7l061SEDg76o//tyo4bpvrb3lnV qBWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jhed0osT1LBYFTUXAHEHBjDLJjHihEjBO7A3b7FpPNE=; b=dAJeCjTkmn1IN5hPYn7lh24Xl77w/qS21mWtFJozTDU5I9nlJ61RhHSEXxccBu0wZn tFUh7vmKC/+Wf3wz6ZZd5g0ke1PKS9j1DSrJXyp81C9c2vvQSwdLiUDjQL5LWdie8/gZ 9gKlUNWxth1GjVfB89KWW3cCUZcQqaF3DjfiODgpjUZyVV8/BRlTwTTjn8/hV9gMJrin mTtI2FAyoGCRb66wHdAN4pjZx+X1BSDpr4XBHYJv8I19m9T12MgII62qtBnZXWXY/8Kx ccLx+EeqPtJTEt3CpgxvWPuLEFy555xp4/IyS4p/MAZjiQEQc55X7xrqc6JtT5m+0e7D I3ug==
X-Gm-Message-State: AOAM532qzvJrrX3O4We6Q0zfSzeEZtYmCl1fv/ycpYpNYig4hgU89AC6 tFERlSHbswkyNTHHNMVOlH4YoikxDqvUv5tiEhQ=
X-Google-Smtp-Source: ABdhPJyyv7mwXAFwrltq/8oi0TURRsyUOdjvj1PAUT8xTnp81W++DpvoVzKB+p+3LO9caUapSU5tYeWSDQBsXzJBh+g=
X-Received: by 2002:a19:500a:: with SMTP id e10mr1182739lfb.193.1607133282860; Fri, 04 Dec 2020 17:54:42 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com> <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com> <CAM4esxSQEJ=r0WrG=6yg-Cwfa==8kJVxTAi3gmboZgtOsncHdw@mail.gmail.com> <CA+RyBmUyUo2qHgFRTw=cnCzeVuB880D1sGBmPR4tPtRhdYew0g@mail.gmail.com> <CAM4esxQbx-HYgc9O4stg22aUO1ZLG5Q5VtyztqjsrTf-yta54A@mail.gmail.com>
In-Reply-To: <CAM4esxQbx-HYgc9O4stg22aUO1ZLG5Q5VtyztqjsrTf-yta54A@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Fri, 04 Dec 2020 17:54:32 -0800
Message-ID: <CA+RyBmWq5v4GY5G+M+ivS04ZUQVf_RphOxpDSMAWTDFJvWMtyg@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>, Greg Mirsky <gregory.mirsky@ztetx.com>
Content-Type: multipart/alternative; boundary="0000000000006e822905b5ade0b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/VtYFodcXU534oTcSiB1R9mHIsNk>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 01:54:49 -0000
Hi Martin, thank you for the clarification, I've missed that scenario. I'll need to look through all proposed IOAM encapsulations again. For some reason, I was assuming that the presence of IOAM in a data packet is always explicitly encoded and that can be used to differentiate between an IOAM and non-IOAM packet. Regards, Greg On Fri, Dec 4, 2020 at 5:12 PM Martin Duke <martin.h.duke@gmail.com> wrote: > My argument is that it doesn't matter if the DEX is non-IOAM; the point is > if the signature of this packet happens to match the criteria on some other > IOAM domain, we end up in trouble. > > On Fri, Dec 4, 2020 at 4:53 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > >> Hi Martin, >> I thought of them as "concerns" ;) >> I share your concerns regarding the impact of the Loopback flag. I think >> that if the returned packet travels back out-of-band, not as IOAM-esque >> packet that might mitigate some risks associated with the Loopback. And >> though I don't think that the DEX draft explicitly states that the IOAM >> data collected on a node is exported to a collector out-of-band, i.e., not >> as an IOAM packet, as well, I'd like the WG to consider this approach. >> The rest of my notes reflect my earlier comments. >> >> Regards, >> Greg >> >> On Fri, Dec 4, 2020 at 2:53 PM Martin Duke <martin.h.duke@gmail.com> >> wrote: >> >>> thanks Greg. >>> >>> I hope I'm understanding you correctly these are critiques of the drafts >>> largely unrelated to mine? >>> >>> On Wed, Dec 2, 2020 at 3:06 PM Greg Mirsky <gregimirsky@gmail.com> >>> wrote: >>> >>>> Hi Martin, >>>> thank you for highlighting some troublesome characteristics of using >>>> the Loopback flag in IOAM. I agree that draft-ietf-ippm-ioam-flags could >>>> tighten up the description of scenarios when the Loopback flag is used. >>>> Also, it seems that the behavior of Direct Export >>>> <https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/?include_text=1> can >>>> benefit from more clarifications. Now I've read both drafts taking notes >>>> and present them to you below: >>>> *draft-ietf-ippm-ioam-flags:* >>>> >>>> - draft-ietf-ippm-ioam-data defined IOAM as a method to record >>>> "operational and telemetry information in the packet while the packet >>>> traverses a path between two points in the network". It is an example of a >>>> hybrid measurement method, per RFC 7799 classification. The introduction of >>>> the Loopback and Active flags clearly makes IOAM into an active method and >>>> thus it should be discussed as a protocol that originates test packets, >>>> including potential security threats it may be used to create. >>>> - If the purpose of the Loopback flag is producing a series of >>>> responses from traversed nodes, then it might be much easier to use not a >>>> copy of the original packet but a different packet to respond to the sender >>>> (similar to CFM's LTM/LTR). That will avoid any risk of reverse-path >>>> amplification. >>>> - It is not clear what kind of path is expected in "a return path >>>> from transit nodes and destination nodes towards the source (encapsulating >>>> node) exists"? For example, if IOAM is used in an SFC environment, would >>>> Loopback require the use of an SFP to the sender? >>>> - It is not clear what establishes "the identity of the [IOAM] >>>> encapsulating node". Some examples would be helpful. >>>> - There seems to be a disconnect in handling unexpected looped IOAM >>>> packet: >>>> >>>> In the second paragraph Section 4 it is stated: >>>> "If an encapsulating node receives a looped back packet that was not >>>> originated from the current encapsulating node, the packet is dropped." >>>> >>>> But in the second from the last paragraph of the same section is noted >>>> that: >>>> "If there is no match in the Node ID, the packet is processed like a >>>> conventional IOAM-encapsulated packet." >>>> >>>> >>>> - The following probably may be expressed using the definitions >>>> from the IANA registry: >>>> >>>> An IOAM trace option that has the loopback bit set MUST have the >>>> value '1' in the most significant bit of IOAM-Trace-Type, and '0' in >>>> the rest of the bits of IOAM-Trace-Type. >>>> >>>> like that: >>>> An IOAM Trace Option that has the Loopback bit set MUST have the >>>> "hop_Lim and node_id in short format" bit set IOAM-Trace-Type, and >>>> MUST >>>> have all other bits of IOAM-Trace-Type cleared. >>>> >>>> >>>> - What is the value of collecting "hop_Lim and node_id in short >>>> format" on the return path of a packet looped back by an intermediate node? >>>> As I understand it, only that information can be collected if the Loopback >>>> flag is set. Please correct me if that is not the case. >>>> - Can you point where it is specified that when using the Loopback >>>> "the packet does not have any payload"? Earlier in Section 4 action of an >>>> intermediate node is explained: >>>> >>>> A loopback bit that is set indicates to the transit nodes processing >>>> this option that they are to create a copy of the received packet and >>>> send the copy back to the source of the packet. >>>> >>>> One can understand that the looped back packet is a carbon copy of the >>>> original packet less the Loopback flag being cleared. And the actions of >>>> the encapsulating node are described as: >>>> The encapsulating node either generates synthetic packets with an >>>> IOAM trace option that has the loopback flag set, or sets the loopack >>>> flag in a subset of the in-transit data packets. >>>> >>>> Which suggests that, at least in the latter case, the packet with the >>>> Loopback flag set does have a payload. >>>> >>>> >>>> - One of the essential aspects of defining an active measurement >>>> protocol is the specification of the expected rates that test packets be >>>> generated for the intended purpose of the protocol. Some protocols provide >>>> a mechanism to negotiate that rate either through its control-plane >>>> component or as part of bringing the test session to Up state. I couldn't >>>> find any discussion of the expected purpose of using the Active flag, nor >>>> sufficient information that would help to set reasonable limits on >>>> processing packets with the Active flag set. Also, even though the document >>>> is on the Standards track, I find normative language in relation to the >>>> security impact of Loopback and Active flags being underused. >>>> - Applying rate limits throughout the IOAM domain might be >>>> cumbersome. I think that stronger security methods must be defined making >>>> using the Loopback and Active options more secure. For example, using >>>> authentication to ensure the identity of the encapsulating IOAM node that >>>> imposed the Loopback or Active option. >>>> >>>> *draft-ietf-ippm-ioam-direct-export* >>>> >>>> - Section 3.1 includes very important assumption: >>>> >>>> The option [DEX] can be read but not modified by transit nodes. >>>> >>>> That brings the question What protects the DEX option in particular and >>>> IOAM-Option-Types in general? >>>> >>>> >>>> - The description of the processing of the DEX option by >>>> encapsulating, transit, and decapsulating nodes in an IOAM domain in all >>>> cases states "MAY export the requested IOAM data". What are other possible >>>> behaviors of nodes processing the DEX option? >>>> - In the last paragraph of Section 3.1 stated: >>>> >>>> A transit IOAM node that does not support the DEX option SHOULD >>>> ignore it. >>>> >>>> What are other allowed behaviors of a node, whether transit or >>>> decapsulating? Report an error? Discard the packet with the DEX option? >>>> >>>> >>>> - Though considerations for performance impact at a collector(s) is >>>> sensible, it seems that the impact on the node exporting telemetry >>>> information triggered by the DEX should also be considered. >>>> - Applying rate limits throughout the IOAM domain might be >>>> cumbersome. I think that there could be other methods to improve the >>>> security of the DEX option. >>>> - I can understand that the identity of a collector(s) of exported >>>> information can be provisioned via the management or control plane. But I >>>> also believe that there must be a discussion of why the Loopback option is >>>> not a special case of the DEX option. >>>> >>>> Regards, >>>> Greg >>>> >>>> On Sun, Nov 15, 2020 at 9:45 PM Martin Duke <martin.h.duke@gmail.com> >>>> wrote: >>>> >>>>> I recognize that the loopback and direct export drafts discuss >>>>> potential amplification results, as a path of length N will generate N >>>>> packets for each IOAM packet -- a linear relationship. As these are >>>>> discussed in the draft with proposed mitigation, in an editorial sense the >>>>> job is done. Whether giving people this kind of foot gun is a good idea is >>>>> a separate question, but reasonable people can disagree. >>>>> >>>>> However, if I understand correctly, certain pathological combinations >>>>> of IOAM namespaces could result in amplification far worse than linear. >>>>> >>>>> 1) Loopback loops >>>>> Imagine there is an IOAM namespace that covers the path from Hop A to >>>>> Hop D. There is a separate namespace entirely contained in A-D, from hop B >>>>> from hop C. Both namespaces enable loopback. >>>>> A >>>>> --------------------------------------------------------D >>>>> >>>>> B-------------------------------C >>>>> >>>>> So a user packet is traveling from A to D. There will be (D-A) >>>>> loopback packets headed towards A. The (D - C) loopback packets that >>>>> generated between C and D will travel through the encapsulating node at C >>>>> and then trigger further loopbacks to C. Thus the total number of packets >>>>> generated by the single user packet is >>>>> (D - A) + (D - C)(C - B) >>>>> and obviousy there could be several of these smaller namespaces, or >>>>> nested namespaces, that aggravate the amplification further. >>>>> >>>>> 2) Direct Export >>>>> Direct Export potentially has even worse properties. Suppose namespace >>>>> A, N_A hops across, direct exports to a node that is reachable across >>>>> namespace B. Namespace B, N_B hops across, direct exports to a node >>>>> reachable across namespace A. >>>>> >>>>> Thus a single user packet sent over namespace A will generate N_A >>>>> packets that traverse Namespace B. This will, in turn, generate N_A * N_B >>>>> packets that traverse namespace A, which in turn triggers N_A ^ 2 * N_B >>>>> packets, and so on. >>>>> >>>>> In fact, if the namespaces direct export with probability >>>>> exactly,1/N_A and 1/N_B, the same level of traffic will ping-pong >>>>> infinitely. Any more than that, and the traffic will steadily increase to >>>>> infinity. If the probability is 1, the growth is exponential. >>>>> >>>>> **************** >>>>> >>>>> This analysis, if correct, raises three questions that I can think of: >>>>> - Are these corner cases plausible? >>>>> - If so, and they occurred, would the namespace administrators >>>>> necessarily be aware of each other? If not, I'm concerned that this is >>>>> unsafe to deploy. >>>>> - Do phenomena like this indicate that the design is brittle and >>>>> putting in some "considerations" doesn't really mitigate the dangers here? >>>>> >>>>> Martin >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> ippm mailing list >>>>> ippm@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/ippm >>>>> >>>>
- [ippm] Is loopback/direct export amplification wo… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Tal Mizrahi
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Haoyu Song
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky
- Re: [ippm] Is loopback/direct export amplificatio… Martin Duke
- Re: [ippm] Is loopback/direct export amplificatio… Greg Mirsky