Re: [ippm] Shepherd Review of draft-ietf-ippm-stamp-05
Greg Mirsky <gregimirsky@gmail.com> Mon, 22 April 2019 17:01 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68BA012012B; Mon, 22 Apr 2019 10:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level:
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0KQKvFcom_n; Mon, 22 Apr 2019 10:01:22 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 261CA120091; Mon, 22 Apr 2019 10:01:21 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id u17so9480792lfi.3; Mon, 22 Apr 2019 10:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BLIga0CDyV82UjHE38lNX25FDO6tJry8uAI6TIM1qKQ=; b=Sb40+UXbPCmfQskOnwwjB2HT7S+2UhIyb8ztIBD3oTkjItwRkrmcFLTZoCkovOTW4g tu7tgodX25jMHHOIVTFggIy7G6p2LcpdaxBC/h0+JkQs7cJOU/wvthSOvdwIFZE7N3tt NcOfb9DX1U4f2OIBm5E6xjmrGdfZCTxihp3bxyirmaKM2pp87Sci0BxiwEJ5zYEEbjzq fztnShqIAhwasvH6vjRW+9Kx+2kt8S6YWtZe7QtxTt1yoQm1uD2y/4weJcwh2QbIW/nx /m91s2WSPe3XMrVSalNi3qlNU89YybE5OM8olimhMiplqwcqecW0Ejm0jSs6uYQPAUHV r8Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BLIga0CDyV82UjHE38lNX25FDO6tJry8uAI6TIM1qKQ=; b=M+yJomx3kyy1bu9yYdujJ1ZL0QPpWbU6pafQQgwy3h9tz2a2G8ZI0R84/d19u5zvmo AVusGVSamwGc80PGrElfkwpZYrT7Fbx1AhpsH+Df9X0g50LddoNzmXVqjPcgf+kurlxf bL7qV4gQff9vtFL+uqnBHGqUiWOgWtzEJnqDSFrpBjqZVWhoUE8cenoUUR9zfY0hOT1Y WNVUBzO9EZo1+WxwElwyyITxNqzgDwIwHGwkc8sxUP+bgIhF5FaaQmDd1ITNoA69R4TB 2gvEYJuTkNgNbZbvnD1zQUQ2ow16asJ0loCueidIFiwd42St+ZAeH8GGE/nPavrmx+oP S8Jw==
X-Gm-Message-State: APjAAAV1Ycn9Nax3MGI9fBKF/KcSRE4+CEwNQs6pImxndJdighGR7Xql 88yJYp3wRSf1bnD2JwtkKqBTe3BGFZCy/xV2SrI=
X-Google-Smtp-Source: APXvYqwYryDY1M9tPpN9aReXXt4JkpK5PKfIqDJd615Am3any5EkoSepw3qDTFnGkPTTFYWArE422opoS5pQrjrp7Ys=
X-Received: by 2002:a19:7014:: with SMTP id h20mr11352184lfc.158.1555952479229; Mon, 22 Apr 2019 10:01:19 -0700 (PDT)
MIME-Version: 1.0
References: <CABUE3XmYJM_GC-ntFnt3Gk0376CGjz6HtXxcyKaZ=D=xnWeGMw@mail.gmail.com>
In-Reply-To: <CABUE3XmYJM_GC-ntFnt3Gk0376CGjz6HtXxcyKaZ=D=xnWeGMw@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 22 Apr 2019 10:01:07 -0700
Message-ID: <CA+RyBmXWG5DEpjgvgDcUfKP6_2kSCm_zhE7EKaek7SE9xfUKHQ@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Cc: "Foote, Footer (Nokia - CA)" <footer.foote@nokia.com>, guo.jun2@zte.com.cn, Henrik Nydell <hnydell@accedian.com>, IETF IPPM WG <ippm@ietf.org>, IPPM Chairs <ippm-chairs@ietf.org>
Content-Type: multipart/mixed; boundary="000000000000d0001a0587216a08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/Wni51dfSW-UMgi7EwmKtKuTnYIA>
Subject: Re: [ippm] Shepherd Review of draft-ietf-ippm-stamp-05
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 17:01:28 -0000
Hi Tal, please find the proposed updates in-lined and tagged GIM>>. Also, attached are the diff and the updated working version of the draft. Much appreciate your comments. Regards, Greg On Sun, Apr 14, 2019 at 10:54 PM Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote: > Dear Authors, > > Having reviewed the document, I found that it is clear and > straightforward, and that it is almost ready to be submitted to the IESG, > with a few minor comments below. > > I will highly appreciate if you can post an updated draft, and afterwards > we will proceed with the publication process. > > Thanks, > Tal. > > > Comments: > > - Section 1: I would suggest to mention that TWAMP Light is a lightweight > architecture of a TWAMP deployment that is presented in RFC 5357. > GIM>> I've used the characterization of the TWAMP Light as provided in RFC 8545: OLD TEXT: One of such is Performance Measurement from IP Edge to Customer Equipment using TWAMP Light from Broadband Forum ([BBF.TR-390]). NEW TEXT: One of such is Performance Measurement from IP Edge to Customer Equipment using TWAMP Light from Broadband Forum [BBF.TR-390] used as the reference TWAMP Light that, according to [RFC8545], includes sub-set of TWAMP-Test functions in combination with other applications that provide, for example, control and security. - Section 2: > - The term OSS/BSS should be defined. > - The acronym SDN should be spelled out in its first appearance. > GIM>> I've added the explanation of what OSS/BSS does and removed the SDN acronym as it is the only place being used in the draft: OLD TEXT: Command Line Interface, OSS/BSS using SNMP or SDN using Netconf/YANG are but a few examples. NEW TEXT: Command Line Interface, OSS/BSS (operations support system/business support system as a combination of two systems used to support a range of telecommunication services) using SNMP or controllers in Software-Defined Networking using Netconf/YANG are but a few examples. - Section 4: > - "Unauthenticated STAMP test packets are compatible on the wire with > unauthenticated TWAMP-Test [RFC5357] packet formats." > Please explain what "compatible" means. The format defined in STAMP is > identical to RFC 5357? Can be configured to a specific mode in which it is > identical to RFC 5357? An RFC 5357 TWAMP node can interoperate with a STAMP > node? You may want to add a reference here to section 4.4. > GIM>> Thank you for the detailed questions and the recommendation. Please consider the update below: OLD TEXT: Unauthenticated STAMP test packets are compatible on the wire with unauthenticated TWAMP-Test [RFC5357] packet formats. NEW TEXT: Unauthenticated STAMP test packets, defined in Section 4.1.1 and Section 4.2.1, ensure interworking between STAMP and TWAMP Light as described in Section 4.4. packet formats. - Section 4.1.1.: > - Please clarify that the timestamp field is as specified in RFC 5357 and > RFC 8186. > GIM>> I've added references to RFC 5357 and RFC 8186 as follows: OLD TEXT: o Timestamp is eight octets long field. STAMP node MUST support Network Time Protocol (NTP) version 4 64-bit timestamp format [RFC5905]. STAMP node MAY support IEEE 1588v2 Precision Time Protocol truncated 64-bit timestamp format [IEEE.1588.2008]. NEW TEXT: o Timestamp is eight octets long field. STAMP node MUST support Network Time Protocol (NTP) version 4 64-bit timestamp format [RFC5905], the format used in [RFC5357]. STAMP node MAY support IEEE 1588v2 Precision Time Protocol truncated 64-bit timestamp format [IEEE.1588.2008], the format used in [RFC8186]. - "The Reflect Octets capability defined in [RFC6038]." ==> "This field is > used for the Reflect Octets capability defined in [RFC6038]." > GIM>> Thank you for the helpful suggestion. Done. - Section 4.1.2. + 4.2.2. + 4.3: > - Please clarify that the HMAC field is as defined in RFC 5357, and covers > the same fields as defined in RFC 5357. > GIM>> Hashed Message Authentication Code is defined in RFC 2104. Unlike OWAMP or TWAMP that use HMAC-SHA-1, in STAMP we use HMAC-SHA-256. And in STAMP HMAC also protects optional extensions. I hope that the addition of the forward reference to Section 4.3 in 4.1.2 and 4.2.2 is acceptable. > - Section 4.2.1.: > - "the TTL field" ==> "the TTL field in IPv4 (or Hop Limit in IPv6)" > GIM>> Thank you. Accepted and done. > - Section 4.3: > - "If confidentiality protection for STAMP is required, encryption at the > higher level MUST be used." > Please elaborate, preferably with an example. IPsec is at a lower layer > than STAMP, so not sure "higher level" is clear to the reader. > GIM>> STAMP can be sent over its IPsec tunnel or share the IPsec tunnel of the flow which performance is monitored. Please consider this update: OLD TEXT: If confidentiality protection for STAMP is required, encryption at the higher level MUST be used. NEW TEXT: If confidentiality protection for STAMP is required, encryption at the higher level MUST be used. For example, STAMP packets could be transmitted in the dedicated IPsec tunnel or share the IPsec tunnel with the monitored flow. - Section 5: > - This section should be more detailed. You may want to say that the > general security considerations of TWAMP are discussed in RFC 5357. You may > also want to explain that the main difference between STAMP and TWAMP is > the control plane, and you may want to make note that STAMP configuration > procedures should be secured in order to mitigate attacks at the control > plane. > GIM>> Yes, agree. The Security Considerations section is a bit terse. Here's the updated text: 6. Security Considerations In general, all the security considerations related to TWAMP-Test, discussed in [RFC5357]apply to STAMP. Since STAMP uses the well- known UDP port number allocated for the OWAMP-Test/TWAMP-Test Receiver port, the security considerations and measures to mitigate the risk of the attack using the registered port number documented in Section 6 [RFC8545] equally apply to STAMP. Because the control and management of a STAMP test are outside the scope of this specification only the more general requirement is set: To mitigate the possible attack vector, the control and management of a STAMP test session MUST use the secured transport. Use of HMAC-SHA-256 in the authenticated mode protects the data integrity of the STAMP test packets. - References: > - I suggest to move "[BBF.TR-390]" to the informative references. > GIM>> Agreed and done. > - draft-ietf-ippm-port-twamp-test ==> RFC 8545. > GIM>> Done > - Minor nit: > - "less the length" ==> "minus the length" > GIM>> Thank you. Done.
- [ippm] Shepherd Review of draft-ietf-ippm-stamp-05 Tal Mizrahi
- Re: [ippm] Shepherd Review of draft-ietf-ippm-sta… Greg Mirsky
- Re: [ippm] Shepherd Review of draft-ietf-ippm-sta… Greg Mirsky
- Re: [ippm] Shepherd Review of draft-ietf-ippm-sta… Tal Mizrahi