IETF Logo Mail Archive

Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 15 September 2022 15:13 UTC

Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EC5FC1526FA; Thu, 15 Sep 2022 08:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RphFU2SyZIHl; Thu, 15 Sep 2022 08:13:24 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F70BC1526F3; Thu, 15 Sep 2022 08:13:24 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id a14so20450320ljj.8; Thu, 15 Sep 2022 08:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=UIP3IUWNH1QHzMeUrgNHNRmLIuMG0pI0JTooSP0Z1ig=; b=Yy+c8QWOkMbCFtxznHUUu4su8tSEGlkkI2b2Jb6Fnvuv2AudpBRNl/54uBdPNcxQew XuLrxMajGTWl0tYkIAG52yKePntxM/rrN5Xxu//OBfeLPjFH7oY92eatZ+OTMVbkqqkk UJ7Wcm/fJaCelY8LEnX1g9yryleR97tyzHPl9Qcn/Wl9OT+sNjfWS3hobj0ekqFFzQNg gg1lUjAfYoDkDG9x12vGkOau1lUup8ZDYY2pQysLpe4tIXNbIYtm2kMOn1mUUyBueWTa hSkFArd/RVb+1Nd8E6Rw8Pli0JsBjfLQC+Ry6uB6WToU/TOW+YOJPFWopUdMzYOCP8fY lDKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=UIP3IUWNH1QHzMeUrgNHNRmLIuMG0pI0JTooSP0Z1ig=; b=HOiWdMGftqs+rwar9hy5keFqYnfnJGU8bShOHyE0oMxDs21hljqZBRAxZ5jjNbgfYA tlTsMVJDqZDuyGgyHCTZk0+HDx8N1tfkIrcpxInjLfiRiJOvWL7A/sCds2giFwbFycGq OgoXH+NwXB+7N956jrop6YTQr9dkuk3NuFwxst/OOfba4+w4yoxjP545lMotpYTA2gaK I4TIDHLRnrosYk4GVFAgUDRffqohiBijQ57D/XGuCQx6DS4uOmxYIflAcJh0uGz/fcf7 9MMgJtF1GZR+X4zfDhV05SrdAvIq+/QAHph77tAtO5vv9SxWJ6Qzs9l6YjCigCxfoekj gVow==
X-Gm-Message-State: ACrzQf2Cm7mhEbUl9ArfldWYYZ0D++ar+MOGxP2XY+AUp7LkYsKd/zGL 5Sho1CiozASSSSHXcnz+Kqje142OAXwFyVWTCiQ=
X-Google-Smtp-Source: AMsMyM6TGooFxYn4cV+IY9ybhVlLdhvGcOl7UYjAdWud8/oaaGIn3Ut5hxrB7LbaamQKXu+yGYe/+EfnIO8gAixdFRM=
X-Received: by 2002:a2e:b16d:0:b0:26a:d1da:db8 with SMTP id a13-20020a2eb16d000000b0026ad1da0db8mr64459ljm.217.1663254802095; Thu, 15 Sep 2022 08:13:22 -0700 (PDT)
MIME-Version: 1.0
References: <165653760608.27520.5309528880057245173@ietfa.amsl.com> <CABUE3Xnz+xg0y2whG0_gZzuxT6Ys9Ad+LDtSmbCaXMvWKEnMVA@mail.gmail.com> <26CD61B5-BDE8-484C-ACD9-5C1C451E2F69@ericsson.com>
In-Reply-To: <26CD61B5-BDE8-484C-ACD9-5C1C451E2F69@ericsson.com>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 15 Sep 2022 18:12:20 +0300
Message-ID: <CABUE3XmrqdUfG2OYsE=Lc4-QknaE7Qhb47VjsX6MoZx1cW-_zw@mail.gmail.com>
To: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-ippm-ioam-direct-export@ietf.org" <draft-ietf-ippm-ioam-direct-export@ietf.org>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "tpauly@apple.com" <tpauly@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/Xhgjcy93uYNwTmHUJgHggpfst7M>
Subject: Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2022 15:13:27 -0000

Hi Zahed,


On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
<zaheduzzaman.sarker@ericsson.com> wrote:

> This is good. I haven’t noticed any requirements on exporting over a secure connection to and trusted destination in this specification. I may have missed this, could you please point me to that?


Yes, the following paragraph addresses this topic:

   Although the exporting method is not within the scope of this
   document, any exporting method MUST secure the exported data from the
   IOAM node to the receiving entity.  Specifically, an IOAM node that
   performs DEX exporting MUST send the exported data to a pre-
   configured trusted receiving entity that is in the same IOAM domain
   as the exporting IOAM node.  Furthermore, an IOAM node MUST gain
   explicit consent to export data to a receiving entity before starting
   to send exported data.

Cheers,
Tal.

On Sun, Sep 11, 2022 at 8:37 PM Zaheduzzaman Sarker
<zaheduzzaman.sarker@ericsson.com> wrote:
>
>
>
> > On 18 Aug 2022, at 15:16, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
> >
> > Dear Zahed,
> >
> > Thanks for the comments.
> >
> > Here is an  updated version of the draft:
> > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-1191a6b94b1b8ef3&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ippm-ioam-direct-export%2F
> >
> > Regarding the following DISCUSS point:
> >
> > [snip]
> >> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
> >> reviewer's concern on rate limiting the exported traffic triggered by DEX
> >> Option-type as only protection mechanism
> >> (https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-f1a8e03896e17207&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftsv-art%2F1WNgYWGJmxLd4f3RAiDk-LJ-S8Y%2F)
> >> very valid but haven't seen it addressed. In this discuss, I would like to
> >> bring back attention to that concern and would like to discuss why there should
> >> not be a circuit breaker kind of functionality required here?
> > [snip]
> >
> > The rate limiting is just one of the security measures in this
> > document. There was a long discussion in the IPPM working group about
> > amplification attacks and how to mitigate them:
> > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-85de22596797bb61&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FPyfokOEsBBCTtRdNYG-Vr-674Nw%2F
> > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-a9aaeff04156da3d&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FJNiX94A7fN6tUPsA-VQizQEBWms%2F
> >
> > Following this discussion, what we came up with in order to mitigate
> > these attacks is a combination of the following components:
> > - Rate limiting (1/N) at the encap node.
> > - Export traffic rate limiting (1/N) at the exporting node.
> > - No exporting over DEX-enabled tunnels.
> > - The DEX option is not pushed into packets that already include an IOAM encap.
> > - Exporting over a secure connection to a trusted destination.
> >
> > We believe that this combination of components, which are discussed in
> > the document, provides reasonable measures to address the threat.
>
> This is good. I haven’t noticed any requirements on exporting over a secure connection to and trusted destination in this specification. I may have missed this, could you please point me to that?
>
> //Zahed
>

v2.23.0 | Report a Bug | By Email