Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf-ippm-stamp-option-tlv-09: (with DISCUSS and COMMENT)
Martin Duke <martin.h.duke@gmail.com> Tue, 06 October 2020 19:42 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86D583A0B3E; Tue, 6 Oct 2020 12:42:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2K0yaYKZ3hs; Tue, 6 Oct 2020 12:42:30 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D6C63A0DF9; Tue, 6 Oct 2020 12:42:30 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id k25so14335026ioh.7; Tue, 06 Oct 2020 12:42:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ie9za4egtehDAS+rhze1LhuRYRImAkl3nhTOluCrydA=; b=i7OJWLVygsI7A1GTlC1FDnP6L4mxmrvI0RF7I9KdVgtvkmg1VAb77hlqRskcqcBAzZ Y+pB5IzmmFuG9MqSmfXY7FeYdBy1ZOybUM3MSnqB08WhA5xPgzUMZbFa5W2iQocgAVeZ KI1ia6d0BwHEBuDBoeBM3SEQEeOqy4IQAFtEkKOUKZm9a/4QcbWcH4eCn5Nsx6WmpRVn SEo04Y+IbZvwf/gfwhsn/zF+NBQVQYss4iwfMbzV70C9JIo3W6G5k/DXPtQpnIx9jb/r 8ICh7QlNywrN/UVMNK0AKlxj45x+xqyaZ/o8uch1/PRL7cLDUBNtcXMbABFcg8Ky91yf OlUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ie9za4egtehDAS+rhze1LhuRYRImAkl3nhTOluCrydA=; b=SrErORYXxGR/ava8W0xgHD1omD+1lPjQxUDKOEm3f9QQNkzvK6Uvy/JBvpoDtSH/YA JzZPzS+F66uOhrG3O7ZbP5WEvtX8YWN8LTHGEfN3nhITKlvqH7zAmD2AOwIi9a4sBBUf tnwGLzItX/IRjjeVllCg4DY1llF2VIYQEEWbIcOD3s3FDPg3Oc6ny1efmRUIjv78jgPU JD7FhLhvajoap2TMDun0Y8Gdb8bTCJv67RfLRPC1xcIizv6bwUH8u+srWXUp23CTpg7B U25p1ZG3ukF8bxxaivFNG/iWTT5KLjCa4jV4mTBEwgfoQuVmyHK5fjF9AHgpxLCClrbo eI9A==
X-Gm-Message-State: AOAM532cIWmtZHvUGbL4z6y2V28R4+np2BRrk4TUdnUcMEQyJFmUndtj o3VF7agP5nm7hJHdqAY7oDredCUPeK/83LhsaoI=
X-Google-Smtp-Source: ABdhPJzEw/JueqnslaCM3KQjKVaef/9ZBZG+3zE3WH6QwF0ZxVpTTRE1o/Ah3ATxMl2+wZ67wS6oyHNvc8MYfH/Y1cs=
X-Received: by 2002:a02:ccdb:: with SMTP id k27mr2726680jaq.103.1602013349631; Tue, 06 Oct 2020 12:42:29 -0700 (PDT)
MIME-Version: 1.0
References: <159901891096.15973.17525194862666459811@ietfa.amsl.com> <CA+RyBmXGemKMJR9WLoRCfA9s0rMso4QMmmCbq4u1oFeDwfX2FQ@mail.gmail.com> <CAM4esxRSEhfgLty555xk8TAB=n_P58HXMgX5DJAkUT2wuFXiUg@mail.gmail.com> <CA+RyBmW+ypcNH6Momhgj-_4sav0Zmeq+TD20kmw025sFrYpqrA@mail.gmail.com>
In-Reply-To: <CA+RyBmW+ypcNH6Momhgj-_4sav0Zmeq+TD20kmw025sFrYpqrA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 06 Oct 2020 12:42:17 -0700
Message-ID: <CAM4esxQudE2GWe2yiW0iie2=cvtiSyBv+GESna5L-bxb8u0N4A@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, IPPM Chairs <ippm-chairs@ietf.org>, draft-ietf-ippm-stamp-option-tlv@ietf.org, The IESG <iesg@ietf.org>, Yali Wang <wangyali11@huawei.com>, IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a15ac205b105ccfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/Ye_SnZpzTVl2o_wBVmIaSh84IZc>
Subject: Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf-ippm-stamp-option-tlv-09: (with DISCUSS and COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2020 19:42:34 -0000
OK, Ben has the token. Thanks. On Tue, Oct 6, 2020 at 12:32 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > Hi Martin, > I've applied the updates suggested by Ben to the working version (attached > along with the diff). I'll be glad to upload the new version if that helps. > > Regards, > Greg > > On Tue, Oct 6, 2020 at 12:04 PM Martin Duke <martin.h.duke@gmail.com> > wrote: > >> I believe the current status of this is that Ben is awaiting another >> version of this draft to resolve his DISCUSS. If anyone has a different >> understanding, please say so. >> >> On Thu, Sep 3, 2020 at 12:44 PM Greg Mirsky <gregimirsky@gmail.com> >> wrote: >> >>> Hi Ben, >>> thank you for your comments and suggestions, all are much appreciated. >>> Please find my notes in-lined below tagged by GIM>>. Attached are the diff >>> and the new working version of the draft. >>> >>> Regards, >>> Greg >>> >>> On Tue, Sep 1, 2020 at 8:55 PM Benjamin Kaduk via Datatracker < >>> noreply@ietf.org> wrote: >>> >>>> Benjamin Kaduk has entered the following ballot position for >>>> draft-ietf-ippm-stamp-option-tlv-09: Discuss >>>> >>>> When responding, please keep the subject line intact and reply to all >>>> email addresses included in the To and CC lines. (Feel free to cut this >>>> introductory paragraph, however.) >>>> >>>> >>>> Please refer to >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>>> for more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found here: >>>> https://datatracker.ietf.org/doc/draft-ietf-ippm-stamp-option-tlv/ >>>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> DISCUSS: >>>> ---------------------------------------------------------------------- >>>> >>>> Thanks for all the updates; we've made good progress. >>>> >>>> I think we're still not converged on the DSCP handling, though. I have >>>> a bit more exposition in the COMMENT section, but in short, my >>>> understanding is that we're setting up a session-reflector to incur >>>> unbounded levels of risk with hard protocol requirements. I think we >>>> need to provide a way to bound that risk, for example by allowing the >>>> Session-Reflector to selectively choose to treat the CoS TLV as >>>> unimplemented (set the U flag in its reflected packet) or some other >>>> mechanism for local policy to filter what DSCP codepoints are set in >>>> reflected packets (ideally, indicating that the policy made a change). >>>> >>> GIM>> Thank you for pointing to the inter-QoS domain scenario. Clearly, >>> it must be handled with more caution. Using the U flag is a very >>> interesting approach. But wouldn't the Session-Sender skip the CoS TLV in >>> the reflected packet? As a result, we may not retrieve information about >>> the CoS mapping in the forward direction, i.e., towards the >>> Session-Reflector. And it might be difficult for an operator to recognize >>> whether the Session-Reflector doesn't support the particular CoS or STAMP >>> extensions altogether. I would propose a new field being added in the CoS >>> TLV: >>> >>> - RP (Reverse Path) - is a two-bit-long field. A Session-Sender >>> MUST set the value of the RP field to 0 on transmission. >>> >>> And further in the section another update: >>> A STAMP Session-Reflector that receives a test packet with the CoS >>> TLV MUST include the CoS TLV in the reflected test packet. Also, the >>> Session-Reflector MUST copy the value of the DSCP and ECN fields of >>> the IP header of the received STAMP test packet into the DSCP2 field >>> in the reflected test packet. Finally, the Session-Reflector MUST >>> use the local policy to verify whether the CoS corresponding to the >>> value of the DSCP1 field is permitted in the domain. If it is, the >>> Session-Reflectorset MUST set the DSCP field's value in the IP header >>> of the reflected test packet equal to the value of the DSCP1 field of >>> the received test packet. Otherwise, the Session-Reflector MUST use >>> the DSCP value of the received STAMP packet and set the value of the >>> RP field to 1. Upon receiving the reflected packet, if the value of >>> the RP field is 0, the Session-Sender will save the DSCP and ECN >>> values for analysis of the CoS in the reverse direction. If the >>> value of the RP field in the received reflected packet is 1, only CoS >>> in the forward direction can be analyzed. >>> >>> Would these updates address your concern? >>> >>>> >>>> Also, there's a bit of fallout from the flags reworking that's left to >>>> cleanup in Section 4: we now have the Session-Sender set the U flag to >>>> 1, so this text no longer makes sense: >>>> >>>> % A STAMP system, i.e., either a Session-Sender or a Session-Reflector, >>>> % that has received a STAMP test packet with extension TLVs MUST >>>> % validate each TLV: >>>> % >>>> % If the U flag is set, the STAMP system MUST skip the processing of >>>> % the TLV. >>>> >>>> I think it should just apply to the Session-Sender for this case -- the >>>> Session-Reflector doesn't need to check the received U flag, since the >>>> Session-Sender will not be generating TLVs it does not understand. >>>> (Whether or not to keep the behavior for the M and I flags as applying >>>> to both Session-Sender and Session-Reflector vs. just Session-Sender >>>> does not immediately seem to be of much consequence. >>>> >>> GIM>> Thank you for catching this. Indeed, that brakes STAMP with >>> extensions. I think that though checking M and I flags of a >>> Session-Reflector should not do any harm, it doesn't seem to have any >>> benefits. Hence we may remove the Session-Reflector from the sentence and >>> the updated introduction to the flag processing reads like below: >>> A STAMP Session-Sender that has received a reflected STAMP test >>> packet with extension TLVs MUST validate each TLV: >>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> COMMENT: >>>> ---------------------------------------------------------------------- >>>> >>>> My most significant remaining comments are on the Security >>>> Considerations (Section 6): >>>> >>>> The security of the HMAC mechanism is not complete, since it is >>>> susceptible to replay attack. As such, when HMAC is in use, it is >>>> important to check that the received sequence numbers are (at least >>>> mostly) monotonic and to detect replays. While replayed packets do not >>>> always indicate an attack (depending on the network technology) they are >>>> still a noteworthy condition, and we should say something about whether >>>> we expect to produce a response to each received instance or to suppress >>>> replies to replayed input. >>>> >>> GIM>> Is there a reliable mechanism to distinguish between an >>> out-of-order duplicated packet and a replayed packet? I've checked RFC 5357 >>> TWAMP for any suggestion and believe that there is no special consideration >>> by a Session-Reflector for an out-of-order duplicated packet. The TWAMP >>> Session-Reflector does not monitor whether the sequence numbers of the >>> received test packets are in the monotonically increasing sequence. STAMP >>> is designed to be comparable with TWAMP and have some level of >>> interoperability. Hence, discarding what appears as a replayed packet at a >>> STAMP Session-Reflector might be less desirable behavior. If we follow >>> TWAMP's behavior, what else can be done at the Session-Reflector to >>> strengthen the security? >>> >>>> >>>> Monitoring and optional control of DSCP do not appear to introduce >>>> any additional security threat to hosts that communicate with STAMP >>>> as defined in [RFC8762]. As this specification defined the mechanism >>>> to test DSCP mapping, this document inherits all the security >>>> >>>> I'm afraid I still don't understand the reasoning here. In my >>>> understanding, the risk stems from the semantics of the DCSP field being >>>> (for at least some codepoints) site-local, there not being a guarantee >>>> that the session-sender and session-reflector are on the same network >>>> (and thus, using the same DSCP semantics), and the hard requirement for >>>> the Session-Reflector to set the DCSP value indicated by the >>>> Session-Sender. A mechanism for a remote entity to induce generation of >>>> local packets with unspecified semantics is a risk that cannot be >>>> qualified at protocol-design time, since the possible outcomes are >>>> inherently unspecified. This is analogous to the situation with >>>> undefined behavior in programming languages like C -- the programmer is >>>> flat-out required to avoid it, because literally anything could go wrong >>>> if undefined behavior is triggered. >>>> >>> GIM>> I agree that the inter-QoS domain case requires more consideration >>> in the Security section. I propose the updated text below: >>> >>> As this specification defined the mechanism to test DSCP mapping, >>> this document inherits all the security considerations discussed in >>> [RFC2474]. Monitoring and optional control of DSCP using the CoS TLV >>> may be used across the Internet so that the Session-Sender and the >>> Session-Reflector are located in domains that use different CoS >>> profiles. Thus, it is essential that an operator verifies the set of >>> CoS values that are used in the Session-Reflector's domain. Also, an >>> implementation of a Session-Reflector SHOULD support a local policy >>> to confirm whether the value sent by the Session-Sender can be used >>> as the value of the DSCP field. Section 4.4 defines the use of that >>> local policy. >>> >>> >>> >>>> >>>> This is especially risky when there is the possibility for the >>>> Session-Reflector to act on packets that do not have any form of >>>> authentication (i.e., could be spoofed from off-path). But we do not >>>> mention this risk at all, let alone give guidance on its mitigation. >>>> (Discussion of the security considerations of unauthenticated operation >>>> would ideally be generalized to all actions/TLVs that have side effects, >>>> not just the specific case of setting the DSCP codepoint.) >>>> >>> GIM>> It seems very challenging for a STAMP system to differentiate >>> between a duplicate and/or out-of-order test packet and a replayed packet >>> because one of the metrics STAMP test measures is the network re-ordering >>> metric per RFC 4737 <https://tools.ietf.org/html/rfc4737>. We may >>> recommend that the rate-limiting of test packets be selected >>> conservatively. >>> >>>> >>>> Section 4.2 >>>> >>>> I'd suggest saying that all fields that are not filled are transmitted >>>> with all bits set to zero. >>>> >>> GIM>> Thank you for the helpful suggestion. Appended Section 4.2: >>> Note that all fields not filled by either a Session-Sender or >>> Session-Reflector are transmitted with all bits set to zero. >>> >>>> >>>> Section 4.2.1 >>>> >>>> o Source MAC Address sub-TLV - is a 12-octet-long sub-TLV. The Type >>>> value is TBA9. The value of the Length field MUST equal to 8. >>>> The Value field is a 12-octet-long MBZ field that MUST be zeroed >>>> on transmission and ignored on receipt. >>>> >>>> Value should be 8-octets-long, no? >>>> >>> GIM>> Thank you for catching it! You are absolutely correct. Fixed this >>> and a similar in: >>> o Source EUI-64 Address sub-TLV - is a 12-octet-long sub-TLV that >>> includes the EUI-64 source MAC address. The Type value is TBA11. >>> The value of the Length field MUST equal to 8. The Value field >>> consists of an eight-octet-long EUI-64 field. >>> >>> >>> >>>> Section 4.2.2 >>>> >>>> A Session-Sender MAY include the Source MAC Address sub-TLV is the >>>> Location TLV. If the Session-Reflector receives the Location TLV >>>> >>>> nit: s/is/in/ >>>> >>> GIM>> Thank you. Fixed (and three more places in the same sub-section). >>> >>>> >>>> Section 4.3 >>>> >>>> MUST NOT fill any information fields except for STAMP TLV Flags, >>>> Type, and Length. All other fields MUST be filled with zeroes The >>>> >>>> nit: missing full stop. >>>> >>> GIM>> Done. >>> >>
- [ippm] Benjamin Kaduk's Discuss on draft-ietf-ipp… Benjamin Kaduk via Datatracker
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky