Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf-ippm-stamp-option-tlv-09: (with DISCUSS and COMMENT)

Martin Duke <martin.h.duke@gmail.com> Tue, 06 October 2020 19:42 UTC

MIME-Version: 1.0
References: <159901891096.15973.17525194862666459811@ietfa.amsl.com> <CA+RyBmXGemKMJR9WLoRCfA9s0rMso4QMmmCbq4u1oFeDwfX2FQ@mail.gmail.com> <CAM4esxRSEhfgLty555xk8TAB=n_P58HXMgX5DJAkUT2wuFXiUg@mail.gmail.com> <CA+RyBmW+ypcNH6Momhgj-_4sav0Zmeq+TD20kmw025sFrYpqrA@mail.gmail.com>
In-Reply-To: <CA+RyBmW+ypcNH6Momhgj-_4sav0Zmeq+TD20kmw025sFrYpqrA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 06 Oct 2020 12:42:17 -0700
Message-ID: <CAM4esxQudE2GWe2yiW0iie2=cvtiSyBv+GESna5L-bxb8u0N4A@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, IPPM Chairs <ippm-chairs@ietf.org>, draft-ietf-ippm-stamp-option-tlv@ietf.org, The IESG <iesg@ietf.org>, Yali Wang <wangyali11@huawei.com>, IETF IPPM WG <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a15ac205b105ccfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/Ye_SnZpzTVl2o_wBVmIaSh84IZc>
Subject: Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf-ippm-stamp-option-tlv-09: (with DISCUSS and COMMENT)
Precedence: list

OK, Ben has the token. Thanks.

On Tue, Oct 6, 2020 at 12:32 PM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Martin,
> I've applied the updates suggested by Ben to the working version (attached
> along with the diff). I'll be glad to upload the new version if that helps.
>
> Regards,
> Greg
>
> On Tue, Oct 6, 2020 at 12:04 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
>
>> I believe the current status of this is that Ben is awaiting another
>> version of this draft to resolve his DISCUSS. If anyone has a different
>> understanding, please say so.
>>
>> On Thu, Sep 3, 2020 at 12:44 PM Greg Mirsky <gregimirsky@gmail.com>
>> wrote:
>>
>>> Hi Ben,
>>> thank you for your comments and suggestions, all are much appreciated.
>>> Please find my notes in-lined below tagged by GIM>>. Attached are the diff
>>> and the new working version of the draft.
>>>
>>> Regards,
>>> Greg
>>>
>>> On Tue, Sep 1, 2020 at 8:55 PM Benjamin Kaduk via Datatracker <
>>> noreply@ietf.org> wrote:
>>>
>>>> Benjamin Kaduk has entered the following ballot position for
>>>> draft-ietf-ippm-stamp-option-tlv-09: Discuss
>>>>
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>>
>>>>
>>>> Please refer to
>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>
>>>>
>>>> The document, along with other ballot positions, can be found here:
>>>> https://datatracker.ietf.org/doc/draft-ietf-ippm-stamp-option-tlv/
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>>
>>>> Thanks for all the updates; we've made good progress.
>>>>
>>>> I think we're still not converged on the DSCP handling, though.  I have
>>>> a bit more exposition in the COMMENT section, but in short, my
>>>> understanding is that we're setting up a session-reflector to incur
>>>> unbounded levels of risk with hard protocol requirements.  I think we
>>>> need to provide a way to bound that risk, for example by allowing the
>>>> Session-Reflector to selectively choose to treat the CoS TLV as
>>>> unimplemented (set the U flag in its reflected packet) or some other
>>>> mechanism for local policy to filter what DSCP codepoints are set in
>>>> reflected packets (ideally, indicating that the policy made a change).
>>>>
>>> GIM>> Thank you for pointing to the inter-QoS domain scenario. Clearly,
>>> it must be handled with more caution. Using the U flag is a very
>>> interesting approach. But wouldn't the Session-Sender skip the CoS TLV in
>>> the reflected packet? As a result, we may not retrieve information about
>>> the CoS mapping in the forward direction, i.e., towards the
>>> Session-Reflector. And it might be difficult for an operator to recognize
>>> whether the Session-Reflector doesn't support the particular CoS or STAMP
>>> extensions altogether. I would propose a new field being added in the CoS
>>> TLV:
>>>
>>>    -    RP (Reverse Path) - is a two-bit-long field.  A Session-Sender
>>>       MUST set the value of the RP field to 0 on transmission.
>>>
>>> And further in the section another update:
>>>    A STAMP Session-Reflector that receives a test packet with the CoS
>>>    TLV MUST include the CoS TLV in the reflected test packet.  Also, the
>>>    Session-Reflector MUST copy the value of the DSCP and ECN fields of
>>>    the IP header of the received STAMP test packet into the DSCP2 field
>>>    in the reflected test packet.  Finally, the Session-Reflector MUST
>>>    use the local policy to verify whether the CoS corresponding to the
>>>    value of the DSCP1 field is permitted in the domain.  If it is, the
>>>    Session-Reflectorset MUST set the DSCP field's value in the IP header
>>>    of the reflected test packet equal to the value of the DSCP1 field of
>>>    the received test packet.  Otherwise, the Session-Reflector MUST use
>>>    the DSCP value of the received STAMP packet and set the value of the
>>>    RP field to 1.  Upon receiving the reflected packet, if the value of
>>>    the RP field is 0, the Session-Sender will save the DSCP and ECN
>>>    values for analysis of the CoS in the reverse direction.  If the
>>>    value of the RP field in the received reflected packet is 1, only CoS
>>>    in the forward direction can be analyzed.
>>>
>>> Would these updates address your concern?
>>>
>>>>
>>>> Also, there's a bit of fallout from the flags reworking that's left to
>>>> cleanup in Section 4: we now have the Session-Sender set the U flag to
>>>> 1, so this text no longer makes sense:
>>>>
>>>> % A STAMP system, i.e., either a Session-Sender or a Session-Reflector,
>>>> % that has received a STAMP test packet with extension TLVs MUST
>>>> % validate each TLV:
>>>> %
>>>> %    If the U flag is set, the STAMP system MUST skip the processing of
>>>> %    the TLV.
>>>>
>>>> I think it should just apply to the Session-Sender for this case -- the
>>>> Session-Reflector doesn't need to check the received U flag, since the
>>>> Session-Sender will not be generating TLVs it does not understand.
>>>> (Whether or not to keep the behavior for the M and I flags as applying
>>>> to both Session-Sender and Session-Reflector vs. just Session-Sender
>>>> does not immediately seem to be of much consequence.
>>>>
>>> GIM>> Thank you for catching this. Indeed, that brakes STAMP with
>>> extensions. I think that though checking M and I flags of a
>>> Session-Reflector should not do any harm, it doesn't seem to have any
>>> benefits. Hence we may remove the Session-Reflector from the sentence and
>>> the updated introduction to the flag processing reads like below:
>>>    A STAMP Session-Sender that has received a reflected STAMP test
>>>    packet with extension TLVs MUST validate each TLV:
>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>> COMMENT:
>>>> ----------------------------------------------------------------------
>>>>
>>>> My most significant remaining comments are on the Security
>>>> Considerations (Section 6):
>>>>
>>>> The security of the HMAC mechanism is not complete, since it is
>>>> susceptible to replay attack.  As such, when HMAC is in use, it is
>>>> important to check that the received sequence numbers are (at least
>>>> mostly) monotonic and to detect replays.  While replayed packets do not
>>>> always indicate an attack (depending on the network technology) they are
>>>> still a noteworthy condition, and we should say something about whether
>>>> we expect to produce a response to each received instance or to suppress
>>>> replies to replayed input.
>>>>
>>> GIM>> Is there a reliable mechanism to distinguish between an
>>> out-of-order duplicated packet and a replayed packet? I've checked RFC 5357
>>> TWAMP for any suggestion and believe that there is no special consideration
>>> by a Session-Reflector for an out-of-order duplicated packet. The TWAMP
>>> Session-Reflector does not monitor whether the sequence numbers of the
>>> received test packets are in the monotonically increasing sequence. STAMP
>>> is designed to be comparable with TWAMP and have some level of
>>> interoperability. Hence, discarding what appears as a replayed packet at a
>>> STAMP Session-Reflector might be less desirable behavior. If we follow
>>> TWAMP's behavior, what else can be done at the Session-Reflector to
>>> strengthen the security?
>>>
>>>>
>>>>    Monitoring and optional control of DSCP do not appear to introduce
>>>>    any additional security threat to hosts that communicate with STAMP
>>>>    as defined in [RFC8762].  As this specification defined the mechanism
>>>>    to test DSCP mapping, this document inherits all the security
>>>>
>>>> I'm afraid I still don't understand the reasoning here.  In my
>>>> understanding, the risk stems from the semantics of the DCSP field being
>>>> (for at least some codepoints) site-local, there not being a guarantee
>>>> that the session-sender and session-reflector are on the same network
>>>> (and thus, using the same DSCP semantics), and the hard requirement for
>>>> the Session-Reflector to set the DCSP value indicated by the
>>>> Session-Sender.  A mechanism for a remote entity to induce generation of
>>>> local packets with unspecified semantics is a risk that cannot be
>>>> qualified at protocol-design time, since the possible outcomes are
>>>> inherently unspecified.  This is analogous to the situation with
>>>> undefined behavior in programming languages like C -- the programmer is
>>>> flat-out required to avoid it, because literally anything could go wrong
>>>> if undefined behavior is triggered.
>>>>
>>> GIM>> I agree that the inter-QoS domain case requires more consideration
>>> in the Security section. I propose the updated text below:
>>>
>>>    As this specification defined the mechanism to test DSCP mapping,
>>>    this document inherits all the security considerations discussed in
>>>    [RFC2474].  Monitoring and optional control of DSCP using the CoS TLV
>>>    may be used across the Internet so that the Session-Sender and the
>>>    Session-Reflector are located in domains that use different CoS
>>>    profiles.  Thus, it is essential that an operator verifies the set of
>>>    CoS values that are used in the Session-Reflector's domain.  Also, an
>>>    implementation of a Session-Reflector SHOULD support a local policy
>>>    to confirm whether the value sent by the Session-Sender can be used
>>>    as the value of the DSCP field.  Section 4.4 defines the use of that
>>>    local policy.
>>>
>>>
>>>
>>>>
>>>> This is especially risky when there is the possibility for the
>>>> Session-Reflector to act on packets that do not have any form of
>>>> authentication (i.e., could be spoofed from off-path).  But we do not
>>>> mention this risk at all, let alone give guidance on its mitigation.
>>>> (Discussion of the security considerations of unauthenticated operation
>>>> would ideally be generalized to all actions/TLVs that have side effects,
>>>> not just the specific case of setting the DSCP codepoint.)
>>>>
>>> GIM>> It seems very challenging for a STAMP system to differentiate
>>> between a duplicate and/or out-of-order test packet and a replayed packet
>>> because one of the metrics STAMP test measures is the network re-ordering
>>> metric per RFC 4737 <https://tools.ietf.org/html/rfc4737>. We may
>>> recommend that the rate-limiting of test packets be selected
>>> conservatively.
>>>
>>>>
>>>> Section 4.2
>>>>
>>>> I'd suggest saying that all fields that are not filled are transmitted
>>>> with all bits set to zero.
>>>>
>>> GIM>> Thank you for the helpful suggestion. Appended Section 4.2:
>>>    Note that all fields not filled by either a Session-Sender or
>>>    Session-Reflector are transmitted with all bits set to zero.
>>>
>>>>
>>>> Section 4.2.1
>>>>
>>>>    o  Source MAC Address sub-TLV - is a 12-octet-long sub-TLV.  The Type
>>>>       value is TBA9.  The value of the Length field MUST equal to 8.
>>>>       The Value field is a 12-octet-long MBZ field that MUST be zeroed
>>>>       on transmission and ignored on receipt.
>>>>
>>>> Value should be 8-octets-long, no?
>>>>
>>> GIM>> Thank you for catching it! You are absolutely correct. Fixed this
>>> and a similar in:
>>>    o  Source EUI-64 Address sub-TLV - is a 12-octet-long sub-TLV that
>>>       includes the EUI-64 source MAC address.  The Type value is TBA11.
>>>       The value of the Length field MUST equal to 8.  The Value field
>>>       consists of an eight-octet-long EUI-64 field.
>>>
>>>
>>>
>>>> Section 4.2.2
>>>>
>>>>    A Session-Sender MAY include the Source MAC Address sub-TLV is the
>>>>    Location TLV.  If the Session-Reflector receives the Location TLV
>>>>
>>>> nit: s/is/in/
>>>>
>>> GIM>> Thank you. Fixed (and three more places in the same sub-section).
>>>
>>>>
>>>> Section 4.3
>>>>
>>>>    MUST NOT fill any information fields except for STAMP TLV Flags,
>>>>    Type, and Length.  All other fields MUST be filled with zeroes The
>>>>
>>>> nit: missing full stop.
>>>>
>>> GIM>> Done.
>>>
>>

[ippm] Benjamin Kaduk's Discuss on draft-ietf-ipp… Benjamin Kaduk via Datatracker
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Martin Duke
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
Re: [ippm] Benjamin Kaduk's Discuss on draft-ietf… Greg Mirsky