Re: [ippm] Warren Kumari's Discuss on draft-ietf-ippm-rfc8321bis-02: (with DISCUSS)
Giuseppe Fioccola <giuseppe.fioccola@huawei.com> Wed, 13 July 2022 08:07 UTC
Return-Path: <giuseppe.fioccola@huawei.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DD47C138FA4; Wed, 13 Jul 2022 01:07:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6VxbOXzpR-rn; Wed, 13 Jul 2022 01:07:38 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C61EC15AD43; Wed, 13 Jul 2022 01:07:38 -0700 (PDT)
Received: from fraeml710-chm.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4LjVVM33Ctz6H7Wv; Wed, 13 Jul 2022 16:03:07 +0800 (CST)
Received: from fraeml714-chm.china.huawei.com (10.206.15.33) by fraeml710-chm.china.huawei.com (10.206.15.59) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Wed, 13 Jul 2022 10:07:29 +0200
Received: from fraeml714-chm.china.huawei.com ([10.206.15.33]) by fraeml714-chm.china.huawei.com ([10.206.15.33]) with mapi id 15.01.2375.024; Wed, 13 Jul 2022 10:07:29 +0200
From: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ippm-rfc8321bis@ietf.org" <draft-ietf-ippm-rfc8321bis@ietf.org>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "tpauly@apple.com" <tpauly@apple.com>
Thread-Topic: Warren Kumari's Discuss on draft-ietf-ippm-rfc8321bis-02: (with DISCUSS)
Thread-Index: AQHYllFj9a2HBIfRg0KSrvj5THPyNK1766zA
Date: Wed, 13 Jul 2022 08:07:29 +0000
Message-ID: <9ff14ebf27bf4eaea557bdd392a5d16c@huawei.com>
References: <165767291717.5123.13652670730872623488@ietfa.amsl.com>
In-Reply-To: <165767291717.5123.13652670730872623488@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.216.74]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/ZBy2hlhsme1XBr5XFkWmZDJuVlk>
Subject: Re: [ippm] Warren Kumari's Discuss on draft-ietf-ippm-rfc8321bis-02: (with DISCUSS)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 08:07:40 -0000
Hi Warren, Thanks for the review. Please find my replies inline tagged as [GF]. Note that I plan to address your comments in the next version. Best Regards, Giuseppe -----Original Message----- From: Warren Kumari via Datatracker <noreply@ietf.org> Sent: Wednesday, July 13, 2022 2:42 AM To: The IESG <iesg@ietf.org> Cc: draft-ietf-ippm-rfc8321bis@ietf.org; ippm-chairs@ietf.org; ippm@ietf.org; tpauly@apple.com; tpauly@apple.com Subject: Warren Kumari's Discuss on draft-ietf-ippm-rfc8321bis-02: (with DISCUSS) Warren Kumari has entered the following ballot position for draft-ietf-ippm-rfc8321bis-02: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ippm-rfc8321bis/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Section 7.1 says: "The Alternate Marking Method is an example of a solution limited to a controlled domain [RFC8799]. A controlled domain is a managed network that selects, monitors, and controls access by enforcing policies at the domain boundaries, in order to discard undesired external packets entering the domain and check internal packets leaving the domain. [...] It must be possible to control the domain boundaries, and use specific precautions if traffic traverses the Internet." "Controlled domain" isn't a magic incantation you invoke to make all security issues disappear. Your definition of controlled domain sounds suspiciously like "the network should magically stop bad packets, and evil people wanting to do bad things!!!!". RFC8799 does not define what makes a domain, nor how the boundary is protected. Instead, it "it shows the need for a precise definition of "limited domain membership" and for mechanisms to allow nodes to join a domain securely and to find other members, including boundary nodes." and notes that "the Internet does not have a well-defined concept of limited domains" and further that "Domain boundaries that are defined administratively (e.g., by address filtering rules in routers) are prone to leakage caused by human error, especially if the limited domain traffic appears otherwise normal to the boundary routers. In this case, the network operator needs to take active steps to protect the boundary." The document states that "For security reasons, the Alternate Marking Method is RECOMMENDED only for controlled domains." - but you have not defined how a network operator is expected to define and enforce the domain boundary; simply saying that the network should select, monitor, and control access by enforcing policies at the domain boundaries, in order to discard undesired external packets doesn't explain how the network should do this. How exactly does the network know what packets are marked? How does the operator filter these? What matching rule can be applied at the boundary to make sure that marked packets do not enter or exit the network? [GF]: I see your point. I think that, in draft-ietf-6man-ipv6-alt-mark we have a very detailed definition of "Controlled Domain" and I can include more details in RFC8321bis as well. For example: "A controlled domain is a managed network where it is required to select, monitor and control the access to the network by enforcing policies at the domain boundaries in order to discard undesired external packets entering the domain and check the internal packets leaving the domain. It does not necessarily mean that a controlled domain is a single administrative domain or a single organization. A controlled domain can correspond to a single administrative domain or can be composed by multiple administrative domains under a defined network management. Indeed, some scenarios may imply that the Alternate Marking Method involves more than one domain, but in these cases, it is RECOMMENDED that the multiple domains create a whole controlled domain while traversing the external domain by employing IPsec [RFC4301] authentication and encryption or other VPN technology that provides full packet confidentiality and integrity protection. In a few words, it must be possible to control the domain boundaries and eventually use specific precautions if the traffic traverse the Internet." [GF]: I want to keep the definition general since the security concerns may change based on the specific protocol or extension where AltMark is applied. In this regard, IOAM and AltMark are both on-path telemetry techniques and are both applied to controlled domain. But, looking at RFC9197, I see just the following definitions of Controlled Domain and terminology from 8799 seems used in a normative way. I can simply follow the example of RFC9197. Is it ok with you? "IOAM is focused on "limited domains", as defined in [RFC8799]. For IOAM, a limited domain could, for example, be an enterprise campus using physical connections between devices or an overlay network using virtual connections/tunnels for connectivity between said devices. A limited domain that uses IOAM may constitute one or multiple "IOAM-Domains", each disambiguated through separate namespace identifiers. An IOAM-Domain is bounded by its perimeter or edge. IOAM-Domains may overlap inside the limited domain. Designers of protocol encapsulations for IOAM specify mechanisms to ensure that IOAM data stays within an IOAM-Domain. In addition, the operator of such a domain is expected to put provisions in place to ensure that IOAM data does not leak beyond the edge of an IOAM-Domain using, for example, packet filtering methods. The operator SHOULD consider the potential operational impact of IOAM to mechanisms, such as ECMP processing (e.g., load- balancing schemes based on packet length could be impacted by the increased packet size due to IOAM), PMTU (i.e., ensure that the MTU of all links within a domain is sufficiently large to support the increased packet size due to IOAM), and ICMP message handling (i.e., in case of IPv6, IOAM support for ICMPv6 echo request/reply is desired, which would translate into ICMPv6 extensions to enable IOAM-Data-Fields to be copied from an echo request message to an echo reply message)." " Notably, IOAM is expected to be deployed in limited domains, thus confining the potential attack vectors to within the limited domain. A limited administrative domain provides the operator with the means to select, monitor, and control the access of all the network devices, making these devices trusted by the operator. Indeed, in order to limit the scope of threats mentioned above to within the current limited domain, the network operator is expected to enforce policies that prevent IOAM traffic from leaking outside of the IOAM- Domain and prevent IOAM data from outside the domain to be processed and used within the domain."
- [ippm] Warren Kumari's Discuss on draft-ietf-ippm… Warren Kumari via Datatracker
- Re: [ippm] Warren Kumari's Discuss on draft-ietf-… Giuseppe Fioccola