Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Fri, 02 July 2021 14:51 UTC

Date: Fri, 02 Jul 2021 14:51:16 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Paolo Volpato <paolo.volpato@huawei.com>
Cc: "draft-elkins-ippm-encrypted-pdmv2@ietf.org" <draft-elkins-ippm-encrypted-pdmv2@ietf.org>, IETF IPPM WG <ippm@ietf.org>
Message-ID: <321940002.978208.1625237476169@mail.yahoo.com>
In-Reply-To: <eeaf7db6b5af4ef79bb51a543ab728df@huawei.com>
References: <162256330634.19677.3885804345914692467@ietfa.amsl.com> <28584824.2341925.1622563579715@mail.yahoo.com> <721002155.671981.1625161479360@mail.yahoo.com> <eeaf7db6b5af4ef79bb51a543ab728df@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/f8U1B2KLa6cW_XEc1fVT1iL7QRs>

Paolo,

Thanks so much for your comments.

> At a first glance, it seems to me that PDMv2 is expected to be used mainly in the enterprise domain. Is it so?

Yes.

> Do you have any thoughts on what may happen if e.g. a multinational company runs the protocol over multiple external
> backbones where the IPv6 extension headers (in general, not necessarily just the destination options header) may not be
> handled? Does this represent a serious issue?

We need to do a more in-depth study in this area. I have done some minor testing with PDM-enabled servers located in Singapore, San Jose and Europe. These were not blocked. I am well aware that a number of studies in v6ops show IPv6 extension headers being blocked.

Having said that, I am hoping that enterprises will let PDM extension headers through their firewalls because of the functionality they provide.   

APNIC has been kind enough to give our team a grant for IPv6 deployment at enterprises.  We are applying again and we wish to do an in-depth study on PDM (and potential blockage / performance) in particular as a part of the new grant.   


> Also, I assume that PDMv2 is mainly used by end stations (e.g. hosts instead of routers). If this is the case, then I don’t expect
> that the performance degradation due to encryption is a serious issue. Do you see other different cases where instead
> degradation may be a concern?

Our cryptographers are working on a full answer to this question. But what I can say for now is that there is always a cost for the choices that you make. We have thought over and over again about how to make our implementation as lightweight as possible. I hope to be able to explain more at the IPPM session at IETF 111.


Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

On Friday, July 2, 2021, 07:25:51 AM PDT, Paolo Volpato <paolo.volpato@huawei.com> wrote: 

Hi Nalini,

Thanks for advising.

I have a couple of general questions.

At a first glance, it seems to me that PDMv2 is expected to be used mainly in the enterprise domain. Is it so? 
Do you have any thoughts on what may happen if e.g. a multinational company runs the protocol over multiple external backbones where the IPv6 extension headers (in general, not necessarily just the destination options header) may not be handled? Does this represent a serious issue?

Also, I assume that PDMv2 is mainly used by end stations (e.g. hosts instead of routers). If this is the case, then I don’t expect that the performance degradation due to encryption is a serious issue. Do you see other different cases where instead degradation may be a concern?

Regards
Paolo

-----Original Message-----
From: ippm [mailto:ippm-bounces@ietf.org] On Behalf Of nalini.elkins@insidethestack.com
Sent: Thursday, July 1, 2021 7:45 PM
To: IETF IPPM WG <ippm@ietf.org>
Cc: draft-elkins-ippm-encrypted-pdmv2@ietf.org
Subject: Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

IPPM,

Please do take a look at this draft.

I think that iOAM will need encryption as well. We have spent quite a bit of time thinking over these issues. We even have 2 cryptographers from Italy involved as co-authors. I want to do a side meeting where we can have quite a bit more time to discuss this but would love to have comments from the group on the list.

I am very reluctant to push PDM out to the wider world without encryption.  I feel that we will become the attacker's best friend.
We have modified the Linux kernel to include PDM but as I say, without encryption, we do not wish to release.


Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

On Tuesday, June 1, 2021, 09:06:39 AM PDT, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote: 

Hello IPPMers!

We have just posted a new draft to encrypt PDM data. We feel that this is an important feature to add before promoting widespread adoption of PDM.

We would appreciate any thoughts or comments from the group.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

----- Forwarded Message -----

From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: mackermann@bcbsm.com <mackermann@bcbsm.com>; Adnan Rashid <adnan.rashid@unifi.it>; Ameya Deshpande <ameyanrd@gmail.com>; Michael Ackermann <mackermann@bcbsm.com>; Nalini Elkins <nalini.elkins@insidethestack.com>; Tommaso Pecorella <tommaso.pecorella@unifi.it>
Sent: Tuesday, June 1, 2021, 12:01:47 PM EDT
Subject: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

A new version of I-D, draft-elkins-ippm-encrypted-pdmv2-00.txt
has been successfully submitted by Nalini Elkins and posted to the IETF repository.

Name:        draft-elkins-ippm-encrypted-pdmv2
Revision:    00
Title:        Encrypted IPv6 Performance and Diagnostic Metrics Version 2 (EPDMv2) Destination Option
Document date:    2021-06-01
Group:        Individual Submission
Pages:        16
URL:            https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt
Status:        https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/
Htmlized:      https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2


Abstract:
  RFC8250 describes an optional Destination Option (DO) header embedded
  in each packet to provide sequence numbers and timing information as
  a basis for measurements.  As this data is sent in clear- text, this
  may create an opportunity for malicious actors to get information for
  subsequent attacks.  This document defines PDMv2 which has a
  lightweight handshake (registration procedure) and encryption to
  secure this data.  Additional performance metrics which may be of use
  are also defined.



The IETF Secretariat
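As an added illustration of the abstract's point, and not code from the draft, the thread, or its authors, the constructed Python below builds an IPv6 Destination Options header carrying the RFC 8250 PDM option and then decodes it the way any passive observer on the path can, listing the sequence numbers and timing deltas that travel in the clear and that PDMv2's encryption is meant to protect. The TLV layout follows RFC 8250; treating the scale fields as left-shift counts is my reading of that RFC, and the class and function names and the sample values are mine.

```python
import struct
from dataclasses import dataclass

PDM_OPTION_TYPE = 0x0F    # RFC 8250 PDM destination option type
PDM_OPTION_LENGTH = 10    # option data length in octets
PAD1, PADN = 0x00, 0x01   # IPv6 padding options

@dataclass
class PdmOption:
    scale_dtlr: int              # scale for delta_time_last_received
    scale_dtls: int              # scale for delta_time_last_sent
    psn_this_packet: int         # packet sequence number of this packet
    psn_last_received: int       # last sequence number seen from the peer
    delta_time_last_received: int
    delta_time_last_sent: int

def build_dest_opts(next_header: int, pdm: PdmOption) -> bytes:
    """Constructed sample: 2 octets of header + 12 of PDM TLV + 2 of PadN
    = 16 octets, so Hdr Ext Len (8-octet units beyond the first 8) is 1."""
    tlv = struct.pack("!BBBBHHHH", PDM_OPTION_TYPE, PDM_OPTION_LENGTH,
                      pdm.scale_dtlr, pdm.scale_dtls, pdm.psn_this_packet,
                      pdm.psn_last_received, pdm.delta_time_last_received,
                      pdm.delta_time_last_sent)
    body = tlv + bytes([PADN, 0])
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body

def find_pdm_in_dest_opts(dest_opts: bytes):
    """Walk the option TLVs the way any passive on-path observer can;
    return the PdmOption, or None if the option is absent or malformed."""
    body = dest_opts[2:(dest_opts[1] + 1) * 8] if len(dest_opts) >= 2 else b""
    i = 0
    while i < len(body):
        if body[i] == PAD1:            # Pad1 has no length octet
            i += 1
            continue
        if i + 1 >= len(body):         # truncated TLV, stop rather than misread
            return None
        opt_type, opt_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + opt_len]
        if opt_type == PDM_OPTION_TYPE and opt_len == PDM_OPTION_LENGTH == len(value):
            return PdmOption(*struct.unpack("!BBHHHH", value))
        i += 2 + opt_len
    return None

def exposed_fields(pdm: PdmOption) -> dict:
    """Cleartext PDM as seen on the path; scale applied as a left shift (assumed reading of RFC 8250)."""
    return {"psn_this_packet": pdm.psn_this_packet,
            "psn_last_received": pdm.psn_last_received,
            "delta_last_received": pdm.delta_time_last_received << pdm.scale_dtlr,
            "delta_last_sent": pdm.delta_time_last_sent << pdm.scale_dtls}
```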

_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

