IETF Logo Mail Archive

Re: [ippm] Is loopback/direct export amplification worse than linear?

Greg Mirsky <gregimirsky@gmail.com> Wed, 02 December 2020 23:06 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C12FB3A0762 for <ippm@ietfa.amsl.com>; Wed, 2 Dec 2020 15:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bt3i-PdHImsL for <ippm@ietfa.amsl.com>; Wed, 2 Dec 2020 15:06:20 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44BD83A07C0 for <ippm@ietf.org>; Wed, 2 Dec 2020 15:06:20 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id y16so374679ljk.1 for <ippm@ietf.org>; Wed, 02 Dec 2020 15:06:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+L5m6XBOlK5nIxPrnXw0YP3bdwkB7yxSZudWrohpw1c=; b=S+S6Ts2G2nAKF5TbeT7a3q7pFSsD65eSeo60gm2efm/MSuo5+33FXrONFAlqvME5bR 29z/H07tF5z9vA5KLDdT0XE4HJMWQNQnAn6HQVskrRcHlPoB5PfaLLjcSmp/RwB921Hj A2Y9gMutP1FrwsdoJbwQ4dOBe4u/nbjfeOhJvS6s+XRIEN2X/s4pBr3OZfIXcyRuylNl keurmnIudhqW6urUjQTkd/s+v9qKgU+FDbXUqmelY7JoKn3Xf/vGPY5KslSqo8OjScCQ RrNKbO/nRN8N0kFGnIfkJtTNE3TyZRyoI6OqoCUgwvoFi86WYY/aeTc/Du8UW+MT9pdl 7vHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+L5m6XBOlK5nIxPrnXw0YP3bdwkB7yxSZudWrohpw1c=; b=KcT/CLOdgFMO+K3IsH35I1Roq3mOeOjHGGhr1TjHB6oUhMX2k3bDFMQGswYAMwsW+U QxGysnnFu47cVmBj7Er57dVg1EdlslM0hAfDfE7Fs8evhtbWj/P6Y/j5uamwOdt9A8LQ qhV35BoKghFuyd/r3ut91QTzU72uQGkglZPik03JskHZUQRD8lRfZ+2yATcp7EJAphkH BUkBI5bXYr1azuSuorPDHaKIZcyr8SFuZvx4/xhF+i2LKWnrEZsnNrfsI6nPJuRi6jlY 9YXDQ5Uz1Tk51dEnPzF0HXGUG6RdJUmQIz2dxATktAMt7TX9hS0RE6FrlGUi9qVo7lOT 1ebw==
X-Gm-Message-State: AOAM533hAkMd25slWrZuTTFEps8oilxNxqJS6bMONBEhLRlzGNyWPxRO XVADxdstIuyaPoxEZhXLwEdpVXiKQCuEMcdvrZ8=
X-Google-Smtp-Source: ABdhPJyu2osWsprwm+WSIfWuVPhEHid+Xln2gCxktqLFds4MPZx1T4NtjSGBBBqcnYiAD2D5tJVb7CjQ6UiWyWPFHZg=
X-Received: by 2002:a2e:984e:: with SMTP id e14mr84296ljj.110.1606950378071; Wed, 02 Dec 2020 15:06:18 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com>
In-Reply-To: <CAM4esxQiaRoCb9-7eBMy4yoCv28=St2XN-8AF7DwPiC2HU_Fzw@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 02 Dec 2020 15:06:07 -0800
Message-ID: <CA+RyBmVfW0kAwinNUCWmouqi1gg+cN5G8Ks1y3Jh+nokLqmeUA@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: IETF IPPM WG <ippm@ietf.org>, Greg Mirsky <gregory.mirsky@ztetx.com>
Content-Type: multipart/alternative; boundary="00000000000074ec0905b5834a23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/fsaqhAfZXthfKRHXRe30ZjL8ZIc>
Subject: Re: [ippm] Is loopback/direct export amplification worse than linear?
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 23:06:24 -0000

Hi Martin,
thank you for highlighting some troublesome characteristics of using the
Loopback flag in IOAM. I agree that draft-ietf-ippm-ioam-flags could
tighten up the description of scenarios when the Loopback flag is used.
Also, it seems that the behavior of Direct Export
<https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/?include_text=1>
can
benefit from more clarifications. Now I've read both drafts taking notes
and present them to you below:
*draft-ietf-ippm-ioam-flags:*

   - draft-ietf-ippm-ioam-data defined IOAM as a method to record
   "operational and telemetry information in the packet while the packet
   traverses a path between two points in the network". It is an example of a
   hybrid measurement method, per RFC 7799 classification. The introduction of
   the Loopback and Active flags clearly makes IOAM into an active method and
   thus it should be discussed as a protocol that originates test packets,
   including potential security threats it may be used to create.
   - If the purpose of the Loopback flag is producing a series of
   responses from traversed nodes, then it might be much easier to use not a
   copy of the original packet but a different packet to respond to the sender
   (similar to CFM's LTM/LTR). That will avoid any risk of reverse-path
   amplification.
   - It is not clear what kind of path is expected in "a return path from
   transit nodes and destination nodes towards the source (encapsulating node)
   exists"? For example, if IOAM is used in an SFC environment, would Loopback
   require the use of an SFP to the sender?
   - It is not clear what establishes "the identity of the [IOAM]
   encapsulating node". Some examples would be helpful.
   - There seems to be a disconnect in handling unexpected looped IOAM
   packet:

In the second paragraph Section 4 it is stated:
"If an encapsulating node receives a looped back packet that was not
originated from the current encapsulating node, the packet is dropped."

But in the second from the last paragraph of the same section is noted that:
"If there is no match in the Node ID, the packet is processed like a
conventional IOAM-encapsulated packet."


   - The following probably may be expressed using the definitions from the
   IANA registry:

   An IOAM trace option that has the loopback bit set MUST have the
   value '1' in the most significant bit of IOAM-Trace-Type, and '0' in
   the rest of the bits of IOAM-Trace-Type.

like that:
   An IOAM Trace Option that has the Loopback bit set MUST have the
   "hop_Lim and node_id in short format" bit set IOAM-Trace-Type, and MUST
   have all other bits of IOAM-Trace-Type cleared.


   - What is the value of collecting "hop_Lim and node_id in short format"
   on the return path of a packet looped back by an intermediate node? As I
   understand it, only that information can be collected if the Loopback flag
   is set. Please correct me if that is not the case.
   - Can you point where it is specified that when using the Loopback "the
   packet does not have any payload"? Earlier in Section 4 action of an
   intermediate node is explained:

   A loopback bit that is set indicates to the transit nodes processing
   this option that they are to create a copy of the received packet and
   send the copy back to the source of the packet.

One can understand that the looped back packet is a carbon copy of the
original packet less the Loopback flag being cleared. And the actions of
the encapsulating node are described as:
   The encapsulating node either generates synthetic packets with an
   IOAM trace option that has the loopback flag set, or sets the loopack
   flag in a subset of the in-transit data packets.

Which suggests that, at least in the latter case, the packet with the
Loopback flag set does have a payload.


   - One of the essential aspects of defining an active measurement
   protocol is the specification of the expected rates that test packets be
   generated for the intended purpose of the protocol. Some protocols provide
   a mechanism to negotiate that rate either through its control-plane
   component or as part of bringing the test session to Up state. I couldn't
   find any discussion of the expected purpose of using the Active flag, nor
   sufficient information that would help to set reasonable limits on
   processing packets with the Active flag set. Also, even though the document
   is on the Standards track, I find normative language in relation to the
   security impact of Loopback and Active flags being underused.
   - Applying rate limits throughout the IOAM domain might be cumbersome. I
   think that stronger security methods must be defined making using the
   Loopback and Active options more secure. For example, using authentication
   to ensure the identity of the encapsulating IOAM node that imposed the
   Loopback or Active option.

*draft-ietf-ippm-ioam-direct-export*

   - Section 3.1 includes very important assumption:

  The option [DEX] can be read but not modified by transit nodes.

That brings the question What protects the DEX option in particular and
IOAM-Option-Types in general?


   - The description of the processing of the DEX option by encapsulating,
   transit, and decapsulating nodes in an IOAM domain in all cases states "MAY
   export the requested IOAM data". What are other possible behaviors of nodes
   processing the DEX option?
   - In the last paragraph of Section 3.1 stated:

  A transit IOAM node that does not support the DEX option SHOULD ignore it.

What are other allowed behaviors of a node, whether transit or
decapsulating? Report an error? Discard the packet with the DEX option?


   - Though considerations for performance impact at a collector(s) is
   sensible, it seems that the impact on the node exporting telemetry
   information triggered by the DEX should also be considered.
   - Applying rate limits throughout the IOAM domain might be cumbersome. I
   think that there could be other methods to improve the security of the DEX
   option.
   - I can understand that the identity of a collector(s) of exported
   information can be provisioned via the management or control plane. But I
   also believe that there must be a discussion of why the Loopback option is
   not a special case of the DEX option.

Regards,
Greg

On Sun, Nov 15, 2020 at 9:45 PM Martin Duke <martin.h.duke@gmail.com> wrote:

> I recognize that the loopback and direct export drafts discuss potential
> amplification results, as a path of length N will generate N packets for
> each IOAM packet -- a linear relationship. As these are discussed in the
> draft with proposed mitigation, in an editorial sense the job is done.
> Whether giving people this kind of foot gun is a good idea is a separate
> question, but reasonable people can disagree.
>
> However, if I understand correctly, certain pathological combinations of
> IOAM namespaces could result in amplification far worse than linear.
>
> 1) Loopback loops
> Imagine there is an IOAM namespace that covers the path from Hop A to Hop
> D. There is a separate namespace entirely contained in A-D, from hop B from
> hop C. Both namespaces enable loopback.
>                            A
> --------------------------------------------------------D
>
>  B-------------------------------C
>
> So a user packet is traveling from A to D. There will be (D-A) loopback
> packets headed towards A. The (D - C) loopback packets that generated
> between C and D will travel through the encapsulating node at C and then
> trigger further loopbacks to C. Thus the total number of packets generated
> by the single user packet is
> (D - A) + (D - C)(C - B)
> and obviousy there could be several of these smaller namespaces, or nested
> namespaces, that aggravate the amplification further.
>
> 2) Direct Export
> Direct Export potentially has even worse properties. Suppose namespace A,
> N_A hops across, direct exports to a node that is reachable across
> namespace B. Namespace B, N_B hops across, direct exports to a node
> reachable across namespace A.
>
> Thus a single user packet sent over namespace A will generate N_A packets
> that traverse Namespace B. This will, in turn, generate N_A * N_B packets
> that traverse namespace A, which in turn triggers N_A ^ 2 * N_B packets,
> and so on.
>
> In fact, if the namespaces direct export with probability exactly,1/N_A
> and 1/N_B, the same level of traffic will ping-pong infinitely. Any more
> than that, and the traffic will steadily increase to infinity. If the
> probability is 1, the growth is exponential.
>
> ****************
>
> This analysis, if correct, raises three questions that I can think of:
> - Are these corner cases plausible?
> - If so, and they occurred, would the namespace administrators necessarily
> be aware of each other? If not, I'm concerned that this is unsafe to deploy.
> - Do phenomena like this indicate that the design is brittle and putting
> in some "considerations" doesn't really mitigate the dangers here?
>
> Martin
>
>
>
>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm
>

v2.23.0 | Report a Bug | By Email