Re: [ippm] WGLC for IOAM Flags

Greg Mirsky <gregimirsky@gmail.com> Tue, 07 September 2021 22:00 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C4E03A1AE2 for <ippm@ietfa.amsl.com>; Tue, 7 Sep 2021 15:00:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oljqiJkvwIWB for <ippm@ietfa.amsl.com>; Tue, 7 Sep 2021 15:00:26 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD56C3A1AD0 for <ippm@ietf.org>; Tue, 7 Sep 2021 15:00:25 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id q3so4203edt.5 for <ippm@ietf.org>; Tue, 07 Sep 2021 15:00:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9EDjgblFfJyXwpVqcpeI9m60V8oX8FP/4NV3tR6dIVM=; b=QZrLIXOWP4mPLcFRr8UpvuaBjy4wzIkZGAW+ImaIOfSt41muyN83tJ+uv0LEcmtmLm Hgo0fuXEY++hHzR1HxdPKAIBVMne1eUBpxBIi+skz0HKRncr8AG4y4UfEEKSSYswM4Dk TwhOl3HKkrBBHKJ7aNGgFK3Y8+aLdydIlhhR24el9M206f+EltxKU/n9meoBT8ewzeIS JQKqejYg/+I9C7fBIaT8B3UBFlN1Tb3ArqBX4tsptB0IQMHsJ+5Ie1SG0cNOcv2Tq9Ki WYrP7V9t01mJltkulkgdu1xWcTXyzrHG1j8BT3LRLzoQuUtoMmoMVlZW2BiASfXLwgT/ Y2hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9EDjgblFfJyXwpVqcpeI9m60V8oX8FP/4NV3tR6dIVM=; b=cqKhOJcKQh8c4vtdMWJZTwxGB7DrFqo1SEP39jCOQD9ZAJoUDMRVPMmTJO5J89AnyP qCAI1ZjcSGZDg3i5F6STncBZSTw/ggkBFoqapLNlQzEHMupQJACBRRa1n3+n+jRCnl3v kbJZeq1gxbT5Meh2Q9PdTO4dCVnJwAwJdi1W+PCSAAetK9xy8T4Q+l+QthnLOSm63nJW JKZlmf2tnSn5ID02GzS/zfAKySTc8V2ARlkgU55lNBXaTiU5Z9+Ta1EQ7IIPM/rDdkIk 5lAAjwIL8rndzFU4vqf0QZctZ4Z3/4tVTy0y8fiaqzSw9FtnWvaq3eJugN5swU+lZlVe z5vQ==
X-Gm-Message-State: AOAM533xIlKyrtQP9xQlWMfAQQ+8N+T28x8J3H9WD0W7hiRtnXrNz7io MYEVXb+JQzLvGO6Mfn5l7BRyEis1fYTlxKCmXvxzLSd9lu0=
X-Google-Smtp-Source: ABdhPJysJlYu5dNfq8DPnF4ZZOr2rooxD57i8kVCawGLi1APOHeLDO3LF9jAA8r9LFVVhUYXrv1cROgSy6jBLrLOIDE=
X-Received: by 2002:aa7:ca4b:: with SMTP id j11mr429905edt.342.1631052022950; Tue, 07 Sep 2021 15:00:22 -0700 (PDT)
MIME-Version: 1.0
References: <A4F59F82-7F47-452B-9E63-0FDFBB812CEC@apple.com>
In-Reply-To: <A4F59F82-7F47-452B-9E63-0FDFBB812CEC@apple.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 7 Sep 2021 15:00:12 -0700
Message-ID: <CA+RyBmX6QDza7zwaejeduPTO95dkAWG40JXN_nOTvBDj8GTJGw@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: "IETF IPPM WG (ippm@ietf.org)" <ippm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000702f0005cb6ee45f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/mRuNVPnVI1re_Bz0Lobb2t9X5U8>
Subject: Re: [ippm] WGLC for IOAM Flags
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 22:00:34 -0000

Dear Authors, WG Chairs, and All,
I've read the latest version of the draft and have several comments and
questions to share with you. I would much appreciate the opportunity to
discuss these before I can state my support for progressing this draft
to publication.

   - The Abstract states that:

   In-situ Operations, Administration, and Maintenance (IOAM) records
   operational and telemetry information in packets while they traverse
   a path between two points in the network.

I think that is not a complete description of IOAM options as it excludes
the Direct Export option. It might be easier to improve by
s/records/collects/. Also, what, in your opinion, is the distinction
between operational and telemetry information? I think that operational
information collected from remote nodes is one example of telemetry
information. What do you think?


   - nit s/the the/the/
   - I think that Abstract and Introduction can be improved by explaining
   the purpose of defining the Loopback and Active flags. What each of them is
   intended to achieve and improve?
   - It is stated in the Introduction that:

   This document defines
   two new flags in the Pre-allocated and Incremental Trace options: the
   Loopback and Active flags.
Does that mean that neither of the two flags is applicable in the Direct
Export option? Should draft-ietf-ippm-ioam-direct-export have an explicit
statement regarding the applicability of the Loopback and Active flags? And
if any is applicable, describe the behavior of an IOAM node receiving it.


   - In Section 4 the purpose of using the Loopback flag is explained as:

   Loopback allows an IOAM encapsulating node to trace the path to a
   given destination, and to receive per-hop data about both the forward
   and the return path.
In my previous comments, I've pointed out that the Loopback mode is just a
special case of the Direct Export option. In addition to that, I would
appreciate your explanation of how the IOAM encapsulating node receives
per-hop data about the return path. How does that work, for example, in an
MPLS or SFC NSH environment?


   - Further it Section 4, it is stated that:

   The two IOAM looped back copies are
   terminated by the encapsulating node.
But I don't see any technical explanation that could sustain that
assumption. As I understand the diagram in figure 1, a transit node doesn't
know the identity of the IOAM encapsulating node. Correct? If that is the
case, where does the transit node direct the looped packet?
It seems that the text in the last paragraph attempts to walk around my
questions. But I don't find that paragraph sufficient. It lacks the
normative language to guide a developer to produce resilient
implementation. For example, how to interpret:
   Loopback can be used only if a return path from transit nodes and
   destination nodes towards the source (encapsulating node) exists.
That reads like a recommendation, not a requirement. As a result, an
implementation may transmit an IOAM packet with the Loopback fag set
regardless of whether there's a return path or not. Then, how must a
transit node process such an IOAM packet?


   - A very concerning statement I've found in Section 4.1

   The encapsulating node either generates synthetic packets with an
   IOAM trace option that has the Loopback flag set ...
IOAM has been defined as a hybrid measurement protocol. This statement
implies that it is to be used as an active OAM protocol (all per RFC 7799
definitions). The requirements for active OAM protocols in terms of their
applicability and, most of, security are very different from those set for
a hybrid measurement protocol. I believe that extending IOAM into an active
mode of measurement requires more discussion and the audience from other
IETF WGs, e.g., 6man, SFC, BIER, MPLS, BFD, RTGWG.


   - The next statement explains the use case for the Loopback flag:

   Loopback is used
   either proactively or on-demand, i.e., when a failure is detected.
That is the same use of ICMP and LSP Ping. What is the benefit of using the
Loopback flag instead of readily available ICMP? Does it work as L2
Linktrace? I don't see that as a sufficient benefit considering the
complexity, exclusions, and risks associated and identified in the draft.
It is clear that there are tools like ICMP and LSP Ping that adequately
address scenarios listed in the draft. Don't see any technical reason for
the introduction of another mechanism that does not have any significant
benefit compared to the existing OAM tools. Especially, considering the
limited information that is allowed to be collected using the Loopback IOAM
flag ("every transit node that processes this trace option only adds a
single data field, which is the Hop_Lim and node_id data field"). With the
abundance of information and additional verification achieved using ICMP
and LSP Ping, there's even less rationale in the introduction of this
over-complex and unnatural mechanism.


   - The last paragraph states the requirement:

   IOAM encapsulating nodes MUST NOT push an IOAM encapsulation with the
   Loopback flag onto data packets that already include an IOAM
   encapsulation.
I couldn't find any guidance on how an IOAM node that receives such invalid
combination processes the packet.



   - It is assumed that the identity of the IOAM encapsulating node is
   known to the node that is expected to sent a copy of the received packet
   back. But what if that is not the case? How must that node act?
   - I believe that there's inconsistency between Figure 1 and the
   following text in Section 4.2

   Thus, the
   source address of the original packet is used as the destination
   address in the copied packet.
It seems that the text assumes that the IOAM encapsulating node adds also a
network layer encapsulation. But how would it work, for example, in SFC NSH
data plane? Or MPLS?


   - Section 4.4 states that

   If the Node ID matches the current
   IOAM node, it indicates that this is a looped back packet that was
   initiated by the current IOAM node, and processed accordingly.
But according to the definition of node_id in Section 5.4.2.1
of draft-ietf-ippm-ioam-data, "Node identifier field to uniquely identify a
node within the IOAM-Namespace and associated IOAM-Domain." It appears that
simply comparing Node IDs is not sufficient to verify that the node
received its looped back packet. What is your opinion?


   - If, as stated in Section 5,

   It [Active flag] is not intended as a replacement for existing
   active OAM protocols, which may run in higher layers and make use of
   the Active flag.
Then the question, What is the purpose of the Active flag? Existing active
protocols, Fault Management and Performance Monitoring, are identified by,
for example, use of a well-known destination port number or, in case of
MPLS, Generic Associated Channel type. There's no apparent need of using
IOAM option header to identify the payload as a control message of an
active OAM protocol. On the contrary, that would likely cause more
confusion and challenges to interoperation among different implementations.


   - Three cases analyzed in Section 5 require special consideration, as
   these likely present the motivation for the introduction of the Active flag:
      - the first use case is not really using the Active flag at all and
      thus the text doesn't seem adding any value to the draft;
      - it is not clear what is viewed as the benefit of using the Active
      flag compared with using any of the existing active OAM protocols in the
      second use case. I would appreciate it if you can clarify that for me.
      Since an SFC NSH network is used as an example, is it required that a
      Service Function (SF) or an SF Proxy process the IOAM header with Active
      flag set? Or would a Service Function Forwarder (SFF) avoid sending a
      packet with the IOAM header that has an Active flag set? And can you
      compare that with the procedures defined in the Active OAM for SFC
      draft
      <https://datatracker.ietf.org/doc/draft-ietf-sfc-multi-layer-oam/>?
      - My questions for the third use case described in Section 5 are the
      same as above because I don't see the benefit of using a replicated data
      packet (less benefits if it is truncated) compared to a special
test packet.
   - In my conclusion on the Active flag, I don't see any clear benefit of
   introducing it and using whether in place or in addition to the existing
   active OAM protocols.

I am looking forward to your feedback and the continued discussion.

Regards,
Greg

On Mon, Aug 30, 2021 at 1:58 PM Tommy Pauly <tpauly=
40apple.com@dmarc.ietf.org> wrote:

> Hello IPPM,
>
> This email starts a Working Group Last Call on two related IOAM
> documents, draft-ietf-ippm-ioam-flags
> and draft-ietf-ippm-ioam-direct-export.
>
> In-situ OAM Loopback and Active Flags
> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-flags/
> https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-flags-06
>
> In-situ OAM Direct Exporting
> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-direct-export/
> https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-direct-export-06
>
> Please provide feedback by replying to this email with your reviews and if
> you think these documents are ready to progress, by *Wednesday, September
> 15*.
>
> Best,
> Tommy & Ian
>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm
>