IETF Logo Mail Archive

Re: [ippm] Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Wed, 11 August 2021 20:40 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B73B33A239D; Wed, 11 Aug 2021 13:40:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UyIarp09YLwF; Wed, 11 Aug 2021 13:40:18 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0129.outbound.protection.office365.us [23.103.208.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 666813A2372; Wed, 11 Aug 2021 13:40:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=zkrdkSeC4CGUpIfS5YyLuqUyqgD1GAdgNlnOo6dCxzsQI30PsmaBhUx7X8FFtY3dJRD7N5FNB7bm1Jp3hO35NnekI2t0Mf9wOaCBWvO8Lq6P5pTcqhQIEX2LvWbQ9CL0LMPrqvQpsDmY49EtTNuvDKBf8YuKNkNYf2wio8hUkxHcK1K5YJZY79QQAarZxlnl0q7joNYHd9QgvBk4mqdtFuqplEZjtbG7mjhQ5Ygy/DoX6CniJm9QyLpW3fTY7HsQSlCGbezpxEvY7IPTnkrJhe9kdJr65v0d/Xbm/85A1NDmaLbQq2AbgTXbULp8PCMNe5EiAeYMwo2nbYPe50Mltg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ck1UNM2ZKyHOHlNZMPToJdjjNQJ+kVin8YQjSYIj0JE=; b=PNDMe/szvW2OL8ARCopjhNXqOzLgxs1Oz7GiuBLVIslySWt7qqe4kMs4nSVO2zECoFuNeKcJ/F/DKW+i9a6ewOo2Wo9STXvAqc6YDT9cRvspspS/BN9uSJYyF9jIVBoB8sNZyP4A0cP+H8L3uca+09ECChN4NlJ6z3JE/eGtFQKDQxMrbpqOLHa7MK9frvmCPVNO3LcmsuJlUBn7x5OJ7AuQUicvVCCUOcXDgtyAjwOuXy8OX608mI86D21ivQpfEZscguZwp/rKGPsIKGQkXhaAc1pgorO/0STBuNRSW9tquhqFhfB+W7y1wjkRjBYIDez2+EhkevMWgQiGbpDxsw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (52.145.69.12) by BN1P110MB0097.NAMP110.PROD.OUTLOOK.COM (23.103.22.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4394.21; Wed, 11 Aug 2021 20:40:14 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::93b:40b5:d4b6:9650]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::93b:40b5:d4b6:9650%5]) with mapi id 15.20.4394.025; Wed, 11 Aug 2021 20:40:14 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Frank Brockners (fbrockne)" <fbrockne=40cisco.com@dmarc.ietf.org>, The IESG <iesg@ietf.org>
CC: Al Morton <acm@research.att.com>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "draft-ietf-ippm-ioam-data@ietf.org" <draft-ietf-ippm-ioam-data@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with DISCUSS and COMMENT)
Thread-Index: AQHXIL84FDxTnDCVKE6g9Zd6MEHHA6rHZdYAgKgxPgA=
Date: Wed, 11 Aug 2021 20:40:14 +0000
Message-ID: <BN1P110MB0939EB2AF6420A71E46C4865DCF89@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <161659835537.18895.9718541717885407286@ietfa.amsl.com> <BYAPR11MB25840FD7338E2C066DD9312CDA429@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB25840FD7338E2C066DD9312CDA429@BYAPR11MB2584.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cert.org;
x-originating-ip: [128.237.16.24]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bca93871-13ff-4463-25fd-08d95d0838f5
x-ms-traffictypediagnostic: BN1P110MB0097:
x-microsoft-antispam-prvs: <BN1P110MB009762940F9F8D8C90596D0EDCF89@BN1P110MB0097.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lVws+qSqw3klE31qbakEy2pfcsDHhdrwZ0eaQBDiwfGQCTu0DDT4jBJBrXjdWoavkUBjHVQb2WMVV9bIzcimW+LWehd1HHUwCOvSXDoeJinh/JkQ7N7hh3H/rwsrZzuqlGA6jdxkexKm4OgWJJlctIrTlZQ25KmULTFAXuEvGkFwEVQksrQm6sxWBcF5Vi27Zqn28NYCHOnSSb1F6T8jtWE94sjL2SOEg0FPfGU8+hN7LxirzOoNFi2f1n1TJjXrMX1rKBKLUGbwV0WOVf7Iwa1doKY6cujHNEm8Mr95z+gw1XKxb24fzP1ymVcYM731O0XDgw6eTPznxcIAoE7Wdb8FhBdonU/ugO0EV+yhZ14tsmfpymBEIf6Md1bVWg8tYyGSI/tmvVdx2Mv+irfZWpJvR/g5Ld04MHRFfUJ+e3LdHqRdZoOoHsgCA3TNuMxD8BvujIfEPt0FEXfjxT3r8DFTLTDZLRO5T1zS1peiXjfswXa240a800D5hLwPOxGC8t8UabZnCWbhwIo7hNIRFGAuSzUs8yyaNTtvPkM0VmfP9B9aFBw+N4QQCaLrwgIAUzDXmNYfShHgNQca2dqSlL/YlmDS7Zl7aeaxniF0qGh/N+5mL/6glMK8Xo89sRtiUEU6UBKJxmVjPgw8qF/5LWkhsvR2kkbr2M1M1qvJ5ldWLvoESqljb5f5DR5yVzFhTjjmTk2aXXIUGPg11bzEnA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(366004)(376002)(39850400004)(396003)(136003)(66446008)(64756008)(66556008)(66476007)(66574015)(55016002)(66946007)(38100700002)(8936002)(9686003)(8676002)(26005)(186003)(71200400001)(33656002)(52536014)(54906003)(7696005)(478600001)(86362001)(83380400001)(53546011)(6506007)(966005)(2906002)(122000001)(316002)(76116006)(110136005)(5660300002)(38070700005)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VMhnlOUw8f5azv4W/GOir4kGPNOaPEoxEhr71U5GraCNknxjS+T7Z420b98/xU1XcIRgLoX7+C8J+MGr+XkVIXNBGubiioIrrwA9ZBA49qo5JgVavw2KANO8OqMUhUJJoWBR/cva72yIRA6jdUFl7zLYEreYq+a2rhFda/6x7QDsCpjh8ggLoDsSfuFcyC7N7iktCn9T0UYMjKz4cf7sbezlGDAYuodclqsqBCGELnrfYdXv56SaCFGHjRXdnwodNJ7rZLf5SE2VDX4hNCX+8r50ekK0n+ucJGocZA0pPK2tt76/LH0Ts+wN1zAhwTUV82H+k8u+WGMng+jROTN5J2l16nK6GY+GSeeJCUOxDfFVp8bLQjqz7SWRWmZ0jqTjk/aKCXOhTYSFr+LkCk0NeVcb4dLh3wdwore7zJlEl3R00/nQQlChUtydD8+gqjNQWeYIk45jqpHf4WsZg4jcSHec2bzJKSEaxNoSWLg7CzQAQ7mXylEA+CGKSl/VOdcCQ0FafPDS/EP+pYNk/4XwMr0hKKikCipHb3wdqE0f44IAGxtSf1QxIGm0XqUEKwWXp9RMRULX7NId2loONYRKzmVsogW+bYWmcWntRo31/gU/0yQqNExIls+0MJgmp5/ixACJQCpxz40lrU7dIMJfj4XOOG69o7U0XhaWd65SuNCQXttFknV7Te32Q/H58Idb0lyEmps0YCUptajjsQddog==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: bca93871-13ff-4463-25fd-08d95d0838f5
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2021 20:40:14.5138 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0097
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/mhUcsoxn08m9tOXHPH4zTT3Y6dY>
Subject: Re: [ippm] Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with DISCUSS and COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2021 20:40:24 -0000

Hi Frank!

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Frank Brockners (fbrockne)
> Sent: Monday, April 26, 2021 11:38 AM
> To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>
> Cc: Al Morton <acm@research.att.com>; ippm-chairs@ietf.org; draft-ietf-ippm-
> ioam-data@ietf.org; ippm@ietf.org
> Subject: RE: Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12: (with
> DISCUSS and COMMENT)
> 
> Hi Roman,
> 
> Thanks a lot for your review - and sorry for the delay in responding. Please see
> inline ("..FB").
> 
> > -----Original Message-----
> > From: Roman Danyliw via Datatracker <noreply@ietf.org>
> > Sent: Mittwoch, 24. März 2021 16:06
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-ippm-ioam-data@ietf.org; ippm-chairs@ietf.org;
> > ippm@ietf.org; Al Morton <acm@research.att.com>; acm@research.att.com
> > Subject: Roman Danyliw's Discuss on draft-ietf-ippm-ioam-data-12:
> > (with DISCUSS and COMMENT)
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-ippm-ioam-data-12: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-data/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Please clarify what constitutes the edge or boundary of the IOAM domain.
> > Consider:
> >
> > (a) Section 4.
> > IOAM is a
> >    network domain focused feature, with "network domain" being a set of
> >    network devices or entities within a single administration.
> > …
> > Designers of
> >    protocol encapsulations for IOAM specify mechanisms to ensure that
> >    IOAM data stays within an IOAM domain.  In addition, the operator of
> >    such a domain is expected to put provisions in place to ensure that
> >    IOAM data does not leak beyond the edge of an IOAM domain.
> >
> > (b) Section 5.3.
> > Namespace identifiers allow devices which are IOAM capable to
> >    determine: …
> > whether IOAM-Option-Type(s) has to be removed from the packet,
> >       e.g. at a domain edge or domain boundary.
> >
> > (a) suggests that the filtering occurs on the basis of the single
> > administrative domain.  However, (b) suggests that namespace
> > identifiers are part of the filtering decision; which suggests that
> > sub-domains can be created in a given domain which should be partitioned
> from each other.
> >
> > The Security Considerations should be clearer on who does the IOAM
> > information filtering, on what criteria and on what boundary.
> 
> 
> ...FB: Eric already suggested in his review that we refer to RFC 8799 and an
> IOAM domain classifies as a "Limited Domain" per RFC 8799, which we plan to
> do for the next revision.
> And per your comment, namespaces can indeed be used for further
> segmentation of the single administrative domain.
> 
> Given that draft-ietf-ippm-ioam-data is focused on the definition of data-fields,
> we created a "sister" document, which is to discuss all deployment related
> aspects of IOAM: draft-brockners-opsawg-ioam-deployment (we're working on
> an updated version as we speak). Domains and nodes are discussed in section 3,
> see  https://tools.ietf.org/html/draft-brockners-opsawg-ioam-deployment-
> 02#section-3. With regards to filtering at the edge of the administrative
> domain, draft-brockners-opsawg-ioam-deployment states the following
> 
>    The role of an IOAM-encapsulating, IOAM-transit or IOAM-decapsulating
>    node is always performed within a specific IOAM-Namespace.  This
>    means that an IOAM node which is e.g. an IOAM-decapsulating node for
>    IOAM-Namespace "A" but not for IOAM-Namespace "B" will only remove
>    the IOAM-Option-Types for IOAM-Namespace "A" from the packet.  An
>    IOAM decapsulating node situated at the edge of an IOAM domain
>    removes all IOAM-Option-Types and associated encapsulation headers
>    for all IOAM-Namespaces from the packet.
> 
> Does this clarify things? And if so, are you ok to keep "data fields definition"
> and "deployment aspects" separated in the two different documents?
> Otherwise, we would need to create redundancies between the documents,
> which are a bit hard to keep in synch.

Thanks for -14.  If I understand things correctly, the text I was concerned about in Section 5.3, "o  whether IOAM-Option-Type(s) have to be removed from the packet, e.g. at a domain edge or domain boundary" is roughly saying that any Option-Type needs to be combined with the Namespace to completely understand it's semantics and how it should be actioned.  One of this actions (to the substance of the quoted text) could be to de-encapsulation because that particular Option-Type has reached its particular boundary.  The key principle that I wasn't following (correct me if I have it wrong) is that each namespace constitutes a different "IOAM Domain" and that a single "network domain" (under the control of a single administrative entity) may have multiple, overlapping "IOAM Domains".

If the above is correct, then I think language in Section 3 of draft-brockners-opsawg-ioam-deployment is clear as is your explanation above.  Could you please add a bit of that clarification to the document.  I see the text about limited domain per Eric and concur with the sentiment of not repeating text already in the ops document.  With the use of four types of domains across the two documents (deployment, network, limited, and IOAM), I would offer this refinement to clear up this architecture principle (and leaves the rest of the text unchanged):

Section 4.

OLD
A limited domain which uses IOAM is called an "IOAM domain".  An IOAM
   domain is bounded by its perimeter or edge.  

NEW (feel free to polish)
A limited domain which uses IOAM may operate one or more "IOAM domain", each disambiguated through separate namespace identifiers.  An IOAM domain is bounded by its perimeter or edge.  IOAM domains may overlap inside the limited domain.
 
Regards,
Roman

v2.23.0 | Report a Bug | By Email