Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110

"MORTON, ALFRED C (AL)" <> Sat, 27 March 2021 17:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 596063A05AC for <>; Sat, 27 Mar 2021 10:38:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.496
X-Spam-Status: No, score=-2.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Li3QCDKGiLcW for <>; Sat, 27 Mar 2021 10:38:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA82C3A0637 for <>; Sat, 27 Mar 2021 10:38:51 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id 12RHYD6H016202; Sat, 27 Mar 2021 13:38:47 -0400
Received: from ( []) by with ESMTP id 37j05nwhju-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 27 Mar 2021 13:38:46 -0400
Received: from (localhost []) by (8.14.5/8.14.5) with ESMTP id 12RHcj61076514; Sat, 27 Mar 2021 12:38:45 -0500
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id 12RHcbg3076393 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 27 Mar 2021 12:38:38 -0500
Received: from ( []) by (Service) with ESMTP id EA6C54068F83; Sat, 27 Mar 2021 17:38:37 +0000 (GMT)
Received: from (unknown []) by (Service) with ESMTP id C03C44068F82; Sat, 27 Mar 2021 17:38:37 +0000 (GMT)
Received: from (localhost []) by (8.14.5/8.14.5) with ESMTP id 12RHcap4000660; Sat, 27 Mar 2021 12:38:37 -0500
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id 12RHcSxn130710; Sat, 27 Mar 2021 12:38:29 -0500
Received: from ( []) by (Postfix) with ESMTP id 1E22910A1AAA; Sat, 27 Mar 2021 13:38:28 -0400 (EDT)
Received: from ([fe80::b09c:ff13:4487:78b6]) by ([fe80::e881:676b:51b6:905d%12]) with mapi id 14.03.0513.000; Sat, 27 Mar 2021 13:38:50 -0400
From: "MORTON, ALFRED C (AL)" <>
To: "Frank Brockners (fbrockne)" <>, Tommy Pauly <>, Tommy Pauly <>, Shwetha <>
Thread-Topic: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
Date: Sat, 27 Mar 2021 17:38:28 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4D7F4AD313D3FC43A053B309F97543CF0147CD0A59njmtexg5resea_"
MIME-Version: 1.0
X-Proofpoint-ORIG-GUID: g_IwsU3jjtBhkUcagzidlp-hZsfbiflX
X-Proofpoint-GUID: g_IwsU3jjtBhkUcagzidlp-hZsfbiflX
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-27_07:2021-03-26, 2021-03-27 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 mlxscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 spamscore=0 clxscore=1011 priorityscore=1501 adultscore=0 lowpriorityscore=0 malwarescore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2103250000 definitions=main-2103270141
Archived-At: <>
Subject: Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 27 Mar 2021 17:38:56 -0000

Hi Frank, Tommy, and all,

TL;DR: No solution, just trying to refine the problem statement and suggestion to seek SEC advice.

I haven’t followed the integrity discussions closely, but hearing the review of options at the IETF-110/IPPM session, and additional details for the options that Frank described below, it seems we could use some expert advice. There is a perpetual tension between protection from various attacks and the protocol performance achievable in practice, especially when considering per-packet integrity. IOW, if the security measures drag down too hard on performance, they won’t be used in practice.

In a successful end-game, we will have balanced the (possibly increased) risks inherent in the selected security measures with the practical per-packet implementation (requiring high packet-per-second rates, wide distribution, and other deployment needs).

I’m a very interested spectator here, because we may need to solve this problem again for packet streams used in high-capacity testing with widespread deployment.

So, advice in the form of a recommended solution to our particular problem with an acceptable level of risk, from SEC-Dir, SEC-ADs, or elsewhere, might help us winnow-down the choices.

hope this helps,

From: ippm [] On Behalf Of Frank Brockners (fbrockne)
Sent: Saturday, March 27, 2021 10:54 AM
To: Tommy Pauly <>; Tommy Pauly <>; Shwetha <>
Subject: Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110

Hi Tommy, IPPM WG,

We’ll look into the update after the Easter break. Before that, I’d greatly appreciate further input and thoughts on the preferred methods.

In our IPPM WG meeting during IETF 110, you voiced a preference for Method 3 – broken up into a “Method 3a – with symmetric key (the current Method 3)” and a “Method 3b – with asymmetric keys”.

Per the discussion, the Method 3 approach suffers from the challenges that one would need to provision a secret per packet, which is a significant effort – but provides for replay protection. Detecting whether a secret has already been used or not is detectable by the verifier. Method 4 also provides for replay protection given that it also uses a secret per packet and at the same time is to help the secret provisioning issue, given that we’d only bootstrap a key generator on the nodes and would then leverage Key-IDs – which makes “secrets per packet” much more manageable.

Per the note above, during the WG discussion, a preference was voiced for “Method 3” – but at the same time, asked for avoiding a secret per packet – but re-using the secret for multiple packets, e.g. defined by duration or number of packets. How would we arrive at a solution for replay protection in that case?
Options we could consider include:
(a) Include the payload (or portions of the payload) into the signing process, so that the signed IOAM data becomes unique and cannot be easily re-used for future packets.
(b) Include an additional “identifier” or “nonce” as part of the IOAM-data, which would make the IOAM-data and thus the signature unique – which could be checked and tracked by the verifiers.
(c) ? any other options ?

Thoughts? Opinions? Preferences?

While evolving the design for Method3 (or better 3a and 3b), I’d suggest that we keep Method 4 on the table for now.

Thanks, Frank

From: Tommy Pauly <<>>
Sent: Freitag, 26. März 2021 21:58
To: Tommy Pauly <<>>; Shwetha <<>>; Frank Brockners (fbrockne) <<>>
Cc: IETF IPPM WG (<>) <<>>
Subject: Re: [ippm] Discussion on draft-brockners-ippm-ioam-data-integrity method 3 variant in @ietf110

Just checking here—when could we expect an updated proposal for the integrity document? Once we can converge on a set of approaches we like, we would like to get this prepared for a WG adoption.


On Mar 12, 2021, at 6:30 AM, Tommy Pauly <<>> wrote:

Thanks, that’d be great to see the variants of Method 3 like that!


On Mar 8, 2021, at 8:31 PM, Shwetha <<>> wrote:

My bad, it should be possible to reverse the process for validation and retrieve the previous signature in the reverse order. We will update the draft to have Method 3 with both symmetric/asymmetric variants.


On Tue, Mar 9, 2021 at 7:07 AM Shwetha <<>> wrote:
During the session 1 of ippm at IETF 110, it was suggested to consider introducing a variant of method 3 in  draft-brockners-ippm-ioam-data-integrity with asymmetric keys.

When we were designing the methods to protect integrity of the entire IOAM data collected at each node, the node chains it's own node data with the signature from the previous node and overwrites the signature:
Trace signature = sign([Trace Signature || its node_data_list[x] hash])

In the symmetric key case this operation can be validated by reversing the operation by the validator who has the shared secret from each node.
However this will not work if nodes use their private keys to sign and validator has the public key to validate as it can only validate but not derive a specific node's signature to reverse the operation.

So I think the space optimized  method to overwrite the signature at each node cannot be modified to use asymmetric keys easily. Will be happy to discuss ideas to create a space optimized asymmetric key based solution.


ippm mailing list<><;!!BhdT!04mWk9x-Ut5K0ecNHfnt8g_vEeQPXwZx8oP_51cSZNUP214MyjqOchkEeA3R$>

ippm mailing list<><;!!BhdT!04mWk9x-Ut5K0ecNHfnt8g_vEeQPXwZx8oP_51cSZNUP214MyjqOchkEeA3R$>