Re: [ippm] Zaheduzzaman Sarker's Discuss on draft-ietf-ippm-ioam-direct-export-09: (with DISCUSS)

Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com> Sun, 11 September 2022 17:37 UTC

From: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-ippm-ioam-direct-export@ietf.org" <draft-ietf-ippm-ioam-direct-export@ietf.org>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "tpauly@apple.com" <tpauly@apple.com>
Date: Sun, 11 Sep 2022 17:37:19 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/oqxDR2ylyb9E1PoCCATA-QerlVY>


> On 18 Aug 2022, at 15:16, Tal Mizrahi <tal.mizrahi.phd@gmail.com> wrote:
> 
> Dear Zahed,
> 
> Thanks for the comments.
> 
> Here is an updated version of the draft:
> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-1191a6b94b1b8ef3&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ippm-ioam-direct-export%2F
> 
> Regarding the following DISCUSS point:
> 
> [snip]
>> Thanks to Colin Perkins for his valuable TSVART review. I find the TSVART early
>> reviewer's concern on rate limiting the exported traffic triggered by DEX
>> Option-type as only protection mechanism
>> (https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-f1a8e03896e17207&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftsv-art%2F1WNgYWGJmxLd4f3RAiDk-LJ-S8Y%2F)
>> very valid but haven't seen it addressed. In this discuss, I would like to
>> bring back attention to that concern and would like to discuss why there should
>> not be a circuit breaker kind of functionality required here?
> [snip]
> 
> The rate limiting is just one of the security measures in this
> document. There was a long discussion in the IPPM working group about
> amplification attacks and how to mitigate them:
> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-85de22596797bb61&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FPyfokOEsBBCTtRdNYG-Vr-674Nw%2F
> https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-a9aaeff04156da3d&q=1&e=832af60a-d8a4-4ce6-b114-803e40c69f48&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fippm%2FJNiX94A7fN6tUPsA-VQizQEBWms%2F
> 
> Following this discussion, what we came up with in order to mitigate
> these attacks is a combination of the following components:
> - Rate limiting (1/N) at the encap node.
> - Export traffic rate limiting (1/N) at the exporting node.
> - No exporting over DEX-enabled tunnels.
> - The DEX option is not pushed into packets that already include an IOAM encap.
> - Exporting over a secure connection to a trusted destination.
> 
> We believe that this combination of components, which are discussed in
> the document, provides reasonable measures to address the threat.

This is good. I haven’t noticed any requirements on exporting over a secure connection to a trusted destination in this specification. I may have missed this, could you please point me to that?

//Zahed
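
The combination of mitigations listed in the quoted reply can be modelled as a small simulation. This is an added example, not code from the draft or from anyone in this thread. It assumes "1/N" means a packet-count budget (one DEX push, and one export, per N packets seen), and all class names, function names and the `collector.example` destination are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    has_ioam: bool = False  # already carries an IOAM encapsulation
    has_dex: bool = False   # carries the DEX option

class EncapNode:
    """Pushes the DEX option into 1 of every n eligible packets."""
    def __init__(self, n):
        self.n, self.seen = n, 0

    def process(self, pkt):
        if pkt.has_ioam:      # do not push DEX onto an existing IOAM encap
            return
        self.seen += 1
        if self.seen % self.n == 0:   # 1/N selection at the encap node
            pkt.has_ioam = pkt.has_dex = True

class ExportingNode:
    """Exports for DEX packets, capped at 1/n of the packets it forwards."""
    def __init__(self, n, collector, trusted, dex_tunnel=False):
        self.n, self.forwarded, self.exported = n, 0, 0
        # Export only to a trusted destination, never over a DEX-enabled tunnel.
        self.allowed = collector in trusted and not dex_tunnel

    def process(self, pkt):
        self.forwarded += 1
        if not (pkt.has_dex and self.allowed):
            return False
        if (self.exported + 1) * self.n > self.forwarded:  # 1/N export budget
            return False
        self.exported += 1
        return True

def simulate(packets, n=10, hops=3, collector="collector.example",
             trusted=("collector.example",), dex_tunnel=False):
    """Return the total number of exported packets across all hops."""
    encap = EncapNode(n)
    nodes = [ExportingNode(n, collector, trusted, dex_tunnel) for _ in range(hops)]
    exports = 0
    for pkt in packets:
        encap.process(pkt)
        exports += sum(node.process(pkt) for node in nodes)
    return exports
```

With 1000 packets, N=10 and three exporting hops, export volume stays at 300 packets whether the input is clean traffic or traffic that arrives already carrying DEX. The per-node export budget is what bounds the second case, since the encap-node limit never sees those packets as eligible.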