Re: [ippm] John Scudder's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT)
xiao.min2@zte.com.cn Thu, 27 October 2022 09:51 UTC
Return-Path: <xiao.min2@zte.com.cn>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 173E2C14CF00; Thu, 27 Oct 2022 02:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKDpH8aDtb_K; Thu, 27 Oct 2022 02:51:55 -0700 (PDT)
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [63.216.63.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C47C14F606; Thu, 27 Oct 2022 02:51:52 -0700 (PDT)
Received: from mse-fl1.zte.com.cn (unknown [10.5.228.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mxhk.zte.com.cn (FangMail) with ESMTPS id 4Mygtt63Rrz8RTZL; Thu, 27 Oct 2022 17:51:50 +0800 (CST)
Received: from njxh01app01.zte.com.cn ([10.41.132.205]) by mse-fl1.zte.com.cn with SMTP id 29R9pfe7034867; Thu, 27 Oct 2022 17:51:41 +0800 (+08) (envelope-from xiao.min2@zte.com.cn)
Received: from mapi (njxh01app01[null]) by mapi (Zmail) with MAPI id mid201; Thu, 27 Oct 2022 17:51:44 +0800 (CST)
Date: Thu, 27 Oct 2022 17:51:44 +0800
X-Zmail-TransId: 2af9635a54b0ffffffffdaf27d88
X-Mailer: Zmail v1.0
Message-ID: <202210271751442400444@zte.com.cn>
In-Reply-To: <166681647836.46740.1588555524214771641@ietfa.amsl.com>
References: 166681647836.46740.1588555524214771641@ietfa.amsl.com
Mime-Version: 1.0
From: xiao.min2@zte.com.cn
To: jgs@juniper.net
Cc: iesg@ietf.org, draft-ietf-ippm-ioam-conf-state@ietf.org, ippm-chairs@ietf.org, ippm@ietf.org, marcus.ihlar@ericsson.com
Content-Type: multipart/mixed; boundary="=====_001_next====="
X-MAIL: mse-fl1.zte.com.cn 29R9pfe7034867
X-Fangmail-Gw-Spam-Type: 0
X-FangMail-Miltered: at cgslv5.04-192.168.250.137.novalocal with ID 635A54B6.002 by FangMail milter!
X-FangMail-Envelope: 1666864310/4Mygtt63Rrz8RTZL/635A54B6.002/10.5.228.132/[10.5.228.132]/mse-fl1.zte.com.cn/<xiao.min2@zte.com.cn>
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 635A54B6.002/4Mygtt63Rrz8RTZL
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/slHmhzKGYkVB8I8agoECMB-Zb2E>
Subject: Re: [ippm] John Scudder's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 09:51:57 -0000
Hi John, Thank you for the review and thoughtful comments, very detailed and helpful. Please check inline my responses. Best Regards, Xiao Min Original From: JohnScudderviaDatatracker <noreply@ietf.org> To: The IESG <iesg@ietf.org>; Cc: draft-ietf-ippm-ioam-conf-state@ietf.org <draft-ietf-ippm-ioam-conf-state@ietf.org>;ippm-chairs@ietf.org <ippm-chairs@ietf.org>;ippm@ietf.org <ippm@ietf.org>;marcus.ihlar@ericsson.com <marcus.ihlar@ericsson.com>;marcus.ihlar@ericsson.com <marcus.ihlar@ericsson.com>; Date: 2022年10月27日 04:34 Subject: John Scudder's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT) John Scudder has entered the following ballot position for draft-ietf-ippm-ioam-conf-state-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-conf-state/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ### Clarity about scope of the document As I understand it, this document isn't intended to be an implementable protocol specification on its own; rather, "specification details for these different echo request/reply protocols are outside the scope of this document". [XM]>>> Yes, absolutely correct. If this approach is to be followed there are some changes needed. Below I provide some suggested text -- please know that I'm just supplying this as a straw man to illustrate my thinking; while you're welcome to use the text I've provided, I don't necessarily expect that. [XM]>>> Understood. The Abstract says that "This document describes an extension to the echo request/reply mechanisms". It does not. Here's an example of how it might be changed to be clearer. OLD: This document describes an extension to the echo request/reply mechanisms used in IPv6 (including Segment Routing with IPv6 data plane (SRv6)), MPLS (including Segment Routing with MPLS data plane (SR-MPLS)), Service Function Chain (SFC) and Bit Index Explicit Replication (BIER) environments, which can be used within the In situ Operations, Administration, and Maintenance (IOAM) domain, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node. NEW: There is a need to extend echo request/reply mechanisms used in IPv6 (including Segment Routing with IPv6 data plane (SRv6)), MPLS (including Segment Routing with MPLS data plane (SR-MPLS)), Service Function Chain (SFC) and Bit Index Explicit Replication (BIER) environments, for use within the In situ Operations, Administration, and Maintenance (IOAM) domain, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node. Although this document does not itself specify the necessary extensions, it specifies formats and objects that can be used in such specifications, and provides guidelines and requirements for their development. [XM]>>> It seems this comment is similar to that one made by Alvaro Retana. Does the abstract proposed by Alvaro work for you? NEW Abstract: This document describes a generic format for use in echorequest/reply mechanisms, which can be used within an In situOperations, Administration, and Maintenance (IOAM) domain, allowingthe IOAM encapsulating node to discover the enabled IOAM capabilitiesof each IOAM transit and IOAM decapsulating node. The generic formatis intended to be used with a variety of data planes such as IPv6,MPLS, Service Function Chain (SFC) and Bit Index Explicit Replication (BIER). I think the Introduction also needs to be cleaned up. Saying that "specification details... are outside the scope" undersells the scope of what's needed. For example, maybe these changes would work in the Introduction: OLD: This document describes an extension to the echo request/reply mechanisms used in IPv6 (including SRv6), MPLS (including SR-MPLS), SFC and BIER environments, which can be used within the IOAM domain, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node. NEW: This document specifies formats and objects that can be used in the extension of echo request/reply mechanisms used in IPv6 (including SRv6), MPLS (including SR-MPLS), SFC and BIER environments, which can be used within the IOAM domain, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node. [XM]>>> The new text you provided looks good to me. Tend to use it. OLD: Note that specification details for these different echo request/ reply protocols are outside the scope of this document. It is expected that each such protocol extension would be specified by an RFC and jointly designed by the working group that develops or maintains the echo request/reply protocol and the IETF IP Performance Measurement (IPPM) Working Group. NEW: It is expected that the specification of the instantiation of each of these extensions will be done in the form of an RFC jointly designed by the working group that develops or maintains the echo request/reply protocol and the IETF IP Performance Measurement (IPPM) Working Group. [XM]>>> The new text you provided looks good to me. Tend to use it. ### Clarity of formats Because this document is specifying things (or trying to) in absence of any concrete instantiation, it's difficult for me to evaluate if the formats as specified are complete and unambiguous. For now I've left my detailed discussion of this in my COMMENT section, and am optimistic that we can sort it out. However, I'm putting a placeholder here in case that problem turns out to be thornier than hoped. [XM]>>> Understood. Hope my responses can make your evaluation easier. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- # John Scudder, RTG AD, comments for draft-ietf-ippm-ioam-conf-state-07 CC @jgscudder ## COMMENTS ### Section 1 ``` Fate sharing is a common requirement for all kinds of active OAM packets, echo request is among them, in this document that means echo request is required to traverse a path of IOAM data packet. This requirement can be achieved by, e.g., applying same explicit path or ECMP processing to both echo request and IOAM data packet. ``` Explicit path, yes, but it's known that you can't simply expect to "apply same ECMP processing" to two quite distinct packets, without carefully arranging for that to happen. If this is a requirement (and the paragraph says it is) then I think it's necessary to be clearer about how it's to be achieved. [XM]>>> OK. Propose to add some new text on "apply same ECMP processing" as below. NEW Specific to apply same ECMP processing to both echo request and IOAM data packet, one possible way is to populate the same value(s) of ECMP affecting field(s) in the echo request. ### Section 3.1, Default-Namespace-ID ``` A list of IOAM Namespace-IDs (one or more Namespace-IDs) MUST be included in this container in the echo request, and if present, the Default-Namespace-ID 0x0000 MUST be placed at the begining of the list of IOAM Namespace-IDs. The IOAM encapsulating node requests only the enabled IOAM capabilities that match one of the Namespace-IDs. The Namespace-ID has the same definition as what's specified in Section 4.3 of [RFC9197]. ``` - You specify that if present 0x0000 must be placed at the beginning of the list. Is there any other sorting requirement on the list, or is that the only mandated ordering? [XM]>>> That's the only mandated ordering. - It wasn't clear to me from a quick perusal of RFC 9197 §4.3 whether a request carrying 0x0000 would elicit replies for all Namespace-IDs (since 0x0000 matches everything) or if it would elicit replies only for capabilities that have no configured non-default namespace, or are explicitly configured with namespace 0x0000. Can you either clarify this in the text, or if you think it's clear from the reference, help me understand what makes it clear? [XM]>>> As I understand it, a request carrying 0x0000 would elicit replies only for capabilities that are explicitly configured with namespace 0x0000. Also note that namespace 0x0000 is the default one, so if there is no any other namespace configured, then all capabilities configured are for namespace 0x0000 by default. Propose to add some text as below. NEW An IOAM Capabilities Query carrying only the Default-Namespace-ID 0x0000 would elicit replies only for capabilities that are explicitly configured with the Default-Namespace-ID 0x0000. - If the first guess above is correct (0x0000 elicits replies for all Namespace-IDs) then it would seem that if the list contains 0x0000, it's pointless to include anything else in the list, and that might be worth pointing out in the text. [XM]>>> Pls see above my explanation. - If the first guess above is correct, that would also prompt comments on the use of Namespace-ID field in Sections 3.2.x, but we can address that if needed. [XM]>>> Pls see above my explanation. ### Section 3.1, container format, padding ``` The IOAM Capabilities Query Container has a container header that is used to identify the type and optionally length of the container payload, and the container payload (List of IOAM Namespace-IDs) is zero-padded to align to a 4-octet boundary. The length, structure, and definition of the IOAM Capabilities Query Container Header depends on the specific environment it is applied at. ``` I regret I'm not sufficiently familiar with all the different bearer protocols you're envisioning embedding this container in. So I'll just ask, - Why is the length of the payload said to be optional, when it's a (presumably variable-length) list? Does this relate to a bearer protocol where the length of the list is inferred some other way, or what? [XM]>>> Yes, this relates to ICMPv6 which has no length field in its header, and the length field in the IPv6 header would be used otherwise. - The specification that the payload is zero-padded to 4-octet alignment carries some implications. Let's explore these with an example. Suppose we want to signal a single Namespace-ID, 0x0001. Then presumably the payload has to be 0x0001 0x0000, once the mandated pad bytes are added. Is the receiver supposed to know that it ignores the 0x0000 value (which is otherwise the Default-Namespace-ID) because it comes at the end of the list, not the beginning as the previous paragraph required? If so, this seems worth calling out. If not, how is the receiver supposed to know where payload ends and padding begins? [XM]>>> In your example, I believe the last 0x0000 should be treated as padding by the receiver. Do you see a need for some new text? ### Section 3.2, container format, padding Similar questions to those above apply to: ``` The IOAM Capabilities Response Container has a container header that is used to identify the type and optionally length of the container payload, and the container payload (List of IOAM Capabilities Objects) is zero-padded to align to a 4-octet boundary. ``` That is, considering you've disclaimed defining specifics about the semantics of the header, how is the recipient of one of these things supposed to know how to ignore the zero-padding? I do see that all the objects you've defined in this document are a multiple of four bytes long (if we assume their unspecified headers are a multiple of four byte long, that is!) so no padding would ever be required for a payload consisting only of these objects, and thus my question wouldn't apply. But if that's the answer to my question, then the final clause I quote above (about zero-padding) should just be removed. [XM]>>> Will remove the final clause you quoted above (about zero-padding). ### Section 3.2, object format, padding ``` Similar to the container, each object has an object header that is used to identify the type and length of the object payload, and the object payload is zero-padded to align to a 4-octet boundary. ``` Similar to the above, in some cases there will be a need to know how to separate payload from padding. In all the objects you defined in Sections 3.2.x this is unnecessary (*if* you assume the unspecified header is 4-octet aligned itself) since you've carefully specified them so that they don't require padding. It might be more straightforward to just mandate that future object specifications have a length that is a multiple of four octets, as all of your current ones do. That defers the question of what to do about variable payloads to the specification of the -- notional? -- object that has such a payload. [XM]>>> Will remove the final clause you quoted above (about zero-padding). Do you see a need for some new text? ### Section 4 You talk about TTL in the first paragraph. Do you mean "TTL or Hop Limit"? [XM]>>> You're right. Eric Vyncke has made the similar comment. Propose to change the TTL definition in the abbreviations section as below. OLD TTL: Time to Live NEW TTL: Time to Live, this is also the Hop Limit field in the IPv6 header. ### Section 6, integrity protection You talk about integrity protection in passing. Let's assume a deployment hasn't enabled any kind of integrity protection. Have you done any analysis of what kind of mischief an attacker could cause by inserting incorrect capabilities in a forged response? [XM]>>> Before I read your question, no :-) I think one possible mischief is that the IOAM encapsulated data packet could be dropped due to its size exceeds the path MTU, another one is that the added IOAM header could not be processed by the nodes along the path. ### Section 6, MBZ fields You suggest checking the must-be-zero reserved fields and reporting an exception if they aren't zero. Often, such reserved fields are expected to be extended in future, and indeed this is what you indicate in this spec too.. I guess since the packets terminate at the recipient of the reply, it's not terribly harmful to police that these be zero, but it would likely create an awfully noisy set of exceptions in the case of a partially rolled-out extension. Is this really a good recommendation? The more usual practice is of the form "must be zero on Tx, must be ignored on Rx". [XM]>>> Make sense. Will remove "whether all the reserved fields are set to zero" from the penultimate paragraph of the security section, and add "and MUST be ignored when non-zero" as suggested by Paul Wouters and you. ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
- [ippm] John Scudder's Discuss on draft-ietf-ippm-… John Scudder via Datatracker
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… John Scudder
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… John Scudder
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… John Scudder
- Re: [ippm] John Scudder's Discuss on draft-ietf-i… xiao.min2