[mpls] Benjamin Kaduk's No Objection on draft-ietf-mpls-sfl-framework-10: (with COMMENT)

[Benjamin Kaduk via Datatracker <noreply@ietf.org>]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-mpls-sfl-framework-10: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-mpls-sfl-framework/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with the TSV-ART reviewer that some discussion of how/why the
RFC 8372 requirements are met would have been welcome.

Other than that, I basically only have nits and minor comments; this is
pretty straightforward and well-specified.

Section 1

The Introduction is essentially a verbatim copy of the Abstract with
formatting changes.  It seems likely that the Introduction could be
expanded slightly if desired.

   [RFC8372] (MPLS Flow Identification Considerations) describes the
   requirement for introducing flow identities within the MPLS

nit: "requirement" singular or "requirements" plural?  (It itself seems
to only claim to give "considerations" relevant for flow identification.)

   architecture.  This document describes a method of accomplishing this

nit: the second "this" that is to be accomplished doesn't have a
terribly precise referent -- it is in some sense "accomplishing the task
of meeting the requirements" but not "accomplishing the requirements".

   by using a technique called Synonymous Flow Labels (SFL) in which
   labels which mimic the behaviour of other labels provide the
   identification service.  These identifiers can be used to trigger
   per-flow operations on the packet at the receiving label switching
   router.

nit: we currently introduce the LSR acronym in Section 3 but this seems
to be the first non-Abstract usage.

Section 3

   An SFL is defined to be a label that causes exactly the same
   behaviour at the egress Label Switching Router (LSR) as the label it
   replaces, but in addition also causes an agreed action to take place
   on the packet.  There are many possible additional actions such as

nit: is this "agreed action" on the path or also at the egress?  If at
the egress, then "exactly the same behavior" is debatable, in a pedantic
sense.

   the measurement of the number of received packets in a flow,
   triggering IPFIX inspection, triggering other types of Deep Packet

nit: while IPFIX appears on
https://www.rfc-editor.org/materials/abbrev.expansion.txt it is not
marked as "well-known", thus probably merits expansion.

   acceptable for scaling reasons.  We therefore have no choice but to
   introduce an additional label.  Where penultimate hop popping (PHP)
   is in use, the semantics of this additional label can be similar to
   the LSP label.  Where PHP is not in use, the semantics are similar to
   an MPLS explicit NULL [RFC3032].  In both of these cases the label
   has the additional semantics of the SFL.

[I note that here we weaken the statement to be only "similar to", not
"exactly the same".]

   Finally we need to consider the case where there is no MPLS
   application label such as occurs when sending IP over an LSP.  In

nit/editorial: I would consider mentioning the application label
earlier, to accentuate the contrasting case being introduced here.

Section 4

   As noted in Section 3 it is necessary to consider two cases:
   [...]
   2.  Single label stack

(editorial) Some minor rewording in Section 3 to specifically mention
the "single label stack" case in such terms would probably help the
document feel more cohesive.  (I assume it's meant to be the converse of
the "application label present" case, i.e., the "there is no MPLS
application label such as occurs when sending IP over an LSP" case.)

Section 4.1

   At the egress LSR the LSP label is popped (if present).  Then the SFL
   is processed in exactly the same way as the corresponding application
   label would have been processed.

[Just noting that "exact" is used here; I have no specific comment]

Section 4.1.1

   that the SFL is synonymous with.  However it is recognised that, if
   there is an applications need, the SFL MAY be to some other value.

(nit) Barry already noted the missing "set", but I think it's also "the
TTL and TC bits in the SFL" and not the SFL itself -- the SFL itself is
inherently a different value, otherwise it would be called the
"identical flow label" and we probably wouldn't be writing a document
about it :)

Section 4.2

I wondered to myself for Figure 1, and wonder out loud here for Figure
2, if we can make some indication that the "May be PHPed" applies to
both the "Normal" label stack as well as to the "with SFL" label stack.
(For Figure 1 it was vertically aligned, but is not so, here.)

   If the LSP label is present, it processed exactly as it would
   normally processed and then it is popped.  This reveals the SFL which
   in the case of [RFC6374] measurements is simply counted and then
   discarded.  In this respect the processing of the SFL is synonymous

nit: it's not entirely clear to me why this specific case merits mention of
RFC 6374 measurement but we don't want to mention it anywhere earlier.

Section 4.3

Is the Aggregate SFL also in some sense "synonymous with Explicit NULL"
(as was mentioned in Figure 2)?

Section 5

   2.  The operator can elect to use [RFC6790] Entropy Labels in a
       network that fully supports this type of ECMP.  If this approach
       is adopted, the intervening MPLS network MUST NOT load balance on
       any packet field other than the entropy label.  Note that this is
       stricter than the text in Section 4.2 of [RFC6790].  In networks

Is Section 4.2 ("Ingress LSR") really the best reference in RFC 6790?
Section 4.3 seems much more relevant, to me.

       in which the ECMP decision is independent of both the value of
       any other label in the label stack, and the MPLS payload, the
       path of the flow with the SFL will be congruent with the path
       without the SFL.

(side note) what would the ECMP decision be made on, in that case?  A
random number generator?

Section 6

Thank you for noting the privacy considerations even though the
incremental exposure is fairly small!

I might note that whenever IPFIX or other DPI techniques are used, their
relevant privacy considerations apply.

   The inclusion of originating and/or flow information in a packet
   provides more identity information and hence potentially degrades the
   privacy of the communication.  Whilst the inclusion of the additional

At risk of banality, I suggest "potentially degrades the privacy of the
communiation to an attacker in position to observe the added
identifier", to subtly emphasize that the relevant attacker here has
capabilities that already allow for similar types of attack.  That is,
what's new for the attacker here is that they get some signal as to how
the ingress decides to classify traffic -- they already have all the
traffic in the first place and could be doing their own classification
on it.

   granularity does allow greater insight into the flow characteristics
   it does not specifically identify which node originated the packet
   other than by inspection of the network at the point of ingress, or
   inspection of the control protocol packets.  This privacy threat may

nit: I suggest s/other than by/unless the attacker can/; s/inspection
of/inspect/ (since the attacker needs to both observe the labeled
traffic and obtain the origination-mapping information in order to
effectuate the identification).

Section 7

I think that the type of attack opened up by having multiple synonyms
for conceptulaly "the same traffic", that Tero noted in the secdir
review, would be in cases where the attacker is sending traffic over the
LSP in question and knows both the classification algorithm used to
apply the SFL and the nature of the DPI performed on SFL-marked traffic,
and is thus able to ensure that whatever nefarious things they are doing
that would have been noticed by the DPI instead take the non-DPI path
and remain undetected.  Now, AFAICT the type of DPI envisioned here is
mostly not going to be looking for nefarious things, and even the
existence of such nefarious things that need to be going over this LSP
that the attacker can already send traffic over seems a bit contrived,
but that's my take on the additional incremental attack that this
mechanism opens up.

   There are no new security issues associated with the MPLS dataplane.
   Any control protocol used to request SFLs will need to ensure the
   legitimacy of the request.

I'd suggest mentioning authorization checks as well -- a request can in
some sense still be "legitimate" even if the requestor is not currently
authorized to receive the service.

Section 10.2

Hmm, in some reading "can elect to use [RFC6790] Entropy Labels" [..]
MUST NOT load balance on any packet field other than the entropy label"
makes 6790 a normative reference (required reading for an optional
feature).