[mpls] Benjamin Kaduk's No Objection on draft-ietf-mpls-sfl-framework-10: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Sat, 19 September 2020 02:20 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: mpls@ietf.org
Delivered-To: mpls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D9B13A1225; Fri, 18 Sep 2020 19:20:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-mpls-sfl-framework@ietf.org, mpls-chairs@ietf.org, mpls@ietf.org, Tarek Saad <tsaad.net@gmail.com>, tsaad.net@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.17.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <160048203054.2264.18266224554288373562@ietfa.amsl.com>
Date: Fri, 18 Sep 2020 19:20:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/ZJ8V5A0BP74PdWSgbtTof51ps1A>
Subject: [mpls] Benjamin Kaduk's No Objection on draft-ietf-mpls-sfl-framework-10: (with COMMENT)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 02:20:36 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-mpls-sfl-framework-10: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-mpls-sfl-framework/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I agree with the TSV-ART reviewer that some discussion of how/why the RFC 8372 requirements are met would have been welcome. Other than that, I basically only have nits and minor comments; this is pretty straightforward and well-specified. Section 1 The Introduction is essentially a verbatim copy of the Abstract with formatting changes. It seems likely that the Introduction could be expanded slightly if desired. [RFC8372] (MPLS Flow Identification Considerations) describes the requirement for introducing flow identities within the MPLS nit: "requirement" singular or "requirements" plural? (It itself seems to only claim to give "considerations" relevant for flow identification.) architecture. This document describes a method of accomplishing this nit: the second "this" that is to be accomplished doesn't have a terribly precise referent -- it is in some sense "accomplishing the task of meeting the requirements" but not "accomplishing the requirements". by using a technique called Synonymous Flow Labels (SFL) in which labels which mimic the behaviour of other labels provide the identification service. These identifiers can be used to trigger per-flow operations on the packet at the receiving label switching router. nit: we currently introduce the LSR acronym in Section 3 but this seems to be the first non-Abstract usage. Section 3 An SFL is defined to be a label that causes exactly the same behaviour at the egress Label Switching Router (LSR) as the label it replaces, but in addition also causes an agreed action to take place on the packet. There are many possible additional actions such as nit: is this "agreed action" on the path or also at the egress? If at the egress, then "exactly the same behavior" is debatable, in a pedantic sense. the measurement of the number of received packets in a flow, triggering IPFIX inspection, triggering other types of Deep Packet nit: while IPFIX appears on https://www.rfc-editor.org/materials/abbrev.expansion.txt it is not marked as "well-known", thus probably merits expansion. acceptable for scaling reasons. We therefore have no choice but to introduce an additional label. Where penultimate hop popping (PHP) is in use, the semantics of this additional label can be similar to the LSP label. Where PHP is not in use, the semantics are similar to an MPLS explicit NULL [RFC3032]. In both of these cases the label has the additional semantics of the SFL. [I note that here we weaken the statement to be only "similar to", not "exactly the same".] Finally we need to consider the case where there is no MPLS application label such as occurs when sending IP over an LSP. In nit/editorial: I would consider mentioning the application label earlier, to accentuate the contrasting case being introduced here. Section 4 As noted in Section 3 it is necessary to consider two cases: [...] 2. Single label stack (editorial) Some minor rewording in Section 3 to specifically mention the "single label stack" case in such terms would probably help the document feel more cohesive. (I assume it's meant to be the converse of the "application label present" case, i.e., the "there is no MPLS application label such as occurs when sending IP over an LSP" case.) Section 4.1 At the egress LSR the LSP label is popped (if present). Then the SFL is processed in exactly the same way as the corresponding application label would have been processed. [Just noting that "exact" is used here; I have no specific comment] Section 4.1.1 that the SFL is synonymous with. However it is recognised that, if there is an applications need, the SFL MAY be to some other value. (nit) Barry already noted the missing "set", but I think it's also "the TTL and TC bits in the SFL" and not the SFL itself -- the SFL itself is inherently a different value, otherwise it would be called the "identical flow label" and we probably wouldn't be writing a document about it :) Section 4.2 I wondered to myself for Figure 1, and wonder out loud here for Figure 2, if we can make some indication that the "May be PHPed" applies to both the "Normal" label stack as well as to the "with SFL" label stack. (For Figure 1 it was vertically aligned, but is not so, here.) If the LSP label is present, it processed exactly as it would normally processed and then it is popped. This reveals the SFL which in the case of [RFC6374] measurements is simply counted and then discarded. In this respect the processing of the SFL is synonymous nit: it's not entirely clear to me why this specific case merits mention of RFC 6374 measurement but we don't want to mention it anywhere earlier. Section 4.3 Is the Aggregate SFL also in some sense "synonymous with Explicit NULL" (as was mentioned in Figure 2)? Section 5 2. The operator can elect to use [RFC6790] Entropy Labels in a network that fully supports this type of ECMP. If this approach is adopted, the intervening MPLS network MUST NOT load balance on any packet field other than the entropy label. Note that this is stricter than the text in Section 4.2 of [RFC6790]. In networks Is Section 4.2 ("Ingress LSR") really the best reference in RFC 6790? Section 4.3 seems much more relevant, to me. in which the ECMP decision is independent of both the value of any other label in the label stack, and the MPLS payload, the path of the flow with the SFL will be congruent with the path without the SFL. (side note) what would the ECMP decision be made on, in that case? A random number generator? Section 6 Thank you for noting the privacy considerations even though the incremental exposure is fairly small! I might note that whenever IPFIX or other DPI techniques are used, their relevant privacy considerations apply. The inclusion of originating and/or flow information in a packet provides more identity information and hence potentially degrades the privacy of the communication. Whilst the inclusion of the additional At risk of banality, I suggest "potentially degrades the privacy of the communiation to an attacker in position to observe the added identifier", to subtly emphasize that the relevant attacker here has capabilities that already allow for similar types of attack. That is, what's new for the attacker here is that they get some signal as to how the ingress decides to classify traffic -- they already have all the traffic in the first place and could be doing their own classification on it. granularity does allow greater insight into the flow characteristics it does not specifically identify which node originated the packet other than by inspection of the network at the point of ingress, or inspection of the control protocol packets. This privacy threat may nit: I suggest s/other than by/unless the attacker can/; s/inspection of/inspect/ (since the attacker needs to both observe the labeled traffic and obtain the origination-mapping information in order to effectuate the identification). Section 7 I think that the type of attack opened up by having multiple synonyms for conceptulaly "the same traffic", that Tero noted in the secdir review, would be in cases where the attacker is sending traffic over the LSP in question and knows both the classification algorithm used to apply the SFL and the nature of the DPI performed on SFL-marked traffic, and is thus able to ensure that whatever nefarious things they are doing that would have been noticed by the DPI instead take the non-DPI path and remain undetected. Now, AFAICT the type of DPI envisioned here is mostly not going to be looking for nefarious things, and even the existence of such nefarious things that need to be going over this LSP that the attacker can already send traffic over seems a bit contrived, but that's my take on the additional incremental attack that this mechanism opens up. There are no new security issues associated with the MPLS dataplane. Any control protocol used to request SFLs will need to ensure the legitimacy of the request. I'd suggest mentioning authorization checks as well -- a request can in some sense still be "legitimate" even if the requestor is not currently authorized to receive the service. Section 10.2 Hmm, in some reading "can elect to use [RFC6790] Entropy Labels" [..] MUST NOT load balance on any packet field other than the entropy label" makes 6790 a normative reference (required reading for an optional feature).
- [mpls] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker