Re: [netmod] Performance considerations for draft-ietf-netmod-nmda-diff

"Carey, Timothy (Nokia - US)" <timothy.carey@nokia.com> Thu, 18 July 2019 11:59 UTC

From: "Carey, Timothy (Nokia - US)" <timothy.carey@nokia.com>
To: Alexander Clemm <alex@futurewei.com>, "netmod@ietf.org" <netmod@ietf.org>
Date: Thu, 18 Jul 2019 11:59:08 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/e_iAVwdl9MX8QGHL1ZQi5yd3uP0>
Subject: Re: [netmod] Performance considerations for draft-ietf-netmod-nmda-diff

Hi Alex,

As long as there aren't any requirements of specific error messages (like resource exceeded) that you want to use if the requests cannot be fulfilled, I think that might be ok; obviously the concern may be security related but also simply related to resource constraints - an authorized system could ask for a comparison that the device simply couldn't complete. That gets lost in the security section.

BR,
Tim

From: Alexander Clemm <alex@futurewei.com>
Sent: Wednesday, July 17, 2019 1:38 PM
To: Carey, Timothy (Nokia - US) <timothy.carey@nokia.com>; netmod@ietf.org
Subject: RE: Performance considerations for draft-ietf-netmod-nmda-diff

Hi Tim,

this aspect is currently mentioned in the security considerations, specifically the last paragraph (https://tools.ietf.org/html/draft-ietf-netmod-nmda-diff-02#page-14), mentioning the fact that comparing datastores for differences requires a certain amount of processing resources, which could be leveraged by an attacker to consume resources via illegitimate requests, and outlining mitigations (ranging from NACM, to limiting the number of requests per time interval and reserving the option to reject a request). Do you think this is sufficient? Adding a separate performance considerations section is of course possible but would be somewhat redundant.

--- Alex

From: netmod <netmod-bounces@ietf.org> On Behalf Of Carey, Timothy (Nokia - US)
Sent: Wednesday, July 17, 2019 5:50 AM
To: netmod@ietf.org
Subject: [netmod] Performance considerations for draft-ietf-netmod-nmda-diff

Hi,

In reviewing the NMDA differences draft, a comment was made that we need to be careful about the resource requirements placed on the target elements in order to perform the comparison.
In some situations the datastores can be quite large and the compute capabilities (CPU, memory) somewhat constrained. Should we add a performance consideration section in this draft with maybe how we would expect a server to respond if the requirements of the request or the associated response exceed the "current" capabilities of the target?

BR,
Tim