Re: [secdir] Genart last call review of draft-ietf-rmcat-eval-test-08

Mirja Kuehlewind <ietf@kuehlewind.net> Mon, 18 March 2019 16:48 UTC

From: Mirja Kuehlewind <ietf@kuehlewind.net>
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "rmcat@ietf.org" <rmcat@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-rmcat-eval-test.all@ietf.org" <draft-ietf-rmcat-eval-test.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 18 Mar 2019 17:48:16 +0100
In-Reply-To: <04aace0d-805a-406a-b44b-ffdb44a4e9df@gmail.com>
References: <154930852182.28785.5364082865560557648@ietfa.amsl.com> <104FE636-0A18-4E3B-B7BD-F2DA3748161B@ericsson.com> <04aace0d-805a-406a-b44b-ffdb44a4e9df@gmail.com>
Message-Id: <21441EC1-01EB-482E-810F-9A9AC223D7CB@kuehlewind.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zL6o-9T-g8tt9hUlAMWEfH9zLuo>

Hi Stewart,

Thanks for your review and your careful consideration of potential risks. I wasn’t aware of RFC6815 and it’s an interesting reference; however, in the case of rmcat testing, I think it’s actually not similarly applicable. While benchmarking is designed to test extreme cases, in congestion control testing we are aiming for “realistic cases” that emulate real traffic as you will find it on the Internet today. It’s important to make clear in the draft that these tests are designed for lab tests or simulations and not to be run over the Internet, and I think the authors can add more wording for this, but the risks are lower than for RFC6815 and therefore I don’t think we need to have that reference here.

Mirja



> On 15. Feb 2019, at 12:45, Stewart Bryant <stewart.bryant@gmail.com> wrote:
> 
> Hi Zahed
> 
> The work that made me particularly conscious of the security issue in this draft was RFC6815, and although RFC6815 applies to RFC2544, I would imagine that the same considerations apply here. Perhaps a reference to RFC6815 would help the reader of this draft better appreciate the danger of running these tests outside the lab.
> 
> I note that a statement on the need to run these tests in a controlled environment was not added to the Abstract, something which might be useful in highlighting the danger to someone supervising a lab, but not involved in the detail.
> 
> It is really for the security directorate to decide their position, but I would have thought that it was better to emphasise (with RFC2119 language) the real danger to production networks (of all flavours, not just the Internet) of this test traffic leaking and causing disruption.
> 
> I will leave this issue with the security reviewer from here on and take a look at the other text changes.
> 
> - Stewart
> 
> 
> On 07/02/2019 13:27, Zaheduzzaman Sarker wrote:
>> Hi Stewart,
>> 
>> Thanks for a good review.
>> 
>> For the security consideration section, we can use stronger words if that is required. This document merely specifies test cases when people are testing their algorithm in a controlled environment and does not specify protocol usage. I was wondering if using normative language is overkill here. For those reasons we are actually thinking of taking out 2119 usage completely. I have a modified text proposal below.
>> 
>> Please see inline below for more.
>> 
>> BR
>> Zahed
>>  
>> On 2019-02-04, 20:29, "Stewart Bryant" <stewart.bryant@gmail.com> wrote:
>> 
>>     Reviewer: Stewart Bryant
>>     Review result: Almost Ready
>> 
>>     I am the assigned Gen-ART reviewer for this draft. The General Area
>>     Review Team (Gen-ART) reviews all IETF documents being processed
>>     by the IESG for the IETF Chair.  Please treat these comments just
>>     like any other last call comments.
>> 
>>     For more information, please see the FAQ at
>>     <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>> 
>>     Document: draft-ietf-rmcat-eval-test-08
>>     Reviewer: Stewart Bryant
>>     Review Date: 2019-02-04
>>     IETF LC End Date: 2019-02-11
>>     IESG Telechat date: Not scheduled for a telechat
>> 
>>     Summary:
>> 
>>     A well-written document and close to being ready for publication.
>> 
>>     I am concerned that the Security section is weak on use outside a
>>     controlled environment.
>> 
>>     There are a fair number of minor issues and nits that need attention,
>>     but most of them are simple to fix.
>> 
>>     One concern that I have that I doubt is readily fixable is that long
>>     multi-nested lists do not work well in paginated ASCII with line spaces
>>     and sometimes it is difficult to be sure of the context of a test element note.
>> 
>> [ZS] I share the concern here, but I don’t think I have a better alternative now.
>> 
>>     Major issues:
>> 
>>     8.  Security Considerations
>> 
>>        The security considerations in [I-D.ietf-rmcat-eval-criteria] and the
>>        relevant congestion control algorithms apply.  The principles for
>>        congestion control are described in [RFC2914], and in particular any
>>        new method MUST implement safeguards to avoid congestion collapse of
>>        the Internet.
>> 
>>        The evaluation of the test cases are intended to be run in a
>>        controlled lab environment.
>> 
>>     SB> I wonder if there shouldn't be a MUST in that sentence?
>>     SB> There have been issues on SP networks with users running unsuitable
>>     SB> performance benchmarks on live networks, including complaints to the
>>     SB> operators concerning the results achieved.
>> 
>>        Hence, the applications, simulators and
>>        network nodes ought to be well-behaved and should not impact the
>>        desired results.  It is important to take appropriate caution to
>>        avoid leaking non-responsive traffic from unproven congestion
>>        avoidance techniques onto the open Internet.
>> 
>>     SB> Again I am surprised this is not much stronger in prohibiting
>>     SB> use on the Internet.
>> 
>> [ZS] what about :
>> 
>> " The evaluation of the test cases are intended to be run in a
>>    controlled lab environment.  Hence, the applications, simulators and
>>    network nodes must be well-behaved and should not impact the
>>    desired results.  Moreover, proper measures must be taken to
>>    avoid leaking non-responsive traffic from unproven congestion
>>    avoidance techniques onto the open Internet. "
>> 
>>     ========
>> 
>>     Minor issues:
>> 
>>        This memo describes a set of test cases for evaluating congestion
>>        control algorithm proposals for real-time interactive media.
>> 
>>     SB> It would be useful to add here the statement in the abstract that
>>     SB> these tests should be done in a controlled environment.
>> 
>> [ZS] The abstract mentions this: "This document describes
>>    the test cases to be used in the performance evaluation of such
>>    congestion control algorithms in a controlled environment."
>> 
>> We can repeat that in the intro as well.
>> 
>>     ===========
>> 
>>        Expected behavior: depending on the convergence observed in test case
>>        5.1 and 5.2, the candidate algorithm may be able to avoid congestion
>>        collapse.  In the worst case, the media stream will fall to the
>>        minimum media bit rate.
>> 
>>     SB> Do you need to specify the variant of TCP? You do state it later, but some
>>     SB> comment here would be useful.
>> 
>> [ZS] Not sure what would be useful to describe here more, the expected behaviour is not really coupled to what TCP congestion control is used, the general demand is to avoid congestion collapse here.
>>     SB> What behaviour do you expect the TCP to show? It would be bad if
>>     SB> an aggressive media application killed the TCP completely.
>> 
>> [ZS] I don’t think we should say anything about TCP behaviour here. The idea is to test the new congestion control behaviour with available TCP behaviours, not vice versa. But TCP can certainly improve its performance from the test results.
>> 
>>     ============
>> 
>>        the first flow
>>        (S1) MUST arrive at a steady-state rate approximately twice of that
>>        of the other two flows (S2 and S3).
>> 
>>     SB> I am not sure what you mean by priority. I assume that you mean
>>     SB> QoS ranking in the routing system. In which case I don't see
>>     SB> how you can expect the result you specify.
>> 
>> [ZS] No, this is not about routing priority on the network nodes; this is at the media sender. When a media sender has multiple flows that share the same bottleneck, the media sender can use techniques to distribute the available bandwidth to the multiple flows that it is sending. The point here is that the media flows should get their share of the available bandwidth as per the priority set by the application.
>> 
>>     ============
>> 
>>        Expected behavior: the candidate algorithm is expected to achieve
>>        full utilization at both bottleneck links without starving any of the
>>        three congestion controlled media flows.
>> 
>>     SB> I am not sure what you mean by this. Do you mean that the bottlenecks
>>     SB> will saturate, but make no comment about how much of the bottleneck
>>     SB> capacity each flow gets for itself?
>> 
>> [ZS] Bottlenecks will saturate -- yes. The success criterion: the existence of multiple bottlenecks should not result in flow starvation for any flow that is sharing those bottlenecks. Yes, there is no comment on fairness here explicitly. Not sure we need one here, do we?
>> 
>>     ============
>> 
>>     Nits/editorial comments:
>> 
>> [ZS] Thanks for those nits. Will take care of them.
>> 
>>      Checking nits according to https://www.ietf.org/id-info/checklist :
>>      ----------------------------------------------------------------------------
>> 
>>        ** There are 9 instances of too long lines in the document, the longest one
>>           being 4 characters in excess of 72.
>> 
>>        == Outdated reference: A later version (-06) exists of
>>           draft-ietf-rmcat-wireless-tests-05
>> 
>>     ===========
>> 
>>     3.  Structure of Test cases
>> 
>>     SB> In the text below it was sometimes hard to get the context right in the
>>     SB> triple (or more) nested list. Please consider using subsections or some
>>     SB> other demarcation.
>> 
>>     ===========
>> 
>>              +  Bottleneck queue type: for example, Droptail, FQ-CoDel, or
>>                 PIE.
>> 
>>     SB> These need references, and by convention, expansion on first use.
>> 
>>     ==========
>> 
>>              +  Path loss ratio: characterizes the non-congested, additive,
>>                 losses to be generated on the end-to-end path.  MUST
>> 
>>     SB> s/MUST/This MUST/ ?
>> 
>>     ==========
>> 
>>             B.  Variation in sending bit rate and goodput.  Mainly observing
>>                 the frequency and magnitude of oscillations.
>> 
>>     SB> goodput needs a reference or a definition. I don't think it is a
>>     SB> universally known term.
>> 
>>     ===========
>> 
>>        Expected behavior: the candidate algorithm is expected to detect the
>>        path capacity constraint, converges to the bottleneck link's capacity
>> 
>>     SB> s/converges/converge/
>> 
>>     ===========
>> 
>>        Due to asymmetric nature of the link
>> 
>>     SB> s/Due to/Due to the/
>> 
>>     ===========
>> 
>>     SB> Is there a diagram error in the figure above?
>> 
>>          Figure 6: Testbed Topology for TCP vs congestion controlled media
>>                                   Flows
>> 
>>     ===========
>> 
>>        have the same bandwidth share on the link.  It has to make it's way
>> 
>>     SB> s/it's/its/
>> 
>>     ===========
>> 
>>        The candidate algorithm MUST reflect the relative priorities
>>        assigned to each media flow.  In the previous example,
>> 
>>     SB> An explicit reference to the test would help the reader
>> 
>>     ==========