IETF Logo Mail Archive

Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 14 July 2021 11:12 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 422573A088A; Wed, 14 Jul 2021 04:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.896
X-Spam-Level:
X-Spam-Status: No, score=-11.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kySH531M; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=FpPmc7lj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NL2D05WScJGd; Wed, 14 Jul 2021 04:12:01 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4605D3A0889; Wed, 14 Jul 2021 04:12:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14202; q=dns/txt; s=iport; t=1626261121; x=1627470721; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=JwvlKLkyBT/PGyQ+tunm0qB0S3qe9I9koJd1sasG1lI=; b=kySH531M60JjIE6nVpa4ZJjZpB+JVU6IrO3L7RVFZvILkUkEFIPU9t4U 9LvGlBPN5U7xuLVobxDyecTn5GZO3hjk0RXrGQJAcV8+RYnulE0JeJ0Ah 7p1eFg/nfiWfJTZivrmzROVSXx5Zc2yhMhelBw2HXOInaNSVsxAmT/uxn k=;
X-IPAS-Result: =?us-ascii?q?A0DhAgBgxe5gl4ENJK1aHQEBAQEJARIBBQUBQIFZgVNRf?= =?us-ascii?q?loTJDGESINIA4U5iFgDgRAWiS+FFIpEgUKBEQNUCwEBAQ0BATUMBAEBhFQCF?= =?us-ascii?q?4JhAiU4EwIEAQEBAQMCAwEBAQEFAQEFAQEBAgEGBBQBAQEBAQEBAWiFOwYnD?= =?us-ascii?q?YZFAQEBAQIBEhERDAEBJRIBCwQCAQgRAwECAwIjAwICAh8RFAEFAwgCBAENB?= =?us-ascii?q?SKCTwGCVQMOIQEOmzIBgToCih96gTKBAYIHAQEGBASBSUGDMg0LgjIDBoEQK?= =?us-ascii?q?oJ7gnFTSoJJhBkIHxyBSUSBFScMEIIrNz6CIEICA4EoARIBIYMXNoIugidsB?= =?us-ascii?q?2MEFA4ZCAgGAg0TXwQVLQgHASMFBQIPKAQ4A5EECBMLB4J0R4hsgy+aSjtbC?= =?us-ascii?q?oMkijOHN4ZqBIVdBSaDY4tckGeGM4U0kFKML4Mxj3UnCAuEdAIEAgQFAg4BA?= =?us-ascii?q?QY1gT0ia1gRB3AVZQGCPlAZDoxlgToJAw0JFYM5hRSFSnM4AgYBCQEBAwkBj?= =?us-ascii?q?AsBAQ?=
IronPort-PHdr: A9a23:lYDrxxT0gNXIMydWYgn9HTDS6tpso6PLVj580XJvo7VUe6Ks8tLpO 0mMrflujVqcW4Ld5roEjufNqKnvVCQG5orJq3ENdpFAFnpnwcUblgAtGoiJXEv8KvO5aDYzG stPElRi+iLzPU1cAs2rYVrUrzW75iITHROqMw1zK6z1F4fegt7x2fq1/sjYYh5Dg3y2ZrYhR Cg=
IronPort-HdrOrdr: A9a23:/C0pjq8QNW7jN6BwKAduk+AtI+orL9Y04lQ7vn2ZKCYlEfBw+P rCoB1273PJYVUqOE3I++rvBEDoexq1n6KcG+EqVotKNDOW2ldAR7sC0WKN+VLd8gTFh4hg/J YlUZJTTPX2EFhBlM7/pCm+Dto6ytWf7aaywcfYwHEFd3APGthdxjY8KDy2VmVwWQlYBYEkDt 694ddKvDCtYGkQdYCaAXYCNtKzwOHjpdbFWzJDPRI99wWUrTSm7tfBYn2l4is=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.84,239,1620691200"; d="scan'208";a="741187829"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Jul 2021 11:11:59 +0000
Received: from mail.cisco.com (xbe-rcd-004.cisco.com [173.37.102.19]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 16EBBxIr029923 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 14 Jul 2021 11:11:59 GMT
Received: from xfe-rcd-003.cisco.com (173.37.227.251) by xbe-rcd-004.cisco.com (173.37.102.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Wed, 14 Jul 2021 06:11:59 -0500
Received: from xfe-aln-004.cisco.com (173.37.135.124) by xfe-rcd-003.cisco.com (173.37.227.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Wed, 14 Jul 2021 06:11:59 -0500
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Wed, 14 Jul 2021 06:11:59 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GTtva3QSRki7NSgbY1WpSSkQYIDJNP6s00v4NeQmWAVaZgLRcWBDdnpnC6JyNwHjzkdbrLmO3kvlSUDxYsENV/vHIEka6ZllMFeK3+lDf1rktPy8bKyFprekpoXD8jLE3pF3KZQSxIXYO1EUBKv9dW1sN0y45387wJXJ/3McNN48T4laC4ueocgGfdjJAnmTmncMi0vdOZIwde1ITKXWeyJXf97fMzz4wPk7l+Ap3JnbZCbupBJR9hnFeCLhhMpcaVp/MMdQEYnOM1T4zTXC7TKxGPxGmKF7VU0Vw/FRAuIV8LwNtouwzokgoyo7sYIHuiQcMF5A/W4vNBcqY63evQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JwvlKLkyBT/PGyQ+tunm0qB0S3qe9I9koJd1sasG1lI=; b=bfR95sDKodYEZmv5593begeBgvwAh5IqqxPKRDquneQjOneh1J+T9Fj9ahmCTlg5+SbBM/avfq+k9I22fC1asi8JOp0BOyHQ01taGIItwyH/wKX56MF0hXffbSEUuEb8Aao9S2oPx2pT2mgjDvb6nNZ5ZP65xrEy3+BQFenma2hyO0diMw3UjubKEqd2uMu56Owzww2klPb5ymdTMbHwYZqbA3MAaeqLkbVs2kE73sy9mx6GC6XfMNRw4/U6HgiZwHRRfh8HhzO6dfxCGVCLYeov48kVszmopEU77pyR3g0fqZUwRqi8hAGNveOt6xI7svA+8n7b9lGy6Zr6QdWQeg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JwvlKLkyBT/PGyQ+tunm0qB0S3qe9I9koJd1sasG1lI=; b=FpPmc7ljmSVcCh+WaihkTTXzVOQOI+M0YO6rBlovT0R967t4FUrZYJZsPJE1a3AH5VTHmgfKWFeapYnfli0zwy49A++huuippdokSZS1skiynv8y3WAhrNQNoRXuwuQxQmQWRYZLeD3EyYpv2OWeg/Ta77fkvoedFR4AQp04d5U=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by PH0PR11MB5111.namprd11.prod.outlook.com (2603:10b6:510:3c::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.26; Wed, 14 Jul 2021 11:11:58 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::6d61:c160:def1:bc64]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::6d61:c160:def1:bc64%4]) with mapi id 15.20.4308.027; Wed, 14 Jul 2021 11:11:58 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>
Thread-Topic: =?utf-8?B?w4lyaWMgVnluY2tlJ3MgRGlzY3VzcyBvbiBkcmFmdC1pZXRmLXNmYy1uc2gt?= =?utf-8?Q?integrity-06:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AQHXd+EWUzPhovDiy06QVDjdApotHKtBE6GQgAFgQoA=
Date: Wed, 14 Jul 2021 11:11:57 +0000
Message-ID: <94FF1F19-7004-42C5-8560-C99A2FEEF71A@cisco.com>
References: <162617866082.13596.2398814614966286542@ietfa.amsl.com> <15473_1626195281_60EDC551_15473_51_1_787AE7BB302AE849A7480A190F8B9330353BE8EC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <15473_1626195281_60EDC551_15473_51_1_787AE7BB302AE849A7480A190F8B9330353BE8EC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
authentication-results: orange.com; dkim=none (message not signed) header.d=none;orange.com; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a9b4c2cf-cc00-419f-c654-08d946b83242
x-ms-traffictypediagnostic: PH0PR11MB5111:
x-microsoft-antispam-prvs: <PH0PR11MB5111CC21E8807B035C791E7FA9139@PH0PR11MB5111.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sHW+DINcIePRpe+Xlqz5vfomi1wJooJZ3ji2Lc5VWwGzpeb0xObTm7+AwHGRbLJTRZTdMAWo9ed2SJNsctfa9Uif4vSrqO8i59LSGTxR8Z3y8ncZU2o5h6Olb1UpPT88tEI6e9GJOrxAgD+10rQtGYeRGDC3SsOZW+wyqe646euJpli79PvVfFj232/1wrk+8wuUAZQwtw8WNVXSMGgxoXQP23ijUXYBsApBVX0S44BZrAiX4TvYenDka7S66bU+vArAX5BF6RQAbPX9KSfsUVzQVnLfcBXDLQW4OrBONYOqjsC5hXSXf35jpIlGsILROxEO7mRUjDphhS/yYQxv8v2/PWRuLyfJsDyI4nWLkVXERLSjhatMIEHI/bzMUmk1GlaHlIKRXQ0qHMhZEvS/CyaJf89g+IkqTolFMxSzrhhsUPwxobMT5oUd9IAic3jPDoF67KI47xwDtwvOU8v4WPeIc0M4UwujMIRZiPXmk/PM3FiWV26i/FhI6wOqW6K1Mn85gjtOlARq5SZcdlUX3oLLqxrGPE7Bcf+A88okojKPFManbT3+tUK+5EbufJod+PcazQ7Q9p7I2hIat7XA3zY0w8QGLUSuZ8+W/b3MHg9bDX4tFyKXAflYPEVo/610l6uUEuyrJxi7OB38GptP7avpBx9XrrE7Ii5bIAY9vL04kjwwVQCGLjhJa0PQP4kM2UMHbNvGrOhrq90BGMGW5s4DFyDPc9COrEK/GwArYxV58nE1Np2n27Q1MCZtFbOzeFhbLNir95CPYa0nRuNgM8MmvvGiP5NrRuM/Ddevu8cSk9LLKpDiYIEcbJ6fhoXJzFNTgllRAnWd8FQ+p98CztgUFNupIxJt7vQk3Cu/nmI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(39860400002)(346002)(136003)(366004)(396003)(376002)(53546011)(6506007)(66556008)(8936002)(224303003)(66946007)(2906002)(66446008)(186003)(66476007)(2616005)(36756003)(110136005)(478600001)(91956017)(54906003)(86362001)(71200400001)(966005)(76116006)(6486002)(64756008)(316002)(5660300002)(4326008)(122000001)(38100700002)(33656002)(83380400001)(6512007)(45980500001)(38070700004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?WFowYmc1MnFISHFKdGlCNjlrdkJzNDNmZTRrSGswUitzenlpckxXZXBRb2xt?= =?utf-8?B?c1BqSmJiZld5dmEreTdaS05OQnhQS0tDUEVDdnpPYWFkazJOcjgvNjZYTzBL?= =?utf-8?B?K1g0c01hSEYxSEtLeXpnREhFNGU2QWVuaDZscG0zenpWeGVQY2lwL3ZvTW1C?= =?utf-8?B?aTR4M1RPTDNDd2JMY0VFbGlSeFRaUUxkWnJXVDhFV0JWNFczaHpmbjk0NGpm?= =?utf-8?B?ckdadmdoOUJBTWlzbU91WUFRNkFMckI2cHIwc01oaE8yOXFrYkFlRTlEb3FE?= =?utf-8?B?L3VxZzJ5WEVWZ0xER3pIWHh5SEJ1V05meTVZNUlJenNjV0JkZ1NKUnBZTXdG?= =?utf-8?B?NWtzQWNvelpHUVg3UnhuOHZJTDdYMkRiT0lnbUxiQU0zZ2RMRWc1Y3hlZ3A2?= =?utf-8?B?STUweE5yUGhKWU5KRWh2YWM3cjl0dWRZeGhYQmRMWTJaa3Vyck05SGVqL2Zn?= =?utf-8?B?b1FxdzJTelpGMnpZSU9SOGZSeTY3eFRMOWlkOUF0djNLcERjcXEzMzcxTUlC?= =?utf-8?B?QzBuMHV0YTRJTjFJL1h0L3Zybnl5ZzduMGdjaFZZdjdhbytpd1dBVEZtQVlT?= =?utf-8?B?emtMM2FNUVVxYllxWmM3ZzJpMVRuRGhZWEFoWUM1cE5TOUlOckdlaHR0Ukha?= =?utf-8?B?bCswbmk5ZUpHTVIvOHl5RlpkQ094RE8vZ2VqTW1VTHhnNTZwQWtlUitzcHYw?= =?utf-8?B?WmlDYld3cWo0ZElPVElJb3JhNVE1R0x1RjErWUNRQjF1UUxaZGRnSzd4TXpj?= =?utf-8?B?cUx4djI3bVBxVjVib3dnVzgzSUREM08rS2FWRnFjMXFzTmh6aFg1U3BBZCtU?= =?utf-8?B?U1FiTmp3YmZ2WmRhZnBjRVByc2hieGRSbEJhY3VzYk9tY1htQ3dPdzA4MTVV?= =?utf-8?B?UkVMbWJrN3Y3VTJrbWRPSWo0aGhZeDQ1cWJjRjVRRUNzYVFxSnpkWkg4QnpR?= =?utf-8?B?RlBza3lCZS9pbVI0RlNzdEd0K254OVdhUURWSis4T0dWaDFOaU4zbzZWUWM1?= =?utf-8?B?MUVZd3ZaSXVyai9KWFV5b1d5TnNqTTdPeDVjOVNxOG9EenZvR2JiM1dxcDE0?= =?utf-8?B?N2pRdVQ4T0tqZWhNdmZITmtPaXJXRmxXT08zUzlzSzI2ZGNLOW5xK1I5Ykdm?= =?utf-8?B?bkw4SjZBbTl6Vk8rdkhpWm9BNHZWbW1UQ2dEc3l3amZSZ2J6QVRxYzZZZEF6?= =?utf-8?B?d0xRWDhkaDBRN2dabGNoaXpyWWdTblNTQWZ2UTdkeXFUeFhvRnNoSWtaQUlW?= =?utf-8?B?RUQycTEzZUtvWkJzTllSL091ejZFbHBRVDFyRk5ESHVZSmo0bVdKclROUi9m?= =?utf-8?B?NWoxOHpmN1BxcDhTSFBOdkdXSHN1VzJaQnpWOEZaN0wwbnZsSi8wa09ab0Nk?= =?utf-8?B?ZlFPVkN5K3hlcW5vZHZDamxZclVYY0VxamtYSTlnWGZaMFF1bll4S3pDRm5J?= =?utf-8?B?T0QySEQvakxFd3pEV2JZYTY2d2QzOVNodzljVmVDdUtKa3A0c2RZcXh3dUNR?= =?utf-8?B?em5YYS9FMVRLTUpPVUE2YkpQenRBRWJtdUZ6Z3VZR0RvS0JRTnQ2ajZPRXp5?= =?utf-8?B?bVQwcWtBbm9FcC9Db3BsWlFPa3dFejl0aTcrVXFieVExRm9RVDJGanhvbC9P?= =?utf-8?B?cCtiVklFWFpaMUV4Yk5sSDBadzJUSEJkVXVLOGdZekVweTN3QVovekNWUDM5?= =?utf-8?B?dmZOZzh4bktFUVhkdEdnTDh5d2NoeFU5SXJlZVRocVlXVUl1T2Z5RWVUYW4r?= =?utf-8?B?VzRONDlaZW5SdFJHQzFnNUNvMlNOTFRscGV4R3BLSGhLNm1TNjlHZUorSE5J?= =?utf-8?B?bFk3YWc2bjVWZzFEc1E2TlVGbzcvK0R1YVVXVHp6M0pjblJ5dnh4RWcxZnFh?= =?utf-8?B?T1RuQ2JWMEt1dWhReHdDd1B4MnlVRXhVRlh3S2lFMFBKZGc9PQ==?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2BE45D8F4C95B145A05D18692826A14F@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a9b4c2cf-cc00-419f-c654-08d946b83242
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2021 11:11:57.9126 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: H/NKaa36xPu7mBwZuHGbB0LkHwkwOoDdo86oo5UnEYhpC7JQ/a9yOkxYvf05ourTkKV8w8EK9ayy2vQefgr9cw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5111
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.19, xbe-rcd-004.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/BBCz-YdmpN-yBx6pCrtsn115rg8>
Subject: Re: [sfc] =?utf-8?q?=C3=89ric_Vyncke=27s_Discuss_on_draft-ietf-sfc-n?= =?utf-8?q?sh-integrity-06=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2021 11:12:06 -0000

Hello Med,

Thank you for your prompt reply.

See below for EV>, still holding my DISCUSS mainly around the "how to compute the MAC as it includes the MAC field itself"

Regards

-éric

-----Original Message-----
From: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
Date: Tuesday, 13 July 2021 at 18:54
To: Eric Vyncke <evyncke@cisco.com>om>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>rg>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>rg>, "sfc@ietf.org" <sfc@ietf.org>rg>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>
Subject: RE: Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT)

    Hi Eric, 

    Thank you for the review. 

    Please see inline. 

    Cheers,
    Med

    > -----Message d'origine-----
    > De : Éric Vyncke via Datatracker [mailto:noreply@ietf.org]
    > Envoyé : mardi 13 juillet 2021 14:18
    > À : The IESG <iesg@ietf.org>
    > Cc : draft-ietf-sfc-nsh-integrity@ietf.org; sfc-chairs@ietf.org;
    > sfc@ietf.org; gregimirsky@gmail.com; gregimirsky@gmail.com
    > Objet : Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06:
    > (with DISCUSS and COMMENT)
    > 
    > Éric Vyncke has entered the following ballot position for
    > draft-ietf-sfc-nsh-integrity-06: Discuss
    > 
    > When responding, please keep the subject line intact and reply to
    > all email addresses included in the To and CC lines. (Feel free to
    > cut this introductory paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/iesg/statement/discuss-
    > criteria.html
    > for more information about DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/
    > 
    > 
    > 
    > --------------------------------------------------------------------
    > --
    > DISCUSS:
    > --------------------------------------------------------------------
    > --
    > 
    > Thank you for the work put into this document.
    > 
    > Special thanks to Greg Mirsky for his shepherding especially about
    > his summary of the WG consensus.
    > 
    > Please find below some blocking DISCUSS point (which should be easy
    > to fix), some non-blocking COMMENT points (but replies would be
    > appreciated), and one nit.
    > 
    > I hope that this helps to improve the document,
    > 
    > Regards,
    > 
    > -éric
    > 
    > == DISCUSS ==
    > 
    > I failed to spot the order of the operations for the integrity and
    > confidentiality operations, e.g., I did not find on what the HMAC is
    > computed:
    > in the unencrypted or encrypted field ?

    [Med] Isn't this covered by this text: 

       Using the secret key (K) and authenticated encryption algorithm, the
       NSH imposer encrypts the Context Headers (as set, for example, in
       Section 3), computes the message integrity for the target NSH data,
       and inserts the resulting payload in the "MAC and Encrypted Metadata"
       Context Header (Section 5).  The entire Context Header carrying a
       privacy-sensitive metadata is encrypted (that is, including the MD
       Class, Type, Length, and associated metadata of each Context Header).

EV> the text could be made clearer by using "then" rather than simple ","
EV> but I STRONGLY suggest to move this explanation earlier at the very beginning of section 7 (or 7.1) and not like now in section 7.3
EV> BTW, this is indeed the expected order to avoid DoS

    > 
    > -- Section 5.1 --
    > What is the unit of "key length", I assume a length expressed in
    > octets but it is not specified.

    [Med] Yes. Fixed. Thank you for catching this. 

EV> __

    > 
    > -- Section 7.2 --
    > What is the "A" used in the HMAC computation ?

    [Med] This is: Additional Authenticated Data (A) (mentioned in 4.2).

EV> fair enough, suggest to write that the terminology of section 4.2 is used there.
    > 
    > The formula specifies HMAC-SHA-256-128() but what if another HMAC is
    > used ?

    [Med] Please note that the text says: "can be illustrated as follows:". 

    That is for illustration purposes. 

EV> could also be made more obvious with " The Message Authentication Code (T) computation process for additional authentication text (A) with HMAC-SHA-256-128() can be illustrated as follows:"

    > Section 7.3 use MAC() which is more flexible.
    > 
    > As the MAC field is included in the integrity protected header,
    > please specify the value of this field when computing the HMAC (I
    > assume 0 but let's be clear)

EV> still waiting for an answer on this issue (so keeping my DISCUSS ballot)

    > 
    > -- Section 7.5 --
    > What is the expected behavior when a NSH does not contain a "MAC and
    > Encrypted Metadata" Context Header ? §1 hints to packet drop ?
    > Should there be a local policy for this case ?

    [Med] This is covered here: 

       It MUST log an error at least once per the
       SPI for which the "MAC and Encrypted Metadata" Context Header is
       missing.

EV> honestly, not clear from the text. Please consider adding "In this case, it MUST..."

    > 
    > 
    > --------------------------------------------------------------------
    > --
    > COMMENT:
    > --------------------------------------------------------------------
    > --
    > 
    > 
    > I second Alvaro's and Lars' point about formally updating RFC 8300.
    > 
    > Quite often in the text "privacy-sensitive metadata" is used but
    > encryption is not only required for privacy but also to protect
    > operational data from attackers (i.e., not linked to privacy), is
    > there a real need to qualify "metadata" with "privacy-sensitive",
    > i.e., "confidential metadata" may be more appropriate ?

    [Med] We use this term because we can easily argue why we included statement such as:

     " In an SFC-enabled domain where the above attacks are possible, (1)
       NSH data MUST be integrity-protected and replay-protected, and (2)
       privacy-sensitive NSH metadata MUST be encrypted for confidentiality
       preservation purposes."

    Other types can be encrypted as per: 

       Classifier(s), NSH-aware SFs, and SFC proxies are instructed with the
       set of Context Headers (privacy-sensitive metadata, typically) that
       must be encrypted.

EV> let's say that we disagree __ but this is non-blocking anyway

    > 
    > -- Section 4.1.1 --
    > The use of 'metadata' (notably in table 1) for 'context headers' is
    > confusing for a first-time reader. Any chance to be consistent and
    > only use 'context headers' ?

    [Med] Will see how to make this better, but please that we do have the following before table 1: 

    "Context Header(s): Carries metadata..."

    > 
    > -- Section 4.2 --
    > At first reading, I am confused by the use of the word 'secret key'
    > for what appears to be a 'shared key'. Or is this 'secret key' never
    > shared and simply used to generate the secondary keys, which are
    > then shared ? Even if discussed later, some early explanations would
    > be welcome.

    [Med] We are using similar wording as in RFC7518.

EV> I fail to see this wording in RFC 7518

    > 
    > -- Section 5.1 --
    > Is there a good reason why the field name "key length" is not "key
    > ID length" ?

    [Med] Only for esthetic matters of the figures. Can fix that if you prefer. 

    |Key ID Length| vs | Key Length |

EV> this would be clearer IMHO but editorial hence non-blocking

    > 
    > I also find very strange to define "Length: variable" as the header
    > field itself as a fixed length, simply state "unsigned integer".

    [Med] We are echoing Section 2.5.1 of RFC8300.

EV> like above, I fail to see this similarity in the section 2.5.1 of RFC 8300 "Indicates the length of the variable-length metadata, in bytes."
    > 
    > As timestamp can include fractions of second, which is a good thing,
    > then please reword "expressed in seconds relative" to indicate that
    > fraction of second is included.

    [Med] OK.

    > 
    > The 32-bit epoch will wrap around in 2036, should this I-D already
    > consider what to do at that moment ?

    [Med] Hmm. We say that it wraps in 2106 :-)

EV> I should have spot the different epoch ;-)

    > 
    > -- Section 8 --
    > Indeed MTU is always an interesting 'problem' but how is this
    > extension different than plain NSH ? The NSH neither increases nor
    > decreases on the fly with this document.

    [Med] It varies as we can add/strip context headers as the packet progress in the service chain. 

EV> Amazing that this was accepted by the IESG in RFC 8300 years ago... when net-pgm RFC had to remove the header insertion.

    > 
    > == NITS ==
    > 
    > -- Section 3 --
    > Should 'figure 1' be 'table 1' per consistency with section 4.1.1 ?

    [Med] It should. Will be fixed. Thanks. 

    > 
    > 


    _________________________________________________________________________________________________________________________

    Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
    pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
    a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
    Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

    This message and its attachments may contain confidential or privileged information that may be protected by law;
    they should not be distributed, used or copied without authorisation.
    If you have received this email in error, please notify the sender and delete this message and its attachments.
    As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
    Thank you.

v2.8.7 | Report a Bug | By Email