Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 13 September 2021 13:50 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F21133A11A2; Mon, 13 Sep 2021 06:50:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=PHGmKGbS; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=sagiEh4K
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyjXNqSYcl6i; Mon, 13 Sep 2021 06:50:47 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 649123A119D; Mon, 13 Sep 2021 06:50:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=45971; q=dns/txt; s=iport; t=1631541047; x=1632750647; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=v4+cBTnJPU/wODOdkEy0mmHGgpFmY0Q+dmgdHYnawM0=; b=PHGmKGbS9EStZj7VbivSUBibg6LKS+t44dJbGgbBS6xHpHE5o9s6vRHW FJ0ENAibvgSCi/ACf6rfImFcMSVXeoRJuyNNBULjd1Dnt6S/b1gLMhYaZ xUhYmuBzFCjKIDioKwp6MfVNcrRVD/wYT7NuU+B53kBRAkGysw7QjhJFZ c=;
X-IPAS-Result: A0CrAACUVj9hl40NJK1aGwEBAQEBAQEBBQEBARIBAQEDAwEBAYIZgSMwUX5aEyQxhEeDSAOFOYgHA4ESFolGhR2KU4FCgREDVAsBAQENAQE1DAQBASuESAIXgisCJTgTAQIEAQEBAQMCAwEBAQEFAQEFAQEBAgEGBBQBAQEBAQEBAYEIhTsGJw2GQgEBAQECARIICR0BASUSAQQHBAIBCBEDAQIhBwMCAgIfERQGAwgCBAENBSKCTwGBflcDDiEBDp9uAYE6AoofeoExgQGCCAEBBgQEgUpBgn8NC4I0AwaBOoJ/gnVTSAEBgRqBNCKDfQgfHIFJRIEVJwwQgjA3PoIgQgIDgSgBEgFBDQmCYTaCLoZ1AWsHYwQUDhkICAYCDRNRDgQVLQgHAQIhBQUCBQofAQgEOAORGAgTCwcrgkoBRohoOIM0iVmRBzpeCoMrikCOOASFYwUsg2aLZ5EAhjiFO5Bhgh6KJoM6kAMnCAuEdAIEAgQFAg4BAQY1gUMia1gRB3AVZQGCPlEZD4xmgToJAw0JFYM7hRSFSnQ4AgYBCgEBAwkBgjmNOQEB
IronPort-PHdr: A9a23:4YshKRYxzOjLXFuoqeSD8wf/LTAzhN3EVzX9orIojrtPduKo+JGxd EDc5PA4iljPUM2b7v9fkOPZvujmXnBI+peOtn0OMfkuHx8IgMkbhUosVciCD0CoI/vjbih8F 8NHBxdp+nihOh1TH8DzL1TZvny162sUHRPyfQp4L+j4AMjclcOyguuz4JbUJQ5PgWnVXA==
IronPort-Data: A9a23:W3/POa4gGDZsE24rZ3Eo1AxRtM7HchMFZxGqfqrLsTDasY5as4F+v modXGDXOfqJYDH3ct90boS2pxwGuZ7dndMwSgdvpH08Zn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPjZzRYwnz/1WlTbhSEUOZqgG/ysVYYoBggrHVU9EHZ40ko58wIEqtcAbeaRUlvlV eza+6UzCHf9s9KjGjtJg04rgEoHUMXa4Fv0jHRnDRx4lAO2e00uMX4qDfrZw00U7WVjNrXSq +7rlNlV945ClvsnIovNfr3TKiXmTlNOVOSDoiI+ZkSsvvRNjgkViP8yOqVGUFZSig+OhsBQx NN0mJPlHG/FPoWU8AgcexBcFyc7Nqpc9fqXZ3O+qseUiUbBdhMAwd03UxpwZtNeo70xWD0Xn RAbAGhlghSrivynxrm4R8Fnh98oK4/gO4Z3VnRIkmyCUa57EM2bK0nMzY9nxjVqi/9CIaf5f vcwMhRJSBDJcRIabz/7D7pnzLv32RETaQZwp0iYqqsy4nLIzx1Z373kMd6TcduPLe1OkE2wp 2/a8SL+GB5yHMeRwn+O8nutnPTnnC7nVsQVDrLQ3vJwiVOPg20eFBNTTlWw5P+iigu/Xc5SJ FYV5jsGrKUu+gqsVNaVdxy1u3GsvxMAVZxXCeJSwASE0LbV5UCHB2cDUyRMdcwOssg1RDVs3 ViM9/vsAjxmtbCZD3ia67ydoTqzIwASN2YEaiJCRgwAi/Hgp4c/khPVZtlmGa+xyNbyHFnNL yuipSw6gfAYitQGkvX99lHciDXqrZ/MJuIo2unJdkeCtFpwatH/Xp2t6GLc9OZhIICgY1bU6 RDohPOiAPAy4YClzXLWGb9WQeD0vZ5pIxWH2gY+RclJGyCFvi/9I9wNvFmSMW80aq45lSnVj Fg/UO+7zLZXOHasBUOcS93sU5xwpUQM+CiMaxw5RtNKZp40fwid8WQ+DaJx44wPuBV3+U3cE c7GGSpJMZr8If43pNZRb7xHuYLHPghkmQvuqWnTlnxLK4ZygUJ5r59YYDNiichnsMu5TPn9q L6zyuPTkUwECb2iCsUp2dFNcDjm0kTX9biv+5AIKYZv0yJNGXoqDLfq0Kg9dol+95m5Zc+Zp y3mBxcw9bYLvlWecV/iQik6MNvHBM8jxVpmbX1EFQv5gBALPNfwhI9BLMFfVed8q4ReIQtcE qBtlzOoWa8UFFwqOl01MPHAkWCVXE3721vRbnv6OWJXklwJb1Whx+IItzDHrEEmZhdbf+Nny 1F8/ms3maY+ejk=
IronPort-HdrOrdr: A9a23:sqBHL6NJUKS35cBcT5j255DYdb4zR+YMi2TDiHoRdfUFSKKlfp 6V88jzjSWE9wr4WBkb6Le90dq7MA3hHP9OkMks1NKZPDUO11HYV72KgbGSpgEIXheOitK1tp 0QMJSWaueAd2SS5PySiGLTfrpQo6jkzEnrv5ai854Hd3ANV0gU1XYANu/tKDwOeOApP+tcKL Osou584xawc3Ueacq2QlMfWfLYmtHNnJX6JTYbGh8O8mC1/HGVwY+/NyLd8gYVUjtJz7tn23 PCiRbF6qKqtOz+4gPA1lXU849dlLLau55+7Y23+4wowwfX+0CVjbdaKuS/VfcO0bmSAWMR4Z 7xStEbTp9OAj3qDzuISFDWqnjdOX4Vmg/fIBmj8CbeSQiTfkNkNyKH7rgpLicxonBQzu2Vms hwrhGknosSAhXakCvn4d/UExlsi0qvuHIn1fUelnpFTOIlGfNsRKEkjQlo+a07bW/HAUEcYZ 9TJdCZ4OwTfUKRbnjfsGUqyNuwXm4rFhPDRkQZoMSa3zVfgXg8liIjtYIit2ZF8Ih4R4hP5u zCPKgtnLZSTtUOZaY4AOsaW8O4BmHEXBqJOmOPJlbsEr0BJhv22tHKyaRw4PvvdI0DzZM0lp iEWFREtXQqc0arEsGK1I0jyGGHfIx8Z0Wk9ih63ek5hlTRfsueDcSzciFmryL7mYRrPiTyYY fFBK5r
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.85,290,1624320000"; d="scan'208,217";a="753405950"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 13 Sep 2021 13:50:45 +0000
Received: from mail.cisco.com (xbe-rcd-002.cisco.com [173.37.102.17]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id 18DDojEe000624 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 13 Sep 2021 13:50:45 GMT
Received: from xfe-aln-004.cisco.com (173.37.135.124) by xbe-rcd-002.cisco.com (173.37.102.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 13 Sep 2021 08:50:44 -0500
Received: from xfe-rcd-002.cisco.com (173.37.227.250) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 13 Sep 2021 08:50:44 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-002.cisco.com (173.37.227.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Mon, 13 Sep 2021 08:50:44 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HDw78UL9QPgdCFBv8eMF6tR93LrKHKSGRcXC2MpAx+VRzPcqV95lIHAaGmSlWot8ZL9uKhF6XORERokVQIpkZMMvrxZZNgui/gvMKQ/WgVVKeQi6hk24NH0zVZG/MlSAb5oMGaWKFjWlTvsBCz7fRM5k3kVCvcBwLIIhOfa+gBusd3MGWlB6w+295zdoRf9VaGJ/ZC7jVMI5403ArGg7ERQtIcfFoUGzNGFK2kilTwQEH9cKOBr0/mwfMsTY2APwwdwbebRmDQrkWj92vIUYVhqaT6a3OgIXhhKT37C1M6C73ge8IEm2OsN7G0TLvC0PRonjZ80jqOnGBfHTYeyOpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=v4+cBTnJPU/wODOdkEy0mmHGgpFmY0Q+dmgdHYnawM0=; b=jhCxynxXiWq2VZx0OIDoIDVwFafdJ6elK/YAYzKf66qZEj74JWnEwXte8MkRlDhq0q+5eajUVszOMn8cWhTmD/B+Ou+PwXOVc0R2odrv2kAkM6BMtSp3M6DF/NRCezz0zSSSpu5xR49eP2wXH1H6GGy/V/CxOeXClmIAOZZRrzlEpbBALyPL64qEhrNqMfxBofg/lRF8WJYXuTBnYCspBETx503XB/9olTlZw5Zzad3YnCW67tBuCD0RTdN5J1Lb1AQBd4R1nnwrlB4gRLvSZCkfTy94egbtNW8ADo8xMWgz5s31mZwPOXLfP9gqBPVo2zeglh3Wq3YgMhDVaV+otA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v4+cBTnJPU/wODOdkEy0mmHGgpFmY0Q+dmgdHYnawM0=; b=sagiEh4Ke7DxPHuTkOSMOmn2VOkYZuIWcq8CnV5BGF2ChmaICVqB2H1+OSqjB2+fUgQUgs3K5FEUWqj5+nNbu0R3U0/ns1le0iB1cVAzpbvqKj548FTtWQzWPa2dh4yUlmEeFRflk/mxRJTu+lw1Cx9nGXvpeqSvlwOmtEmgQTw=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by PH0PR11MB4982.namprd11.prod.outlook.com (2603:10b6:510:37::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.17; Mon, 13 Sep 2021 13:50:42 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::596b:9fa6:18d4:67e7]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::596b:9fa6:18d4:67e7%8]) with mapi id 15.20.4500.019; Mon, 13 Sep 2021 13:50:42 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: tirumal reddy <kondtir@gmail.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>
Thread-Topic: Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT)
Thread-Index: AQHXd+EWUzPhovDiy06QVDjdApotHKtBE6GQgAFgQoD//+tvgIBgHyGA
Date: Mon, 13 Sep 2021 13:50:42 +0000
Message-ID: <31B62CC4-2F26-4452-9DD6-511A376CDEFA@cisco.com>
References: <162617866082.13596.2398814614966286542@ietfa.amsl.com> <15473_1626195281_60EDC551_15473_51_1_787AE7BB302AE849A7480A190F8B9330353BE8EC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <94FF1F19-7004-42C5-8560-C99A2FEEF71A@cisco.com> <CAFpG3gfrDC67OhKLmLEWkmH1E3ResxsOouHwxjCgVDwBk7N3OQ@mail.gmail.com>
In-Reply-To: <CAFpG3gfrDC67OhKLmLEWkmH1E3ResxsOouHwxjCgVDwBk7N3OQ@mail.gmail.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.52.21080801
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b16ca597-8125-489b-ec24-08d976bd7a8c
x-ms-traffictypediagnostic: PH0PR11MB4982:
x-microsoft-antispam-prvs: <PH0PR11MB498293B8939BED1CE6AF91DFA9D99@PH0PR11MB4982.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: T+LIH5cEA8bGd+S1sWLBOdKE4VHBrDayB/zQnhMkM9/MjmGlkxWl/Ilwm8X3AS7TdU+M/V68MbjqzUuqNyuohOCTeNnFbRet0YvUHeY72TYnE9zwSz1F6GqyZZq9xE4L/SROZJMHW0J48hwR2vxcWiM4HEZNs1wxbEUsTrEB0jqXlJNJWIGqzU4ze+Ti88lyK7JQnUDug3Be9tjgI7qZ+2F9JyhQtKTw7nenjaEokkVlXZpVyLaNUhbtKfv/rlqFXAW0ZA2LjM1CG8YXXCTyFfbQSS0eP2lIo2/eQfYCpOViDG5/ouNlbJgbwlatOv5MnoB2Qk78F9UAXvftc36CAdea+F/DubkwmKffv2EEy9mBbZxnSkC1twk2vfpf8t+cqGUPvkUOCAxR8L2I1rMOkjbE9kyJdFmYWQaJU/D4TmTh3qJk+xqKWUE1u5PkdaclACHAzqwWCq3U3ySf05LqY6af0BXPfhxGSOeyMVptB/1C5F0w1f4Ode/tDNIC7KIHYLATd+jA8zi3jEPKwwTVoVr0z0Cczd4hxeayFcl5EIyY7US1ioJScN51O4BFMDiZiogJU1Ab3zSC4WBeRCSxESWG2FVFp2vpiZVcJRCHCzLjHaH2+QdlMnfXzq3nh0h5m6ezkIDQ0z+DwG1/ELPn9i6TcKr4/L30ckgbJRHCVITn5bQB+eWNWxoV4S96O8sNJBWxxusIJZMaZH8rCdXYEK7Q9hadep5NVlkp5fsyMgIKVxhYcYf8DzvPccRz4/NSESHLBEIBNMSUU7ORG0d80NZ82cdjXq8txLN33NY2cSRpfcn5TKbr7l8hvOa2mraXweR2RC3LMSKAmyqBUypJM/U9HxbXlhrD0W4/5gHSFyA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(346002)(376002)(136003)(39860400002)(366004)(478600001)(83380400001)(186003)(2616005)(8936002)(30864003)(38070700005)(122000001)(38100700002)(71200400001)(166002)(5660300002)(53546011)(966005)(6506007)(66446008)(33656002)(86362001)(54906003)(110136005)(36756003)(2906002)(4326008)(316002)(76116006)(91956017)(66946007)(64756008)(224303003)(66476007)(66556008)(6512007)(6486002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: rsMwuzaGYZ+esP3JtVtl3969lcPG48seiSPK1cx9BDM6cwZzOXg4ojTWUqlDsTpZNdAa+y+Z4Ws+337Yd7yHbcg01zpV3A47BukU71/uDmVSQ9RciEcAZPJ0vicDUnQCMsk5XdUa6yno9fqIq7SR9UtfL9ksTyQcMi89vZCVOZhWifBOzte4X1Jc5/M3PLIEbYkrXISER7kOKTkjIrsVv/qvMAs2ksZHKetIjloCt25BOMR5LwKvpCJU3UbNKCUkSkaDQxtIsoCzVBRjvdnR39IvRkHRaB2KTtZtA+aE6Bz72iswBVyPaGWxQQw+pVkhwnokIg5T4THG8mWDyQiEU6KzT4GcDf4/9xuRkyjIs4TuE1KxUFNQw/tgkTK/9d+fqkNIeGfL+5jz7DX755/1Vl90ATgty3oImkvJevtNcS+7qZQ/7jzcus/2OTQGx5N94NjL0kZz1/42Cq3uzenBrowCPpe4ixqwEa7XwkwR4IirP3dlXa/gUqAA2bvcPBJqTtTxq2LzGnaMIkDIDdz9ixNoN2y2uNembLt8P0B3N58LFhSZbPmJvaRvhnj8HFYPSqd+NUmIWdfXmHOOBVXOwzX1lVSAK1WohXAAbsaruKBuyAfALBqtxPVd52d380sgl6F7K2XDR4eV6fAFByWCATjZY8dgQV1IsMpN61k79mqJSDkaHBu8nDQP20CetZAT0iocbDFzkowLh/TEmBa5z99wtAWFa4byP9CBpgyNgi1+dbuArYb7rwxl72pQKEIOQ4HeOwcYNfDX7NQAf7WCAFSIzdFZbtJlSN+4bUbNwvCiR/30DVdP0NwFmN7BVNmGur/d8Ytr7IBxNyNMKKh6hEeF/MkRadaGQhkTe4lk6hLuTdQC/6VA4dcFMkdoceTL/ykaj5FqK5RCAFesiEKGlRENGdQdUlkiEBsasxVgYwbMleKjpl90H9h7BI+bgJYJa0lbli9uYp08l3iR3ParRirZatqYy4BV+FRqoec6P5cjXCDVLJDVhuJoBVfaFJYoUiUslJ/5waXSeVcqgFUm5Irht/oKvs9pVdqjYxRmR4mADvee7or3ZkGDL6LfPRrCaNlpNOwDa+cS1E3o+sFLZQmPbQCJOIE15J4VVBkQrpXmqNudKMQBMiUKKxy4cdm07b40+im0HFeLjLCKU90Kfp4RzIaAgtxuxtmt0crHpcJ/ut55sLiMFUToR/owxCiCoshze8TCGR4qUUzusvKAaWVwjxSy+ulTysAPzFQVdWQmnYyINxEP5rDmUd0aqnBouCJEtvqqUjnSF1SPKt2qVfgGOQytzBeO3WscRRREhttST7jLuREq8vcWbTlRuT+Ya0jcZMNgN81nxxb56e+TCvUE6UCCnzViisPhKllehvpF9AMI9Y/AynCOVttIQFZP2dCBbSk3RwdPgz+tekZAVA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_31B62CC42F2644529DD6511A376CDEFAciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b16ca597-8125-489b-ec24-08d976bd7a8c
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Sep 2021 13:50:42.4786 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: y4n6PuQx8+HnOJGy54BAR+wESpw5BVoiu81uB+l6yjiMW4sBFesKru5xppKH5UXyrgbT2EDoNLSTgY5DwRqgGw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4982
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.17, xbe-rcd-002.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/IIrSXMwTyBhdcjQ7VMWTTlGjKvE>
Subject: Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 13:50:53 -0000
Hello Tiru, Your proposed text indeed addresses my remaining issue. I am clearing my DISCUSS in the coming minutes as Med also addressed earlier my other DISCUSS points. Regards and sorry for belated reply, -éric PS: your reply was lost in the ‘fury’ ot the IETF week, sorry about that and please thank your AD, Martin Vigoureux, for sending me today a gentle nudge... PS2: if IESG members do not respond, then ALWAYS feel free to send a reminder as we are mere overloaded human beings :-) From: tirumal reddy <kondtir@gmail.com> Date: Wednesday, 14 July 2021 at 13:58 To: Eric Vyncke <evyncke@cisco.com> Cc: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>, "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com> Subject: Re: Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT) Hi Eric, We will update text in Section 7.2 as follows to address the comment : The NSH imposer sets the MAC field to zero and then computes the message integrity for the target NSH data (depending on the integrity protection scope discussed in Section 5) using MAC_KEY and HMAC algorithm. It then inserts the computed digest in the MAC field in the "MAC and Encrypted Metadata" Context Header. Cheers, -Tiru On Wed, 14 Jul 2021 at 16:42, Eric Vyncke (evyncke) <evyncke@cisco.com<mailto:evyncke@cisco.com>> wrote: Hello Med, Thank you for your prompt reply. See below for EV>, still holding my DISCUSS mainly around the "how to compute the MAC as it includes the MAC field itself" Regards -éric -----Original Message----- From: "mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>" <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> Date: Tuesday, 13 July 2021 at 18:54 To: Eric Vyncke <evyncke@cisco.com<mailto:evyncke@cisco.com>>, The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: "draft-ietf-sfc-nsh-integrity@ietf.org<mailto:draft-ietf-sfc-nsh-integrity@ietf.org>" <draft-ietf-sfc-nsh-integrity@ietf.org<mailto:draft-ietf-sfc-nsh-integrity@ietf.org>>, "sfc-chairs@ietf.org<mailto:sfc-chairs@ietf.org>" <sfc-chairs@ietf.org<mailto:sfc-chairs@ietf.org>>, "sfc@ietf.org<mailto:sfc@ietf.org>" <sfc@ietf.org<mailto:sfc@ietf.org>>, "gregimirsky@gmail.com<mailto:gregimirsky@gmail.com>" <gregimirsky@gmail.com<mailto:gregimirsky@gmail.com>> Subject: RE: Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: (with DISCUSS and COMMENT) Hi Eric, Thank you for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Éric Vyncke via Datatracker [mailto:noreply@ietf.org<mailto:noreply@ietf.org>] > Envoyé : mardi 13 juillet 2021 14:18 > À : The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > Cc : draft-ietf-sfc-nsh-integrity@ietf.org<mailto:draft-ietf-sfc-nsh-integrity@ietf.org>; sfc-chairs@ietf.org<mailto:sfc-chairs@ietf.org>; > sfc@ietf.org<mailto:sfc@ietf.org>; gregimirsky@gmail.com<mailto:gregimirsky@gmail.com>; gregimirsky@gmail.com<mailto:gregimirsky@gmail.com> > Objet : Éric Vyncke's Discuss on draft-ietf-sfc-nsh-integrity-06: > (with DISCUSS and COMMENT) > > Éric Vyncke has entered the following ballot position for > draft-ietf-sfc-nsh-integrity-06: Discuss > > When responding, please keep the subject line intact and reply to > all email addresses included in the To and CC lines. (Feel free to > cut this introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/ > > > > -------------------------------------------------------------------- > -- > DISCUSS: > -------------------------------------------------------------------- > -- > > Thank you for the work put into this document. > > Special thanks to Greg Mirsky for his shepherding especially about > his summary of the WG consensus. > > Please find below some blocking DISCUSS point (which should be easy > to fix), some non-blocking COMMENT points (but replies would be > appreciated), and one nit. > > I hope that this helps to improve the document, > > Regards, > > -éric > > == DISCUSS == > > I failed to spot the order of the operations for the integrity and > confidentiality operations, e.g., I did not find on what the HMAC is > computed: > in the unencrypted or encrypted field ? [Med] Isn't this covered by this text: Using the secret key (K) and authenticated encryption algorithm, the NSH imposer encrypts the Context Headers (as set, for example, in Section 3), computes the message integrity for the target NSH data, and inserts the resulting payload in the "MAC and Encrypted Metadata" Context Header (Section 5). The entire Context Header carrying a privacy-sensitive metadata is encrypted (that is, including the MD Class, Type, Length, and associated metadata of each Context Header). EV> the text could be made clearer by using "then" rather than simple "," EV> but I STRONGLY suggest to move this explanation earlier at the very beginning of section 7 (or 7.1) and not like now in section 7.3 EV> BTW, this is indeed the expected order to avoid DoS > > -- Section 5.1 -- > What is the unit of "key length", I assume a length expressed in > octets but it is not specified. [Med] Yes. Fixed. Thank you for catching this. EV> __ > > -- Section 7.2 -- > What is the "A" used in the HMAC computation ? [Med] This is: Additional Authenticated Data (A) (mentioned in 4.2). EV> fair enough, suggest to write that the terminology of section 4.2 is used there. > > The formula specifies HMAC-SHA-256-128() but what if another HMAC is > used ? [Med] Please note that the text says: "can be illustrated as follows:". That is for illustration purposes. EV> could also be made more obvious with " The Message Authentication Code (T) computation process for additional authentication text (A) with HMAC-SHA-256-128() can be illustrated as follows:" > Section 7.3 use MAC() which is more flexible. > > As the MAC field is included in the integrity protected header, > please specify the value of this field when computing the HMAC (I > assume 0 but let's be clear) EV> still waiting for an answer on this issue (so keeping my DISCUSS ballot) > > -- Section 7.5 -- > What is the expected behavior when a NSH does not contain a "MAC and > Encrypted Metadata" Context Header ? §1 hints to packet drop ? > Should there be a local policy for this case ? [Med] This is covered here: It MUST log an error at least once per the SPI for which the "MAC and Encrypted Metadata" Context Header is missing. EV> honestly, not clear from the text. Please consider adding "In this case, it MUST..." > > > -------------------------------------------------------------------- > -- > COMMENT: > -------------------------------------------------------------------- > -- > > > I second Alvaro's and Lars' point about formally updating RFC 8300. > > Quite often in the text "privacy-sensitive metadata" is used but > encryption is not only required for privacy but also to protect > operational data from attackers (i.e., not linked to privacy), is > there a real need to qualify "metadata" with "privacy-sensitive", > i.e., "confidential metadata" may be more appropriate ? [Med] We use this term because we can easily argue why we included statement such as: " In an SFC-enabled domain where the above attacks are possible, (1) NSH data MUST be integrity-protected and replay-protected, and (2) privacy-sensitive NSH metadata MUST be encrypted for confidentiality preservation purposes." Other types can be encrypted as per: Classifier(s), NSH-aware SFs, and SFC proxies are instructed with the set of Context Headers (privacy-sensitive metadata, typically) that must be encrypted. EV> let's say that we disagree __ but this is non-blocking anyway > > -- Section 4.1.1 -- > The use of 'metadata' (notably in table 1) for 'context headers' is > confusing for a first-time reader. Any chance to be consistent and > only use 'context headers' ? [Med] Will see how to make this better, but please that we do have the following before table 1: "Context Header(s): Carries metadata..." > > -- Section 4.2 -- > At first reading, I am confused by the use of the word 'secret key' > for what appears to be a 'shared key'. Or is this 'secret key' never > shared and simply used to generate the secondary keys, which are > then shared ? Even if discussed later, some early explanations would > be welcome. [Med] We are using similar wording as in RFC7518. EV> I fail to see this wording in RFC 7518 > > -- Section 5.1 -- > Is there a good reason why the field name "key length" is not "key > ID length" ? [Med] Only for esthetic matters of the figures. Can fix that if you prefer. |Key ID Length| vs | Key Length | EV> this would be clearer IMHO but editorial hence non-blocking > > I also find very strange to define "Length: variable" as the header > field itself as a fixed length, simply state "unsigned integer". [Med] We are echoing Section 2.5.1 of RFC8300. EV> like above, I fail to see this similarity in the section 2.5.1 of RFC 8300 "Indicates the length of the variable-length metadata, in bytes." > > As timestamp can include fractions of second, which is a good thing, > then please reword "expressed in seconds relative" to indicate that > fraction of second is included. [Med] OK. > > The 32-bit epoch will wrap around in 2036, should this I-D already > consider what to do at that moment ? [Med] Hmm. We say that it wraps in 2106 :-) EV> I should have spot the different epoch ;-) > > -- Section 8 -- > Indeed MTU is always an interesting 'problem' but how is this > extension different than plain NSH ? The NSH neither increases nor > decreases on the fly with this document. [Med] It varies as we can add/strip context headers as the packet progress in the service chain. EV> Amazing that this was accepted by the IESG in RFC 8300 years ago... when net-pgm RFC had to remove the header insertion. > > == NITS == > > -- Section 3 -- > Should 'figure 1' be 'table 1' per consistency with section 4.1.1 ? [Med] It should. Will be fixed. Thanks. > > _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [sfc] Éric Vyncke's Discuss on draft-ietf-sfc-nsh… Éric Vyncke via Datatracker
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… mohamed.boucadair
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… Eric Vyncke (evyncke)
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… tirumal reddy
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… mohamed.boucadair
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… Eric Vyncke (evyncke)
- Re: [sfc] Éric Vyncke's Discuss on draft-ietf-sfc… tirumal reddy