Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-nsh-tlv-09: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Mon, 21 March 2022 09:58 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E889D3A19B9; Mon, 21 Mar 2022 02:58:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.721
X-Spam-Level:
X-Spam-Status: No, score=-1.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.186, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KkwQub6t9d1u; Mon, 21 Mar 2022 02:58:49 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EAC73A19A5; Mon, 21 Mar 2022 02:58:44 -0700 (PDT)
Received: from mit.edu (c-73-169-244-254.hsd1.wa.comcast.net [73.169.244.254]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22L9wYtQ006285 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 21 Mar 2022 05:58:40 -0400
Date: Mon, 21 Mar 2022 02:58:34 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: wei.yuehua@zte.com.cn
Cc: martin.vigoureux@nokia.com, draft-ietf-sfc-nsh-tlv@ietf.org, sfc-chairs@ietf.org, iesg@ietf.org, sfc@ietf.org, gregimirsky@gmail.com
Message-ID: <20220321095834.GQ13021@mit.edu>
References: <202112031730532332374@zte.com.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <202112031730532332374@zte.com.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/K_IlB1oFs0xSnQWRLX4AevuZg6U>
Subject: Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-nsh-tlv-09: (with DISCUSS and COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 09:58:59 -0000
Hi Yuehua, My apologies for not replying until now. I think I saw the updated versions of the draft and did not notice that there were still some active topics in the email thread (not reflected in the draft yet). On Fri, Dec 03, 2021 at 05:30:53PM +0800, wei.yuehua@zte.com.cn wrote: > Dear Ben, > Thank you. please see the commet resolution inline with Yuehua>> > > To Martin, I really appreciate if you could provide comments to Yuehua-2 and Yuehau-6. > > Best Regards, > Yuehua Wei > ZTE Corporation > ------------------原始邮件------------------ > 发件人:BenjaminKadukviaDatatracker > 收件人:The IESG; > 抄送人:draft-ietf-sfc-nsh-tlv@ietf.org;sfc-chairs@ietf.org;sfc@ietf.org;gregimirsky@gmail.com; > 日 期 :2021年11月30日 02:59 > 主 题 :[sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-nsh-tlv-09: (with DISCUSS and COMMENT) > Benjamin Kaduk has entered the following ballot position for > draft-ietf-sfc-nsh-tlv-09: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-tlv/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > (1) RFC 8300 is pretty clear that "Metadata privacy and security > considerations are a matter for the documents that define metadata > format." Some of the metadata context headers defined in this document > clearly have privacy considerations that need to be documented (e.g., > policy ID and source/destination group serve to concretely identify > flows that are related in some way), though some may not have much that > needs documenting (e.g., the forwarding context metadata seems to just > be extracting out information that is already present in the packet > being wrapped). Regardless, we need to have some discussion of the > privacy and security considerations of the new metadata context headers, > even if that is just "no new considerations" for some of them. > > Yuehua-1>>Thank you, I update the section to ver10 per you, Stig and John's comments. please take a look and provide further comments Unfortunately, I don't think that even the text in the -13 is providing what is needed here. (It is good text to have, but is generic to attacks on context headers in general, and authentication of context headers in general.) My expectation is that for each of the seven context headers that this document defines, we take a careful look at them in turn and document any privacy and/or security considerations that apply to the information carried in that specific context header. (In some cases we may also have to consider the encoding used, in addition to the information content, but I do not remember that being relevant here.) This could, for example, take the form of a table or list that covers each context header in turn. (If, after having done the work, it ends up being a list of mostly "no special considerations", we might consider formatting it differently, but we definitely need to do the analysis on each context header in turn.) > (2) I think we need to discuss the Flow ID context header further. Is > it intended to just be a container to hold a flow identifier already > present in the contained packet (such as the IPv6 Flow Label or MPLS > Entropy Label that are called out), or can it also be used to apply a > new flow identifier at the SFC layer? > > The named examples of a flow ID are both 20 bits long; if that is an > exhaustive listing, shouldn't we update the figure accordingly (to > include Length=3, four leading bits of padding, and a trailing byte of > padding)? If that is not an exhaustive listing and longer flow > identifiers are expected, how do we know what length of flow identifier > is being conveyed? > > Yuehua-2>>You raised a good question. I prefer to add Context Type (CT) to distinguish different flow IDs. I'd appreciate your advice. An explicit Context Type to indicate the specific Flow ID used seems like it will be very helpful for extensibility. That would also allow each context type to specify how long in bits the useful Flow ID value is, since the NSH metadata framing only gives a length in bytes. If there was no in-band context type, a recipient would have to rely on out-of-band configuration to know how much padding is present, which is not very interoperable. > (3) If we are to allow for specifying the "logical grouping of source and/or > destination objects" in §4.6 (emphasis on "and/or"), but the context > header always conveys both a source group and dest group field, do we > need to reserve a dedicated value for "no group information specified"? > > Yuehua-3>>Very good observation. Shall we state that if there is "no group information specified" for the source or dest field, the field MUST be sent as zero and ignored on receipt Yes, please! > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 1 > > This document does not address metadata usage, updating/chaining of > metadata, or other SFP functions. Those topics are described in > [RFC8300]. > > I'm not entirely sure what is meant by "chaining of metadata" (unless > it's just a synonym for "updating of metadata"?), and having reviewed > all 18 instances of "chain" and 88 instances of "metadata" in RFC 8300, > I am not sure which part you're intending to refer to by it. Could you > please point to a more specific part of RFC 8300 (at least in this email > thread for now, not necessarily in a document update)? > > Yuehua-4>> RFC8300 doesn't use “chain”to discribe multiple metadata. > it mentions "If multiple mandatory-to-process Context Headers are required for a given SFP" and "If multiple instances of the same metadata are included in an NSH packet" in RFC8300 section 2.5.1 > Further comments are welcome Mostly my comment here is that I don't know what you mean by "chaining of metadata". If it's just that there might be interdependencies or relations between two pieces of metadata in the same packet, we could clarify the text in one way; if it's relating to updating (modifying) a given piece of metadata along the path of the packet, we would do something else; etc. > > Section 4.1 > > I suggest putting a context (forgive the pun) indicator in the figure > legends, e.g., "Figure 4: Forwarding Context - 2 (QinQ)". The > information is already available elsewhere, but having it in the caption > helps focus the reader on the important/relevant part of the figure. > > Yuehua-5>> Accepted, will update to ver10 Thanks! -Ben > Section 4.3 > > It might be interesting to say something about when the SPI itself > suffices to identify the ingress node vs. when this metadata context > header is needed. > > Node ID: Represents an opaque value of the ingress network node > ID. The structure and semantics of this field are deployment > specific. For example, Node ID may be a 4 bytes IPv4 address Node > ID, or a 16 bytes IPv6 address Node ID, or a 6 bytes MAC address, > or 8 bytes MAC address (EUI-64), etc,. > > There seems to be some dissonance between saying this field is "an > opaque value" and also saying that it might be an IP or MAC address. In > the vein of Francesca's Discuss point, I don't think we can have > interoperability if the NSH implementation is expected to process this > as IP/MAC address information (as opposed to just an opaque identifier). > > Yuehua-6>> it has relation to > > Section 8.2 > > URLs for [GROUPBASEDPOLICY] and [GROUPPOLICY] would be helpful. > Yuehua-7>> Accepted, will fix the problem to ver10 > > > _______________________________________________ > sfc mailing list > sfc@ietf.org > https://www.ietf.org/mailman/listinfo/sfc >
- [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-… Benjamin Kaduk via Datatracker
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Martin Vigoureux
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… wei.yuehua
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Carlos Pignataro (cpignata)
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… mohamed.boucadair
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Carlos Pignataro (cpignata)
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… mohamed.boucadair
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Donald Eastlake