IETF Logo Mail Archive

Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt

mohamed.boucadair@orange.com Wed, 13 January 2021 09:11 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436063A089C; Wed, 13 Jan 2021 01:11:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.117
X-Spam-Level:
X-Spam-Status: No, score=-2.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ih_K2mjt64li; Wed, 13 Jan 2021 01:11:01 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6D603A0888; Wed, 13 Jan 2021 01:10:59 -0800 (PST)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 4DG1rf2kSlzBrWL; Wed, 13 Jan 2021 10:10:58 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1610529058; bh=yAM1A7Mts9WLrOXrHm6iv87/a4SfJz4NEigkHVu9a9Y=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=RqFdKAwL6hFvJ19bd1jiNrCbYq03j9lVi6ixI9prKDSuIvuDHEbq6tqDincrQT2QI IMpEw8GJ7xiB89ZJo0fLUmUyICvAxxM11BwoG2e8fUgFvkirm8aPspw1bpGssx8zT6 +EC8F8YEhMJEsS8oA5aVQ5Vucn3GoXzSRWfa/yifN8b3HBuMsfVqCSiCEVOfyrrFJZ rM0cW5Uo3yGVH372MWS/eHC/kDYZuizD5cpFKolgDl6XjD22Od1/FPBF9PR8qv6fVl CDPWkePh3RySgJOqVuPdgbLrrYRBoDRUJ4XXZkv6724deu2gzXhVYOv/9jV2V/Myey UiBDGzhODaSkg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.73]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4DG1rf1cmBzCqlK; Wed, 13 Jan 2021 10:10:58 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Greg Mirsky <gregimirsky@gmail.com>
CC: Service Function Chaining IETF list <sfc@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>
Thread-Topic: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
Thread-Index: AQHW6SnFvtHlp8hmX0GrF1eTZuQEUKolQS9A
Date: Wed, 13 Jan 2021 09:10:57 +0000
Message-ID: <18222_1610529058_5FFEB922_18222_77_5_787AE7BB302AE849A7480A190F8B9330315B8963@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160799455546.19145.6717090076172979397@ietfa.amsl.com> <CA+RyBmVnC6h3oPzy_eCUAPaRjF_=_ohySdpU-MuHxqNPGtxKhQ@mail.gmail.com> <26008_1610446108_5FFD751C_26008_440_1_787AE7BB302AE849A7480A190F8B9330315B7D64@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CA+RyBmXbQgWWoBNE82zk2QO=Qiq++srO4TJcbcrMtfSHyDnk0g@mail.gmail.com>
In-Reply-To: <CA+RyBmXbQgWWoBNE82zk2QO=Qiq++srO4TJcbcrMtfSHyDnk0g@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B9330315B8963OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/RGu5nUdvtqqzmjRrI_DimZAePGY>
Subject: Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 09:11:05 -0000

Hi Greg,

Please see inline.

Cheers,
Med

De : Greg Mirsky [mailto:gregimirsky@gmail.com]
Envoyé : mardi 12 janvier 2021 22:28
À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
Cc : Service Function Chaining IETF list <sfc@ietf.org>; sfc-chairs@ietf.org
Objet : Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt

Hi Med,
many thanks for your comment on the new Authentication TLV and the reference to draft-ietf-sfc-nsh-integrity. I've compared the scope of both integrity protection mechanisms and think that there is no functional duplication or overlap but they are rather complementary. Please correct me if my understanding of draft-ietf-sfc-nsh-integrity is not accurate. As I understood it, the proposed in Section 5 of the NSH Integrity Protection draft Variable-Length Context Headers secure only the NSH layer, not a payload.

[Med] Actually, the payload is also covered. You may refer to these figures in Section 4.

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                Transport Encapsulation                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
      |                Base Header                            |  |
   +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  N
   |  |                Service Path Header                    |  S
   |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  H
   |  |                Context Header(s)                      |  |
   |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
   |  |                Original Packet                        |
   +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |
   +------Scope of integrity protected data

and

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                Transport Encapsulation                |
   +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
   |  |                Base Header                            |  |
   |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  N
   |  |                Service Path Header                    |  S
   |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  H
   |  |                Context Header(s)                      |  |
   |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
   |  |                Original Packet                        |
   +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |
   +----Scope of integrity protected data


The goal of the Authentication TLV is to protect the integrity of the SFC Echo Request, Echo Reply messages, and optional TLVs. The text over which HMAC is calculated includes fields only within the SFC Echo Request/Reply message. We can certainly add a text pointing out that the Authentication TLV and its use are independent of the use of context headers defined in draft-ietf-sfc-nsh-integrity.
Also, would you suggest enhancing the text used by the Authentication TLV by including a field from the NSH Base or NSH Path headers?

[Med] Protecting part of the NSH information is suboptimal as attacks are still possible by misbehaving nodes by altering some of these fields. I would just remove the Authentication TLV from the OAM draft and point to the integrity draft where these matters are discussed. Thank you.

Best regards,
Greg


On Tue, Jan 12, 2021 at 2:08 AM <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote:
Hi Greg,

Thank you for sharing this updated version.

I have a comment about the new Authentication TLV. We used to have a similar discussion in the past: whether each TLV document has to include its own protection means or have a generic solution. Please check Slide 7 of https://datatracker.ietf.org/meeting/104/materials/slides-104-sfc-sfc-chair-slides-01. As a follow-up, the WG developed https://tools.ietf.org/html/draft-ietf-sfc-nsh-integrity-02.

I suggest to avoid duplicated functionality and refer to draft-ietf-sfc-nsh-integrity if integrity at the NSH level is required.

Cheers,
Med

De : sfc [mailto:sfc-bounces@ietf.org<mailto:sfc-bounces@ietf.org>] De la part de Greg Mirsky
Envoyé : mardi 15 décembre 2020 02:18
À : Service Function Chaining IETF list <sfc@ietf.org<mailto:sfc@ietf.org>>; sfc-chairs@ietf.org<mailto:sfc-chairs@ietf.org>
Objet : [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt

Dear All,
in addition to a number of nits being fixed, updates in this version include:

  *   a change in the format of the TLV used in the SFC Echo Request/Reply. The shorter Type field seems not to affect extensibility but an additional one-octet-long filed can be used in some cases (one being the new Authentication TLV);
  *   a new Authentication TLV that can be used to protect the base SFC Echo Request/Reply as well as any optional TLV.
Authors welcome your comments, questions, and suggestions.

Regards,
Greg

---------- Forwarded message ---------
From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Mon, Dec 14, 2020 at 5:10 PM
Subject: [sfc] I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
To: <i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>>
Cc: <sfc@ietf.org<mailto:sfc@ietf.org>>



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Service Function Chaining WG of the IETF.

        Title           : Active OAM for Service Function Chains in Networks
        Authors         : Greg Mirsky
                          Wei Meng
                          Bhumip Khasnabish
                          Cui Wang
        Filename        : draft-ietf-sfc-multi-layer-oam-07.txt
        Pages           : 22
        Date            : 2020-12-14

Abstract:
   A set of requirements for active Operation, Administration and
   Maintenance (OAM) of Service Function Chains (SFCs) in networks is
   presented.  Based on these requirements, an encapsulation of active
   OAM message in SFC and a mechanism to detect and localize defects
   described.  Also, this document updates RFC 8300 in the definition of
   O (OAM) bit in the Network Service Header (NSH) and defines how the
   active OAM message is identified in SFC NSH.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sfc-multi-layer-oam/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-sfc-multi-layer-oam-07
https://datatracker.ietf.org/doc/html/draft-ietf-sfc-multi-layer-oam-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sfc-multi-layer-oam-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
sfc mailing list
sfc@ietf.org<mailto:sfc@ietf.org>
https://www.ietf.org/mailman/listinfo/sfc

_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.



_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email