Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
mohamed.boucadair@orange.com Wed, 13 January 2021 09:11 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436063A089C; Wed, 13 Jan 2021 01:11:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.117
X-Spam-Level:
X-Spam-Status: No, score=-2.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ih_K2mjt64li; Wed, 13 Jan 2021 01:11:01 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6D603A0888; Wed, 13 Jan 2021 01:10:59 -0800 (PST)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 4DG1rf2kSlzBrWL; Wed, 13 Jan 2021 10:10:58 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1610529058; bh=yAM1A7Mts9WLrOXrHm6iv87/a4SfJz4NEigkHVu9a9Y=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=RqFdKAwL6hFvJ19bd1jiNrCbYq03j9lVi6ixI9prKDSuIvuDHEbq6tqDincrQT2QI IMpEw8GJ7xiB89ZJo0fLUmUyICvAxxM11BwoG2e8fUgFvkirm8aPspw1bpGssx8zT6 +EC8F8YEhMJEsS8oA5aVQ5Vucn3GoXzSRWfa/yifN8b3HBuMsfVqCSiCEVOfyrrFJZ rM0cW5Uo3yGVH372MWS/eHC/kDYZuizD5cpFKolgDl6XjD22Od1/FPBF9PR8qv6fVl CDPWkePh3RySgJOqVuPdgbLrrYRBoDRUJ4XXZkv6724deu2gzXhVYOv/9jV2V/Myey UiBDGzhODaSkg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.73]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4DG1rf1cmBzCqlK; Wed, 13 Jan 2021 10:10:58 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Greg Mirsky <gregimirsky@gmail.com>
CC: Service Function Chaining IETF list <sfc@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>
Thread-Topic: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
Thread-Index: AQHW6SnFvtHlp8hmX0GrF1eTZuQEUKolQS9A
Date: Wed, 13 Jan 2021 09:10:57 +0000
Message-ID: <18222_1610529058_5FFEB922_18222_77_5_787AE7BB302AE849A7480A190F8B9330315B8963@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160799455546.19145.6717090076172979397@ietfa.amsl.com> <CA+RyBmVnC6h3oPzy_eCUAPaRjF_=_ohySdpU-MuHxqNPGtxKhQ@mail.gmail.com> <26008_1610446108_5FFD751C_26008_440_1_787AE7BB302AE849A7480A190F8B9330315B7D64@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CA+RyBmXbQgWWoBNE82zk2QO=Qiq++srO4TJcbcrMtfSHyDnk0g@mail.gmail.com>
In-Reply-To: <CA+RyBmXbQgWWoBNE82zk2QO=Qiq++srO4TJcbcrMtfSHyDnk0g@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B9330315B8963OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/RGu5nUdvtqqzmjRrI_DimZAePGY>
Subject: Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 09:11:05 -0000
Hi Greg, Please see inline. Cheers, Med De : Greg Mirsky [mailto:gregimirsky@gmail.com] Envoyé : mardi 12 janvier 2021 22:28 À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com> Cc : Service Function Chaining IETF list <sfc@ietf.org>; sfc-chairs@ietf.org Objet : Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt Hi Med, many thanks for your comment on the new Authentication TLV and the reference to draft-ietf-sfc-nsh-integrity. I've compared the scope of both integrity protection mechanisms and think that there is no functional duplication or overlap but they are rather complementary. Please correct me if my understanding of draft-ietf-sfc-nsh-integrity is not accurate. As I understood it, the proposed in Section 5 of the NSH Integrity Protection draft Variable-Length Context Headers secure only the NSH layer, not a payload. [Med] Actually, the payload is also covered. You may refer to these figures in Section 4. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transport Encapsulation | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | Base Header | | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N | | Service Path Header | S | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H | | Context Header(s) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Original Packet | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +------Scope of integrity protected data and +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transport Encapsulation | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Base Header | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N | | Service Path Header | S | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H | | Context Header(s) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Original Packet | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +----Scope of integrity protected data The goal of the Authentication TLV is to protect the integrity of the SFC Echo Request, Echo Reply messages, and optional TLVs. The text over which HMAC is calculated includes fields only within the SFC Echo Request/Reply message. We can certainly add a text pointing out that the Authentication TLV and its use are independent of the use of context headers defined in draft-ietf-sfc-nsh-integrity. Also, would you suggest enhancing the text used by the Authentication TLV by including a field from the NSH Base or NSH Path headers? [Med] Protecting part of the NSH information is suboptimal as attacks are still possible by misbehaving nodes by altering some of these fields. I would just remove the Authentication TLV from the OAM draft and point to the integrity draft where these matters are discussed. Thank you. Best regards, Greg On Tue, Jan 12, 2021 at 2:08 AM <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote: Hi Greg, Thank you for sharing this updated version. I have a comment about the new Authentication TLV. We used to have a similar discussion in the past: whether each TLV document has to include its own protection means or have a generic solution. Please check Slide 7 of https://datatracker.ietf.org/meeting/104/materials/slides-104-sfc-sfc-chair-slides-01. As a follow-up, the WG developed https://tools.ietf.org/html/draft-ietf-sfc-nsh-integrity-02. I suggest to avoid duplicated functionality and refer to draft-ietf-sfc-nsh-integrity if integrity at the NSH level is required. Cheers, Med De : sfc [mailto:sfc-bounces@ietf.org<mailto:sfc-bounces@ietf.org>] De la part de Greg Mirsky Envoyé : mardi 15 décembre 2020 02:18 À : Service Function Chaining IETF list <sfc@ietf.org<mailto:sfc@ietf.org>>; sfc-chairs@ietf.org<mailto:sfc-chairs@ietf.org> Objet : [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt Dear All, in addition to a number of nits being fixed, updates in this version include: * a change in the format of the TLV used in the SFC Echo Request/Reply. The shorter Type field seems not to affect extensibility but an additional one-octet-long filed can be used in some cases (one being the new Authentication TLV); * a new Authentication TLV that can be used to protect the base SFC Echo Request/Reply as well as any optional TLV. Authors welcome your comments, questions, and suggestions. Regards, Greg ---------- Forwarded message --------- From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> Date: Mon, Dec 14, 2020 at 5:10 PM Subject: [sfc] I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt To: <i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>> Cc: <sfc@ietf.org<mailto:sfc@ietf.org>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Service Function Chaining WG of the IETF. Title : Active OAM for Service Function Chains in Networks Authors : Greg Mirsky Wei Meng Bhumip Khasnabish Cui Wang Filename : draft-ietf-sfc-multi-layer-oam-07.txt Pages : 22 Date : 2020-12-14 Abstract: A set of requirements for active Operation, Administration and Maintenance (OAM) of Service Function Chains (SFCs) in networks is presented. Based on these requirements, an encapsulation of active OAM message in SFC and a mechanism to detect and localize defects described. Also, this document updates RFC 8300 in the definition of O (OAM) bit in the Network Service Header (NSH) and defines how the active OAM message is identified in SFC NSH. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-sfc-multi-layer-oam/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-sfc-multi-layer-oam-07 https://datatracker.ietf.org/doc/html/draft-ietf-sfc-multi-layer-oam-07 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-sfc-multi-layer-oam-07 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ _______________________________________________ sfc mailing list sfc@ietf.org<mailto:sfc@ietf.org> https://www.ietf.org/mailman/listinfo/sfc _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [sfc] I-D Action: draft-ietf-sfc-multi-layer-oam-… internet-drafts
- [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer… Greg Mirsky
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… Greg Mirsky
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… Greg Mirsky
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… Greg Mirsky
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… Greg Mirsky
- Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-l… mohamed.boucadair