IETF Logo Mail Archive

Re: [sfc] IETF WG state changed for draft-ietf-sfc-proof-of-transit

"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Thu, 02 July 2020 10:54 UTC

Return-Path: <fbrockne@cisco.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECFB23A0ACD for <sfc@ietfa.amsl.com>; Thu, 2 Jul 2020 03:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=ggEMOHV6; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=eiVBpyKg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQIW4Xl3jIlC for <sfc@ietfa.amsl.com>; Thu, 2 Jul 2020 03:54:35 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 959283A0A4F for <sfc@ietf.org>; Thu, 2 Jul 2020 03:54:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6623; q=dns/txt; s=iport; t=1593687275; x=1594896875; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=/ko62zjKXwmVLzVLajzWGNwPz8sDYoC1w6Spow9BG68=; b=ggEMOHV64KNViDaS9WuRy5q0jWIwVq1Fxjsmt423jWt8V66WaF1X/2ZY T0DaAv+3rHfa4tw7kveBSdAcFI9oaMpJNHpaBW5IpROU0YkSR+7ZTUoQD 2hZvfCRtI9OP4ezSZL14pTRI2BhWFYZFft7ERJTk154dRl/XgtG2t7Y6z 0=;
IronPort-PHdr: 9a23:Otrd4xOM9MOthTKc6V4l6mtXPHoupqn0MwgJ65Eul7NJdOG58o//OFDEvK8x3lPMVJ/QrfNJl+SQtLrvCiQM4peE5XYFdpEEFxoIkt4fkAFoBsmZQVb6I/jnY21ffoxCWVZp8mv9PR1TH8DzNFHXq2e5qz8fBhu5MhB6daz5H4fIhJGx0Oa/s5TYfwRPgm+7ZrV/ZBW7pAncrI8Ym4xnf60w0RDO5HBPfrdb
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A3AABrvP1e/5FdJa1gGwEBAQEBAQEBBQEBARIBAQEDAwEBAUCBOAQBAQELAYFRIy4Hb1gvLAqHbQONS4EBl1mBLoEkA1ULAQEBDAEBGA0IAgQBAYRHAoIcAiQ2Bw4CAwEBCwEBBQEBAQIBBgRthVsMhW4BAQEBAgEBARALHQYBASUHDAsEAgEIEQEDAQEBHhAnCxcGCAEBBAESCBMHgwWCSwMOIAEOoEwCgTmIYXSBNIMBAQEFgUZBg0MYgg4JgTgBgmiCTEaFKoFDGoFBPxJ/Q4IYNT6CXAEBAgEBgTMqg0eCLbUOCoJciEuGLopxgnOJMJJ6kVmBZYg3kCQWhAoCBAIEBQIOAQEFgVoDL4FWcBU7gmkJRxcCDY4eDBeDToUUhUJ0NwIGCAEBAwl8jB2BNAGBEAEB
X-IronPort-AV: E=Sophos;i="5.75,304,1589241600"; d="scan'208";a="517702714"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 02 Jul 2020 10:54:34 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 062AsYfF016770 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 2 Jul 2020 10:54:34 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Jul 2020 05:54:34 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Jul 2020 06:54:33 -0400
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 2 Jul 2020 06:54:33 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=O9Fod1m7mQgRgLQ0o50+xWqX4elRz/qsRhCqs7J+Udx84IyMrhKPzDG2mXOqxhS5oE8pFVn1BILK4BiTcY3S5Wpi7VEmFNFdHCKz3f2N+vg0P1bSp+4evkMafvfq18pN1ZdKRltUAevwemjKliX0DDTUQv/LJb+Eu5VWEj/0CKDiKBYDIYeUsrwSdL3Ozl3A9p83mqFk8Tv/Ov9MsHiM30YEJI2bJeDACg6nlFm68SYDcP6aTWUeudpbJNqhEkBVeSG4BchhNneQtrRahxzHciCJnz/7sr8nkf2SFcD8WkXEPwF5q/kuJguCJmElf9aZ15HacgDttTg7MUJh0xy81Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iI2Kro73r5g86DLX8jDAs93u85n5PGeFR1faJAE9Bzw=; b=EyadWbFu+i5t/SlDAMsKLTQfze4NqhX4bflrd5lyg6jsTmrnqEMWnDUXIO/CBzNJddvk/8C+w4P4ciP3z70FwLgZKFkLgdLkHVZkIrShKy3PHMoQL8sL5gh+JxHDek1bMmNSUPWfmbHhWYCEUD0dVcRueEwxwrF/4XIhOWHg2PMXYs9InEzk8yhaStwzBrhRWM9OTy8H0yB+AdS9qcGPYS/N0a9pAfKBT0eNv4j03W3zPMp/Jo7u1eyMBJqhjtT61sQQgHXNlMRO83Ohdg3O0UuMTlhb5Cwx2Q/29eMjNqts/WpeVCu7+L6TCWT03M26xpMOxbwJquS6ceRmo7LuUg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iI2Kro73r5g86DLX8jDAs93u85n5PGeFR1faJAE9Bzw=; b=eiVBpyKg0uIMCO4fG6cCF+EqONMes+0wBrnfKgkZANZkPaf2PHSczhgV6RYe/lJlVfUfCm2G9RAGgOIk8o9k6S5f69CeNV0qZxNbWbcNud37pB9Y9TiBxkfx2gjYU5UrbFFAcMTXHQy3Fe8+bNfF17Uykvp9L4X3I0krDybccDI=
Received: from BYAPR11MB2584.namprd11.prod.outlook.com (2603:10b6:a02:c8::31) by BYAPR11MB2760.namprd11.prod.outlook.com (2603:10b6:a02:c0::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.25; Thu, 2 Jul 2020 10:54:31 +0000
Received: from BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::d8d7:dbc7:25a8:a4bd]) by BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::d8d7:dbc7:25a8:a4bd%3]) with mapi id 15.20.3153.027; Thu, 2 Jul 2020 10:54:31 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: "Vengada Prasad Govindan (venggovi)" <venggovi=40cisco.com@dmarc.ietf.org>, "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] IETF WG state changed for draft-ietf-sfc-proof-of-transit
Thread-Index: AdZK2SX2LrPrxvKtTuqDAc47v17FHAFbaSmw
Date: Thu, 02 Jul 2020 10:54:31 +0000
Message-ID: <BYAPR11MB25843F4E3F42F0E904A1FFCFDA6D0@BYAPR11MB2584.namprd11.prod.outlook.com>
References: <SN6PR11MB3152DCDD40BFF952C22F0AECCD920@SN6PR11MB3152.namprd11.prod.outlook.com>
In-Reply-To: <SN6PR11MB3152DCDD40BFF952C22F0AECCD920@SN6PR11MB3152.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 53af8c19-1293-4e9b-e277-08d81e764cd9
x-ms-traffictypediagnostic: BYAPR11MB2760:
x-microsoft-antispam-prvs: <BYAPR11MB2760E12387BA4A1922F27DB3DA6D0@BYAPR11MB2760.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0452022BE1
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XC8OrBgNaPC2JiJQsRuhCmxHl6UePau9+4DOhzgprEH8peUEl8Cckau45w9sEgAg9Nwt7G09Zjvbgs5FeCGyjor1ErblqskuBw6gq6tEkRNHN64xSqBZnCdYEyn4w9uuFDsV5gARaStqeOCXhUeLp1veSBjHnVDK1zzJcmmIpZ8dn5fLdTcpMANBC2lcxD/P8A9spB91hHhQE4WmcGn+cesw/iFr3CR3DXOI8Z5PHPVbrFoG4zbv8GN0tYU2uh/BRuA8SMtw6McdsNOu4q18xoFM/xlRTiUuU8fumWrndOhBu58g41Y9/GAmqErbDjE+q2l38pKNVBQj8TYjHuaKdGT5BR7OpRl7PNokP7Pqt0BPJTTRxKB78BZOzPE05AlkroGeOX1RBAhncNg+z9hg0Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB2584.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(376002)(366004)(39860400002)(346002)(2906002)(7696005)(66446008)(53546011)(71200400001)(66556008)(9686003)(64756008)(66946007)(76116006)(66476007)(86362001)(83380400001)(8676002)(33656002)(55016002)(966005)(478600001)(8936002)(52536014)(110136005)(186003)(26005)(6506007)(316002)(5660300002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: pm65eyZohOF7wDuDA/R9FJyQix0TV9mcL1pz8WaFANBwO1ZZjpO+bjDizP/46YTshLIl3NvkpYiOpI0p45D88HePAgc4VbEpw+ZbMZhpZqusiwC2Oc6Un9gRra7p2fp/2dwe+ibROtEn+0lb2D4Wwd6eaeqBt82cVXM4ouGSvjuSqriq+lioRT+J91dE8Egp2beITsWHN30orG1z9hanMRuamQkiiRl6n6RySHaibgo7q9jvjXUkWs32N92Re4WEW4xYCa5p5rPNntj+AAZ3xW6U2u0ot6PI1noN9ZueB7PGM5HTJJglCDaW8rAqcgo+depm3Ie2NfbPDa/k2KswGhfpKBivNPvxHYIOKM9+Zg8mEpPjPOpA8UfsIjAyHLcuXZ/Ls+or8kobX5cccfkbI4vJdqLBLPhlFe/Dft8s8RywjlXAJoND84GM/f8Tnbo60p1LLUuaXOmPFDiNSgiIUtqyyWnjvszBNkzUQoNd4WPrY4HmWUuVw4TSxDyj82t0
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2584.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 53af8c19-1293-4e9b-e277-08d81e764cd9
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2020 10:54:31.4608 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RZNC7TEIakBQHn5+qBzuV76TZVErxi1lMyhbfw/vsyQutXfwOnCRxoV7GgPxiRqeAj6K0gUS7ePCmK+hs383gA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB2760
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/_h1j0i_9WFTvPQICbH1PKGW_ULU>
Subject: Re: [sfc] IETF WG state changed for draft-ietf-sfc-proof-of-transit
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 10:54:38 -0000

Hi Prasad,

Thanks a lot for your comments. Please see inline ("..FB").

> -----Original Message-----
> From: sfc <sfc-bounces@ietf.org> On Behalf Of Vengada Prasad Govindan
> (venggovi)
> Sent: Donnerstag, 25. Juni 2020 13:02
> To: sfc@ietf.org
> Subject: Re: [sfc] IETF WG state changed for draft-ietf-sfc-proof-of-transit
> 
> Hello all,
> 
> I support progressing this draft to an Experimental RFC. Please consider the
> following comments (mostly editorial):
> 
> 1)
> Not sure what is implied by the sentence below (Sec 1):
> > A particular set of nodes "to be verified" is either described by a set of shares
> of a single secret.
...FB: Good catch. We'll remove the word "either". This is an editorial left-over from the time when the draft had two methods mentioned (SSSS and nested crypto).

> 
> 2)
> The following sentence (Sec 1) describes about controller nodes and verifier
> nodes. While the former's role could be easily understood, I am not sure the
> latter node role is clearly defined. If it does not limit the scope, we may use only
> one terminology or clarify the difference, if we need to refer about two roles.
> > The complete secret set is only known to  the controller and a verifier node,
> which is typically the ultimate node on a path that performs verification.

...FB: A network element that compares the iteratively (by all nodes that participate in POT on the path) computed result which is carried along in the packet with the secret and concludes whether the computed result matches the secret. If the two match, the packet transit is proven. The role of the verifier naturally assumes that the packets had a chance to traverse the nodes subject to POT before arriving at the verifier.

We can add a short paragraph with such an explanation to the document to ensure the role of the verifier is properly explained.

> 
> 3)
> Sec 7.9.1
> OLD
>  Since these schemes introduce at least additional control requirements, the
> selection of order verification SHOULD be configurable the Controller
> management interface NEW Since these schemes introduce at least additional
> control requirements, the selection of order verification SHOULD be
> configurable BY the Controller management interface

...FB: Thanks. We'll update the sentence accordingly.

> 
> 4)
> Sec 3.2 has the words Solution Approach duplicated

...FB: Thanks. Good catch. 
> 
> 5)
> Not sure if there is a missing reference here (Sec: 3.3.1.3):
> > For a general way to compute the modular multiplicative inverse, see   e.g.,
> the Euclidean algorithm.

...FB: We'll add a reference to http://en.wikipedia.org/wiki/Modular_multiplicative_inverse#Computation

> 
> 6)
> General comment: It may be helpful to either have a diagram or a pointer to a
> diagram pointing out the different roles like Controller, ingress node. Also I am
> not sure if there is text (other than the section in Security Considerations) that
> explains that POT should be deployed in a set of nodes under a single
> administrative domain.

...FB: The scope of this draft is the definition of methods for proof-of-transit. Like I mentioned in an earlier discussion on the SFC mailing list:
An implementor of POT for SFC with NSH would need to rely on several documents:
    - draft-ietf-sfc-proof-of-transit: for the POT concept and mechanism
    - draft-ietf-ippm-ioam-data: for the definition of POT related data fields in IOAM
    - draft-ietf-sfc-ioam-nsh: for the definition of the encapsulation of POT related data fields in IOAM into NSH
What you seem to be missing is an architecture-level discussion of how the mix of POT+IOAM+NSH apply to the SFC architecture. IMHO this would best be addressed by an architecture-level document, because all of the above mentioned documents are focused on a specific subject and neither of the documents would be a good fit for an architecture level definition. IMHO the best place for that would be a "RFC 7665bis" document - i.e. we'd extend the SFC architecture with a discussion how POT applies.

That said - and this is along the lines of your comment wrt/ the verifier: What is feasible within the scope of the document is to have an explanation of the different roles in POT in the document (e.g. we can do this in section 3), where we discuss the role of nodes which participate in POT, the verifier and the controller role, i.e.

* Node: A network element through which packet transit has to be proven.
* Controller: The Controller that creates secrets and secrets shares and configures the nodes for POT operations.
* Verifier: A network element that compares the iteratively (by all nodes that participate in POT on the path) computed result which is carried along in the packet with the secret and concludes whether the computed result matches the secret. If the two match, the packet transit is proven. The role of the verifier naturally assumes that the packets had a chance to traverse the nodes subject to POT before arriving at the verifier.

Thanks again, Frank

> 
> Thanks
> Prasad
> 
> > > -----Original Message-----
> > > From: sfc <sfc-bounces@ietf.org> On Behalf Of Joel M. Halpern
> > > Sent: Dienstag, 16. Juni 2020 15:42
> > > To: sfc@ietf.org
> > > Subject: Re: [sfc] IETF WG state changed for
> > > draft-ietf-sfc-proof-of-transit
> > >
> > > The chairs are starting the WG last call for
> > > draft-ietf-sfc-proof-of-transit.  Please reply explicitly whether
> > > you think this is ready to go to the IETF for publication as a Experimental
> RFC.
> > > As noted below, the call runs through June 30.
> > >
> > > Note that silence does not imply consent, so please speak up.
> > >
> > > Yours,
> > > Joel (& Jim)
> > >
> > > On 6/16/2020 9:32 AM, IETF Secretariat wrote:
> > > >
> > > > The IETF WG state of draft-ietf-sfc-proof-of-transit has been
> > > > changed to "In WG Last Call" from "WG Document" by Joel Halpern:
> > > >
> > > > https://datatracker.ietf.org/doc/draft-ietf-sfc-proof-of-transit/
> > > >
> > > > Comment:
> > > > This starts WG last call for this document, ending June 30.
> > > >
> > >
> > > _______________________________________________
> > > sfc mailing list
> > > sfc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sfc
> 
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc

v2.23.0 | Report a Bug | By Email