IETF Logo Mail Archive

Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt

Greg Mirsky <gregimirsky@gmail.com> Tue, 19 January 2021 17:32 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9703A1651; Tue, 19 Jan 2021 09:32:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRtXBTR1Ucha; Tue, 19 Jan 2021 09:32:11 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50BE43A1650; Tue, 19 Jan 2021 09:32:10 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id o13so30230927lfr.3; Tue, 19 Jan 2021 09:32:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f/VVFcM/x4jfeniVNirlKw76Sz5pCRkB44VhtQJ9TBY=; b=NYbpHkh3tNk3H/K/eIu7Ra4gCmkbbeYSe7L/9t1yeC04xVKpMKVVDf+SnnWgntrlGQ cMDexizbpS4yVRyLbTyvJiLexjwifFem+GSlU+q6XHK6WrpVX0G7K9nRcXSBC4y3TeXO 1v1SEK4HH5woMiPWTe4CL3ewkU12z/gSfPXCuLIR6kUg9jbHwbBLK+Jf8EbDq6vdBejj P9joa0iyvqtc8/1McrYLrnHVyiQ9YDOLiUw0zi9x+Rm4ttTwCC0XUDAUPkj25NYmOFOs rZSLB8h0ey1p5ETsyHw4d2jMsw6U6ZIWflYBZ6J+T1KdNGxmWNcTsZ6Q5izlwW2xD/fF r1aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f/VVFcM/x4jfeniVNirlKw76Sz5pCRkB44VhtQJ9TBY=; b=mL0BbTbiP3pYz5L97fbD2ZWIZ/QNtdqfIAmUlgjYjYYrUmvGyXVbHHHyhorD4r6GRb 8+7gnzIg/lhuE68fer6kVltaOjYPGPns7fQq1X/bKa+7vyzh1gi7NZv3ZdxK1O6E7ExS +15asHQHqrZuCX80ebCI3TVwTTDp+3kfH0Xuiz5DrqzV8NYzg4SmCX2XDVGI90t9w5bm a2YwakE/VgWL69Fpw9gEbxmq1GMIlmx+gRV++SK5fJjthcKos688Ox55XO9r178C2eZX uso2foFUvXrgJu9WTfkF5KLX1lRjUII39wLppWyWH9D1k/G2zFnjsXsbdY1drAxv5Vrm ri5w==
X-Gm-Message-State: AOAM533NSwRVlEzQHR4tYtr+tIPmku7uB0sB5nysZaBiOX1n8Zz3eddt WXLFonNUcKBnaFK3Gatvd1iFFFg8gns0JcoShME=
X-Google-Smtp-Source: ABdhPJxfObv/csNTHNBfwDyIGSWs9aZUnhwQtFNwBRI47w+i2PMLGw1SoOil1+/9q52fOHiCAtvrgmVhld5BIoU/olY=
X-Received: by 2002:ac2:5ca1:: with SMTP id e1mr2276704lfq.192.1611077527688; Tue, 19 Jan 2021 09:32:07 -0800 (PST)
MIME-Version: 1.0
References: <160799455546.19145.6717090076172979397@ietfa.amsl.com> <CA+RyBmVnC6h3oPzy_eCUAPaRjF_=_ohySdpU-MuHxqNPGtxKhQ@mail.gmail.com> <26008_1610446108_5FFD751C_26008_440_1_787AE7BB302AE849A7480A190F8B9330315B7D64@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CA+RyBmXbQgWWoBNE82zk2QO=Qiq++srO4TJcbcrMtfSHyDnk0g@mail.gmail.com> <18222_1610529058_5FFEB922_18222_77_5_787AE7BB302AE849A7480A190F8B9330315B8963@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CA+RyBmWxf_w4CfHfDvmrbRea=Q1oOTqmx50-L3FD+RsPz_+7jw@mail.gmail.com> <1307_1611065899_6006EA2B_1307_245_1_787AE7BB302AE849A7480A190F8B9330315BCF68@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <1307_1611065899_6006EA2B_1307_245_1_787AE7BB302AE849A7480A190F8B9330315BCF68@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 19 Jan 2021 09:31:56 -0800
Message-ID: <CA+RyBmVGnC4hKBTeXYRHEYZQ-FgM7YJd-Av4Te8MSm_62MnHyQ@mail.gmail.com>
To: Med Boucadair <mohamed.boucadair@orange.com>
Cc: Service Function Chaining IETF list <sfc@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be5a3c05b9443762"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/gmdEuWh8Uqdtb_YVvLd1DixbcqM>
Subject: Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 17:32:15 -0000

Hi Med,
I much appreciate your quick response to my questions. I've updated the
Authentication section in the draft. Please let me know if you agree with
the proposed text:
5.2.  Authentication in Echo Request/Reply

   Authentication can be used to protect the integrity of the
   information in SFC Echo Request and/or Echo Reply.  In the
   [I-D.ietf-sfc-nsh-integrity] a variable-length Context Header has
   been defined to protect the integrity of the NSH and the payload.
   The header can also be used for the optional encryption of the
   sensitive metadata.  MAC#1 Context Header is more suitable for the
   integrity protection of active SFC OAM, particularly of the defined
   in this document SFC Echo Request and Echo Reply.  On the other hand,
   using MAC#2 Context Header allows the detection of mishandling of the
   O-bit by a transient SFC element.

And I've accordingly updated draft-ao-sfc-oam-return-path specified and
draft-ao-sfc-oam-path-consistency also to refer to the
draft-ietf-sfc-nsh-integrity.
A couple of new notes logged in-line tagged GIM>>.

Regards,
Greg

On Tue, Jan 19, 2021 at 6:18 AM <mohamed.boucadair@orange.com> wrote:

> Hi Greg,
>
>
>
> Please see inline.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* Greg Mirsky [mailto:gregimirsky@gmail.com]
> *Envoyé :* lundi 18 janvier 2021 18:04
> *À :* BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
> *Cc :* Service Function Chaining IETF list <sfc@ietf.org>;
> sfc-chairs@ietf.org
> *Objet :* Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
>
>
>
> Hi Med,
>
> many thanks for your review and comments. I agree that the new
> Authentication TLV is not necessary.
>
> [Med] Glad to see that we are in agreement.
>
>
>
> You are right in pointing that an active SFC OAM protocol, e.g., SFP Echo
> Request/Reply defined in draft-ietf-sfc-multi-layer-oam, must use a MAC
> Header, as defined in draft-ietf-sfc-nsh-integrity. I have some questions
> about the draft-ietf-sfc-nsh-integrity:
>
>    - I think that the scope of the MAC#1 Context Header is more suitable
>    for the active OAM over an SFP.
>
> [Med] Actually, as the “payload” is modified by SFFs, MAC#2 would be more
> appropriate here. It also allows to detect misbehaving nodes that may unset
> the O-bit while they shouldn’t.
>
GIM>> Thank you for pointing that out. I agree that is beneficial and the
choice can be left up to an operator.

> At the same time, it appears that such use is not considered in the draft. For
> example, in Section 5.1 is noted that:
>
>    It does
>    not require to re-compute the MAC by each SFF because of TTL
>    processing.
>
>
>    - Also, I understand that encryption is optional and it not being in
>    use indicated by setting the value of the IV LEngth field to 0. But I
>    couldn't find the text that explains what must be done with the
>    Initialization Vector field.
>
> [Med] That field won’t be present. Will add explicit text to record this.
>
>  On the one hand, that is a variable-length field and thus must not be
> included in the header when the IV Length =0. On the other hand, I expect
> that three-octet-long padding should be applied, zeroed on the
> transmission, and ignored on the receipt. If that is what is expected,
> perhaps clarifying text in Section 5.1 could be added.
>
> [Med] We don’t mention padding as this is new a NEW requirement. Padding
> is assumed to be applied when appropriate as per Section 2.2 of RFC8300. We
> can add a reminder, though.
>
GIM>> Thank you. I agree that some clarifying text would be helpful.

>
>    - And another question is on how an SFC element, SFF, for example,
>    would realize that the particular must or must not include MAC context
>    header? In some protocols, the use of authentication/encryption
>    indicated in the packet, e.g., Authentication flag in the BFD control
>    message. Had the authors considered a similar method?
>
> [Med] As discussed in the draft, that is the responsibility of the control
> plane. Once a MAC# is imposed, downstream nodes will need to comply with
> the behavior for validating/updating the enclosed information.
>
GIM>> Please, correct me if I misunderstood the use of the MAC Context
Header. Once its presence in the NSH is signaled through the control plane,
it MUST be present in each NSH and it cannot be used intermittently.
Without comparing, from the experience with BFD authentication, we learned
that requiring authentication of each control message is burdensome and not
critical. A lighter approach where some messages are authenticated has been
developed by the BFD WG by introducing NULL Authentication. Do you think a
similar option could be useful in SFC NSH?

I'll update draft-ietf-sfc-multi-layer-oam as you've suggested.
>
>
>
> Regards,
>
> Greg
>
>
>
> On Wed, Jan 13, 2021 at 1:10 AM <mohamed.boucadair@orange.com> wrote:
>
> Hi Greg,
>
>
>
> Please see inline.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* Greg Mirsky [mailto:gregimirsky@gmail.com]
> *Envoyé :* mardi 12 janvier 2021 22:28
> *À :* BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
> *Cc :* Service Function Chaining IETF list <sfc@ietf.org>;
> sfc-chairs@ietf.org
> *Objet :* Re: [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
>
>
>
> Hi Med,
>
> many thanks for your comment on the new Authentication TLV and the
> reference to draft-ietf-sfc-nsh-integrity. I've compared the scope of both
> integrity protection mechanisms and think that there is no functional
> duplication or overlap but they are rather complementary. Please correct me
> if my understanding of draft-ietf-sfc-nsh-integrity is not accurate. As I
> understood it, the proposed in Section 5 of the NSH Integrity Protection
> draft Variable-Length Context Headers secure only the NSH layer, not a
> payload.
>
>
>
> [Med] Actually, the payload is also covered. You may refer to these
> figures in Section 4.
>
>
>
>       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>       |                Transport Encapsulation                |
>
>       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
>
>       |                Base Header                            |  |
>
>    +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  N
>
>    |  |                Service Path Header                    |  S
>
>    |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  H
>
>    |  |                Context Header(s)                      |  |
>
>    |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
>
>    |  |                Original Packet                        |
>
>    +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>    |
>
>    +------Scope of integrity protected data
>
>
>
> and
>
>
>
>       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>       |                Transport Encapsulation                |
>
>    +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
>
>    |  |                Base Header                            |  |
>
>    |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  N
>
>    |  |                Service Path Header                    |  S
>
>    |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  H
>
>    |  |                Context Header(s)                      |  |
>
>    |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
>
>    |  |                Original Packet                        |
>
>    +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>    |
>
>    +----Scope of integrity protected data
>
>
>
>
>
> The goal of the Authentication TLV is to protect the integrity of the SFC
> Echo Request, Echo Reply messages, and optional TLVs. The text over which
> HMAC is calculated includes fields only within the SFC Echo Request/Reply
> message. We can certainly add a text pointing out that the Authentication
> TLV and its use are independent of the use of context headers defined
> in draft-ietf-sfc-nsh-integrity.
>
> Also, would you suggest enhancing the text used by the Authentication TLV
> by including a field from the NSH Base or NSH Path headers?
>
>
>
> [Med] Protecting part of the NSH information is suboptimal as attacks are
> still possible by misbehaving nodes by altering some of these fields. I
> would just remove the Authentication TLV from the OAM draft and point to
> the integrity draft where these matters are discussed. Thank you.
>
>
>
> Best regards,
>
> Greg
>
>
>
>
>
> On Tue, Jan 12, 2021 at 2:08 AM <mohamed.boucadair@orange.com> wrote:
>
> Hi Greg,
>
>
>
> Thank you for sharing this updated version.
>
>
>
> I have a comment about the new Authentication TLV. We used to have a
> similar discussion in the past: whether each TLV document has to include
> its own protection means or have a generic solution. Please check Slide 7
> of
> https://datatracker.ietf.org/meeting/104/materials/slides-104-sfc-sfc-chair-slides-01.
> As a follow-up, the WG developed
> https://tools.ietf.org/html/draft-ietf-sfc-nsh-integrity-02.
>
>
>
> I suggest to avoid duplicated functionality and refer to
> draft-ietf-sfc-nsh-integrity if integrity at the NSH level is required.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* sfc [mailto:sfc-bounces@ietf.org] *De la part de* Greg Mirsky
> *Envoyé :* mardi 15 décembre 2020 02:18
> *À :* Service Function Chaining IETF list <sfc@ietf.org>;
> sfc-chairs@ietf.org
> *Objet :* [sfc] Fwd: I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
>
>
>
> Dear All,
>
> in addition to a number of nits being fixed, updates in this version
> include:
>
>    - a change in the format of the TLV used in the SFC Echo
>    Request/Reply. The shorter Type field seems not to affect extensibility but
>    an additional one-octet-long filed can be used in some cases (one being the
>    new Authentication TLV);
>    - a new Authentication TLV that can be used to protect the base SFC
>    Echo Request/Reply as well as any optional TLV.
>
> Authors welcome your comments, questions, and suggestions.
>
>
>
> Regards,
>
> Greg
>
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Mon, Dec 14, 2020 at 5:10 PM
> Subject: [sfc] I-D Action: draft-ietf-sfc-multi-layer-oam-07.txt
> To: <i-d-announce@ietf.org>
> Cc: <sfc@ietf.org>
>
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Service Function Chaining WG of the IETF.
>
>         Title           : Active OAM for Service Function Chains in
> Networks
>         Authors         : Greg Mirsky
>                           Wei Meng
>                           Bhumip Khasnabish
>                           Cui Wang
>         Filename        : draft-ietf-sfc-multi-layer-oam-07.txt
>         Pages           : 22
>         Date            : 2020-12-14
>
> Abstract:
>    A set of requirements for active Operation, Administration and
>    Maintenance (OAM) of Service Function Chains (SFCs) in networks is
>    presented.  Based on these requirements, an encapsulation of active
>    OAM message in SFC and a mechanism to detect and localize defects
>    described.  Also, this document updates RFC 8300 in the definition of
>    O (OAM) bit in the Network Service Header (NSH) and defines how the
>    active OAM message is identified in SFC NSH.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sfc-multi-layer-oam/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-sfc-multi-layer-oam-07
> https://datatracker.ietf.org/doc/html/draft-ietf-sfc-multi-layer-oam-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sfc-multi-layer-oam-07
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc
>
> _________________________________________________________________________________________________________________________
>
>
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
>
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
>
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
>
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
>
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
>
> they should not be distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and delete this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>
> Thank you.
>
>
>
> _________________________________________________________________________________________________________________________
>
>
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
>
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
>
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
>
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
>
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
>
> they should not be distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and delete this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>
> Thank you.
>
>
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
>

v2.23.0 | Report a Bug | By Email