IETF Logo Mail Archive

[Spud] 答复: endpoint control

Youjianjie <youjianjie@huawei.com> Wed, 22 June 2016 09:36 UTC

Return-Path: <youjianjie@huawei.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CED712B058 for <spud@ietfa.amsl.com>; Wed, 22 Jun 2016 02:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c6UgpSkOx5R for <spud@ietfa.amsl.com>; Wed, 22 Jun 2016 02:36:09 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8B72127058 for <spud@ietf.org>; Wed, 22 Jun 2016 02:36:07 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml708-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CRH07510; Wed, 22 Jun 2016 09:36:05 +0000 (GMT)
Received: from NKGEML414-HUB.china.huawei.com (10.98.56.75) by lhreml708-cah.china.huawei.com (10.201.5.202) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 22 Jun 2016 10:36:03 +0100
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml414-hub.china.huawei.com ([10.98.56.75]) with mapi id 14.03.0235.001; Wed, 22 Jun 2016 17:35:56 +0800
From: Youjianjie <youjianjie@huawei.com>
To: Brian Trammell <ietf@trammell.ch>
Thread-Topic: [Spud] endpoint control
Thread-Index: AQHRyzwoxDCBxuKTZk6d9wR8LfPe/p/zI/AAgAHtRPD//5oTAIAAjlgQ
Date: Wed, 22 Jun 2016 09:35:56 +0000
Message-ID: <F6C28B32DA084644BB6C8D0BD65B669DC0C8F5@NKGEML515-MBX.china.huawei.com>
References: <F797C2D5-3FF6-496F-98FB-0487E5573B2A@gmail.com> <57690A66.3050502@trammell.ch> <F6C28B32DA084644BB6C8D0BD65B669DC0C7D3@NKGEML515-MBX.china.huawei.com> <095C2E5D-D235-4017-91E2-9B437D8DBDD0@trammell.ch>
In-Reply-To: <095C2E5D-D235-4017-91E2-9B437D8DBDD0@trammell.ch>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.78.148]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0208.576A5C05.016A, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 54788bab200ba984077cc06ccd49cc3e
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/9-uBrVqPdxjjxfYrIT3ROjzDI18>
Cc: Aaron Falk <aaron.falk@gmail.com>, spud <spud@ietf.org>
Subject: [Spud] 答复: endpoint control
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2016 09:36:11 -0000

Hi Brian,

Thanks for your prompt reply. Please see my comments below:

> -----邮件原件-----
> 发件人: Brian Trammell [mailto:ietf@trammell.ch]
> 发送时间: 2016年6月22日 16:56
> 收件人: Youjianjie
> 抄送: Aaron Falk; spud
> 主题: Re: [Spud] endpoint control
> 
> hi Jianjie,
> 
> > On 22 Jun 2016, at 09:09, Youjianjie <youjianjie@huawei.com> wrote:
> >
> > Hi Brian,
> >
> > (1) For forward signaling, the sending endpoint must place "scratch space" in
> the packet with a label on it stating that it's okay to modify; this
> okay-to-modify state is enforced by a MAC which only verifies the length but
> not the content of the scratch space.
> >
> > Could you please elaborate how a MAC is used to enforce the okay-to-modify
> state? Is it only applicable to L2 network?
> 
> Sorry, acronym collision. Here MAC = message authentication code, not
> medium access control.
> 
> > Is it a designed field in the PLUS header?
> 
> There isn't a "PLUS header" yet; we're only talking about potential
> mechanisms that could be implemented within one. Here, the idea is that you
> have some encoding that allows you to place labeled data in the PLUS header
> (from the SPUD prototype experience, we like CBOR, but this is a technical
> detail).
> 
> Some of the types/keys in this data structure are designated end-to-end, and
> some of the types/keys are designated path-modifiable.
> 
> The MAC is generated by the sending endpoint using a secret shared by both
> endpoints, and covers:

How is the secret shared between both endpoints? The endpoints need to establish a connection to exchange keys?

> (1) the presence and content of end-to-end PLUS header information

Do you mean that this information is encrypted using the shared secret? Only both endpoints can know the content?

> (2) the presence and length of path-modifiable PLUS header information, by
> treating the content as a length-N byte array of zeroes.

How does the middle-box along the path interpret the PLUS header? Does the middle-box also need the secret? I used to think middle-box is transparent.

Thanks,
Jianjie

> This MAC is then transmitted from the sender to the receiver in encrypted
> form.
> 
> Additional MACs may also protect bits of the IP and UDP header, in order to
> detect NAT and other sub-PLUS modifications, but these are outside the scope
> of this question.
> 
> Cheers,
> 
> Brian
> 
> 
> >
> > Thanks,
> > Jianjie
> >
> > 发件人: Spud [mailto:spud-bounces@ietf.org] 代表 Brian Trammell
> > 发送时间: 2016年6月21日 17:36
> > 收件人: Aaron Falk
> > 抄送: spud
> > 主题: Re: [Spud] endpoint control
> >
> > hi Aaron,
> >
> > On 06/20/2016 11:38 PM, Aaron Falk wrote:
> > Hi Brian-
> >
> > In the charter and the draft-trammel-spud-req it says
> >
> >    Both endpoint-to-path and path-to-endpoint signaling happen
> >    completely under endpoint control.
> >
> > Without additional elaboration, one could conclude that, e.g., permission is
> required before a path could signal to an endpoint.  Alternatively, it could be
> implying an endpoint has the freedom to ignore any signaling from the path.
> I have been assuming the latter.  But now I wonder if you are intentionally
> attempting to permit the former.  Could you clarify?
> >
> > Our intention is the former: that permission is required before the path can
> signal to the endpoint. We have two mechanisms we've been thinking about
> for this:
> >
> > (1) For forward signaling, the sending endpoint must place "scratch space" in
> the packet with a label on it stating that it's okay to modify; this
> okay-to-modify state is enforced by a MAC which only verifies the length but
> not the content of the scratch space.
> >
> > (2) For direct reverse signaling, a path element may not send a direct reverse
> signaling packet to a sender unless it has also dropped a forward packet from
> the sender to receiver. This second mechanism is less about permission and
> more about reducing the attractiveness of PLUS for amplification/reflection
> attacks.
> >
> > In any case, endpoints (and path elements) can ignore whatever they want to
> from the PLUS-exposed information; it's what's in the encrypted transport
> layer headers that matters to the transport protocol on the endpoint.
> >
> > Cheers,
> >
> > Brian
> >
> >
> > Thanks,
> >
> > —aaron
> >
> >
> >
> >
> >
> > _______________________________________________
> > Spud mailing list
> > Spud@ietf.org
> > https://www.ietf.org/mailman/listinfo/spud
> >

v2.23.0 | Report a Bug | By Email