Re: [ippm] Warren Kumari's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS)
Warren Kumari <warren@kumari.net> Thu, 27 October 2022 13:39 UTC
Return-Path: <warren@kumari.net>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18219C1524D2 for <ippm@ietfa.amsl.com>; Thu, 27 Oct 2022 06:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HdeuMdD4bI3 for <ippm@ietfa.amsl.com>; Thu, 27 Oct 2022 06:39:24 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F11A6C1524A9 for <ippm@ietf.org>; Thu, 27 Oct 2022 06:39:23 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id b2so2950080lfp.6 for <ippm@ietf.org>; Thu, 27 Oct 2022 06:39:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=twHui5BFxJn5hFvbt4RJ1O/dJY40iNqpZDjPYSPrn08=; b=GIqOcMI4R6u6YlfCyQD2+jx/9S2D7SeI3WJUzFYnVTHSLpO+S/AOIANzSgu+dRSw3k Bj76sDS9QQI87asKmzTikJxOPFMGt6CaN0bhFnRQ9d3FmDijx1NRjHtV4u9+GYBcUzXH BuqgdSpMckBYEHB19vgmAiRDNcZsI7IYniF3pv9VkZXLLUYqqMhawsHzfdWRKaCry6mD 8ldqsUxULI5DlJ22sHSv85MShV7pi5+b8OAPZ9uLoKtcDauQxmjzRlFEGHLpJ/nEB48F cGt8/aXdwotuIU6CU/Qrj9HhfNieo4P9o7IsWK2gMI2F8n0/EhSacGLKn0wPckeQEQAE aJkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=twHui5BFxJn5hFvbt4RJ1O/dJY40iNqpZDjPYSPrn08=; b=NcmLqLALczxpZuOefSnUELM+SZetQ+U8h8vgXhWdFnyrUDkdFb9zPQGTEY0KQoHpVo qj7JqTZthsXCXXqTjgavTwPHtjOCQCzuWtwQowRoEoULpkdMyG0QaTm5y5aDDDarN0d1 tBNSYTjkO6KyVw0iPHThDNykeMRNfcEd+uLXtLzB/uzqRcYMFWeTYjuJIMeLfuNzhmRi M2G5HkNXNU7lz+ypta9W7+hxpNO4YJ/9ozd7neoLOiydg9Zk147eC7D68nlWNfGG5Rcv s5eIu7kjUXRXzLNSGNl+P04wxadJBouv9D28h1ke98viY7HXQpyOKnsxAuUPuc7Zo9g3 sHtQ==
X-Gm-Message-State: ACrzQf2Mb9iYP1DxOMloEuxN5E4g6BfehAripCl/UR5sTjYngK8UFMcj tgVpBOgWPZVgWTEWs8YY7xg9rIjpK2uxesuhYVaZFg==
X-Google-Smtp-Source: AMsMyM6d6kPhbpSrZxRsoZA3r1IpsKUSoZ61j4taopBWK6CpWJw1z7v+sqM+XUhglzDa/SpZQ88IxVm3x+cT1sghx0c=
X-Received: by 2002:a05:6512:798:b0:497:aa2b:8b10 with SMTP id x24-20020a056512079800b00497aa2b8b10mr19995511lfr.636.1666877961663; Thu, 27 Oct 2022 06:39:21 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Thu, 27 Oct 2022 06:39:21 -0700
Mime-Version: 1.0
X-Superhuman-Draft-ID: draft00ced73b6d79c787
In-Reply-To: <202210271443035690400@zte.com.cn>
References: 166681530275.46711.14052349083997392055@ietfa.amsl.com <202210271443035690400@zte.com.cn>
From: Warren Kumari <warren@kumari.net>
X-Mailer: Superhuman Desktop (2022-10-26T22:05:55Z)
X-Superhuman-ID: l9r43684.2435e73d-829f-4173-8e96-af23d665920a
Date: Thu, 27 Oct 2022 06:39:21 -0700
Message-ID: <CAHw9_iJurptaF991KLP5CS+J7C++XcRU5_ef-nmZ3yP6p1pVXw@mail.gmail.com>
To: xiao.min2@zte.com.cn
Cc: iesg@ietf.org, draft-ietf-ippm-ioam-conf-state@ietf.org, ippm-chairs@ietf.org, ippm@ietf.org, marcus.ihlar@ericsson.com
Content-Type: multipart/alternative; boundary="000000000000ca0cee05ec04443c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/1qNDrh-AiYY4a17KEqn2bEWNfLI>
Subject: Re: [ippm] Warren Kumari's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 13:39:28 -0000
Comments inline, but the summary is: Thank you, very much for the proposed changes, and for replying so quickly. I will clear my DISCUSS position…. On Thu, Oct 27, 2022 at 2:43 AM, <xiao.min2@zte.com.cn> wrote: > Hi Warren, > > > Thank you for the review and thoughtful comments. > > Please check inline the proposed changes that will be incorporated into > the next revision. > > > Best Regards, > > Xiao Min > > > Original > *From: *WarrenKumariviaDatatracker <noreply@ietf.org> > *To: *The IESG <iesg@ietf.org>; > *Cc: *draft-ietf-ippm-ioam-conf-state@ietf.org < > draft-ietf-ippm-ioam-conf-state@ietf.org>;ippm-chairs@ietf.org < > ippm-chairs@ietf.org>;ippm@ietf.org <ippm@ietf.org>;marcus.ihlar@ericsson. > com <marcus.ihlar@ericsson.com>;marcus.ihlar@ericsson.com <marcus.ihlar@ > ericsson.com>; > *Date: *2022年10月27日 04:15 > *Subject: **Warren Kumari's Discuss on > draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS)* > Warren Kumari has entered the following ballot position for > draft-ietf-ippm-ioam-conf-state-07: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/ > handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-conf-state/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thank you very much for writing this document. > Please see: > https://www.ietf.org/about/groups/iesg/statements/ > handling-ballot-positions/ > > My concerns are closely related to Roman's DISCUSS point: > > The document says: "A deployment can increase security by using border > filtering of incoming and outgoing echo requests/replies." > > > I'm unclear why this is just a "can increase security", and not something much > much stronger -- but, also, I'm unclear how exactly an operator would be > > expected to filter these. > > [XM]>>> Roman Danyliw has provided some change on the text you quoted as > below. Does that change works for you? > > NEW > > A deployment MUST ensure that border filtering drops inbound echo requests with > a IOAM Capabilities Container Header from outside of the domain, and drops > > outbound echo request/replies with IOAM Capabilities Headers leaving the domain. > > As to the exact way an operator may take to do filter, I assume the > operator can do filter on all incoming and outgoing echo requests/replies, > or can do filter on some incoming and outgoing echo requests/replies with > an IOAM Capabilities Container Header, an instantiation of the IOAM > Capabilities Container Header has been described in > draft-xiao-6man-icmpv6-ioam-conf-state. > This is a meta point - a number of (recent) documents contain statements similar to: "A deployment MUST ensure that border filtering drops inbound echo requests with a IOAM Capabilities Container Header from outside of the domain, [...]", but this assumes that routers actually have this sort of capability. The filtering logic on modern routers is quite limited (in order to allow filtering in hardware / not require multiple branch decisions), and just because the IETF puts a "deployments MUST ensure that border filtering drops <some new feature>" doesn't actually cause router filters to support this. E.g: set firewall family inet6 filter ioam_echo_capability term example from extension-header ? Possible completions: <range> Range of values [ Open a set of values ah Authentication header any Any extension header dstopts Destination options esp Encapsulating security payload fragment Fragment hop-by-hop Hop by hop options mobility Mobility routing Routing [edit] I don't have an e.g IPv6 / SRv6 / BIER / MPLS / <whatever> IOAM echo capability container matching term... Again, I'm clearing this discuss, but I did want to mention this larger concern and disconnect between what a document specifies as a MUST in operational requirements, and what is actually implementable / deployable… W > The Abstract says: "This document describes an > > extension to the echo request/reply mechanisms used in [...]", but from what I > > can tell, it is more "here are some containers that you could use in some other > > protocols". > > [XM]>>> Alvaro Retana has provided some change on the Abstract as below. > Does that change works for you? > > NEW > This document describes a generic format for use in echo > request/reply mechanisms, which can be used within an In situ > Operations, Administration, and Maintenance (IOAM) domain, allowing > the IOAM encapsulating node to discover the enabled IOAM capabilities > of each IOAM transit and IOAM decapsulating node. The generic format > is intended to be used with a variety of data planes such as IPv6, > MPLS, Service Function Chain (SFC) > and Bit Index Explicit Replication (BIER). > > > It seems like, instead of only relying on the network for filtering (which > doesn't yet seem to be implemented), the: "To protect against unauthorized > > sources using echo request messages to obtain IOAM Capabilities information, it > is RECOMMENDED that implementations provide a means of checking the source > > addresses of echo request messages against an access list before accepting the > message." should be made stronger. Implementations need to be created to > > understand IOAM, and so requiring that they have the capability to only accept > configured source addresses seems simple. > > [XM]>>> OK. Propose to change the text you quoted as below. > > OLD > > To protect against unauthorized sources using echo request messages > to obtain IOAM Capabilities information, it is RECOMMENDED that > implementations provide a means of checking the source addresses of > echo request messages against an access list before accepting the > message. > > > NEW > > To protect against unauthorized sources using echo request messages > to obtain IOAM Capabilities information, > implementations MUST provide a means of checking the source addresses of > echo request messages against an access list before accepting the > message. > >
- [ippm] Warren Kumari's Discuss on draft-ietf-ippm… Warren Kumari via Datatracker
- Re: [ippm] Warren Kumari's Discuss on draft-ietf-… xiao.min2
- Re: [ippm] Warren Kumari's Discuss on draft-ietf-… Warren Kumari
- Re: [ippm] Warren Kumari's Discuss on draft-ietf-… xiao.min2