Re: [ippm] Robert Wilton's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT)
xiao.min2@zte.com.cn Mon, 07 November 2022 01:58 UTC
Return-Path: <xiao.min2@zte.com.cn>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F05EC14CF0F; Sun, 6 Nov 2022 17:58:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l7kkBZgsaOVL; Sun, 6 Nov 2022 17:58:09 -0800 (PST)
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [63.216.63.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0CB2C14CF1E; Sun, 6 Nov 2022 17:58:08 -0800 (PST)
Received: from mxct.zte.com.cn (unknown [192.168.251.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mxhk.zte.com.cn (FangMail) with ESMTPS id 4N5DsB5YJ2z5BNS0; Mon, 7 Nov 2022 09:58:06 +0800 (CST)
Received: from mse-fl2.zte.com.cn (unknown [10.5.228.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mxct.zte.com.cn (FangMail) with ESMTPS id 4N5Drc2gMrz4y0v1; Mon, 7 Nov 2022 09:57:36 +0800 (CST)
Received: from njxapp01.zte.com.cn ([10.41.132.200]) by mse-fl2.zte.com.cn with SMTP id 2A71vO6N040787; Mon, 7 Nov 2022 09:57:24 +0800 (+08) (envelope-from xiao.min2@zte.com.cn)
Received: from mapi (njxapp04[null]) by mapi (Zmail) with MAPI id mid201; Mon, 7 Nov 2022 09:57:25 +0800 (CST)
Date: Mon, 07 Nov 2022 09:57:25 +0800
X-Zmail-TransId: 2afc63686605ffffffff8017e7b0
X-Mailer: Zmail v1.0
Message-ID: <202211070957251439115@zte.com.cn>
In-Reply-To: <202210281044003290501@zte.com.cn>
References: 166685538535.48302.7648891467141022566@ietfa.amsl.com, 202210281044003290501@zte.com.cn
Mime-Version: 1.0
From: xiao.min2@zte.com.cn
To: rwilton@cisco.com
Cc: ippm-chairs@ietf.org, iesg@ietf.org, ippm@ietf.org, draft-ietf-ippm-ioam-conf-state@ietf.org
Content-Type: multipart/mixed; boundary="=====_001_next====="
X-MAIL: mse-fl2.zte.com.cn 2A71vO6N040787
X-Fangmail-Gw-Spam-Type: 0
X-FangMail-Miltered: at cgslv5.04-192.168.250.138.novalocal with ID 6368662E.000 by FangMail milter!
X-FangMail-Envelope: 1667786286/4N5DsB5YJ2z5BNS0/6368662E.000/192.168.251.13/[192.168.251.13]/mxct.zte.com.cn/<xiao.min2@zte.com.cn>
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 6368662E.000/4N5DsB5YJ2z5BNS0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/A0oVTod6UDFeHvyIt6uNbBM93pY>
Subject: Re: [ippm] Robert Wilton's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2022 01:58:13 -0000
Hi Robert, The I-D submission tool reopens and I've posted -08 revision. Link as below. https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-conf-state-08 Much appreciated if you would check it over to see whether your DISCUSS point has been addressed. P.S. I just realize that I used a wrong email address while firstly replying to your comments, sorry for the inconvenience. Best Regards, Xiao Min Original From: 肖敏10093570 To: noreply@ietf.org <noreply@ietf.org>; Cc: ippm-chairs@ietf.org <ippm-chairs@ietf.org>;iesg@ietf.org <iesg@ietf.org>;ippm@ietf.org <ippm@ietf.org>;draft-ietf-ippm-ioam-conf-state@ietf.org <draft-ietf-ippm-ioam-conf-state@ietf.org>; Date: 2022年10月28日 10:45 Subject: Re: [ippm] Robert Wilton's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT) _______________________________________________ ippm mailing list ippm@ietf.org https://www.ietf.org/mailman/listinfo/ippm Hi Robert, Thank you for the review and thoughtful comments. Please check inline the proposed changes that will be incorporated into the next revision. Best Regards, Xiao Min From: RobertWiltonviaDatatracker <noreply@ietf.org> To: The IESG <iesg@ietf.org>; Cc: draft-ietf-ippm-ioam-conf-state@ietf.org <draft-ietf-ippm-ioam-conf-state@ietf.org>;ippm-chairs@ietf.org <ippm-chairs@ietf.org>;ippm@ietf.org <ippm@ietf.org>;marcus.ihlar@ericsson.com <marcus.ihlar@ericsson.com>;marcus.ihlar@ericsson.com <marcus.ihlar@ericsson.com>; Date: 2022年10月27日 15:23 Subject: Robert Wilton's Discuss on draft-ietf-ippm-ioam-conf-state-07: (with DISCUSS and COMMENT) Robert Wilton has entered the following ballot position for draft-ietf-ippm-ioam-conf-state-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-conf-state/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hi, I support Roman and Warren's discuss, and again, I have a similar, but slightly separate concern: (1) p 14, sec 6. Security Considerations To protect against unauthorized sources using echo request messages to obtain IOAM Capabilities information, it is RECOMMENDED that implementations provide a means of checking the source addresses of echo request messages against an access list before accepting the message. I'm concerned that performing a source address filtering isn't necessarily that secure, compared with use NETCONF or RESTCONF that can provide AAA access controls. Hence, I think that the security considerations should REQUIRE that IOAM daemons do not respond to these capability requests unless explicitly configured to do so, specifically to avoid implementations potentially leaking information if they are not aware of this functionality (e.g., if it was enabled by default). [XM]>>> OK. Propose to add a new paragraph into the security section as below. NEW A deployment MUST support the configuration option to enable/disable the IOAM Capabilities Discovery feature defined in this document. By default, the IOAM Capabilities Discovery feature MUST be disabled. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (2) p 2, sec 1. Introduction * When NETCONF/YANG is used in this scenario, each IOAM encapsulating node (including the host when it takes the role of an IOAM encapsulating node) needs to implement a NETCONF Client, each IOAM transit and IOAM decapsulating node (including the host when it takes the role of an IOAM decapsulating node) needs to implement a NETCONF Server, the complexity can be an issue. Furthermore, each IOAM encapsulating node needs to establish NETCONF Connection with each IOAM transit and IOAM decapsulating node, the scalability can be an issue. Isn't it quite likely that the network devices in question has already implement NETCONF servers, and hence really the additional code would only be NETCONF client code. There is also a separate option that RESTCONF could be used instead of NETCONF, which is a somewhat lighter protocol. I believe that one big advantage to using NETCONF over these loopback mechanisms is that they are properly secure, and NACM can be used to limit access to the IOAM capabilities to only those devices/individuals which should be allowed to access the data. [XM]>>> I understand this paragraph might be undesirable to you (as NETCONF AD), so I believe it's helpful to retrospect the journey of this paragraph. As I recall it, there were two wg adoption calls for this draft before it's adopted, this paragraph was added between the two calls, because the proposal to use NETCONF was raised during the first adoption call. There were some heated discussions on whether to use NETCONF or Echo Request/Reply, and the wg (rough) consensus was that Echo Request/Reply is more appropriate. Since then this paragraph remains there. From my personal perspective I'm unwilling to reopen this discussion at this point. If you have any suggestions on changing the text of this paragraph, or even removing it, please let me know :-) Regards, Rob
- [ippm] Robert Wilton's Discuss on draft-ietf-ippm… Robert Wilton via Datatracker
- Re: [ippm] Robert Wilton's Discuss on draft-ietf-… xiao.min2
- Re: [ippm] Robert Wilton's Discuss on draft-ietf-… xiao.min2
- Re: [ippm] Robert Wilton's Discuss on draft-ietf-… Rob Wilton (rwilton)
- Re: [ippm] Robert Wilton's Discuss on draft-ietf-… xiao.min2