Re: [Detnet] Last Call: <draft-ietf-detnet-architecture-08.txt> (Deterministic Networking Architecture) to Proposed Standard
János Farkas <janos.farkas@ericsson.com> Fri, 19 October 2018 19:42 UTC
Return-Path: <Janos.Farkas@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7109C130DD1 for <detnet@ietfa.amsl.com>; Fri, 19 Oct 2018 12:42:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.364
X-Spam-Level:
X-Spam-Status: No, score=-4.364 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vcLb2RrpKyWl for <detnet@ietfa.amsl.com>; Fri, 19 Oct 2018 12:42:21 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6FF130DF9 for <detnet@ietf.org>; Fri, 19 Oct 2018 12:42:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1539978139; x=1542570139; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=tRErPwaeabmvmSkq7zN4gxByHaqNx40M2+KmTl5sM5w=; b=Q9Z+rQXAulVnkC3l1UNPDn7A2gAmAm762GQ8Xf3vdU/eJq5kSPVvWSX6aa06L8NY LozWOzH1RcKi3Q78V1+032NjrTbxkjsHQTE8u7NsqBG8SBAtjfQU41TY8ZSempSQ Yw/gchdW9lbCgwb/Ov/6Ba010+xrYhlSOHcwkkjcMns=;
X-AuditID: c1b4fb30-2d3ff700000047d2-3c-5bca339be934
Received: from ESESSMB504.ericsson.se (Unknown_Domain [153.88.183.122]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id BF.71.18386.B933ACB5; Fri, 19 Oct 2018 21:42:19 +0200 (CEST)
Received: from ESESBMB501.ericsson.se (153.88.183.168) by ESESSMB504.ericsson.se (153.88.183.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 19 Oct 2018 21:42:18 +0200
Received: from [100.94.32.88] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.184) with Microsoft SMTP Server id 15.1.1466.3 via Frontend Transport; Fri, 19 Oct 2018 21:42:18 +0200
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: "draft-ietf-detnet-architecture.all@ietf.org" <draft-ietf-detnet-architecture.all@ietf.org>, "detnet@ietf.org" <detnet@ietf.org>, "db3546@att.com" <db3546@att.com>
References: <D7CE9582.7425D%maseewal@cisco.com>
From: János Farkas <janos.farkas@ericsson.com>
Message-ID: <760f588d-be57-492b-1168-75c598ae2348@ericsson.com>
Date: Fri, 19 Oct 2018 21:42:18 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <D7CE9582.7425D%maseewal@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFLMWRmVeSWpSXmKPExsUyM2J7le5s41PRBlMvcVq0XdzHZHG5q5vd 4ven2SwW+2ZtYnFg8XjZP4fRY+esu+weS5b8ZApgjuKySUnNySxLLdK3S+DK6HtmX/DTu2LN kh9sDYxTbbsYOTkkBEwk/l5/xtbFyMUhJHCUUWJ531Qo5xujxIqPR9ghnMOMEvt2fmUBcYQF 2hklunZeYgLpFxEwlmjsOs0KkmAWWM0o8fXZdTaQhJCAvsT/M8uZQWw2AXuJu5c2gNm8QPba 9zvAalgEVCVOPpkNNkhUIFbi05XFUDWCEidnPmEBsTkFDCSO/vnKCmIzC1hIzJx/nhHClpdo 3jqbGcIWl7j1ZD4TxF41iU9vH7JPYBSahWTULCTts5C0z0LSvoCRZRWjaHFqcVJuupGRXmpR ZnJxcX6eXl5qySZGYAwc3PLbYAfjy+eOhxgFOBiVeHh5uE9FC7EmlhVX5h5ilOBgVhLhVSw9 GS3Em5JYWZValB9fVJqTWnyIUZqDRUmc18Jvc5SQQHpiSWp2ampBahFMlomDU6qBccM9RTke 9/R4tSjduP1NXN/ef91w6si7c5c5gvKrlXzOPG7slVX1ui7WyDg76PfxGvfrIXEREmz/+PXr ovdd2fdgqhJ70KRbJ/0371nxevW5wJX2yxryCkOaOWJ//+bkm5+0fB//nC8MDbtcrn/1Kza/ UpjEOP/+qmVHtS8K3E61ebI6r8slRYmlOCPRUIu5qDgRAFmt7799AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/DmyFkzq8Tzyk9YKLqyjAIG7NWGc>
Subject: Re: [Detnet] Last Call: <draft-ietf-detnet-architecture-08.txt> (Deterministic Networking Architecture) to Proposed Standard
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 19:42:25 -0000
Hi Brian, Thank you very much for your review! Please find below more in-line on how we will update the draft to resolve your comments. Best regards, Janos On 9/24/2018 1:28 PM, Maik Seewald (maseewal) wrote: > Given the criticality of the use cases (IACS), authentication and > authorisation of the packet source appears to be imperative. > IMHO, applying security controls to the infrastructure elements only > crates a secure architecture for potential hostile traffic. > Application security might/will exist on-top, providing a multi-layer > approach. > > BR, Maik > > > On 24.09.18, 08:27, "detnet on behalf of Pascal Thubert (pthubert)" > <detnet-bounces@ietf.org on behalf of pthubert=40cisco.com@dmarc.ietf.org> > wrote: > >>>> Security must cover: >>>> >>>> o the protection of the signaling protocol >>>> >>>> o the authentication and authorization of the controlling systems >>>> >>>> o the identification and shaping of the DetNet flows >>> What about the identification and authorization of the nodes allowed to >>> generate DetNet flows within a domain, and of the border nodes at the >>> edges >>> of the domain? >>> >>> <NWF> I'll let others comment on that one. I'm not clear about the >>> boundaries and the amount of overlap between network security and >>> application security, in this case. >> I agree with Brian; the source of the flow must be authenticated. I >> believe that a secure identification of the flow involves that, but it >> could make sense to emphasize this. >> What about: >> >>>> o the identification and shaping of the DetNet flows, including >>> authorization of the packet source >> Note: we have imposed that a flow has a single source and one or mane end >> points. There are MP2MP use cases in industrial. Unsure how to fully >> characterize them but the most basic methods are source A or source B, >> and source A and source B. The latter can be reserved as 2 independent >> DetNet flows, but the former needs methods that we do not have. >> >> Cheers; >> >> Pascal >> >>> -----Original Message----- >>> From: Norman Finn <norman.finn@mail01.huawei.com> >>> Sent: lundi 24 septembre 2018 07:56 >>> To: Brian E Carpenter <brian.e.carpenter@gmail.com> >>> Cc: draft-ietf-detnet-architecture.all@ietf.org; detnet@ietf.org; >>> db3546@att.com >>> Subject: RE: Last Call: <draft-ietf-detnet-architecture-08.txt> >>> (Deterministic >>> Networking Architecture) to Proposed Standard >>> >>> Thanks for the comments, Brian. I'll try to respond; others will have >>> opinions, >>> I'm sure. See <NWF> ________________________________________ >>> From: Brian E Carpenter [brian.e.carpenter@gmail.com] >>> Sent: Sunday, September 23, 2018 9:56 PM >>> Cc: draft-ietf-detnet-architecture.all@ietf.org; detnet@ietf.org; >>> db3546@att.com >>> Subject: Re: Last Call: <draft-ietf-detnet-architecture-08.txt> >>> (Deterministic >>> Networking Architecture) to Proposed Standard >>> >>> Hi, >>> >>> The term "Flow-ID" is used frequently but is not defined or explained. >>> Section 4.7 "Flow identification at technology borders" doesn't really >>> help on >>> this. >>> >>> In fact, it isn't entirely clear what the word "flow" itself means. >>> You might think it's obvious, but when designing the rules for the >>> IPv6 Flow Label we stumbled until we got to this: >>> >>> From the viewpoint of the network layer, a flow is a sequence of >>> packets sent from a particular source to a particular unicast, >>> anycast, or multicast destination that a node desires to label as a >>> flow. >>> >>> In other words, a flow is whatever set of packets the source chooses to >>> assert >>> is a flow. Is that the DetNet definition too? >>> >>> <NWF> In 2.1 we have, "A DetNet flow is a sequence of packets to >>> which the >>> DetNet service is to be provided." This could be expanded to, "A >>> DetNet flow >>> is a sequence of packets from one source to one or more destinations, >>> which >>> conform uniquely to a flow identifier, and to which the DetNet service >>> is to be >>> provided." The idea is that the process of creating a reservation for >>> a DetNet >>> flow always provides a means for unambiguously identifying to which >>> DetNet >>> flow, if any, a packet belongs. The definition will be updated as suggested by Norm. >>> >>> Also: >>>> The Flow-ID must be unique inside a given domain. >>> It isn't clear from the discussion of Flow-ID mapping whether this >>> implies that >>> the value of the upper layer (the deepest >>> encapsulated) Flow-ID is is intended to be preserved end-to-end. >>> It appears so from the examples in Figure 10 and Figure 11, but based >>> on the >>> experience that this has been a contentious point for the IPv6 Flow >>> Label, I >>> recommend that this should be clearly defined in the architecture. >>> >>> <NWF> A better way to phrase the uniqueness requirement is that any >>> given >>> relay node must be able to unambiguously assign to a packet the >>> resources >>> reserved for that packet's DetNet flow. That's easiest if the >>> identifiers are >>> unique over domain, of course. I'd like to hear from others, on this. The sentence will be updated to make it clearer: OLD: The Flow-ID must be unique inside a given domain. Note that the Flow-ID added to the App-flow is still present in the packet, but transport nodes may lack the function to recognize it; that's why the additional Flow-ID is added. NEW: "The Flow-ID must be unique inside a given domain. Note that the Flow-ID added to the App-flow by higher layer(s) is preserved in the packet, but transport nodes may lack the function to recognize it; that’s why the additional Flow-ID is added." >>> >>>> 3.2.1.1. "Eliminate congestion loss" >>> Shouldn't there be some discussion here about buffer bloat, which >>> serves to >>> reduce congestion loss but does terrible things to latency? The >>> discussion at >>> the beginning of Section 4.5 "Queuing, Shaping, Scheduling, and >>> Preemption" >>> doesn't make it clear how buffer bloat is avoided at large scale, where >>> many >>> DetNet flows are going through the same choke point. Having reserved >>> buffers >>> per flow doesn't prevent the total buffer space creeping up, and clever >>> queueing algorithms can't completely save you when that happens. >>> >>> <NWF> As we are trying to make more clear in the bounded-latency draft, >>> one >>> of the characteristics of any queuing strategy that is useful for >>> DetNet is that >>> one can compute no later than flow reservation time how much buffer >>> space >>> is required to guarantee zero congestion loss. If you can't, then the >>> queuing >>> strategy is unsuitable. Different strategies make different trade-offs >>> regarding >>> buffer space, latency, data plane and control plane complexity, etc. >>> Generally >>> speaking, buffer space will grow with the number of flows visible to a >>> given >>> relay node. Flow aggregation is helpful, here, but one can expect a >>> DetNet >>> relay node to require more buffer space than a non-DetNet node. And, >>> if you >>> calculate that you haven't enough buffers to ensure zero congestion >>> loss, you >>> refuse the reservation. The next paragraph in 3.2.1.1 explains that regulation is needed and applied, which actually avoids buffer bloat. "Ensuring adequate buffering requires, in turn, that the source, and every DetNet node along the path to the destination (or nearly every node, see Section 4.3.3) be careful to regulate its output to not exceed the data rate for any DetNet flow, except for brief periods when making up for interfering traffic. Any packet sent ahead of its time potentially adds to the number of buffers required by the next hop DetNet node and may thus exceed the resources allocated for a particular DetNet flow. " A sentence will be added to the end of the paragraph to make it clearer: "Ensuring adequate buffering requires, in turn, that the source, and every DetNet node along the path to the destination (or nearly every node, see Section 4.3.3) be careful to regulate its output to not exceed the data rate for any DetNet flow, except for brief periods when making up for interfering traffic. Any packet sent ahead of its time potentially adds to the number of buffers required by the next hop DetNet node and may thus exceed the resources allocated for a particular DetNet flow. The regulation ensures adequate use of the buffer space. " >>> >>>> Security must cover: >>>> >>>> o the protection of the signaling protocol >>>> >>>> o the authentication and authorization of the controlling systems >>>> >>>> o the identification and shaping of the DetNet flows >>> What about the identification and authorization of the nodes allowed to >>> generate DetNet flows within a domain, and of the border nodes at the >>> edges >>> of the domain? >>> >>> <NWF> I'll let others comment on that one. I'm not clear about the >>> boundaries and the amount of overlap between network security and >>> application security, in this case. Security issues and considerations are addressed by the DetNet Security draft: https://datatracker.ietf.org/doc/draft-ietf-detnet-security. Reference will be added to the DetNet security document. >>> >>> Regards >>> Brian Carpenter >> _______________________________________________ >> detnet mailing list >> detnet@ietf.org >> https://www.ietf.org/mailman/listinfo/detnet
- [Detnet] Last Call: <draft-ietf-detnet-architectu… The IESG
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Brian E Carpenter
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Norman Finn
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Pascal Thubert (pthubert)
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Maik Seewald (maseewal)
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Balázs Varga A
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… Pascal Thubert (pthubert)
- Re: [Detnet] Last Call: <draft-ietf-detnet-archit… János Farkas