idnits 2.17.1 draft-ietf-6man-ipv6-alt-mark-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 1, 2022) is 636 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-03) exists of draft-ietf-ippm-rfc8321bis-02 == Outdated reference: A later version (-04) exists of draft-ietf-ippm-rfc8889bis-02 == Outdated reference: A later version (-08) exists of draft-fz-spring-srv6-alt-mark-02 == Outdated reference: A later version (-14) exists of draft-ietf-6man-hbh-processing-00 == Outdated reference: A later version (-07) exists of draft-ietf-idr-sr-policy-ifit-03 == Outdated reference: A later version (-14) exists of draft-ietf-spring-srv6-srh-compression-01 == Outdated reference: A later version (-10) exists of draft-ietf-v6ops-hbh-01 Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 6MAN Working Group G. Fioccola 3 Internet-Draft T. Zhou 4 Intended status: Standards Track Huawei 5 Expires: January 2, 2023 M. Cociglio 6 Telecom Italia 7 F. Qin 8 China Mobile 9 R. Pang 10 China Unicom 11 July 1, 2022 13 IPv6 Application of the Alternate Marking Method 14 draft-ietf-6man-ipv6-alt-mark-16 16 Abstract 18 This document describes how the Alternate Marking Method can be used 19 as a passive performance measurement tool in an IPv6 domain. It 20 defines an Extension Header Option to encode Alternate Marking 21 information in both the Hop-by-Hop Options Header and Destination 22 Options Header. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on January 2, 2023. 41 Copyright Notice 43 Copyright (c) 2022 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 3 61 2. Alternate Marking application to IPv6 . . . . . . . . . . . . 3 62 2.1. Controlled Domain . . . . . . . . . . . . . . . . . . . . 5 63 2.1.1. Alternate Marking Measurement Domain . . . . . . . . 6 64 3. Definition of the AltMark Option . . . . . . . . . . . . . . 7 65 3.1. Data Fields Format . . . . . . . . . . . . . . . . . . . 7 66 4. Use of the AltMark Option . . . . . . . . . . . . . . . . . . 8 67 5. Alternate Marking Method Operation . . . . . . . . . . . . . 10 68 5.1. Packet Loss Measurement . . . . . . . . . . . . . . . . . 10 69 5.2. Packet Delay Measurement . . . . . . . . . . . . . . . . 12 70 5.3. Flow Monitoring Identification . . . . . . . . . . . . . 13 71 5.4. Multipoint and Clustered Alternate Marking . . . . . . . 16 72 5.5. Data Collection and Calculation . . . . . . . . . . . . . 16 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 74 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 75 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 76 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 77 9.1. Normative References . . . . . . . . . . . . . . . . . . 21 78 9.2. Informative References . . . . . . . . . . . . . . . . . 21 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 81 1. Introduction 83 [I-D.ietf-ippm-rfc8321bis] and [I-D.ietf-ippm-rfc8889bis] describe a 84 passive performance measurement method, which can be used to measure 85 packet loss, latency and jitter on live traffic. Since this method 86 is based on marking consecutive batches of packets, the method is 87 often referred to as the Alternate Marking Method. 89 This document defines how the Alternate Marking Method can be used to 90 measure performance metrics in IPv6. The rationale is to apply the 91 Alternate Marking methodology to IPv6 and therefore allow detailed 92 packet loss, delay and delay variation measurements both hop-by-hop 93 and end-to-end to exactly locate the issues in an IPv6 network. 95 The Alternate Marking is an on-path telemetry technique and consists 96 of synchronizing the measurements in different points of a network by 97 switching the value of a marking bit and therefore dividing the 98 packet flow into batches. Each batch represents a measurable entity 99 recognizable by all network nodes along the path. By counting the 100 number of packets in each batch and comparing the values measured by 101 different nodes, it is possible to precisely measure the packet loss. 102 Similarly, the alternation of the values of the marking bits can be 103 used as a time reference to calculate the delay and delay variation. 104 The Alternate Marking operation is further described in Section 5. 106 This document introduces a TLV (type-length-value) that can be 107 encoded in the Options Headers (Hop-by-Hop or Destination), according 108 to [RFC8200], for the purpose of the Alternate Marking Method 109 application in an IPv6 domain. 111 The Alternate Marking Method MUST be applied to IPv6 only in a 112 controlled environment, as further described in Section 2.1. 113 Besides, [RFC8799] also discusses the trend towards network behaviors 114 that can be applied only within limited domains. 116 The threat model for the application of the Alternate Marking Method 117 in an IPv6 domain is reported in Section 6. 119 1.1. Terminology 121 This document uses the terms related to the Alternate Marking Method 122 as defined in [I-D.ietf-ippm-rfc8321bis] and 123 [I-D.ietf-ippm-rfc8889bis]. 125 1.2. Requirements Language 127 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 128 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 129 "OPTIONAL" in this document are to be interpreted as described in BCP 130 14 [RFC2119] [RFC8174] when, and only when, they appear in all 131 capitals, as shown here. 133 2. Alternate Marking application to IPv6 135 The Alternate Marking Method requires a marking field. Several 136 alternatives could be considered such as IPv6 Extension Headers, IPv6 137 Address and Flow Label. But, it is necessary to analyze the 138 drawbacks for all the available possibilities, more specifically: 140 Reusing existing Extension Header for Alternate Marking leads to a 141 non-optimized implementation; 143 Using the IPv6 destination address to encode the Alternate Marking 144 processing is very expensive; 145 Using the IPv6 Flow Label for Alternate Marking conflicts with the 146 utilization of the Flow Label for load distribution purpose 147 ([RFC6438]). 149 In the end, a Hop-by-Hop or a Destination Option is the best choice. 151 The approach for the Alternate Marking application to IPv6 specified 152 in this memo is compliant with [RFC8200]. It involves the following 153 operations: 155 o The source node is the only one that writes the Option Header to 156 mark alternately the flow (for both Hop-by-Hop and Destination 157 Option). The intermediate nodes and destination node MUST only 158 read the marking values of the option without modifying the Option 159 Header. 161 o In case of Hop-by-Hop Option Header carrying Alternate Marking 162 bits, it is not inserted or deleted, but can be read by any node 163 along the path. The intermediate nodes may be configured to 164 support this Option or not and the measurement can be done only 165 for the nodes configured to read the Option. As further discussed 166 in Section 4, the presence of the hop-by-hop option should not 167 affect the traffic throughput both on nodes that do not recognize 168 this option and on the nodes that support it. However, it is 169 worth mentioning that there is a difference between theory and 170 practice. Indeed, in a real implementation it can happen that 171 packets with hop-by-hop option could also be skipped or processed 172 in the slow path. While some proposals are trying to address this 173 problem and make Hop-by-Hop Options more practical 174 ([I-D.ietf-v6ops-hbh], [I-D.ietf-6man-hbh-processing]), these 175 aspects are out of the scope for this document. 177 o In case of Destination Option Header carrying Alternate Marking 178 bits, it is not processed, inserted, or deleted by any node along 179 the path until the packet reaches the destination node. Note 180 that, if there is also a Routing Header (RH), any visited 181 destination in the route list can process the Option Header. 183 Hop-by-Hop Option Header is also useful to signal to routers on the 184 path to process the Alternate Marking. However, as said, routers 185 will only examine this option if properly configured. 187 The optimization of both implementation and scaling of the Alternate 188 Marking Method is also considered and a way to identify flows is 189 required. The Flow Monitoring Identification field (FlowMonID), as 190 introduced in Section 5.3, goes in this direction and it is used to 191 identify a monitored flow. 193 The FlowMonID is different from the Flow Label field of the IPv6 194 Header ([RFC6437]). The Flow Label field in the IPv6 header is used 195 by a source to label sequences of packets to be treated in the 196 network as a single flow and, as reported in [RFC6438], it can be 197 used for load-balancing/equal cost multi-path (LB/ECMP). The reuse 198 of Flow Label field for identifying monitored flows is not considered 199 because it may change the application intent and forwarding behavior. 200 Also, the Flow Label may be changed en route and this may also 201 invalidate the integrity of the measurement. Those reasons make the 202 definition of the FlowMonID necessary for IPv6. Indeed, the 203 FlowMonID is designed and only used to identify the monitored flow. 204 Flow Label and FlowMonID within the same packet are totally disjoint, 205 have different scope, are used to identify flows based on different 206 criteria, and are intended for different use cases. 208 The rationale for the FlowMonID is further discussed in Section 5.3. 209 This 20 bit field allows easy and flexible identification of the 210 monitored flow and enables improved measurement correlation and finer 211 granularity since it can be used in combination with the traditional 212 TCP/IP 5-tuple to identify a flow. An important point that will be 213 discussed in Section 5.3 is the uniqueness of the FlowMonID and how 214 to allow disambiguation of the FlowMonID in case of collision. 216 The following section highlights an important requirement for the 217 application of the Alternate Marking to IPv6. The concept of the 218 controlled domain is explained and it is considered an essential 219 precondition, as also highlighted in Section 6. 221 2.1. Controlled Domain 223 IPv6 has much more flexibility than IPv4 and innovative applications 224 have been proposed, but for security and compatibility reasons, some 225 of these applications are limited to a controlled environment. This 226 is also the case of the Alternate Marking application to IPv6 as 227 assumed hereinafter. In this regard, [RFC8799] reports further 228 examples of specific limited domain solutions. 230 The IPv6 application of the Alternate Marking Method MUST be deployed 231 in a controlled domain. It is not common that the user traffic 232 originates and terminates within the controlled domain, as also noted 233 in Section 2.1.1. For this reason, it will typically only be 234 applicable in an overlay network, where user traffic is encapsulated 235 at one domain border, decapsulated at the other domain border and the 236 encapsulation incorporates the relevant extension header for 237 Alternate Marking. This requirement also implies that an 238 implementation MUST filter packets that carry Alternate Marking data 239 and are entering or leaving the controlled domain. 241 A controlled domain is a managed network where it is required to 242 select, monitor and control the access to the network by enforcing 243 policies at the domain boundaries in order to discard undesired 244 external packets entering the domain and check the internal packets 245 leaving the domain. It does not necessarily mean that a controlled 246 domain is a single administrative domain or a single organization. A 247 controlled domain can correspond to a single administrative domain or 248 can be composed by multiple administrative domains under a defined 249 network management. Indeed, some scenarios may imply that the 250 Alternate Marking Method involves more than one domain, but in these 251 cases, it is RECOMMENDED that the multiple domains create a whole 252 controlled domain while traversing the external domain by employing 253 IPsec [RFC4301] authentication and encryption or other VPN technology 254 that provides full packet confidentiality and integrity protection. 255 In a few words, it must be possible to control the domain boundaries 256 and eventually use specific precautions if the traffic traverse the 257 Internet. 259 The security considerations reported in Section 6 also highlight this 260 requirement. 262 2.1.1. Alternate Marking Measurement Domain 264 The Alternate Marking measurement domain can overlap with the 265 controlled domain or may be a subset of the controlled domain. The 266 typical scenarios for the application of the Alternate Marking Method 267 depend on the controlled domain boundaries, in particular: 269 the user equipment can be the starting or ending node, only in 270 case it is fully managed and if it belongs to the controlled 271 domain. In this case the user generated IPv6 packets contain the 272 Alternate Marking data. But, in practice, this is not common due 273 to the fact that the user equipment cannot be totally secured in 274 the majority of cases. 276 the CPE (Customer Premises Equipment) and the PE (Provider Edge) 277 router are most likely to be the starting or ending node since 278 they can border a controlled domain. For instance, the CPE, which 279 connects the user's premises with the service provider's network, 280 belongs to a controlled domain only if it is managed by the 281 service provider and if additional security measures are taken to 282 keep it trustworthy. Typically the CPE or the PE can encapsulate 283 a received packet in an outer IPv6 header which contains the 284 Alternate Marking data. They can also be able to filter and drop 285 packets from outside of the domain with inconsistent fields to 286 make effective the relevant security rules at the domain 287 boundaries, for example a simple security check can be to insert 288 the Alternate Marking data if and only if the destination is 289 within the controlled domain. 291 3. Definition of the AltMark Option 293 The definition of a TLV for the Options Extension Headers, carrying 294 the data fields dedicated to the Alternate Marking method, is 295 reported below. 297 3.1. Data Fields Format 299 The following figure shows the data fields format for enhanced 300 Alternate Marking TLV (AltMark). This AltMark data can be 301 encapsulated in the IPv6 Options Headers (Hop-by-Hop or Destination 302 Option). 304 0 1 2 3 305 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 306 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 307 | Option Type | Opt Data Len | 308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 309 | FlowMonID |L|D| Reserved | 310 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 312 where: 314 o Option Type: 8-bit identifier of the type of Option that needs to 315 be allocated. Unrecognized Types MUST be ignored on processing. 316 For Hop-by-Hop Options Header or Destination Options Header, 317 [RFC8200] defines how to encode the three high-order bits of the 318 Option Type field. The two high-order bits specify the action 319 that must be taken if the processing IPv6 node does not recognize 320 the Option Type; for AltMark these two bits MUST be set to 00 321 (skip over this Option and continue processing the header). The 322 third-highest-order bit specifies whether the Option Data can 323 change en route to the packet's final destination; for AltMark the 324 value of this bit MUST be set to 0 (Option Data does not change en 325 route). In this way, since the three high-order bits of the 326 AltMark Option are set to 000, it means that nodes can simply skip 327 this Option if they do not recognize and that the data of this 328 Option do not change en route, indeed the source is the only one 329 that can write it. 331 o Opt Data Len: 4. It is the length of the Option Data Fields of 332 this Option in bytes. 334 o FlowMonID: 20-bit unsigned integer. The FlowMon identifier is 335 described in Section 5.3. As further discussed below, it has been 336 picked as 20 bits since it is a reasonable value and a good 337 compromise in relation to the chance of collision. It MUST be set 338 pseudo randomly by the source node or by a centralized controller. 340 o L: Loss flag for Packet Loss Measurement as described in 341 Section 5.1; 343 o D: Delay flag for Single Packet Delay Measurement as described in 344 Section 5.2; 346 o Reserved: is reserved for future use. These bits MUST be set to 347 zero on transmission and ignored on receipt. 349 4. Use of the AltMark Option 351 The AltMark Option is the best way to implement the Alternate Marking 352 method and it is carried by the Hop-by-Hop Options header and the 353 Destination Options header. In case of Destination Option, it is 354 processed only by the source and destination nodes: the source node 355 inserts and the destination node processes it. While, in case of 356 Hop-by-Hop Option, it may be examined by any node along the path, if 357 explicitly configured to do so. 359 It is important to highlight that the Option Layout can be used both 360 as Destination Option and as Hop-by-Hop Option depending on the Use 361 Cases and it is based on the chosen type of performance measurement. 362 In general, it is needed to perform both end to end and hop by hop 363 measurements, and the Alternate Marking methodology allows, by 364 definition, both performance measurements. In many cases the end-to- 365 end measurement is not enough and it is required the hop-by-hop 366 measurement, so the most complete choice can be the Hop-by-Hop 367 Options Header. 369 IPv6, as specified in [RFC8200], allows nodes to optionally process 370 Hop-by-Hop headers. Specifically the Hop-by-Hop Options header is 371 not inserted or deleted, but may be examined or processed by any node 372 along a packet's delivery path, until the packet reaches the node (or 373 each of the set of nodes, in the case of multicast) identified in the 374 Destination Address field of the IPv6 header. Also, it is expected 375 that nodes along a packet's delivery path only examine and process 376 the Hop-by-Hop Options header if explicitly configured to do so. 378 Another scenario that can be mentioned is the presence of a Routing 379 Header, in particular it is possible to consider SRv6. A type of 380 Routing Header, referred as Segment Routing Header (SRH), has been 381 defined in [RFC8754] for SRv6. Like any other use case of IPv6, Hop- 382 by-Hop and Destination Options are usable when SRv6 header is 383 present. Because SRv6 is implemented through the SRH, Destination 384 Options before the Routing Header are processed by each destination 385 in the route list, that means, in case of SRH, by every SR node that 386 is identified by the SR path. If segment list compression is in use, 387 as described in [I-D.ietf-spring-srv6-srh-compression], Destination 388 Options or Hop-by-Hop Options can always be applicable. More details 389 about the SRv6 application are described in 390 [I-D.fz-spring-srv6-alt-mark]. 392 In summary, it is possible to list the alternative possibilities: 394 o Destination Option not preceding a Routing Header => measurement 395 only by node in Destination Address. 397 o Hop-by-Hop Option => every router on the path with feature 398 enabled. 400 o Destination Option preceding a Routing Header => every destination 401 node in the route list. 403 In general, Hop-by-Hop and Destination Options are the most suitable 404 ways to implement Alternate Marking. 406 It is worth mentioning that Hop-by-Hop Options are not strongly 407 recommended in [RFC7045] and [RFC8200], unless there is a clear 408 justification to standardize it, because nodes may be configured to 409 ignore the Options Header, drop or assign packets containing an 410 Options Header to a slow processing path. In case of the AltMark 411 data fields described in this document, the motivation to standardize 412 a Hop-by-Hop Option is that it is needed for OAM (Operations, 413 Administration, and Maintenance). An intermediate node can read it 414 or not, but this does not affect the packet behavior. The source 415 node is the only one that writes the Hop-by-Hop Option to mark 416 alternately the flow, so, the performance measurement can be done for 417 those nodes configured to read this Option, while the others are 418 simply not considered for the metrics. 420 The Hop-by-Hop Option defined in this document is designed to take 421 advantage of the property of how Hop-by-Hop options are processed. 422 Nodes that do not support this Option would be expected to ignore it 423 if encountered, according to the procedures of [RFC8200]. This can 424 mean that, in this case, the performance measurement does not account 425 for all links and nodes along a path. The definition of the Hop-by- 426 Hop Options in this document is also designed to minimize throughput 427 impact both on nodes that do not recognize the Option and on node 428 that support it. Indeed, the three high-order bits of the Options 429 Header defined in this draft are 000 and, in theory, as per [RFC8200] 430 and [I-D.ietf-6man-hbh-processing], this means "skip if do not 431 recognize and data do not change en route". [RFC8200] also mentions 432 that the nodes only examine and process the Hop-by-Hop Options header 433 if explicitly configured to do so. For these reasons, this Hop-by- 434 Hop Option should not affect the throughput. However, in practice, 435 it is important to be aware that the things may be different in the 436 implementation and it can happen that packets with Hop-by-Hop are 437 forced onto the slow path, but this is a general issue, as also 438 explained in [I-D.ietf-6man-hbh-processing]. It is also worth 439 mentioning that the application to a controlled domain should avoid 440 the risk of arbitrary nodes dropping packets with Hop-by-Hop Options. 442 5. Alternate Marking Method Operation 444 This section describes how the method operates. 445 [I-D.ietf-ippm-rfc8321bis] introduces several applicable methods 446 which are reported below, and an additional field is introduced to 447 facilitate the deployment and improve the scalability. 449 5.1. Packet Loss Measurement 451 The measurement of the packet loss is really straightforward in 452 comparison to the existing mechanisms, as detailed in 453 [I-D.ietf-ippm-rfc8321bis]. The packets of the flow are grouped into 454 batches, and all the packets within a batch are marked by setting the 455 L bit (Loss flag) to a same value. The source node can switch the 456 value of the L bit between 0 and 1 after a fixed number of packets or 457 according to a fixed timer, and this depends on the implementation. 458 The source node is the only one that marks the packets to create the 459 batches, while the intermediate nodes only read the marking values 460 and identify the packet batches. By counting the number of packets 461 in each batch and comparing the values measured by different network 462 nodes along the path, it is possible to measure the packet loss 463 occurred in any single batch between any two nodes. Each batch 464 represents a measurable entity recognizable by all network nodes 465 along the path. 467 Both fixed number of packets and fixed timer can be used by the 468 source node to create packet batches. But, as also explained in 469 [I-D.ietf-ippm-rfc8321bis], the timer-based batches are preferable 470 because they are more deterministic than the counter-based batches. 471 There is no definitive rule for counter-based batches, differently 472 from timer-based batches. Using a fixed timer for the switching 473 offers better control over the method, indeed the length of the 474 batches can be chosen large enough to simplify the collection and the 475 comparison of the measures taken by different network nodes. In the 476 implementation the counters can be sent out by each node to the 477 controller that is responsible for the calculation. It is also 478 possible to exchange this information by using other on-path 479 techniques. But this is out of scope for this document. 481 Packets with different L values may get swapped at batch boundaries, 482 and in this case, it is required that each marked packet can be 483 assigned to the right batch by each router. It is important to 484 mention that for the application of this method there are two 485 elements to consider: the clock error between network nodes and the 486 network delay. These can create offsets between the batches and out- 487 of-order of the packets. The mathematical formula on timing aspects, 488 explained in section 5 of [I-D.ietf-ippm-rfc8321bis], must be 489 satisfied and it takes into considerations the different causes of 490 reordering such as clock error and network delay. The assumption is 491 to define the available counting interval where to get stable 492 counters and to avoid these issues. Specifically, if the effects of 493 network delay are ignored, the condition to implement the methodology 494 is that the clocks in different nodes MUST be synchronized to the 495 same clock reference with an accuracy of +/- B/2 time units, where B 496 is the fixed time duration of the batch. In this way each marked 497 packet can be assigned to the right batch by each node. Usually the 498 counters can be taken in the middle of the batch period to be sure to 499 read quiescent counters. In a few words this implies that the length 500 of the batches MUST be chosen large enough so that the method is not 501 affected by those factors. The length of the batches can be 502 determined based on the specific deployment scenario. 504 L bit=1 ----------+ +-----------+ +---------- 505 | | | | 506 L bit=0 +-----------+ +-----------+ 507 Batch n ... Batch 3 Batch 2 Batch 1 508 <---------> <---------> <---------> <---------> <---------> 510 Traffic Flow 511 ===========================================================> 512 L bit ...1111111111 0000000000 11111111111 00000000000 111111111... 513 ===========================================================> 515 Figure 1: Packet Loss Measurement and Single-Marking Methodology 516 using L bit 518 It is worth mentioning that the duration of the batches is considered 519 stable over time in the previous figure. In theory, it is possible 520 to change the length of batches over time and among different flows 521 for more flexibility. But, in practice, it could complicate the 522 correlation of the information. 524 5.2. Packet Delay Measurement 526 The same principle used to measure packet loss can be applied also to 527 one-way delay measurement. Delay metrics MAY be calculated using the 528 two possibilities: 530 1. Single-Marking Methodology: This approach uses only the L bit to 531 calculate both packet loss and delay. In this case, the D flag 532 MUST be set to zero on transmit and ignored by the monitoring 533 points. The alternation of the values of the L bit can be used 534 as a time reference to calculate the delay. Whenever the L bit 535 changes and a new batch starts, a network node can store the 536 timestamp of the first packet of the new batch, that timestamp 537 can be compared with the timestamp of the first packet of the 538 same batch on a second node to compute packet delay. But this 539 measurement is accurate only if no packet loss occurs and if 540 there is no packet reordering at the edges of the batches. A 541 different approach can also be considered and it is based on the 542 concept of the mean delay. The mean delay for each batch is 543 calculated by considering the average arrival time of the packets 544 for the relative batch. There are limitations also in this case 545 indeed, each node needs to collect all the timestamps and 546 calculate the average timestamp for each batch. In addition, the 547 information is limited to a mean value. 549 2. Double-Marking Methodology: This approach is more complete and 550 uses the L bit only to calculate packet loss and the D bit (Delay 551 flag) is fully dedicated to delay measurements. The idea is to 552 use the first marking with the L bit to create the alternate flow 553 and, within the batches identified by the L bit, a second marking 554 is used to select the packets for measuring delay. The D bit 555 creates a new set of marked packets that are fully identified 556 over the network, so that a network node can store the timestamps 557 of these packets; these timestamps can be compared with the 558 timestamps of the same packets on a second node to compute packet 559 delay values for each packet. The most efficient and robust mode 560 is to select a single double-marked packet for each batch, in 561 this way there is no time gap to consider between the double- 562 marked packets to avoid their reorder. Regarding the rule for 563 the selection of the packet to be double-marked, the same 564 considerations in Section 5.1 apply also here and the double- 565 marked packet can be chosen within the available counting 566 interval that is not affected by factors such as clock errors. 567 If a double-marked packet is lost, the delay measurement for the 568 considered batch is simply discarded, but this is not a big 569 problem because it is easy to recognize the problematic batch and 570 skip the measurement just for that one. So in order to have more 571 information about the delay and to overcome out-of-order issues 572 this method is preferred. 574 In summary the approach with double marking is better than the 575 approach with single marking. Moreover, the two approaches provide 576 slightly different pieces of information and the data consumer can 577 combine them to have a more robust data set. 579 Similar to what said in Section 5.1 for the packet counters, in the 580 implementation the timestamps can be sent out to the controller that 581 is responsible for the calculation or could also be exchanged using 582 other on-path techniques. But this is out of scope for this 583 document. 585 L bit=1 ----------+ +-----------+ +---------- 586 | | | | 587 L bit=0 +-----------+ +-----------+ 589 D bit=1 + + + + + 590 | | | | | 591 D bit=0 ------+----------+----------+----------+------------+----- 593 Traffic Flow 594 ===========================================================> 595 L bit ...1111111111 0000000000 11111111111 00000000000 111111111... 597 D bit ...0000010000 0000010000 00000100000 00001000000 000001000... 598 ===========================================================> 600 Figure 2: Double-Marking Methodology using L bit and D bit 602 Likewise to packet delay measurement (both for Single Marking and 603 Double Marking), the method can also be used to measure the inter- 604 arrival jitter. 606 5.3. Flow Monitoring Identification 608 The Flow Monitoring Identification (FlowMonID) identifies the flow to 609 be measured and is required for some general reasons: 611 First, it helps to reduce the per node configuration. Otherwise, 612 each node needs to configure an access-control list (ACL) for each 613 of the monitored flows. Moreover, using a flow identifier allows 614 a flexible granularity for the flow definition, indeed, it can be 615 used together with other identifiers (e.g. 5-tuple). 617 Second, it simplifies the counters handling. Hardware processing 618 of flow tuples (and ACL matching) is challenging and often incurs 619 into performance issues, especially in tunnel interfaces. 621 Third, it eases the data export encapsulation and correlation for 622 the collectors. 624 The FlowMonID MUST only be used as a monitored flow identifier in 625 order to determine a monitored flow within the measurement domain. 626 This entails not only an easy identification but improved correlation 627 as well. 629 The FlowMonID allocation procedure can be stateful or stateless. In 630 case of a stateful approach, it is required that each source node 631 stores and keeps track of the FlowMonID historic information in order 632 to assign unique values within the domain. This may imply a complex 633 procedure and it is considered out of scope for this document. The 634 stateless approach is described hereinafter where FlowMonID values 635 are pseudo randomly generated. 637 The value of 20 bits has been selected for the FlowMonID since it is 638 a good compromise and implies a low rate of ambiguous FlowMonIDs that 639 can be considered acceptable in most of the applications. The 640 disambiguation issue can be solved by tagging the pseudo randomly 641 generated FlowMonID with additional flow information. In particular, 642 it is RECOMMENDED to consider the 3-tuple FlowMonID, source and 643 destination addresses: 645 o If the 20 bit FlowMonID is set independently and pseudo randomly 646 in a distributed way there is a chance of collision. Indeed, by 647 using the well-known birthday problem in probability theory, if 648 the 20 bit FlowMonID is set independently and pseudo randomly 649 without any additional input entropy, there is a 50% chance of 650 collision for 1206 flows. So, for more entropy, FlowMonID is 651 combined with source and destination addresses. Since there is a 652 1% chance of collision for 145 flows, it is possible to monitor 653 145 concurrent flows per host pairs with a 1% chance of collision. 655 o If the 20 bits FlowMonID is set pseudo randomly but in a 656 centralized way, the controller can instruct the nodes properly in 657 order to guarantee the uniqueness of the FlowMonID. With 20 bits, 658 the number of combinations is 1048576, and the controller should 659 ensure that all the FlowMonID values are used without any 660 collision. Therefore, by considering source and destination 661 addresses together with the FlowMonID, it can be possible to 662 monitor 1048576 concurrent flows per host pairs. 664 A consistent approach MUST be used in the Alternate Marking 665 deployment to avoid the mixture of different ways of identifying. 666 All the nodes along the path and involved into the measurement SHOULD 667 use the same mode for identification. As mentioned, it is 668 RECOMMENDED to use the FlowMonID for identification purpose in 669 combination with source and destination addresses to identify a flow. 670 By considering source and destination addresses together with the 671 FlowMonID it can be possible to monitor 145 concurrent flows per host 672 pairs with a 1% chance of collision in case of pseudo randomly 673 generated FlowMonID, or 1048576 concurrent flows per host pairs in 674 case of centralized controller. It is worth mentioning that the 675 solution with the centralized control allows finer granularity and 676 therefore adds even more flexibility to the flow identification. 678 The FlowMonID field is set at the source node, which is the ingress 679 point of the measurement domain, and can be set in two ways: 681 a. It can be algorithmically generated by the source node, that can 682 set it pseudo-randomly with some chance of collision. This 683 approach cannot guarantee the uniqueness of FlowMonID since 684 conflicts and collisions are possible. But, considering the 685 recommendation to use FlowMonID with source and destination 686 addresses the conflict probability is reduced due to the 687 FlowMonID space available for each endpoint pair (i.e. 145 flows 688 with 1% chance of collision). 690 b. It can be assigned by the central controller. Since the 691 controller knows the network topology, it can allocate the value 692 properly to avoid or minimize ambiguity and guarantee the 693 uniqueness. In this regard, the controller can verify that there 694 is no ambiguity between different pseudo-randomly generated 695 FlowMonIDs on the same path. The conflict probability is really 696 small given that the FlowMonID is coupled with source and 697 destination addresses and up to 1048576 flows can be monitored 698 for each endpoint pair. When all values in the FlowMonID space 699 are consumed, the centralized controller can keep track and 700 reassign the values that are not used any more by old flows. 702 If the FlowMonID is set by the source node, the intermediate nodes 703 can read the FlowMonIDs from the packets in flight and act 704 accordingly. While, if the FlowMonID is set by the controller, both 705 possibilities are feasible for the intermediate nodes which can learn 706 by reading the packets or can be instructed by the controller. 708 The FlowMonID setting by the source node may seem faster and more 709 scalable than the FlowMonID setting by the controller. But, it is 710 supposed that the controller does not slow the process since it can 711 enable Alternate Marking method and its parameters (like FlowMonID) 712 together with the flow instantiation, as further described in 713 [I-D.ietf-idr-sr-policy-ifit] and [I-D.chen-pce-pcep-ifit]. 715 5.4. Multipoint and Clustered Alternate Marking 717 The Alternate Marking method can be extended to any kind of 718 multipoint to multipoint paths. [I-D.ietf-ippm-rfc8321bis] only 719 applies to point-to-point unicast flows, while the Multipoint 720 Alternate Marking Clustered method, introduced in 721 [I-D.ietf-ippm-rfc8889bis], is valid for multipoint-to-multipoint 722 unicast flows, anycast and ECMP flows. 724 [I-D.ietf-ippm-rfc8889bis] describes the network clustering approach 725 which allows a flexible and optimized performance measurement. A 726 Cluster is the smallest identifiable subnetwork (composed by more 727 than one node) of the entire Network graph that still satisfies the 728 condition that the number of packets that goes in is the same that 729 goes out. With network clustering, it is possible to use the 730 partition of the network into clusters at different levels in order 731 to perform the needed degree of detail. 733 For Multipoint Alternate Marking, FlowMonID can identify in general a 734 multipoint-to-multipoint flow and not only a point-to-point flow. 736 5.5. Data Collection and Calculation 738 The nodes enabled to perform performance monitoring collect the value 739 of the packet counters and timestamps. There are several 740 alternatives to implement Data Collection and Calculation, but this 741 is not specified in this document. 743 There are documents on the control plane mechanisms of Alternate 744 Marking, e.g. [I-D.ietf-idr-sr-policy-ifit], 745 [I-D.chen-pce-pcep-ifit]. 747 6. Security Considerations 749 This document aims to apply a method to perform measurements that 750 does not directly affect Internet security nor applications that run 751 on the Internet. However, implementation of this method must be 752 mindful of security and privacy concerns. 754 There are two types of security concerns: potential harm caused by 755 the measurements and potential harm to the measurements. 757 Harm caused by the measurement: Alternate Marking implies the 758 insertion of an Option Header to the IPv6 packets by the source node, 759 but this must be performed in a way that does not alter the quality 760 of service experienced by the packets and that preserves stability 761 and performance of routers doing the measurements. As already 762 discussed in Section 4, the design of the AltMark Option has been 763 chosen with throughput in mind, such that it can be implemented 764 without affecting the user experience. 766 Harm to the measurement: Alternate Marking measurements could be 767 harmed by routers altering the fields of the AltMark Option (e.g. 768 marking of the packets, FlowMonID) or by a malicious attacker adding 769 AltMark Option to the packets in order to consume the resources of 770 network devices and entities involved. As described above, the 771 source node is the only one that writes the Option Header while the 772 intermediate nodes and destination node only read it without 773 modifying the Option Header. But, for example, an on-path attacker 774 can modify the flags, whether intentionally or accidentally, or 775 deliberately insert an option to the packet flow or delete the option 776 from the packet flow. The consequent effect could be to give the 777 appearance of loss or delay or invalidate the measurement by 778 modifying option identifiers, such as FlowMonID. The malicious 779 implication can be to cause actions from the network administrator 780 where an intervention is not necessary or to hide real issues in the 781 network. Since the measurement itself may be affected by network 782 nodes intentionally altering the bits of the AltMark Option or 783 injecting Options headers as a means for Denial of Service (DoS), the 784 Alternate Marking MUST be applied in the context of a controlled 785 domain, where the network nodes are locally administered and this 786 type of attack can be avoided. For this reason, the implementation 787 of the method is not done on the end node if it is not fully managed 788 and does not belong to the controlled domain. Packets generated 789 outside the controlled domain may consume router resources by 790 maliciously using the HbH Option, but this can be mitigated by 791 filtering these packets at the controlled domain boundary. This can 792 be done because, if the end node does not belong to the controlled 793 domain, it is not supposed to add the AltMark HbH Option, and it can 794 be easily recognized. 796 An attacker that does not belong to the controlled domain can 797 maliciously send packets with AltMark Option. But if Alternate 798 Marking is not supported in the controlled domain, no problem happens 799 because the AltMark Option is treated as any other unrecognized 800 option and will not be considered by the nodes since they are not 801 configured to deal with it, so the only effect is the increased 802 packet size (by 48 bits). While if Alternate Marking is supported in 803 the controlled domain, it is also necessary to avoid that the 804 measurements are affected and external packets with AltMark Option 805 MUST be filtered. As any other Hop-by-Hop Options or Destination 806 Options, it is possible to filter AltMark Options entering or leaving 807 the domain e.g. by using ACL extensions for filtering. 809 The flow identifier (FlowMonID), together with the two marking bit (L 810 and D), comprises the AltMark Option. As explained in Section 5.3, 811 there is a chance of collision if the FlowMonID is set pseudo 812 randomly but that there is a solution for this issue. In general 813 this may not be a problem and a low rate of ambiguous FlowMonIDs can 814 be acceptable, since this does not cause significant harm to the 815 operators or their clients and this harm may not justify the 816 complications of avoiding it. But, for large scale measurements, a 817 big number of flows could be monitored and the probability of a 818 collision is higher, thus the disambiguation of the FlowMonID field 819 can be considered. 821 The privacy concerns also need to be analyzed even if the method only 822 relies on information contained in the Option Header without any 823 release of user data. Indeed, from a confidentiality perspective, 824 although AltMark Option does not contain user data, the metadata can 825 be used for network reconnaissance to compromise the privacy of users 826 by allowing attackers to collect information about network 827 performance and network paths. AltMark Option contains two kinds of 828 metadata: the marking bits (L and D bits) and the flow identifier 829 (FlowMonID). 831 The marking bits are the small information that is exchanged 832 between the network nodes. Therefore, due to this intrinsic 833 characteristic, network reconnaissance through passive 834 eavesdropping on data-plane traffic is difficult. Indeed, an 835 attacker cannot gain information about network performance from a 836 single monitoring point. The only way for an attacker can be to 837 eavesdrop on multiple monitoring points at the same time, because 838 they have to do the same kind of calculation and aggregation as 839 Alternate Marking requires. 841 The FlowMonID field is used in the AltMark Option as the 842 identifier of the monitored flow. It represents a more sensitive 843 information for network reconnaissance and may allow a flow 844 tracking type of attack because an attacker could collect 845 information about network paths. 847 Furthermore, in a pervasive surveillance attack, the information that 848 can be derived over time is more. But, as further described 849 hereinafter, the application of the Alternate Marking to a controlled 850 domain helps to mitigate all the above aspects of privacy concerns. 852 At the management plane, attacks can be set up by misconfiguring or 853 by maliciously configuring AltMark Option. Thus, AltMark Option 854 configuration MUST be secured in a way that authenticates authorized 855 users and verifies the integrity of configuration procedures. 856 Solutions to ensure the integrity of AltMark Option are outside the 857 scope of this document. Also, attacks on the reporting of the 858 statistics between the monitoring points and the network management 859 system (e.g. centralized controller) can interfere with the proper 860 functioning of the system. Hence, the channels used to report back 861 flow statistics MUST be secured. 863 As stated above, the precondition for the application of the 864 Alternate Marking is that it MUST be applied in specific controlled 865 domains, thus confining the potential attack vectors within the 866 network domain. A limited administrative domain provides the network 867 administrator with the means to select, monitor and control the 868 access to the network, making it a trusted domain. In this regard it 869 is expected to enforce policies at the domain boundaries to filter 870 both external packets with AltMark Option entering the domain and 871 internal packets with AltMark Option leaving the domain. Therefore, 872 the trusted domain is unlikely subject to hijacking of packets since 873 packets with AltMark Option are processed and used only within the 874 controlled domain. 876 As stated, the application to a controlled domain ensures the control 877 over the packets entering and leaving the domain, but despite that, 878 leakages may happen for different reasons, such as a failure or a 879 fault. In this case, nodes outside the domain are expected to ignore 880 packets with AltMark Option since they are not configured to handle 881 it and should not process it. 883 Additionally, it is to be noted that the AltMark Option is carried by 884 the Options Header and it will have some impact on the packet sizes 885 for the monitored flow and on the path MTU, since some packets might 886 exceed the MTU. However, the relative small size (48 bit in total) 887 of these Option Headers and its application to a controlled domain 888 help to mitigate the problem. 890 It is worth mentioning that the security concerns may change based on 891 the specific deployment scenario and related threat analysis, which 892 can lead to specific security solutions that are beyond the scope of 893 this document. As an example, the AltMark Option can be used as Hop- 894 by-Hop or Destination Option and, in case of Destination Option, 895 multiple administrative domains may be traversed by the AltMark 896 Option that is not confined to a single administrative domain. In 897 this case, the user, aware of the kind of risks, may still want to 898 use Alternate Marking for telemetry and test purposes but the 899 controlled domain must be composed by more than one administrative 900 domains. To this end, the inter-domain links need to be secured 901 (e.g., by IPsec, VPNs) in order to avoid external threats and realize 902 the whole controlled domain. 904 It might be theoretically possible to modulate the marking or the 905 other fields of the AltMark Option to serve as a covert channel to be 906 used by an on-path observer. This may affect both the data and 907 management plane, but, here too, the application to a controlled 908 domain helps to reduce the effects. 910 The Alternate Marking application described in this document relies 911 on a time synchronization protocol. Thus, by attacking the time 912 protocol, an attacker can potentially compromise the integrity of the 913 measurement. A detailed discussion about the threats against time 914 protocols and how to mitigate them is presented in [RFC7384]. 915 Network Time Security (NTS), described in [RFC8915], is a mechanism 916 that can be employed. Also, the time, which is distributed to the 917 network nodes through the time protocol, is centrally taken from an 918 external accurate time source, such as an atomic clock or a GPS 919 clock. By attacking the time source it can be possible to compromise 920 the integrity of the measurement as well. There are security 921 measures that can be taken to mitigate the GPS spoofing attacks and a 922 network administrator should certainly employ solutions to secure the 923 network domain. 925 7. IANA Considerations 927 The Option Type should be assigned in IANA's "Destination Options and 928 Hop-by-Hop Options" registry. 930 This draft requests the following IPv6 Option Type assignment from 931 the Destination Options and Hop-by-Hop Options sub-registry of 932 Internet Protocol Version 6 (IPv6) Parameters 933 (https://www.iana.org/assignments/ipv6-parameters/). 935 Hex Value Binary Value Description Reference 936 act chg rest 937 ---------------------------------------------------------------- 938 TBD 00 0 tbd AltMark [This draft] 940 8. Acknowledgements 942 The authors would like to thank Bob Hinden, Ole Troan, Martin Duke, 943 Lars Eggert, Roman Danyliw, Alvaro Retana, Eric Vyncke, Warren 944 Kumari, Benjamin Kaduk, Stewart Bryant, Christopher Wood, Yoshifumi 945 Nishida, Tom Herbert, Stefano Previdi, Brian Carpenter, Greg Mirsky, 946 Ron Bonica for the precious comments and suggestions. 948 9. References 950 9.1. Normative References 952 [I-D.ietf-ippm-rfc8321bis] 953 Fioccola, G., Cociglio, M., Mirsky, G., Mizrahi, T., and 954 T. Zhou, "Alternate-Marking Method", draft-ietf-ippm- 955 rfc8321bis-02 (work in progress), June 2022. 957 [I-D.ietf-ippm-rfc8889bis] 958 Fioccola, G., Cociglio, M., Sapio, A., Sisto, R., and T. 959 Zhou, "Multipoint Alternate-Marking Clustered Method", 960 draft-ietf-ippm-rfc8889bis-02 (work in progress), June 961 2022. 963 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 964 Requirement Levels", BCP 14, RFC 2119, 965 DOI 10.17487/RFC2119, March 1997, 966 . 968 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 969 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 970 May 2017, . 972 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 973 (IPv6) Specification", STD 86, RFC 8200, 974 DOI 10.17487/RFC8200, July 2017, 975 . 977 9.2. Informative References 979 [I-D.chen-pce-pcep-ifit] 980 Yuan, H., Zhou, T., Li, W., Fioccola, G., and Y. Wang, 981 "Path Computation Element Communication Protocol (PCEP) 982 Extensions to Enable IFIT", draft-chen-pce-pcep-ifit-06 983 (work in progress), February 2022. 985 [I-D.fz-spring-srv6-alt-mark] 986 Fioccola, G., Zhou, T., and M. Cociglio, "Segment Routing 987 Header encapsulation for Alternate Marking Method", draft- 988 fz-spring-srv6-alt-mark-02 (work in progress), February 989 2022. 991 [I-D.ietf-6man-hbh-processing] 992 Hinden, R. and G. Fairhurst, "IPv6 Hop-by-Hop Options 993 Processing Procedures", draft-ietf-6man-hbh-processing-00 994 (work in progress), January 2022. 996 [I-D.ietf-idr-sr-policy-ifit] 997 Qin, F., Yuan, H., Zhou, T., Fioccola, G., and Y. Wang, 998 "BGP SR Policy Extensions to Enable IFIT", draft-ietf-idr- 999 sr-policy-ifit-03 (work in progress), January 2022. 1001 [I-D.ietf-spring-srv6-srh-compression] 1002 Cheng, W., Filsfils, C., Li, Z., Decraene, B., Cai, D., 1003 Voyer, D., Clad, F., Zadok, S., Guichard, J. N., Aihua, 1004 L., Raszuk, R., and C. Li, "Compressed SRv6 Segment List 1005 Encoding in SRH", draft-ietf-spring-srv6-srh- 1006 compression-01 (work in progress), March 2022. 1008 [I-D.ietf-v6ops-hbh] 1009 Peng, S., Li, Z., Xie, C., Qin, Z., and G. Mishra, 1010 "Operational Issues with Processing of the Hop-by-Hop 1011 Options Header", draft-ietf-v6ops-hbh-01 (work in 1012 progress), April 2022. 1014 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1015 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 1016 December 2005, . 1018 [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme, 1019 "IPv6 Flow Label Specification", RFC 6437, 1020 DOI 10.17487/RFC6437, November 2011, 1021 . 1023 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 1024 for Equal Cost Multipath Routing and Link Aggregation in 1025 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, 1026 . 1028 [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing 1029 of IPv6 Extension Headers", RFC 7045, 1030 DOI 10.17487/RFC7045, December 2013, 1031 . 1033 [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in 1034 Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, 1035 October 2014, . 1037 [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., 1038 Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header 1039 (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, 1040 . 1042 [RFC8799] Carpenter, B. and B. Liu, "Limited Domains and Internet 1043 Protocols", RFC 8799, DOI 10.17487/RFC8799, July 2020, 1044 . 1046 [RFC8915] Franke, D., Sibold, D., Teichel, K., Dansarie, M., and R. 1047 Sundblad, "Network Time Security for the Network Time 1048 Protocol", RFC 8915, DOI 10.17487/RFC8915, September 2020, 1049 . 1051 Authors' Addresses 1053 Giuseppe Fioccola 1054 Huawei 1055 Riesstrasse, 25 1056 Munich 80992 1057 Germany 1059 Email: giuseppe.fioccola@huawei.com 1061 Tianran Zhou 1062 Huawei 1063 156 Beiqing Rd. 1064 Beijing 100095 1065 China 1067 Email: zhoutianran@huawei.com 1069 Mauro Cociglio 1070 Telecom Italia 1071 Via Reiss Romoli, 274 1072 Torino 10148 1073 Italy 1075 Email: mauro.cociglio@telecomitalia.it 1077 Fengwei Qin 1078 China Mobile 1079 32 Xuanwumenxi Ave. 1080 Beijing 100032 1081 China 1083 Email: qinfengwei@chinamobile.com 1084 Ran Pang 1085 China Unicom 1086 9 Shouti South Rd. 1087 Beijing 100089 1088 China 1090 Email: pangran@chinaunicom.cn