Minutes IETF111: ippm
minutes-111-ippm-00

Meeting Minutes IP Performance Measurement (ippm) WG
Date and time 2021-07-28 19:00
Title Minutes IETF111: ippm
State Active
Last updated 2021-08-02

IPPM IETF 111
When Wednesday 28 July 2021, 12:00-14:00 UTC

Where: Meetecho

Chairs: Tommy Pauly & Ian Swett

Documents

IOAM Drafts

Frank:
- In-Situ OAM Deployment
- In IESG review.
- Document started in OPSAWG
- IPPM is the natural place to progress the work

Tommy:
- Any opinions?

Martin:
- Fine with coming into IPPM

Tommy:
- The WG will kick off the adoption call

TAL:
- In-situ OAM Flags
- In-situ OAM Direct Exporting
- Various attacks described by Martin
- Revised drafts
- One iteration on DEX drafts
- Main changes: IOAM encapsulation nodes in order to mitigate these attacks
- Avoid nesting of direct exporting
- Exporting applied to trusted nodes.

Please follow the slides for checking the main changes

TAL:
- Main changes are related to security
- Otherwise the draft is stable
- This was for the flag draft

  • Moving onto In-situ OAM Direct Exporting
  • Advice from WG chairs?
  • Issue 1: Whether to have an explicit hop count in DEX option?
  • Issue 2: Different DEX option field length?

Please follow the slide 9 for this

TAL:
- Resolve the above two issues and apply them to the draft.

Martin:
- The draft is going in the correct direction. As a nit: the situations were cases that could happen, and might be exploited, rather than security problems. To

TAL:
- Any comments?

Frank:
- Integrity of In-situ OAM Data Fields
- Proposing new IOAM options which are integrity protected
- Overhead consideration due to integrity protection.

Please follow slide number 12

Frank:
- (Shows a table)
- Next slide
- Multiple ways to go on HASH and sign.
- The method we have adopted is to have a suite of Hash and sign for flexibility.
- Requires Nonce and Signature.
- Next slide
- The Integrity sub-header will follow the IOAM Option header when the IOAM Option Type is Integrity Protected Option.
- Next Slide
- People think there should be integrity for IOAM data.
- We'll have an extension option much like DEX.
- Hope for a WG Adoption call in future.
- Any comments?

Tommy:
- At some time, we might want to do a secdir review?
- How much implementation is done so far?

Frank:
- From our perspective, it's difficult.
- There is no current implementation.

Justin:
- IOAM in the Linux from 2-3 years.
- Next release will be in 5-6 weeks

Tommy:
- Timeline on the implementation?

Justin:
- Going step-by-step as it's a huge part.

Frank:
- (To Tommy) Opinion on adoption?

Tommy:
- We kick-off deployment and integrity drafts from next week.

Frank:
- We might want to move from Informational status to Standards Track.

STAMP YANG Draft

Greg Mirsky
- Session identifier is unique to STAMP session sender
- Symmetric packet of fixed size - RFC 8762
- Ability to generate variable length - RFC 8972
- next slide
- Snapshot of the YANG data model
- This explains what the session ID is.
- The STAMP session identifier is unique locally

Check the slide 3 for more information

  • Specification defines fixed size packets
  • Should the STAMP YANG model include the extra padding TLV?
  • Other STAMP extensions defined in RFC 8972?
  • Open questions to all.
  • Should we include the other extensions in the base YANG model or have them as separate modules?
  • Default no padding and option to define extra padding TLV.
  • The question to the WG: How should the TLVs be reflected in the STAMP YANG model?

Rakesh:
- YANG model should have optional extensions, similar to RFC 8972.

Greg:
- That makes sense.

Richard:
- Agrees with Rakesh and Greg.
- RFC 8762 allowed padding outside the TLV

Greg:
- RFC 8762 does not define how you do padding.
- RFC 8972 - Not only extra padding but combine with other TLV.
- Let's discuss this on the mailing list.
- Next steps are to continue working and WGLC by IETF 112.

STAMP SRPM Draft

Rakesh:
- Updates in revision 00 and 01.
- next slide
- Revision 00 is newly adopted by IPPM WG
- Updated the security sections
- Introduced the new error flag D

Check the slide number 3 for the revision 00 updates

  • Update to the security section
  • Add stamp TLV flag
  • Minor editorial changes

Check the slide number 4 for revision 01 updates

  • next slide
  • Informational or Standards Track discussion in the WG on STAMP?
  • next slide
  • Any questions?

IOAM CONF STATE

Xiao:
- Presented 08 in IETF 110
- Now draft-10
- Summary of updates from 08 - 10
- BIER added into the scope of this draft
- Define Ping and traceroute for BIER
- Will add SR as suggested during adoption poll
- Separate Pre-allocated Tracing and Incremental

Check slide 2 for the details

  • Two more discussion points (based on adoption poll)

Check slide 3 for the details

  • Submit new drafts on specific extensions and considerations to Pings
  • next slide
  • Next step is to improve it, with more review and comments.

Frank:
- How will this combine with the IOAM YANG?

Xiao:
- If the controller has no information about all the IOAM devices (on the path)

Frank:
- It would be nice to have a data model to synchronize with the IOAM YANG

Xiao:
- We'll consider it.

Cheng:
- Did you address the security issues?

Xiao:
- We have to update the draft on the comments from you and others
- We have already addressed it.

Explicit Flow measurements

Mauro:
- New techniques to employ few marking bits, inside the header of each packet, for loss and delay measurement
- Some implementations are present.

Check the slide 3 for the IETF Hackathon and implementations

  • There are two draft updates.
  • Q-bit and R-bit improved burst loss resiliency.
  • New option in the D-bit implementation.
  • next slide
  • (Slide on Delay bit)

Check the slide 5 for "D-bit" or Delay bit working

  • next slide in "The Hidden Delay bit (Hidden RTT) variation (D^-bit)".

Check the slide 6 for it

  • next slide
  • (It's a slide on AD: Additional Delay for Hidden D-bit version)

Check the slide 7

  • 2 direction Observer: right RTT
  • 2-point measurement: intra-domain RTT

Check the slide 8 for images and details

  • next slide on "Delay Bits" Summary.
  • next slide on "Loss Bits" Summary.

  • Next steps: gaining interest for encrypted transport protocols

  • WG adoption requested
  • Welcome questions and comments

Martin:
- Some recommended choice will be helpful

Mauro:
- Spin bit - Depends on the privacy problems.

Hybrid Two step

Greg:
- update for max length field, flow identification (for environments like SSH and IOAM)
- Added mode for upstreaming (discussion with Pascal)
- next slide
- HTS max length as unsigned 32 bits.
- Thoughts and comments?
- next slide
- Upstreaming HTS image (Slide 4)
- Studies on IOAM in constrained environments
- Packets go from Ingress node to Egress node
- Make the ingress node experience how the packets were treated by the network.
- Ingress node can consume the data locally and use it for analytics later
- Probably discuss on the mailing list
- Discussion with Frank, what characteristic information can be used by HTS
- Different environments defined in separate documents

Check the slide 5

  • next slide
  • Next steps for comments, suggestions and questions
  • Ask for WG adoption.

Capacity Metric Protocol

Al:
- What security features are needed?
- How should it operate in different modes?
- next slide
- Ephemeral port used in the future

Please check the slide 3.

  • New security modes.
  • There are 6 modes.

Check the slide 3 for the modes

  • Feedback on these modes?
  • What's the bullet-proof possible security for IESG review?
  • Any comments?
  • From the chat:
    • Martin Duke: there is no silver bullet to pass security but early SECDIR review is your best bet
    • Al Morton: Would we need to adopt the draft to get an early SECDIR review?
    • Martin Duke: I don't know if that's a rule, but it is less likely to waste the reviewer's time. I suspect the security specifics are not going to affect our adoption call, so why not adopt and then request?
    • Al Morton: Right, we all just want a solution that passes muster. I hope we can generate enough discussion to warrant adoption!!! FYI- the feedback messages would be a fork-lift upgrade for any of our existing protocols... and there's history about the OWAMP and TWAMP security...
  • Slide 3 : Motivation
  • next slide
  • No changes to STAMP base test packet
  • next slide
  • Example: STAMP Micro Session

Rakesh:
- Instead of micro session, why not create a STAMP session?

Greg:
- It simplifies configuration and is similar to BFD.

Enhanced Alternate Marking Method

Giuseppe:
- Specifies HBH or DH option for IPv6, developed in 6man (now in WGLC).
- Comments or questions to the list.

EPDMv2

Nalini:
- PDM can be used for DoS attack and timing attacks
- PDMv2 consists of registration phase and data transfer.
- Registration: Shared secret is exchanged
- Occasional KDF
- next slide
- PDMv2 Scenario and Secured paths: It's a solution for enterprises
- Enterprises
- HPKE in PDMv2: Registration phase, online phase, KDF, Pseudo-random repeating sequence, AEAD
- Questions??