Simple Two-Way Active Measurement Protocol Optional Extensions
draft-ietf-ippm-stamp-option-tlv-10

[Ballot discuss]
Thanks for all the updates; we've made good progress.

I think we're still not converged on the DSCP handling, though.  I have
a bit more exposition in the COMMENT section, but in short, my
understanding is that we're setting up a session-reflector to incur
unbounded levels of risk with hard protocol requirements.  I think we
need to provide a way to bound that risk, for example by allowing the
Session-Reflector to selectively choose to treat the CoS TLV as
unimplemented (set the U flag in its reflected packet) or some other
mechanism for local policy to filter what DSCP codepoints are set in
reflected packets (ideally, indicating that the policy made a change).

Also, there's a bit of fallout from the flags reworking that's left to
cleanup in Section 4: we now have the Session-Sender set the U flag to
1, so this text no longer makes sense:

% A STAMP system, i.e., either a Session-Sender or a Session-Reflector,
% that has received a STAMP test packet with extension TLVs MUST
% validate each TLV:
%
%    If the U flag is set, the STAMP system MUST skip the processing of
%    the TLV.

I think it should just apply to the Session-Sender for this case -- the
Session-Reflector doesn't need to check the received U flag, since the
Session-Sender will not be generating TLVs it does not understand.
(Whether or not to keep the behavior for the M and I flags as applying
to both Session-Sender and Session-Reflector vs. just Session-Sender
does not immediately seem to be of much consequence.

[Ballot comment]
My most significant remaining comments are on the Security
Considerations (Section 6):

The security of the HMAC mechanism is not complete, since it is
susceptible to replay attack.  As such, when HMAC is in use, it is
important to check that the received sequence numbers are (at least
mostly) monotonic and to detect replays.  While replayed packets do not
always indicate an attack (depending on the network technology) they are
still a noteworthy condition, and we should say something about whether
we expect to produce a response to each received instance or to suppress
replies to replayed input.

  Monitoring and optional control of DSCP do not appear to introduce
  any additional security threat to hosts that communicate with STAMP
  as defined in [RFC8762].  As this specification defined the mechanism
  to test DSCP mapping, this document inherits all the security

I'm afraid I still don't understand the reasoning here.  In my
understanding, the risk stems from the semantics of the DCSP field being
(for at least some codepoints) site-local, there not being a guarantee
that the session-sender and session-reflector are on the same network
(and thus, using the same DSCP semantics), and the hard requirement for
the Session-Reflector to set the DCSP value indicated by the
Session-Sender.  A mechanism for a remote entity to induce generation of
local packets with unspecified semantics is a risk that cannot be
qualified at protocol-design time, since the possible outcomes are
inherently unspecified.  This is analogous to the situation with
undefined behavior in programming languages like C -- the programmer is
flat-out required to avoid it, because literally anything could go wrong
if undefined behavior is triggered.

This is especially risky when there is the possibility for the
Session-Reflector to act on packets that do not have any form of
authentication (i.e., could be spoofed from off-path).  But we do not
mention this risk at all, let alone give guidance on its mitigation.
(Discussion of the security considerations of unauthenticated operation
would ideally be generalized to all actions/TLVs that have side effects,
not just the specific case of setting the DSCP codepoint.)

Section 4.2

I'd suggest saying that all fields that are not filled are transmitted
with all bits set to zero.

Section 4.2.1

  o  Source MAC Address sub-TLV - is a 12-octet-long sub-TLV.  The Type
      value is TBA9.  The value of the Length field MUST equal to 8.
      The Value field is a 12-octet-long MBZ field that MUST be zeroed
      on transmission and ignored on receipt.

Value should be 8-octets-long, no?

Section 4.2.2

  A Session-Sender MAY include the Source MAC Address sub-TLV is the
  Location TLV.  If the Session-Reflector receives the Location TLV

nit: s/is/in/

Section 4.3

  MUST NOT fill any information fields except for STAMP TLV Flags,
  Type, and Length.  All other fields MUST be filled with zeroes The

nit: missing full stop.

[Ballot comment]
Thank you for responding to the SECDIR review (and thank you to Charlie Kaufman for doing it).

Thanks for addressing my DISCUSS and COMMENT points.  As noted in the thread, I'd also recommend the following:

** Section 4.2.  Section 4.5 of RFC8762 already has helpful guidance word on confidentiality (and it cite it in the Security Considerations generically).  I woul suggest you reiterate that guidance in particular for this TLV because of the information it carries.

[Ballot comment]
[ general ]

* I sill find the access ID being a boolean for 3GPP or not being a bit
  odd, but not super important I guess.

[ section 4 ]

*  "All multibyte fields in the defined in this specification TLVs are in
  network byte order."

  -->

  "... fields defined in this spec..."?

[Ballot comment]
Thanks for addressing my DISCUSS point.  I've left my original (non-blocking) comments here for the record.

--

I'll open with my usual complaint about having more than five authors, which is the recommended maximum.

Abstract:

* "... in addition to ones supported by the STAMP base specification." -- I think you could remove this clause; it's enough to say you're defining extension(s).

Section 3:

* "An implementation of the STAMP Session-Reflector that supports this specification SHOULD identify a STAMP Session using the SSID in combination with elements of the usual 4-tuple for the session." -- Why is this only a SHOULD?  When might one legitimately deviate from this requirement?

Section 4.3:

* "The Session-Sender SHOULD NOT fill any information fields except for STAMP TLV Flags, Type, and Length." -- When might I deviate from that advice, as SHOULD NOT allows?

Section 4.5:

* "The definition of "in-profile packet" is outside the scope of this document and is left to the test operators to determine." -- This isn't my domain, to be sure, but I'm curious about what "in-profile" might mean.  Would it be possible to include an example?

Section 4.6:

* Same question for "access network".

Section 4.8:

* "... excluding when ..." -- suggest instead "excluding the case where"

[Ballot comment]
I support Ben's discuss regarding check the length of the STAMP packet to determine whether it is a base or extended STAMP packet.

Comments:
Thank you for this document.  By and large I found this document fairly easy to read and understand, but have comments on a few areas:

I found the document slightly confusing in that the extended stamp packets are defined under the "STAMP Test Session Identifier" section.  I would have found the document to be more coherent if the new extended packet structure was pulled into its own section, perhaps with "STAMP Test Session Identifier" as a sub-section.

Perhaps it might be helpful to explain why the MBZ sections are where they are - I presume to still conform with the structure of the base STAMP packet formats for session-reflectors that do not understand the new format.

In section 4:  TLV Extensions to STAMP

  A system that has received a STAMP test packet with extension TLVs
  MUST validate each TLV:

      If the U flag is set, the STAMP system MUST skip the processing of
      the TLV.  The implementation MUST try to process the next TLV if
      present in the extended STAMP packet.

      If the L flag is set, the STAMP system MUST stop processing the
      remainder of the extended STAMP packet.

      If the A flag is set, the STAMP system MUST discard all TLVs and
      MUST stop processing the remainder of the extended STAMP packet.

I was initially surprised that different behavior was specified for the handling for the U, L and A flags given that the sender sets these to zero.  I presume that the aim here is just to have commonality between the Session Sender and Session Reflectors?  It might help clarify whether this section applies to both sender and reflector.

In section 4.4:

  o  DSCP2 - The received value in the DSCP field at the Session-
      Reflector in the forward direction.

  o  ECN - The received value in the ECN field at the Session-Reflector
      in the forward direction.
     
These are the only two cases of forward direction.  Would it be better to describe this as "ingress of the Session-Reflector", e.g. similar to the description in the previous section?

4.5.  Direct Measurement TLV

  o  Session-Reflector Rx counter (R_RxC) is a four-octet-long field.
      MUST be zeroed by the Session-Sender on transmit and ignored by
      the Session-Reflector on receipt.  The Session-Reflector MUST fill
      it with the value of in-profile packets received.
     
"in-profile packets received" is unclear to me.

  o  Session-Reflector Tx counter (R_TxC) is a four-octet-long field.
      MUST be zeroed by the Session-Sender and ignored by the Session-
      Reflector on receipt.  The Session-Reflector MUST fill it with the
      value of the transmitted in-profile packets.
     
Presumably the Session-Reflector needs to be configured via an out of band mechanism to specify how many in-profile packets are transmitted, and what those packets are.  Further text in the beginning of section 4.5 may be helpful here.

4.6.  Access Report TLV

This section seems to describe more than just a TLV given that it seems to put additional constraints on the implementation (e.g. use of a retransmission timer).  Possibly the document would have been more clear to split the definition of the access report handling separately (e.g. as a separate section earlier in the document) from the Access Report TLV definition.

Regards,
Rob

[Ballot discuss]
I support Roman's discusses and am happy to see the ongoing discussion
thereof.

(1) I think there's a conflict between this document and RFC 8762 with
respect to the behavior of pure RFC 8762 implementations that receive
packets longer than the base packet for the given operational mode.

RFC 8762 says (Section 4.3):

% The Session-Reflector receives the STAMP-Test packet and verifies it. If
% the base STAMP-Test packet is validated, the Session-Reflector that
% supports this specification prepares and transmits the reflected test
% packet symmetric to the packet received from the Session-Sender copying
% the content beyond the size of the base STAMP packet (see Section 4.2).

But Section 4 of this document says:

                                                  A Session-Reflector
  that does not support STAMP extensions is not expected to compare the
  value in the Length field of the UDP header and the length of the
  STAMP base packet.  Hence the Session-Reflector will transmit the
  base STAMP packet.  [...]

Does "will transmit the base STAMP packet" mean something other than
"with the exact length of the base packet [for the given operational
mode]"?

(2) As I remarked on (then-) draft-ietf-ippm-stamp, I think we need to
require some level of cryptographic protection whenever control
information is included in a Session-Sender's test packet.  That is,
that a Session-Reflector MUST NOT act on control information received in
unauthenticated packets, and specifically, that the HMAC TLV must be
used, since the base authenticated STAMP packet's HMAC does not cover
the options.

(3) The secdir reviewer's question about dealing with 6-to-4 gateways
seems to have not gotten a response.  Specifically, the requirement that
"[t]he Session-Reflector MUST validate the Length value against the
address family of the transport encapsulating the STAMP test packet"
seems to require the protocol to fail when sender and reflector use
different address families, or perhaps to require the sender to use
trial and error to determine which address family is used by the
reflector.  Some clarification on the intended operation in such
scenarios seems appropriate.

(4) The ability for a Session-Sender to (MUST-level!) control the DSCP
codepoint used by packets generated by a Session-Reflector feels like it
opens up significant risk in site-local (security-relevant) policy.  That
is, the interpretation of the DSCP codepoints is to large extent
site-specific, and allowing a nominally external system to set any/all
possible values, without a chance for site policy to be applied and
block the use of potentially disruptive DSCP values.  So I think we need
to modify the "MUST set", perhaps requiring that either the requested
DSCP value is used or the entire TLV/packet/whatever is rejected.

(5) If we're not going to remedy the severability of authenticated
options from authenticated base packets (which would be my preferred
resolution), we need to document that weakness in the security
considerations.

[Ballot comment]
(side note) It seems slightly gratuitous to group the "base" (with
SSID) packet formats by authenticated/unauthenticated and then by
sender/reflector, when RFC 8762 groups by sender/reflector and then by
authenticated/unauthenticated.  But probably not worth churning the
document at this point to address it...

I support Erik Kline's discuss point about the L-bit error-case guidance
(and note that Section 4.7 also seems to be saying to zero specific
fields vs. the earlier guidance to echo the entire rest of the packet).

Section 1

  Simple Two-way Active Measurement Protocol (STAMP) [RFC8762] supports
  the use of optional extensions that use Type-Length-Value (TLV)
  encoding.  Such extensions enhance the STAMP base functions, such as

How about a "this document specifies" in there somewhere?  TLVs are not
mentioned in RFC 8762...

Section 3

  An implementation of the STAMP Session-Reflector that supports this
  specification SHOULD identify a STAMP Session using the SSID in
  combination with elements of the usual 4-tuple for the session.

It's slightly surprising that this is only a SHOULD.

  A STAMP Session-Reflector that does not support this specification
  will return the zeroed SSID field in the reflected STAMP test packet.
  The Session-Sender MAY stop the session if it receives a zeroed SSID
  field.  An implementation of a Session-Sender MUST support control of
  its behavior in such a scenario.  [...]

This feels like it's somewhat misaligned, in that the MAY would indicate
that the choice is at the implementation's discretion, but the MUST
indicates that it's at the operator's discretion.


Should the TLVs field be included in Figures 3 and 4 (as it is in
Figures 1 and 2)?

Section 4

  optional field in the STAMP test packet.  Multiple TLVs MAY be placed
  in a STAMP test packet.  A TLV MAY be enclosed in a TLV.  TLVs have a

Would it be appropriate to instead say something like "Additional TLVs
may be enclosed within a given TLV, subject to the semantics of the
(outer) TLV in question"?

  The format of the STAMP TLV Flags displayed in Figure 6 and the
  location of flags is according to Section 5.2.

(side note): it's often nice to give a short "mnemonic" expansion for
the bit names, to help people remember what they do.  E.g., 'U' could be
"unimplemented" (or "unrecognized"), 'A' could be "authentic", etc.
(assuming that the boolean sense of the interpretation makes sense, of
course).  ('L' confuses me a bit, as "length-error" is not quite a
generic enough description to cover all flavors of malformed contents.)

  o  U - a one-bit flag.  A Session-Sender MUST set the U flag to 0
      before transmitting an extended STAMP test packet.  A Session-
      Reflector MUST set the U flag to 1 if the Session-Reflector has
      not understood the TLV.

This seems kind of problematic, in that the Session-Sender can only rely
on this ("set to 1") behavior if it already knows as a precondition that
the Session-Reflector supports this document.  (IIUC, a pure RFC 8762
Session-Reflector would just blindly copy any part of the packet after
the base format into the reflected packet, i.e., leave the bit set at
zero.)  Wouldn't it be more robust if the semantics were to set the bit
to 1 if it actively was understood?  (Yes, this would require a more
complicated specification for recipient behavior when the U flag is set,
since it would differ between Sender and Reflector, but that seems
easier to control for than lack of robustness in the face of mixed
deployment.)

Section 4.1

  o  Extra Padding - a pseudo-random sequence of bits.  The field MAY
      be filled with all zeros.

"All zeros" is not a "pseudo-random sequence of bits".  I suggest
"typically, a pseudo-random sequence of bits" instead.

Section 4.2

  STAMP Session-Senders MAY include the Location TLV to request
  information from the Session-Reflector.  The Session-Sender SHOULD
  NOT fill any information fields except for STAMP TLV Flags, Type, and
  Length.  [...]

Just to check: "NOT fill any information" means "set all bits to zero",
right?

Also, to check: this "to request information" implies that this is
"optional control information" that, per my Discuss point, "MUST NOT be
acted on unless authenticated"?  So, we would want to (in addition to my
previous point) say that the fields would be set to all zeros in the
reflected packet if the initial packet was unauthenticated.

  packet.  If the Length field's value is invalid, the Session-
  Reflector MUST zero all fields and MUST NOT return any information to
  the Session-Sender.  The Session-Reflector MUST ignore all other
  fields of the received Location TLV.

nit(?): Grammatically, framing these requirements as standalone
sentences seems to imply that they are independent requirements that
apply separately.  That, in turn, would say that the Session-Reflector
MUST ignore everything but the Length, always, which is of course absurd
... but it might be worth clarifying that this requirement is also
conditional on an invalid Length field.

  o  Source MAC - 6-octet-long field.  The Session-Reflector MUST copy
      the Source MAC of the received STAMP packet into this field.

(nit) In my mind, a bare "MAC" here evaluates to Message Authentication
Code, i.e., the authorization HMAC, which is of course 16 octets, not 6.
So I suggest including the word "Address" to disambiguate.

  o  Destination IP Address - IPv4 or IPv6 destination address of the
      packet received by the STAMP Session-Reflector.
  [...]

(side note): I note that at least in 2008, there were deployed NATs that
rewrote binary payloads containing the NAT's public IP address,
necessitating the creation of the XOR-MAPPED-ADDRESS attribute to
successfully convey the un-NAT-mangled address to the peer
(https://tools.ietf.org/html/rfc5389#section-15.2).  Depending on how
reliable the address information (source or destination) needs to be for
STAMP, this may be a relevant consideration.

  ports will indicate if there is a NAT router on the path.  It allows
  the Session-Sender to identify the IP address of the Session-
  Reflector behind the NAT, and detect changes in the NAT mapping that
  could cause sending the STAMP packets to the wrong Session-Reflector.

How does this allow the Session-Sender to detect changes in the NAT
mapping that would cause this?  Wouldn't a change in the NAT mapping
that sends packets to the wrong Session-Reflector result in a failure to
look up the session on the Reflector and a lack of any reflected packets
coming back to the Session-Sender?

Section 4.3

Is just the granularity of "NTP" or "PTP" as time synchronization
information sufficient to be useful?  Is the assumption that one would
then go and query, via a different mechanism, (e.g.) what stratum of NTP
source is used, etc.?

  The STAMP Session-Sender MAY include the Timestamp Information TLV to
  request information from the Session-Reflector.  The Session-Sender

[ditto re "optional control information" and authentication]

  SHOULD NOT fill any information fields except for STAMP TLV Flags,
  Type, and Length.  The Session-Reflector MUST validate the Length

[ditto re "NOT fill in"]

  value of the TLV.  If the value of the Length field is invalid, the

I know that we expect the Session-Reflector to have relatively little
logic, but the Session-Sender should probably still behave defensively
and also do this kind of validation (not just here; throughout the
document) in case it receives attacker-supplied input.

Section 4.4

Could we get some more guidance on how the Session-Sender should set all
these fields, specifically the DSCP2 that is "the received value in the
DSCP field at the Session-Reflector in the forward direction", that in
general the sender cannot know at the time it constructs the packet?

  drops for lower service packets are at a normal level.  Using a CoS
  TLV in STAMP testing helps to troubleshoot the existing problem and
  also verify whether DiffServ policies are processing CoS as required
  by the configuration.

It's not immediately obvious to me how we get from "using a CoS TLV in
STAMP" to "verify whether DiffServ policies are processing CoS as
required by the configuration", though I'm willing to believe it's the
case.

Section 4.5

While I can perhaps accept that the specifics of "in-profile" are going
to be site-specific, I would greatly appreciate some greater clarity on
what type of thing it's supposed to be doing and at what scope (in time
and, e.g., STAMP session) it is going to be defined/configured.

  test packet.  The Session-Sender MUST zero the R_RxC and R_TxC fields
  before the transmission of the STAMP test packet.  If the received

(This is redundant with the per-field definitions.)

Section 4.6

  o  ID (Access ID) - four-bit-long field that identifies the access
      network, e.g., 3GPP (Radio Access Technologies specified by 3GPP)
      or Non-3GPP (accesses that are not specified by 3GPP) [TS23501].

Does the [TS23501] reference really apply to the "Non-3GPP" case
(whether or not in addition to the 3GPP case)?

      The value is one of those listed below:

      *  1 - 3GPP Network

      *  2 - Non-3GPP Network

      All other values are invalid and the TLV that contains it MUST be
      discarded.

So there's no interest in future expansion here or need for a registry?

  three seconds.  An implementation MUST provide control of the
  retransmission timer value and the number of retransmissions.

Is the retransmission timer defined to have a fixed value (i.e., no
back-off)?

Is the retransmission a blind retransmission, i.e., using the original
Return Code even if local conditions have changed?

Section 4.7

  in the reflected packet.  If the Session-Reflector is in stateless
  mode (defined in Section 4.2 [RFC8762]), it MUST zero the Sequence

Looks like this definition is just in the toplevel Section 4 of RFC 8762.

  o  Follow-up Timestamp - eight-octet-long field, with the format
      indicated by the Z flag of the Error Estimate field of the packet
      transmitted by a Session-Reflector, as described in Section 4.1
      [RFC8762].  It carries the timestamp when the reflected packet
      with the specified sequence number was sent.

We should probably be extremely clear on whether this is the Z flag of
the current/containing packet or the one indicated by the Sequence
Number field.

Section 4.8

(I'm happy to see the discussion with Roman about the key-management and
algorithm-agility questions, noting that we have BCPs 107 and 201 to
give guidance for those cases, respectively.)

  The STAMP authenticated mode protects the integrity of data collected
  in the STAMP base packet.  STAMP extensions are designed to provide
  valuable information about the condition of a network, and protecting
  the integrity of that data is also essential.  The keyed Hashed
  Message Authentication Code (HMAC) TLV MUST be included in a STAMP
  test packet in the authenticated mode, excluding when the only TLV
  present is Extra Padding TLV.  The HMAC TLV MUST follow all TLVs

(editorial?) I think I can convince myself to read this with two different
causalities -- either the HMAC TLV is only allowed to appear in
authenticated-mode packets (but can also appear in unauthenticated-mode
packets where the only other TLV is the Extra Padding TLV); or in the
case when you are sending [this-document] packets in authenticated mode,
you MUST also have an HMAC TLV, unless you're sending unauthenticated
extended packets where the only TLV present is the Extra Padding TLV.
The first interpretation doesn't really make much sense, and the second
one is pretty consistent with the follow-up note about "HMAC TLV MAY be
used [...] in unauthenticated mode".  But I would still suggest
rewording for clarity, perhpas "all authenticated STAMP packets
compatible with this specification MUST additionally authenticate the
option TLVs by including the HMAC TLV, with the sole exception of when
there is only one TLV present and it is the Extended Padding TLV".

  fully applicable to the use of the HMAC TLV.  HMAC is calculated as
  defined in [RFC2104] over text as the concatenation of all preceding
  TLVs.  [...]

As the secdir reviewer noted, this makes the options severable from the
base packet (and separately replayable, the "mix and match" nature).
From a cryptographic point of view it's much preferred to include at
least some of the base packet (ideally all, though that of course makes
precise egress timestamping hard) as HMAC input, to bind the two
together.  Even including just the sequence number(s) would be a big
win.

  packet.  The Session-Reflector MUST copy the remainder of the
  extended STAMP test packet into the reflected packet.  The Session-
  Reflector MUST set the A flag in the copy of the HMAC TLV in the
  reflected packet to 1 before transmitting the reflected test packet.

This phrasing is a bit weird -- is "the remainder" of the packet all the
other TLVs, or just the stuff after the HMAC TLV?  We're supposed to
process HMAC first, after all, but that's only partially clear from the
rest of the section/document...

Section 5.1

  This document defines the following new values in the STAMP Extension
  TLV range of the STAMP TLV Type registry:

This appears to be the only instance of "STAMP Extension TLV range" in
the document; is this perhaps meant to refer to the "IETF Review" or
1-175 range?

Section 5.4

Do we feel a need to provide any kind of definition for "HW Assist", "SW
local", and/or "Control plane"?

Section 6

This would be a fine place to reiterate that both Sender and Reflector
should have parsers written defensively to protect against malformed
(i.e., bad TLV length) input); as I noted previously, the current text
really only suggests that the reflector should do so, but the sender is
not immune.

If we leave the U-flag semantics unchanged, we also need to document the
potential ambiguity between a reflector that blindly reflects the whole
message and one that actually understands all the received TLVs.

There's also some interesting considerations about the state of the 'A'
bit not itself being covered by the response's HMAC TLV (if it is only
set in the HMAC TLV vs. all TLVs).  I would strongly recommend having
Section 4.8 require that the A flag be set in *all* TLVs if
authentication fails, so that this information is covered by the
response's HMAC TLV.  (In the degenerate case of only an HMAC TLV it's
still unprotected, but the HMAC itself is over the empty message in that
case so it's not terribly interesting to mess with.)  Also, the
definition of the A flag in Section 4 could probably be tightened up,
whichever way we land on this point -- right now it suggests that it
might be set on more than just the HMAC TLV but is not very clear.
(Interestingly, later on in Section 4 we do seem to say that you have to
*check* the A flag in every TLV.)

We might also consider referencing RFC 2474 for the DSCP security
considerations.

Section 9.1

It's not entirely clear that RFC 5357 needs to be normative; we say we
can be compatible with lite-mode and that the extended padding is
similar, but those are just facts and you don't need to know anything
from 5357 to implement this document.

Similarly, I'm not sure why [TS23501] is listed as normative.

Section 9.2

On the other hand, you do actually need to read RFC 2104 to implement
the HMAC TLV, which makes it a normative reference (similarly for 4868)!

[Ballot comment]
(1) Figures 1 and 2 are labeled "an example" -- but they are not examples.

(2) §3: "If the test session is not stopped, the Session-Sender, can, for example, send a base STAMP packet [RFC8762]."  Just to make sure I understand: if the Session-Reflector doesn't support this specification, then a packet with or without an SSID will look the same to them, right?  If so, then there's no need for the Session-Sender to change its packets -- may be worth a mention.

(3) §4: "the TLV is malformed, i.e., the Length field value of the fixed-size TLV is not equal to the value defined for the particular type".  The Length can also be incorrect for variable-size TLVs -- so perhaps change to "the TLV is malformed, i.e., the Length field value is not valid for the particular type"

(4) §4: "MUST try to process"  "Do or do not. There is no try." - Yoda. ;-)  Seriously...consider deleting this sentence as skipping the TLV should already result in processing the next one, if present.

(5) The Reference column in tables 1/4/6/8 mixes references and assignment policies.  The whole registry should reference this document...so the column should really point at the assignment policies.

(6) Table 2: The new registry is being defined in this document, so you can go ahead and assign values -- no need to wait for IANA.

(7) Nits:

s/SSID/the SSID/g

s/vendor's the Structure/vendor's Structure

s/extend STAMP/extend the STAMP

s/is Extra/is the Extra

s/one-octet-long Type field, and two-octet-long/a one-octet-long Type field, and a two-octet-long

s/equals length/equals the length

[Ballot comment]
(1) Figures 1 and 2 are labeled "an example" -- but they are not really examples.

(2) §3: "If the test session is not stopped, the Session-Sender, can, for example, send a base STAMP packet [RFC8762]."  Just to make sure I understand: if the Session-Reflector doesn't support this specification, then a packet with or without an SSID will look exactly the same to them, right?  If so, then there's no need for the Session-Sender to change its packets -- maybe worth a mention.

(3) §4: "the TLV is malformed, i.e., the Length field value of the fixed-size TLV is not equal to the value defined for the particular type".  The Length can also be incorrect for variable-size TLVs -- so perhaps change to "the TLV is malformed, i.e., the Length field value is not valid for the particular type"

(4) §4: "MUST try to process"  "Do or do not. There is no try." - Yoda. ;-)  Seriously...consider deleting this sentence as skipping the TLV should already result in processing the next one, if present.

(5) The Reference column in tables 1/4/6/8 mixes references and assignment policies.  The whole registry should reference this document...so the column should really point at the assignment policies.

(6) Table 2: The new registry is being defined in this document, so you can go ahead and assign values -- no need to wait for IANA.

(7) Nits:

s/SSID/the SSID/g

s/vendor's the Structure/vendor's Structure

s/extend STAMP/extend the STAMP

s/is Extra/is the Extra

s/one-octet-long Type field, and two-octet-long/a one-octet-long Type field, and a two-octet-long

s/equals length/equals the length

[Ballot discuss]
[ general ]

* Please clarify whether the Length is in network byte order or not for all
  multibyte fields.  A single statement, perhaps around 2.0 or something,
  declaring the convention would suffice (assuming all multibyte integers
  share the same encoding).

* Should there be an IANA registry for the access ID field as well?

[ sections 4.2,4.3 ]

* I think the L-bit error case guidance may not conform to the guidance
  in section 4(.0)?  Specifically, 4(.0) says if the Length field is funky
  the copy the rest of the packet into the reponse and set L=1 (yes?).
  Whereas, 4.2,3 says it MUST zero out the fields (rather than just copy
  the remainder of the packet).  I may have misunderstood something,
  though.

[Ballot comment]
[ section 4 ]

* "that vendor's the" -> "that vendor's"

[ section 4.2 ]

* I know links with EUI64 addresses ("8 byte MACs") aren't especially
  popular but is some affordance for other link-layer identifiers
  desirable?

  Since it's a value chosen by the source I don't suppose it really
  matters all that much...

[ section 4.3 ]

* Add definitions or references for T2 and T3?

[ section 4.5 ]

* Under what conditions might R_RxC != R_TxC?  Does R_TxC factor in ICMP
  errors received that might be attributable to responses sent in this
  session?

[ section 4.8 ]

* I assume that the A bit setting by the reflector is the same behaviour
  if the HAMC should appear anywhere other than the last TLV?  If so,
  perhaps a brief clarifying statement.

[Ballot discuss]
** Section 4.2.  The Location TLV is explicitly trying to extract network configuration information that would be elided by the first hop router (MAC) or a NAT (real IP address).  RFC8762 helpfully notes that “When using STAMP over the Internet … impact of the STAMP-Test packets MUST be thoroughly analyzed.”  Please provide a bit of text describing the privacy implications here (or bound this with an applicability statement).

** Section 4.8.  Is the key used for the HMAC TLV the same as the one in the HMAC in the STAMP authenticated packet?  Could one use different keys?

[Ballot comment]
Thank you for responding to the SECDIR review (and thank you to Charlie Kaufman for doing it).

** Section 4.6.  Per the “ID (Access ID)”, I was a surprised that the values are hard-coded as this complicates future extensibility (e.g., providing further fidelity into the type “non-3gpp network” used).  Perhaps this was intentional to meet the PMF component of TS23501?

** Section 4.8.  This mechanism like, RFC8762, does not provide for algorithm agility.  As RFC8762 at least says “Future specifications may define the use of other, more advanced cryptographic algorithms, …” it would be useful to say that this TLV is anticipated to track updates in the base STAMP protocol.

[Ballot discuss]
Section 4 says: "Detected error events MUST be logged.  Note that rate of logging MUST be controlled."

This seems to be incomplete.  Why is it a MUST?  It doesn't seem to have anything to do with interoperability; if I don't log, nothing breaks.  If it's MUST for security reasons, other questions arise: Logged where?  What data specifically needs to be logged?  How long should they be retained?  Do any privacy concerns arise?  Do the logs need to be protected at rest? etc.

[Ballot comment]
I'll open with my usual complaint about having more than five authors, which is the recommended maximum.

Abstract:

* "... in addition to ones supported by the STAMP base specification." -- I think you could remove this clause; it's enough to say you're defining extension(s).

Section 3:

* "An implementation of the STAMP Session-Reflector that supports this specification SHOULD identify a STAMP Session using the SSID in combination with elements of the usual 4-tuple for the session." -- Why is this only a SHOULD?  When might one legitimately deviate from this requirement?

Section 4.3:

* "The Session-Sender SHOULD NOT fill any information fields except for STAMP TLV Flags, Type, and Length." -- When might I deviate from that advice, as SHOULD NOT allows?

Section 4.5:

* "The definition of "in-profile packet" is outside the scope of this document and is left to the test operators to determine." -- This isn't my domain, to be sure, but I'm curious about what "in-profile" might mean.  Would it be possible to include an example?

Section 4.6:

* Same question for "access network".

Section 4.8:

* "... excluding when ..." -- suggest instead "excluding the case where"

[Ballot comment]
Thank you for the work put into this document.

Please find below a couple of non-blocking COMMENTs (and I would appreciate a reply to my COMMENTs).

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 4 --
The text "A system that has received a STAMP test packet with extension TLVs MUST validate each TLV:" is unclear whether it is Session-Sender or Session-Reflector or both. Clarification welcome.

The A-bit is linked to HMAC and looks like "Authentication" while section 4.8 says HMAC is only for integrity. Hence, why not using "I-bit" rather than "A-bit" (cosmetic issue)

-- Section 4.1 --
For the 'Extra Padding' field, "a pseudo-random sequence of bits.  The field MAY be filled with all zeros.". Is it 'bits' or 'octets' ? (the latter most probably). I also have hard time to reconciliate "pseudo-random" with "MAY be filled with 0"; this seems like an oxymoron to me.

-- Section 4.2 --
How to handle cases where the MAC address is not 6-bytes long ? AFAIK IEEE 802.15.4 uses 16 or 64-bit addresses and future MAC layers could use different MAC addresses length. What should be the MAC address field value when there is no associated MAC address?

-- Section 4.8
What is the expected behavior of a Session-Sender when receiving a STAMP packet whose HMAC verification fails ?

I must also say that I am a little puzzled by the Session-Reflector behavior when HMAC verification fails: logging and replying anyway seems opening an avenue for STAMP service theft or DoS. Or am I missing something ?

-- Section 5.3 --
In table 5, is there a reason why Galileo is not listed ?

[Ballot comment]
I'll open with my usual complaint about having more than five authors, which is the recommended maximum.

Abstract:

* "... in addition to ones supported by the STAMP base specification." -- I think you could remove this clause; it's enough to say you're defining extension(s).

Section 3:

* "An implementation of the STAMP Session-Reflector that supports this specification SHOULD identify a STAMP Session using the SSID in combination with elements of the usual 4-tuple for the session." -- Why is this only a SHOULD?  When might one legitimately deviate from this requirement?

Section 4:

* "Detected error events MUST be logged.  Note that rate of logging MUST be controlled." -- This seems to be incomplete.  Logged where?  If you're going to make this mandatory, shouldn't you discuss log retention requirements, details of what's to be logged, logging security, and things of that nature?

Section 4.3:

* "The Session-Sender SHOULD NOT fill any information fields except for STAMP TLV Flags, Type, and Length." -- When might I deviate from that advice, as SHOULD NOT allows?

Section 4.5:

* "The definition of "in-profile packet" is outside the scope of this document and is left to the test operators to determine." -- This isn't my domain, to be sure, but I'm curious about what "in-profile" might mean.  Would it be possible to include an example?

Section 4.6:

* Same question for "access network".

Section 4.8:

* "... excluding when ..." -- suggest instead "excluding the case where"

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-ippm-stamp-option-tlv-06. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator has a question about one of the actions requested in the IANA Considerations section of this document.

The IANA Functions Operator understands that, upon approval of this document, there are four actions which we must complete.

First, a new registry is to be created called the STAMP TLV Type registry.

IANA Question --> Where should this new registry be located? Should it be added to an existing registry page? If not, does it belong in an existing category at http://www.iana.org/protocols?

The allocation policy for the new registry is as follows:

0 Reserved
1-32759 IETF Review
32760-65279 First Come, First Served
65280-65519 Experimental
65520-65534 Private Use
65535 Reserved

+-----------------------+-----------------------+---------------+
| Value | Description | Reference |
+-----------------------+-----------------------+---------------+
|[ TBD-at-Registration ]| Extra Padding | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Location | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Timestamp Information | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Class of Service | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Direct Measurement | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Access Report | [ RFC-to-be ] |
|[ TBD-at-Registration ]| Follow-up Telemetry | [ RFC-to-be ] |
|[ TBD-at-Registration ]| HMAC | [ RFC-to-be ] |
+-----------------------+-----------------------+---------------+

Second, a new subregistry of the STAMP TLV Type registry (created above) is to be created called the Synchronization Source sub-registry.

The registration policy for the new registry is as follows:

+-----------+--------------+-------------------------+
| Value | Description | Reference |
+-----------+--------------+-------------------------+
| 0 | Reserved | [ RFC-to-be ] |
| 1- 127 | Unassigned | IETF Review |
| 128 - 239 | Unassigned | First Come First Served |
| 240 - 249 | Experimental | [ RFC-to-be ] |
| 250 - 254 | Private Use | [ RFC-to-be ] |
| 255 | Reserved | [ RFC-to-be ] |
+-----------+--------------+-------------------------+

There are initial registrations in the new registry as follows:

+-------+---------------------+---------------+
| Value | Description | Reference |
+-------+---------------------+---------------+
| 1 | NTP | [ RFC-to-be ] |
| 2 | PTP | [ RFC-to-be ] |
| 3 | SSU/BITS | [ RFC-to-be ] |
| 4 | GPS/GLONASS/LORAN-C | [ RFC-to-be ] |
| 5 | Local free-running | [ RFC-to-be ] |
+-------+---------------------+---------------+

Third, a new subregistry of the STAMP TLV Type registry (created above) is to be created called the Timestamping Method sub-registry.

The registration policy for the new registry is as follows:

+-----------+--------------+-------------------------+
| Value | Description | Reference |
+-----------+--------------+-------------------------+
| 0 | Reserved | [ RFC-to-be ] |
| 1- 127 | Unassigned | IETF Review |
| 128 - 239 | Unassigned | First Come First Served |
| 240 - 249 | Experimental | [ RFC-to-be ] |
| 250 - 254 | Private Use | [ RFC-to-be ] |
| 255 | Reserved | [ RFC-to-be ] |
+-----------+--------------+-------------------------+

There are initial registrations in the new registry as follows:

+-------+---------------+---------------+
| Value | Description | Reference |
+-------+---------------+---------------+
| 1 | HW Assist | [ RFC-to-be ] |
| 2 | SW local | [ RFC-to-be ] |
| 3 | Control plane | [ RFC-to-be ] |
+-------+---------------+---------------+

Fourth, a new subregistry of the STAMP TLV Type registry (created above) is to be created called the Return Code sub-registry.

The registration policy for the new registry is as follows:

+-----------+--------------+-------------------------+
| Value | Description | Reference |
+-----------+--------------+-------------------------+
| 0 | Reserved | [ RFC-to-be ] |
| 1- 127 | Unassigned | IETF Review |
| 128 - 239 | Unassigned | First Come First Served |
| 240 - 249 | Experimental | [ RFC-to-be ] |
| 250 - 254 | Private Use | [ RFC-to-be ] |
| 255 | Reserved | [ RFC-to-be ] |
+-----------+--------------+-------------------------+

There are initial registrations in the new registry as follows:

+-------+---------------------+---------------+
| Value | Description | Reference |
+-------+---------------------+---------------+
| 1 | Network available | [ RFC-to-be ] |
| 2 | Network unavailable | [ RFC-to-be ] |
+-------+---------------------+---------------+

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2020-07-06):

From: The IESG
To: IETF-Announce
CC: wangyali11@huawei.com, ippm-chairs@ietf.org, martin.h.duke@gmail.com, ippm@ietf.org, Yali Wang , draft-ietf-ippm-stamp-option-tlv@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Simple Two-way Active Measurement Protocol Optional Extensions) to Proposed Standard


The IESG has received a request from the IP Performance Measurement WG (ippm)
to consider the following document: - 'Simple Two-way Active Measurement
Protocol Optional Extensions'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2020-07-06. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document describes optional extensions to Simple Two-way Active
  Measurement Protocol (STAMP) which enable measurement performance
  metrics in addition to ones supported by the STAMP base
  specification.  The document also defines a STAMP Test Session
  Identifier and thus updates RFC 8762.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ippm-stamp-option-tlv/



No IPR declarations have been submitted directly on this I-D.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up. Changes are expected over time.

This version is dated 1 November 2019.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

A Proposed Standard RFC is being requested and is indicated in the title page header. It is the proper type of RFC because this document defines optional STAMP extensions, their formats, and the theory of operation. Also, a STAMP Test Session Identifier is defined, updating the base STAMP specification [RFC8762].

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

  This document describes optional extensions to Simple Two-way Active
  Measurement Protocol (STAMP) which enable measurement performance
  metrics in addition to ones supported by the STAMP base
  specification.  The document also defines a STAMP Test Session
  Identifier and thus updates RFC 8762.

Working Group Summary:

The document has gone through sufficient discussion within the IPPM WG and has working group consensus to publish. There was no particular controversy during the WG process.

Document Quality:

The document has been a WG document for almost one year. It has been reviewed by the community within the IPPM WG and gone through several updates.

Personnel:

Document Shepherd: Yali Wang
Responsible Area Director: Martin Duke

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

The Document Shepherd has reviewed the latest revision of the document, followed the comments during WGLC, and joined in the discussion on the IPPM mailing list. Also, the Document Shepherd performed the review on IPR checks and Nits.

The Document Shepherd thinks the document is ready for review by the IESG for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

No.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

No. The document has received several reviews, comments, and questions from IPPM WG members. All of the comments and questions have been resolved.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

None.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Confirmed.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

No IPR disclosures. https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-ippm-stamp-option-tlv

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

Solid consensus according to the review and discussion on the mailing list.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

None.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

According to the ID nits check, there is one comment, which should be OK:
https://www6.ietf.org/tools/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ippm-stamp-option-tlv-05.txt

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

Not relevant for the MIB Doctor, YANG Doctor, media type, and URI.

(13) Have all references within this document been identified as either normative or informative?

Yes. All references have been identified as either normative or informative.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

No.

(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No. This document updates RFC8762 but does not change its status. RFC8762 has been mentioned in the abstract and introduction.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126).

The IANA considerations section is clear and consistent with the body of the document.

IANA is requested to allocate new code points for "Extra Padding", "Location", "Timestamp Information", "Class of Service", "Direct Measurement", "Access Report", "Follow-up Telemetry", "HMAC" from the "Mandatory TLV range of the STAMP TLV Type registry".

IANA has allocated the following code points from the "Synchronization Source sub-registry":
1 NTP
2 PTP
3 SSU/BITS
4 GPS/GLONASS/LORAN-C
5 Local free-running

IANA has allocated the following code points from the "Timestamping Methods sub-registry":
1 HW Assist
2 SW local
3 Control plane

IANA has allocated the following code points from the "Return Code sub-registry":
1 Network available
2 Network unavailable

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

Followings are new IANA registries that require Expert Review for future allocations:
1) IANA is requested to create the STAMP TLV Type registry.
2) IANA is requested to create Synchronization Source sub-registry as part of the STAMP TLV Type registry.
3) IANA is requested to create Timestamping Method sub-registry as part of the STAMP TLV Type registry.
4) IANA is requested to create Return Code sub-registry as part of STAMP TLV Type registry.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc.

None.

(20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342?

No YANG module.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up. Changes are expected over time.

This version is dated 1 November 2019.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

A Proposed Standard RFC is being requested and is indicated in the title page header. It is the proper type of RFC because this document defines optional STAMP extensions, their formats, and the theory of operation. Also, a STAMP Test Session Identifier is defined, updating the base STAMP specification [RFC8762].

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

  This document describes optional extensions to Simple Two-way Active
  Measurement Protocol (STAMP) which enable measurement performance
  metrics in addition to ones supported by the STAMP base
  specification.  The document also defines a STAMP Test Session
  Identifier and thus updates RFC 8762.

Working Group Summary:

The document has gone through sufficient discussion within the IPPM WG and has working group consensus to publish. There was no particular controversy during the WG process.

Document Quality:

The document has been a WG document for almost one year. It has been reviewed by the community within the IPPM WG and gone through several updates.

Personnel:

Document Shepherd: Yali Wang
Responsible Area Director: Martin Duke

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

The Document Shepherd has reviewed the latest revision of the document, followed the comments during WGLC, and joined in the discussion on the IPPM mailing list. Also, the Document Shepherd performed the review on IPR checks and Nits.

The Document Shepherd thinks the document is ready for review by the IESG for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

No.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

No. The document has received several reviews, comments, and questions from IPPM WG members. All of the comments and questions have been resolved.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

None.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Confirmed.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

No IPR disclosures. https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-ippm-stamp-option-tlv

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

Solid consensus according to the review and discussion on the mailing list.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

None.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

According to the ID nits check, there is one comment, which should be OK:
https://www6.ietf.org/tools/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ippm-stamp-option-tlv-05.txt

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

Not relevant for the MIB Doctor, YANG Doctor, media type, and URI.

(13) Have all references within this document been identified as either normative or informative?

Yes. All references have been identified as either normative or informative.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

No.

(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No. This document updates RFC8762 but does not change its status. RFC8762 has been mentioned in the abstract and introduction.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126).

The IANA considerations section is clear and consistent with the body of the document.

IANA is requested to allocate new code points for "Extra Padding", "Location", "Timestamp Information", "Class of Service", "Direct Measurement", "Access Report", "Follow-up Telemetry", "HMAC" from the "Mandatory TLV range of the STAMP TLV Type registry".

IANA has allocated the following code points from the "Synchronization Source sub-registry":
1 NTP
2 PTP
3 SSU/BITS
4 GPS/GLONASS/LORAN-C
5 Local free-running

IANA has allocated the following code points from the "Timestamping Methods sub-registry":
1 HW Assist
2 SW local
3 Control plane

IANA has allocated the following code points from the "Return Code sub-registry":
1 Network available
2 Network unavailable

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

Followings are new IANA registries that require Expert Review for future allocations:
1) IANA is requested to create the STAMP TLV Type registry.
2) IANA is requested to create Synchronization Source sub-registry as part of the STAMP TLV Type registry.
3) IANA is requested to create Timestamping Method sub-registry as part of the STAMP TLV Type registry.
4) IANA is requested to create Return Code sub-registry as part of STAMP TLV Type registry.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc.

None.

(20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342?

No YANG module.

Request for posting confirmation emailed to previous authors: Henrik Nydell , ippm-chairs@ietf.org, Min Xiao , Adi Masputra , Gregory Mirsky , Richard Foote , Guo Jun