IPPM IETF 111
When: Wednesday 28 July 2021, 12:00-14:00 UTC

Where: Meetecho

Chairs: Tommy Pauly & Ian Swett

Documents

IOAM Drafts

Frank:
- In-Situ OAM Deployment
- In IESG review.
- Document started in OPSAWG
- IPPM is the natural place to progress the work

Tommy:
- Any opinions?

Martin:
- Fine with coming into IPPM

Tommy:
- The WG will kick off the adoption call

TAL:
- In-situ OAM Flags
- In-situ OAM Direct Exporting
- Various attacks described by Martin
- Revised drafts
- One iteration on DEX drafts
- Main changes: IOAM encapsulation nodes in order to mitigate these attacks
- Avoid nesting of direct exporting
- Exporting applied to trusted nodes.

Please follow the slides for checking the main changes

TAL:
- Main changes are related to security
- Otherwise the draft is stable
- This was for the flag draft

Please follow the slide 9 for this

TAL:
- Resolve the above two issues and apply them to the draft.

Martin:
- The draft is going in the correct direction. As a nit: the situations were cases that could happen, and might be exploited, rather than security problems.

TAL:
- Any comments?

Frank:
- Integrity of In-situ OAM Data Fields
- Proposing new IOAM options which are integrity protected
- Overhead consideration due to integrity protection.

Please follow slide number 12

Frank:
- (Shows a table)
- Next slide
- Multiple ways to go on HASH and sign.
- The method we have adopted is to have a suite of Hash and sign for flexibility.
- Requires Nonce and Signature.
- Next slide
- The Integrity sub-header will follow the IOAM Option header when the IOAM Option Type is Integrity Protected Option.
- Next Slide
- People think there should be integrity for IOAM data.
- We'll have an extension option much like DEX.
- Hope for a WG Adoption call in future.
- Any comments?

Tommy:
- At some time, we might want to do a secdir review?
- How much implementation is done so far?

Frank:
- From our perspective, it's difficult.
- There is no current implementation.

Justin:
- IOAM in Linux for 2-3 years.
- Next release will be in 5-6 weeks

Tommy:
- Timeline on the implementation?

Justin:
- Going step-by-step as it's a huge part.

Frank:
- (To Tommy) Opinion on adoption?

Tommy:
- We kick off the deployment and integrity drafts from next week.

Frank:
- We might want to move from Informational status to Standards Track.

STAMP YANG Draft

Greg Mirsky
- Session identifier is unique to STAMP session sender
- Symmetric packet of fixed size - RFC 8762
- Ability to generate variable length - RFC 8972
- next slide
- Snapshot of the YANG data model
- This explains what the session ID is.
- The STAMP session identifier is unique locally

Check the slide 3 for more information

Rakesh:
- YANG model should have its optional extensions, similar to RFC 8972.

Greg:
- That makes sense.

Richard:
- Agrees with Rakesh and Greg.
- RFC 8762 allowed padding outside the TLV

Greg:
- RFC 8762 does not define how you do padding.
- RFC 8972 - Not only extra padding but combine with other TLV.
- Let's discuss this on the mailing list.
- Next steps are to continue working and WGLC by IETF 112.

STAMP SRPM Draft

Rakesh:
- Updates in revision 00 and 01.
- next slide
- Revision 00 is newly adopted by IPPM WG
- Updated the security sections
- Introduced the new error flag D

Check the slide number 3 for the revision 00 updates

Check the slide number 4 for revision 01 updates

IOAM CONF STATE

Xiao:
- Presented 08 at IETF 110
- Now draft-10
- Summary of updates from 08 - 10
- BIER added into the scope of this draft
- Define Ping and traceroute for BIER
- Will add SR as suggested during adoption poll
- Separate Pre-allocate Tracing and Incremental

Check slide 2 for the details

Check slide 3 for the details

Frank:
- How will this combine with the IOAM YANG?

Xiao:
- If the controller has no information about all the IOAM devices (on the path)

Frank:
- It would be nice to have a data model to synchronize with the IOAM YANG

Xiao:
- We'll consider it.

Cheng:
- Did you address the security issues?

Xiao:
- We have to update the draft on the comments from you and others
- We have already addressed it.

Explicit Flow measurements

Mauro:
- New techniques to employ few marking bits, inside the header of each packet, for loss and delay measurement
- Some implementations are present.

Check the slide 3 for the IETF Hackathon and implementations

Check the slide 5 for "D-bit" or Delay bit working

Check the slide 6 for it

Check the slide 7

Check the slide 8 for images and details

Martin:
- Some recommended choice will be helpful

Mauro:
- Spin bit - Depends on the privacy problems.

Hybrid Two step

Greg:
- update for max length field, flow identification (for environments like SSH and IOAM)
- Added mode for upstreaming (discussion with Pascal)
- next slide
- HTS max length as unsigned 32 bits.
- Thoughts and comments?
- next slide
- Upstreaming HTS image (Slide 4)
- Studies on IOAM in constrained environments
- Packets go from ingress node to egress node
- Make the ingress node experience how the packets were treated by the network.
- Ingress node can consume the data locally and use it for analytics later
- Probably discuss on the mailing list
- Discussion with Frank, what characteristic information can be used by HTS
- Different environments defined in separate documents

Check the slide 5

Capacity Metric Protocol

Al:
- What security features are needed?
- How should it operate in different modes?
- next slide
- Ephemeral port used in the future

Please check the slide 3.

Check the slide 3 for the modes

Rakesh:
- Instead of micro session, why not create a STAMP session?

Greg:
- It simplifies configuration and similar to BFD.

Enhanced Alternate Marking Method

Giuseppe:
- Specifies HBH or DH option for IPv6, developed in 6man (now in WGLC).
- Comments or questions to the list.

EPDMv2

Nalini:
- PDM can be used for DoS attacks and timing attacks
- PDMv2 consists of registration phase and data transfer.
- Registration: Shared secret is exchanged
- Occasional KDF
- next slide
- PDMv2 Scenario and Secured paths: It's a solution for enterprises
- Enterprises
- HPKE in PDMv2: Registration phase, online phase, KDF, Pseudo-random repeating sequence, AEAD
- Questions?