draft-ietf-ippm-ioam-direct-export-06.txt   draft-ietf-ippm-ioam-direct-export-07.txt 
IPPM H. Song IPPM H. Song
Internet-Draft Futurewei Internet-Draft Futurewei
Intended status: Standards Track B. Gafni Intended status: Standards Track B. Gafni
Expires: February 9, 2022 Nvidia Expires: April 16, 2022 Nvidia
T. Zhou T. Zhou
Z. Li Z. Li
Huawei Huawei
F. Brockners F. Brockners
Cisco Cisco
S. Bhandari, Ed. S. Bhandari, Ed.
Thoughtspot Thoughtspot
R. Sivakolundu R. Sivakolundu
Cisco Cisco
T. Mizrahi, Ed. T. Mizrahi, Ed.
Huawei Huawei
August 8, 2021 October 13, 2021
In-situ OAM Direct Exporting In-situ OAM Direct Exporting
draft-ietf-ippm-ioam-direct-export-06 draft-ietf-ippm-ioam-direct-export-07
Abstract Abstract
In-situ Operations, Administration, and Maintenance (IOAM) is used In-situ Operations, Administration, and Maintenance (IOAM) is used
for recording and collecting operational and telemetry information. for recording and collecting operational and telemetry information.
Specifically, IOAM allows telemetry data to be pushed into data Specifically, IOAM allows telemetry data to be pushed into data
packets while they traverse the network. This document introduces a packets while they traverse the network. This document introduces a
new IOAM option type called the Direct Export (DEX) option, which is new IOAM option type called the Direct Export (DEX) option, which is
used as a trigger for IOAM data to be directly exported or locally used as a trigger for IOAM data to be directly exported or locally
aggregated without being pushed into in-flight data packets. The aggregated without being pushed into in-flight data packets. The
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 9, 2022. This Internet-Draft will expire on April 16, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 34 skipping to change at page 2, line 34
2.1. Requirement Language . . . . . . . . . . . . . . . . . . 3 2.1. Requirement Language . . . . . . . . . . . . . . . . . . 3
2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
3. The Direct Exporting (DEX) IOAM Option Type . . . . . . . . . 3 3. The Direct Exporting (DEX) IOAM Option Type . . . . . . . . . 3
3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1.1. DEX Packet Selection . . . . . . . . . . . . . . . . 5 3.1.1. DEX Packet Selection . . . . . . . . . . . . . . . . 5
3.1.2. Responding to the DEX Trigger . . . . . . . . . . . . 5 3.1.2. Responding to the DEX Trigger . . . . . . . . . . . . 5
3.2. The DEX Option Format . . . . . . . . . . . . . . . . . . 6 3.2. The DEX Option Format . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
4.1. IOAM Type . . . . . . . . . . . . . . . . . . . . . . . . 8 4.1. IOAM Type . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. IOAM DEX Flags . . . . . . . . . . . . . . . . . . . . . 8 4.2. IOAM DEX Flags . . . . . . . . . . . . . . . . . . . . . 8
4.3. IOAM DEX Extension-Flags . . . . . . . . . . . . . . . . 8 4.3. IOAM DEX Extension-Flags . . . . . . . . . . . . . . . . 9
5. Performance Considerations . . . . . . . . . . . . . . . . . 9 5. Performance Considerations . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11
Appendix A. Hop Limit in Direct Exporting . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Hop Limit in Direct Exporting . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
IOAM [I-D.ietf-ippm-ioam-data] is used for monitoring traffic in the IOAM [I-D.ietf-ippm-ioam-data] is used for monitoring traffic in the
network, and for incorporating IOAM data fields into in-flight data network, and for incorporating IOAM data fields into in-flight data
packets. packets.
IOAM makes use of four possible IOAM options, defined in IOAM makes use of four possible IOAM options, defined in
[I-D.ietf-ippm-ioam-data]: Pre-allocated Trace Option, Incremental [I-D.ietf-ippm-ioam-data]: Pre-allocated Trace Option, Incremental
Trace Option, Proof of Transit (POT) Option, and Edge-to-Edge Option. Trace Option, Proof of Transit (POT) Option, and Edge-to-Edge Option.
This document defines a new IOAM option type (also known as an IOAM This document defines a new IOAM option type (also known as an IOAM
type) called the Direct Export (DEX) option. This option is used as type) called the Direct Export (DEX) option. This option is used as
a trigger for IOAM nodes to locally aggregate and process IOAM data, a trigger for IOAM nodes to locally aggregate and process IOAM data,
and/or to export it to a receiving entity (or entities). A and/or to export it to a receiving entity (or entities). Throughout
"receiving entity" in this context can be, for example, an external the document this functionality is referred to as collection and/or
collector, analyzer, controller, decapsulating node, or a software exporting. A "receiving entity" in this context can be, for example,
module in one of the IOAM nodes. an external collector, analyzer, controller, decapsulating node, or a
software module in one of the IOAM nodes.
Note that even though the IOAM Option-Type is called "Direct Export", Note that even though the IOAM Option-Type is called "Direct Export",
it depends on the deployment whether the receipt of a packet with DEX it depends on the deployment whether the receipt of a packet with DEX
option type leads to the creation of another packet. Some option type leads to the creation of another packet. Some
deployments might simply use the packet with the DEX option type to deployments might simply use the packet with the DEX option type to
trigger local processing of OAM data. trigger local processing of OAM data. The functionality of this
local processing is not within the scope of this document.
This draft has evolved from combining some of the concepts of PBT-I This draft has evolved from combining some of the concepts of PBT-I
from [I-D.song-ippm-postcard-based-telemetry] with immediate from [I-D.song-ippm-postcard-based-telemetry] with immediate
exporting from [I-D.ietf-ippm-ioam-flags]. exporting from [I-D.ietf-ippm-ioam-flags].
2. Conventions 2. Conventions
2.1. Requirement Language 2.1. Requirement Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
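Review bot: the new Introduction sentence "Throughout the document this functionality is referred to as collection and/or exporting" introduces a defined term outside Section 2.2 Terminology, which this revision leaves untouched (the diff skips from page 2 straight to page 6). Suggest moving or duplicating the definition into Section 2.2 so that later normative uses such as "does not collect and/or export data" in Section 3.1.2 resolve to one definition rather than to a sentence in the Introduction.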
skipping to change at page 6, line 10 skipping to change at page 6, line 15
[I-D.spiegel-ippm-ioam-rawexport]. [I-D.spiegel-ippm-ioam-rawexport].
An IOAM node that performs DEX-triggered exporting MUST support the An IOAM node that performs DEX-triggered exporting MUST support the
ability to limit the rate of the exported packets. The rate of ability to limit the rate of the exported packets. The rate of
exported packets SHOULD be limited so that the number of exported exported packets SHOULD be limited so that the number of exported
packets is significantly lower than the number of packets that are packets is significantly lower than the number of packets that are
forwarded by the device. The exported data rate SHOULD NOT exceed 1/ forwarded by the device. The exported data rate SHOULD NOT exceed 1/
N of the interface capacity on any of the IOAM node's interfaces. It N of the interface capacity on any of the IOAM node's interfaces. It
is recommended to use N>100. Depending on the IOAM node's is recommended to use N>100. Depending on the IOAM node's
architecture considerations, the export rate may be limited to a architecture considerations, the export rate may be limited to a
lower number in order to avoid loading the IOAM node. lower number in order to avoid loading the IOAM node. An IOAM node
MAY maintain a counter or a set of counters that count the events in
which the IOAM node receives a packet with the DEX option type and
does not collect and/or export data due to the rate limits.
Exported packets SHOULD NOT be exported over a path or a tunnel that Exported packets SHOULD NOT be exported over a path or a tunnel that
is subject to IOAM direct exporting. Furthermore, IOAM encapsulating is subject to IOAM direct exporting. Furthermore, IOAM encapsulating
nodes that can identify a packet as an IOAM exported packet MUST NOT nodes that can identify a packet as an IOAM exported packet MUST NOT
push a DEX option into such a packet. This requirement is intended push a DEX option into such a packet. This requirement is intended
to prevent nested exporting and/or exporting loops. to prevent nested exporting and/or exporting loops.
A transit IOAM node that does not support the DEX option SHOULD A transit or decapsulating IOAM node that receives an unknown IOAM
ignore it. A decapsulating node that does not support the DEX option option type ignores it (as defined in [I-D.ietf-ippm-ioam-data]), and
MUST remove it, along with any other IOAM options carried in the specifically nodes that do not support the DEX option ignore it.
packet if such exist. Note that as per [I-D.ietf-ippm-ioam-data] a decapsulating node
removes the IOAM encapsulation and all its IOAM options, and
specifically in the case where one of these options is a (possibly
unknown) DEX option.
3.2. The DEX Option Format 3.2. The DEX Option Format
The format of the DEX option is depicted in Figure 2. The length of The format of the DEX option is depicted in Figure 2. The length of
the DEX option is at least 8 octets. The DEX option MAY include one the DEX option is at least 8 octets. The DEX option MAY include one
or more optional fields. The existence of the optional fields is or more optional fields. The existence of the optional fields is
indicated by the corresponding flags in the Extension-Flags field. indicated by the corresponding flags in the Extension-Flags field.
Two optional fields are defined in this document, the Flow ID and the Two optional fields are defined in this document, the Flow ID and the
Sequence Number fields. Every optional field MUST be exactly 4 Sequence Number fields. Every optional field MUST be exactly 4
octets long. Thus, the Extension-Flags field explicitly indicates octets long. Thus, the Extension-Flags field explicitly indicates
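Review bot: the new Section 3.1.2 counter text ("An IOAM node MAY maintain a counter or a set of counters ... does not collect and/or export data due to the rate limits") is only a MAY, yet these counters are the one signal an operator has that the rate limiter is engaging, which is precisely the condition produced by the DEX injection and amplification scenarios in Section 6; consider raising it to SHOULD and stating that the counters are exposed to management so a sustained non-zero rate can be alarmed on. Separately, the rewritten unknown-option paragraph drops the old explicit "A decapsulating node that does not support the DEX option MUST remove it" in favour of "as per [I-D.ietf-ippm-ioam-data] a decapsulating node removes the IOAM encapsulation and all its IOAM options"; worth confirming the referenced draft carries that MUST, since otherwise a DEX option could leave the IOAM domain inside a forwarded packet.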
skipping to change at page 9, line 31 skipping to change at page 9, line 46
Therefore, the performance impact of these exported packets is Therefore, the performance impact of these exported packets is
limited by taking two measures: at the encapsulating nodes, by limited by taking two measures: at the encapsulating nodes, by
selective DEX encapsulation (Section 3.1.1), and at the transit selective DEX encapsulation (Section 3.1.1), and at the transit
nodes, by limiting exporting rate (Section 3.1.2). These two nodes, by limiting exporting rate (Section 3.1.2). These two
measures ensure that direct exporting is used at a rate that does not measures ensure that direct exporting is used at a rate that does not
significantly affect the network bandwidth, and does not overload the significantly affect the network bandwidth, and does not overload the
receiving entity. Moreover, it is possible to load balance the receiving entity. Moreover, it is possible to load balance the
exported data among multiple receiving entities, although the exported data among multiple receiving entities, although the
exporting method is not within the scope of this document. exporting method is not within the scope of this document.
It should be noted that in some networks DEX data may be exported
over an out-of-band network, in which a large volume of exported
traffic does not compromise user traffic. In this case an operator
may choose to disable the exporting rate limiting.
6. Security Considerations 6. Security Considerations
The security considerations of IOAM in general are discussed in The security considerations of IOAM in general are discussed in
[I-D.ietf-ippm-ioam-data]. Specifically, an attacker may try to use [I-D.ietf-ippm-ioam-data]. Specifically, an attacker may try to use
the functionality that is defined in this document to attack the the functionality that is defined in this document to attack the
network. network.
An attacker may attempt to overload network devices by injecting An attacker may attempt to overload network devices by injecting
synthetic packets that include the DEX option. Similarly, an on-path synthetic packets that include the DEX option. Similarly, an on-path
attacker may maliciously incorporate the DEX option into transit attacker may maliciously incorporate the DEX option into transit
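Review bot: the new Section 5 paragraph lets an operator "disable the exporting rate limiting" when DEX data is exported over an out-of-band network, but its justification only covers user-traffic bandwidth; the limit in Section 3.1.2 also exists to "avoid loading the IOAM node", and this same section says the two measures keep the receiving entity from being overloaded. Suggest qualifying the sentence, e.g. "may choose to relax or disable the exporting rate limiting, provided the IOAM node and the receiving entity can sustain the resulting export rate", and noting that the Section 6 amplification analysis assumes the limit is in place.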
skipping to change at page 10, line 29 skipping to change at page 10, line 52
significantly limit the scale of amplification attacks. significantly limit the scale of amplification attacks.
o IOAM encapsulating nodes are required to avoid pushing the DEX o IOAM encapsulating nodes are required to avoid pushing the DEX
option into IOAM exported packets (Section 3.1.2), thus preventing option into IOAM exported packets (Section 3.1.2), thus preventing
some of the amplification and export loop scenarios. some of the amplification and export loop scenarios.
Although the exporting method is not within the scope of this Although the exporting method is not within the scope of this
document, any exporting method MUST secure the exported data from the document, any exporting method MUST secure the exported data from the
IOAM node to the receiving entity. Specifically, an IOAM node that IOAM node to the receiving entity. Specifically, an IOAM node that
performs DEX exporting MUST send the exported data to a pre- performs DEX exporting MUST send the exported data to a pre-
configured trusted receiving entity. configured trusted receiving entity. Furthermore, an IOAM node MUST
gain explicit consent to export data to a receiving entity before
starting to send exported data.
IOAM is assumed to be deployed in a restricted administrative domain, IOAM is assumed to be deployed in a restricted administrative domain,
thus limiting the scope of the threats above and their affect. This thus limiting the scope of the threats above and their affect. This
is a fundamental assumption with respect to the security aspects of is a fundamental assumption with respect to the security aspects of
IOAM, as further discussed in [I-D.ietf-ippm-ioam-data]. IOAM, as further discussed in [I-D.ietf-ippm-ioam-data].
7. References 7. Acknowledgments
7.1. Normative References The authors thank Martin Duke, Tommy Pauly, Greg Mirsky, and other
members of the IPPM working group for many helpful comments.
8. References
8.1. Normative References
[I-D.ietf-ippm-ioam-data] [I-D.ietf-ippm-ioam-data]
Brockners, F., Bhandari, S., and T. Mizrahi, "Data Fields Brockners, F., Bhandari, S., and T. Mizrahi, "Data Fields
for In-situ OAM", draft-ietf-ippm-ioam-data-14 (work in for In-situ OAM", draft-ietf-ippm-ioam-data-15 (work in
progress), June 2021. progress), October 2021.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. [RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F.
Raspall, "Sampling and Filtering Techniques for IP Packet Raspall, "Sampling and Filtering Techniques for IP Packet
Selection", RFC 5475, DOI 10.17487/RFC5475, March 2009, Selection", RFC 5475, DOI 10.17487/RFC5475, March 2009,
<https://www.rfc-editor.org/info/rfc5475>. <https://www.rfc-editor.org/info/rfc5475>.
[RFC7014] D'Antonio, S., Zseby, T., Henke, C., and L. Peluso, "Flow [RFC7014] D'Antonio, S., Zseby, T., Henke, C., and L. Peluso, "Flow
Selection Techniques", RFC 7014, DOI 10.17487/RFC7014, Selection Techniques", RFC 7014, DOI 10.17487/RFC7014,
September 2013, <https://www.rfc-editor.org/info/rfc7014>. September 2013, <https://www.rfc-editor.org/info/rfc7014>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References 8.2. Informative References
[I-D.ietf-ippm-ioam-flags] [I-D.ietf-ippm-ioam-flags]
Mizrahi, T., Brockners, F., Bhandari, S., Sivakolundu, R., Mizrahi, T., Brockners, F., Bhandari, S., Sivakolundu, R.,
Pignataro, C., Kfir, A., Gafni, B., Spiegel, M., and J. Pignataro, C., Kfir, A., Gafni, B., Spiegel, M., and J.
Lemon, "In-situ OAM Flags", draft-ietf-ippm-ioam-flags-05 Lemon, "In-situ OAM Loopback and Active Flags", draft-
(work in progress), July 2021. ietf-ippm-ioam-flags-06 (work in progress), August 2021.
[I-D.song-ippm-postcard-based-telemetry] [I-D.song-ippm-postcard-based-telemetry]
Song, H., Mirsky, G., Filsfils, C., Abdelsalam, A., Zhou, Song, H., Mirsky, G., Filsfils, C., Abdelsalam, A., Zhou,
T., Li, Z., Shin, J., and K. Lee, "Postcard-based On-Path T., Li, Z., Shin, J., and K. Lee, "Postcard-based On-Path
Flow Data Telemetry using Packet Marking", draft-song- Flow Data Telemetry using Packet Marking", draft-song-
ippm-postcard-based-telemetry-10 (work in progress), July ippm-postcard-based-telemetry-10 (work in progress), July
2021. 2021.
[I-D.spiegel-ippm-ioam-rawexport] [I-D.spiegel-ippm-ioam-rawexport]
Spiegel, M., Brockners, F., Bhandari, S., and R. Spiegel, M., Brockners, F., Bhandari, S., and R.
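Review bot: in Section 6 the new requirement "an IOAM node MUST gain explicit consent to export data to a receiving entity before starting to send exported data" is not testable as written: the text defines neither how consent is obtained nor how the node verifies it, and the preceding sentence already requires export to "a pre-configured trusted receiving entity". Either state that consent is established by that same configuration step (making the new sentence informative) or reference the mechanism, since an unspecified consent check adds no protection against an operator error or an attacker who can alter the export configuration. Minor, in unchanged context: "their affect" should read "their effect".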
 End of changes. 17 change blocks. 
28 lines changed or deleted 49 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/