Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?

[Jon Shallow <supjps-ietf@jpshallow.com>]

Hi Achim,

It is good to get this feedback.  Please see inline Jon1>

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Achim Kraus
> Sent: 07 April 2020 20:04
> To: Jon Shallow; mohamed.boucadair@orange.com; core@ietf.org;
> dots@ietf.org
> Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS:
> New BLOCK Option?
> 
> Hi Jon,
> 
> I'm still not sure, if such an approach would make sense:
> - if multiple blocks are required without gaps
> - the package loss is high
> => that ends up in not receiving any "large payload" at all.

Jon> The packet loss should be transitory in that if the DDoS Mitigation is effective and reduces the rate of the DDoS Attack through the pipe normal (certainly DOTS) service is resumed.  DOTS needs to be able to continue with limiting working with high packet loss as "PUT new mitigation request" are still likely to get through.

> 
> FMPOV, the first thing to ensure is, that the "large payload" gets split
> into "application blocks", which could be processed even when other
> application blocks are missing.

Jon> We are also trying to do this as well, but it is not that straightforward.
> 
> I would also not assume, that a "in between proxies" will be able to
> process blockwise resources with gaps.

Jon> In the DOTS case, we have the concept of DOTS gateways where the DOTS CoAP server and DOTS CoAP client stacks are fully terminated making things easier here.  This is a good point though and needs to be worked through.

> So I'm not sure, why
> observer/notify is used. If it should be used, (and a proxy will not
> work,) 

Jon> I don't quite follow why a proxy will not work unless you are referring to blockwise resources with gaps.

> then you may consider to "misuse" the notifies and send your
> "application blocks" just in multiple notifies (each application block
> in one notify, without droping "old" notifies, because they are not old
> :-) ). In my opinion that would require less changes to existing
> implementations than introduce a "blockwise without next".

Jon> It may make for less changes, but I was expecting the NONBLOCK2 option to be handled within the application rather than at the CoAP layer.  In the DOTS case, server enhanced Telemetry information sending has to be explicitly enabled by the client so existing implementations will not get broken.

> 
> In the end, it would be interesting, if such a improvement really pays
> off. Using some nodes with standard blockwise and others with the new
> one should show the benefit. It would be great, if you then report your
> numbers.

Jon> I will see what I can come up with here.  A good suggestion.  It may take a while though as I have only partially got the DOTS telemetry draft extensions coded.
~Jon

> 
> best regards
> Achim
> 
> Am 07.04.20 um 19:56 schrieb Jon Shallow:
> > Hi Achim,
> >
> > To add to Med's inline comments, the use case that we are trying to solve
> is
> > as follows.
> >
> > We are trying to send telemetry information from a server to a unicast
> > client which has the potential to exceed the size of IP packet (possibly
> > multiple times too large).
> >
> > The environment that this telemetry information is going to be
> transmitted
> > in will be where Distributed Denial of Service (DDoS) attacks are taking
> > place and so there is a high chance that network pipes will be running at or
> > near capacity and hence there is likely to be high packet loss.  It is
> > likely that the direction of the telemetry data is the same as that of the
> > packet loss.
> >
> > This telemetry is an additional tool for passing information about how
> > mitigations of these DDoS attacks are being effective so that decisions can
> > be taken as to how better to mitigate the DDoS situation.  This is making
> > use of the DDoS Open Threat Signaling protocol (DOTS) described in
> RFC8612
> > with other drafts for components of this protocol in the final stages of
> > becoming RFCs ( https://tools.ietf.org/wg/dots/ ).
> >
> > While not desirable, it is acceptable if the client is unable to receive the
> > telemetry data (out of band mechanisms such as phone calls can be used
> in
> > slow time if needed for tuning against attacks) but we would like to
> > maximize the possibility of the telemetry data getting through.
> >
> > Currently with other data and small amounts of telemetry, the GET
> response
> > or Observe data can safely be sent off from the server and the client may
> or
> > may not get it as we are using NON-confirmable.  PUT (which has small
> > amounts of data) and DELETE are also sent as NON-confirmable - and the
> > client handles things if there is not seen a 2.XX etc. response to the
> > PUT/DELETE.
> >
> > This issue is when the data is too large to fit into a single packet - we
> > currently use the CoAP BLOCK2 option which works fine under normal
> traffic
> > conditions, but relies on the client synchronously requesting the next
> block
> > of data.  We currently are doing this as NON-confirmable so a loss of a
> > block of data causes the transfer to stall with the need to do garbage
> > collection at a later point in time ion the server.  Using CONfirmable
> > causes everything to slow right down with the lossy network and prevents
> the
> > next CON transmission for a long time as NSTART is 1.
> >
> > The data is CBOR based on YANG with the YANG parameters two-way
> mapped into
> > integers to give as much CBOR data reduction as possible, so cannot save
> any
> > space there.  It is theoretically possible to reduce the amount of telemetry
> > data by only asking for subsets of information as Med has referred to in
> > this email trail.
> >
> > It is possible to solve the issue using IP fragmentation and let the client
> > re-assemble everything, but this is not ideal in a lossy network and there
> > is no way to ask for a particular IP fragment to be re-transmitted.
> >
> > If there was a new CoAP option - let's call it NONBLOCK2, which the server
> > uses to send the all the data packets without waiting for the GET request
> of
> > the next block (only difference compared with BLOCK2).  If the client does
> > not see all the blocks after a timeout, it can then request the missing
> > blocks by using one or more of the NONBLOCK2 options in a new GET
> request -
> > or just wait until the next GET / Observe response.  This may be a way to
> > move forward if we cannot solve the issue in another way.
> >
> > Regards
> >
> > Jon
> >
> >> -----Original Message-----
> >> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of
> > mohamed.boucadair@orange.com
> >> Sent: 07 April 2020 18:42
> >> To: Achim Kraus; core@ietf.org
> >> Cc: Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
> >> Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS:
> >> New BLOCK Option?
> >>
> >> Hi Achim,
> >>
> >> Please see inline.
> >>
> >> Cheers,
> >> Med
> >>
> >>> -----Message d'origine-----
> >>> De : Achim Kraus [mailto:achimkraus@gmx.net]
> >>> Envoyé : mardi 7 avril 2020 18:50
> >>> À : BOUCADAIR Mohamed TGI/OLN; core@ietf.org
> >>> Cc : Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
> >>> Objet : Re: [core] Large asynchronous notifications under DDoS: New
> >>> BLOCK Option?
> >>>
> >>> Hi Med,
> >>>
> >>> I think, not all assumption and requirements are clear to everyone.
> >>>
> >>
> >> [Med] We are using CoAP for signaling DDoS attacks and for seeking help
> >> from a DDoS mitigator. The mitigation signal itself is compact as we do
> > have
> >> a requirement that the signal channel survive under extreme DDoS
> >> conditions. We do have a mechanism to maintain the signal alive, to
> detect
> >> when it is lost and then to recover asap.
> >>
> >> We are now designing an extension to the base signaling that allows to
> >> share knowledge of attacks for better coordination and efficient
> > mitigation.
> >> To that aim, we need to signal DDoS telemetry data between our DOTS
> >> agents (CoAP endpoints).
> >>
> >>> I guess, your mission is to send a couple of "block" messages, but
> >>> without getting requested for the next-blocks, because the node is
> >>> under
> >>> attack and already receiving too much. Therefore the SACK will be used
> >>> a
> >>> little later as "cleanup"/"collect lefts".
> >>
> >> [Med] Yes.
> >>
> >>>
> >>> My first idea about that was, that sending the "block-flush" just
> >>> creates the next attack. But, if you sure, that this doesn't happen,
> >>> then such an approach may help in that special situation.
> >>
> >> [Med] Yes.
> >>
> >>>
> >>> I'm not sure, if you assume, that in the most cases all blocks will
> >>> make
> >>> it to the destination when sending them. That may also depend on the
> >>> assumed number of blocks. If it's not assumed, that all block will be
> >>> received, your payload should be encoded in a way, that you could
> >>> decode
> >>> the received blocks, even if some blocks are missing.
> >>
> >> [Med] This is will be nice to have. This might be managed at the
> > application
> >> (DOTS) level but there are some challenges as well (make sure that the
> >> crafted data will fit a single DTLS packet).
> >>
> >>>
> >>> If that number is not too large, maybe a "blockwise with NSTART-X"
> >>> will
> >>> also do it. Especially if DTLS is used, it may be possible to concat
> >>> the
> >>> "ACK/next blocks" into one package (with multiple records). AFAIK,
> >>> that
> >>> would require changes in implementations, which optimizes the
> >>> deduplication base on a strict sequence of blocks, but the difference
> >>> should be not too large.
> >>>
> >>> best regards
> >>> Achim
> >>>
> >>>
> >>> Am 07.04.20 um 13:11 schrieb mohamed.boucadair@orange.com:
> >>>> Hi all,
> >>>>
> >>>> We are using Observe to receive notifications during attack events.
> >>>> These notifications are set as NON messages for reasons specific to
> >>> DDoS
> >>>> conditions.
> >>>>
> >>>> With DDoS telemetry information included (see
> >>>> draft-ietf-dots-telemetry), a notification may not fit one single
> >>>> message. The use of BLOCK2 is not convenient during attack times. A
> >>> full
> >>>> description of the issue is described here:
> >>>>
> >>>
> >>
> https://mailarchive.ietf.org/arch/msg/dots/Gbtf8bBWpxD9CWNBhS_TZtsW
> >> eP4
> >>> /
> >>>>
> >>>> We are considering some mechanisms to solve this issue. One of them
> >>> is
> >>>> to define a new BLOCK option (similar to BLOCK2) that does not
> >>> require
> >>>> the observer to send a GET to receive the next fragment. The server
> >>> will
> >>>> send all the fragments. The observer will follow a SACK-like
> >>> approach to
> >>>> request retransmission of missing fragments.
> >>>>
> >>>> Please let us know whether you think this is a generic issue that
> >>> should
> >>>> be solved at the CoAP or not. Suggestions are welcome.
> >>>>
> >>>> Thank you.
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Jon & Med
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> core mailing list
> >>>> core@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/core
> >>>>
> >>
> >> _______________________________________________
> >> Dots mailing list
> >> Dots@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dots
> >
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots