Re: [core] Large asynchronous notifications under DDoS: New BLOCK Option?

mohamed.boucadair@orange.com Tue, 07 April 2020 16:48 UTC

From: <mohamed.boucadair@orange.com>
To: Jim Schaad <ietf@augustcellars.com>, "core@ietf.org" <core@ietf.org>
CC: 'Jon Shallow' <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
Date: Tue, 7 Apr 2020 16:48:48 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303149082D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B933031490173@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <049201d60cef$d1299a50$737ccef0$@augustcellars.com>
In-Reply-To: <049201d60cef$d1299a50$737ccef0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ELKj5nPBtLF-UqM2rU7a1-2DBvM>
Subject: Re: [core] Large asynchronous notifications under DDoS: New BLOCK Option?

Hi Jim,

That can be policy based at the client side + some signal to the server.

For our DOTS application, clients indicate to servers whether they are willing to receive all the content (below is an excerpt of our spec):

   DOTS clients that are interested to receive pre- or ongoing mitigation
   telemetry (pre-or-ongoing-mitigation) information from a DOTS server
   (Section 8.2, https://tools.ietf.org/html/draft-ietf-dots-telemetry-06#section-8.2) MUST set 'server-originated-telemetry' to 'true'.

And

   In order to signal telemetry data in a mitigation efficacy update, it
   is RECOMMENDED that the DOTS client has already established a DOTS
   telemetry setup session with the server in 'idle' time.

Clients can filter out data they are interested in (Uri-Query), e.g.:

   Header: GET (Code=0.01)
   Uri-Path: ".well-known"
   Uri-Path: "dots"
   Uri-Path: "mitigate"
   Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
   Uri-Path: "mid=12332"
   Uri-Query: "target-alias=https1"
   Observe: 0

If no filter is included, all the content has to be returned to the client:

   Header: GET (Code=0.01)
   Uri-Path: ".well-known"
   Uri-Path: "dots"
   Uri-Path: "tm"
   Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
   Uri-Path: "tmid=123"
   Observe: 0

    Figure 34: GET to Subscribe to Telemetry Asynchronous Notifications
                           for a Specific 'tmid'

What is missing for us is a BLOCK2-like option to send all fragments without waiting for a GET + retrieval of missing fragments (if any).

Cheers,
Med

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Tuesday, April 7, 2020 17:19
To: BOUCADAIR Mohamed TGI/OLN; core@ietf.org
Cc: 'Jon Shallow'; dots@ietf.org
Subject: RE: [core] Large asynchronous notifications under DDoS: New BLOCK Option?

I do not believe that there is anything today that says the observer is required to do a GET to receive the next fragment in the event that it does not care about what it says. The question that springs to mind is how should the server/client decide that it does or does not want to retrieve the entire content?

Jim


From: core <core-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
Sent: Tuesday, April 7, 2020 4:11 AM
To: core@ietf.org
Cc: Jon Shallow (supjps-ietf@jpshallow.com) <supjps-ietf@jpshallow.com>; dots@ietf.org
Subject: [core] Large asynchronous notifications under DDoS: New BLOCK Option?

Hi all,

We are using Observe to receive notifications during attack events. These notifications are set as NON messages for reasons specific to DDoS conditions.

With DDoS telemetry information included (see draft-ietf-dots-telemetry), a notification may not fit one single message. The use of BLOCK2 is not convenient during attack times. A full description of the issue is described here: https://mailarchive.ietf.org/arch/msg/dots/Gbtf8bBWpxD9CWNBhS_TZtsWeP4/

We are considering some mechanisms to solve this issue. One of them is to define a new BLOCK option (similar to BLOCK2) that does not require the observer to send a GET to receive the next fragment. The server will send all the fragments. The observer will follow a SACK-like approach to request retransmission of missing fragments.

Please let us know whether you think this is a generic issue that should be solved at the CoAP level or not. Suggestions are welcome.

Thank you.

Cheers,
Jon & Med
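The mechanism Jon and Med sketch above (server pushes every fragment of a large notification as NON messages, observer reports the gaps SACK-style, server retransmits only those) is modelled below as an added example. This is not code from the thread, from the DOTS drafts or from any CoAP implementation; the `Fragment` fields, the `missing-blocks` request shape, the 64-byte block size and the token value are all assumptions chosen to make the behaviour concrete. It also handles the edge case the thread does not spell out: when the final fragment is the one lost, the observer cannot yet know how many blocks exist and has to ask for "the next block after the highest one seen" rather than for a gap.

```python
"""Toy model of a push-all-fragments block transfer with SACK-like repair.

Illustrative only: option names, field names and encodings are assumptions,
not the wire format of Block2 or of any proposed CoAP option.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BLOCK_SIZE = 64  # assumed payload bytes per fragment


@dataclass(frozen=True)
class Fragment:
    """One NON notification carrying block `num` of a larger body.
    `more` mirrors the Block2 M bit: True on every block except the last."""
    token: bytes
    num: int
    more: bool
    payload: bytes


def fragment_body(token: bytes, body: bytes, size: int = BLOCK_SIZE) -> List[Fragment]:
    """Server side: split a notification into numbered fragments that are all
    pushed at once, with no per-block GET from the observer."""
    if size <= 0:
        raise ValueError("block size must be positive")
    chunks = [body[i:i + size] for i in range(0, len(body), size)] or [b""]
    last = len(chunks) - 1
    return [Fragment(token, i, i != last, c) for i, c in enumerate(chunks)]


@dataclass
class Reassembler:
    """Observer side: collect the fragments of one notification (one token)
    and report what is still missing in a single SACK-style list."""
    token: bytes
    received: Dict[int, bytes] = field(default_factory=dict)
    last_num: Optional[int] = None  # known once the more=False block arrives

    def accept(self, frag: Fragment) -> None:
        if frag.token != self.token:
            return  # a different notification; not ours to reassemble
        if not frag.more:
            self.last_num = frag.num
        self.received[frag.num] = frag.payload

    def missing(self) -> List[int]:
        highest = max(self.received, default=-1)
        if self.last_num is None:
            # Final block not seen yet: the highest block we hold has more=True,
            # so at least one block beyond it exists. Ask for the gaps plus that one.
            return [n for n in range(highest + 1) if n not in self.received] + [highest + 1]
        return [n for n in range(self.last_num + 1) if n not in self.received]

    def complete(self) -> bool:
        return self.last_num is not None and not self.missing()

    def body(self) -> bytes:
        if not self.complete():
            raise ValueError("body incomplete; missing blocks %r" % self.missing())
        return b"".join(self.received[n] for n in range(self.last_num + 1))


def sack_request(token: bytes, missing: List[int]) -> dict:
    """The observer's repair request: one message naming every gap, instead of
    one GET per block as with Block2. Field names are assumptions."""
    return {"code": "GET", "token": token, "missing-blocks": list(missing)}


def transfer(body: bytes, drop: Set[int], size: int = BLOCK_SIZE) -> Tuple[bytes, int, int]:
    """Simulate one notification: fragments whose number is in `drop` are lost
    on the first pass; retransmissions always arrive. Returns the reassembled
    body, the number of repair rounds and the total fragments sent."""
    token = b"\x4a\x12"  # constructed token
    frags = fragment_body(token, body, size)
    rx = Reassembler(token)
    sent = 0
    for f in frags:
        sent += 1
        if f.num not in drop:
            rx.accept(f)
    rounds = 0
    while not rx.complete():
        rounds += 1
        req = sack_request(token, rx.missing())
        for n in req["missing-blocks"]:
            sent += 1
            rx.accept(frags[n])  # server resends only the named blocks
    return rx.body(), rounds, sent


if __name__ == "__main__":
    telemetry = (b'{"tmid":123,"traffic":[' + b'{"unit":"pps","peak":120000},' * 20 + b"]}")
    for lost in (set(), {2, 5}, {len(telemetry) // BLOCK_SIZE}):
        out, rounds, sent = transfer(telemetry, lost)
        print(f"dropped={sorted(lost)} repair_rounds={rounds} fragments_sent={sent} ok={out == telemetry}")
```

With Block2 the observer issues one GET per block after the first whatever the loss rate is; in this model the observer sends nothing unless something is lost, and then one request per repair round, which is the property the thread is after under attack conditions. Note that the per-token reassembly state is a resource the server can make the observer allocate, so a real implementation would bound it the way any reassembly buffer is bounded.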