Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option? Wed, 08 April 2020 09:56 UTC

From: <>
To: Carsten Bormann <>
CC: Jon Shallow <>, core <>, "" <>
Date: Wed, 8 Apr 2020 09:56:13 +0000

Hi Carsten,

We are also considering how to solve the issue at the DOTS level. The good news is that we are not blindly overriding pieces of data that are received in distinct responses. We have some checks to update an active record. But as mentioned by Jon, there are some challenges as well. 

With regard to the network environment, the direction of the attack is the same as the one from servers to clients. That said, telemetry data can be exchanged in both directions:

* from client to servers: using a dedicated telemetry message or in an efficacy update shared with the server when a mitigation is active. This is done using PUT messages.
* from servers to clients: telemetry data can be sent in dedicated notification messages or as part of the mitigation status update. Both rely upon GET+Observe. Having a mechanism to ask for gaps would thus be helpful.


> -----Original Message-----
> From: Carsten Bormann []
> Sent: Tuesday 7 April 2020 23:19
> To: Achim Kraus
> Cc: Jon Shallow; BOUCADAIR Mohamed TGI/OLN; core;
> Subject: Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?
> Hi Achim,
> On 2020-04-07, at 21:04, Achim Kraus <> wrote:
> >
> > FMPOV, the first thing to ensure is, that the "large payload" gets
> > split into "application blocks", which could be processed even when
> > other application blocks are missing.
> Indeed, “application layer framing” comes to mind here; that is always
> a good idea if it cannot be ensured that all messages make it or if it
> is good to be able to process messages while still waiting for others.
>                      .oOo.
> I’m trying to understand the very specific network environment that we
> are targeting here.
> Are we assuming packets are way more likely to make it from the server
> to the client than the other way around?
> That indeed would call for additional capabilities that base CoAP does
> not have.
> We also may not really care about congestion control much in a
> situation of massive (attacker-induced) congestion (although that
> might be misdiagnosed, so some care is still required); which would be
> another reason to maybe deviate from base CoAP.
> I don’t have a design in mind at the moment.  It would need to cater
> for the fact that sending the other response messages for the request
> would be on the initiative of the server.
> So observe (with non-confirmable responses) is maybe a good model
> indeed; what’s missing is some way to ask for gaps.
> I just resubmitted a draft that we have been discussing for a while in
> T2TRG:
> The Series Transfer Pattern (STP)
> This has some discussion that may be relevant here, although it does
> not address the specific DOTS problem.  I think it would be great if
> whatever we come up with to solve this problem would also be a step
> forward on the larger class of applications needing the series
> transfer pattern.
> Regards, Carsten
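
Added example, not part of the original e-mail or of any DOTS/CoAP specification: a receiver-side sketch of the "application blocks" idea discussed in this thread, where each frame is processed on arrival and the receiver can compute the gaps it would want to ask for. The `Frame` layout, the `series`/`index`/`total` fields and the sample values are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Frame:
    # Hypothetical application-layer frame (assumption, not a DOTS/CoAP format)
    series: int    # identifies one large notification
    index: int     # position of this frame within the series
    total: int     # number of frames in the series
    records: dict  # telemetry records that are usable on their own

@dataclass
class Receiver:
    series: int | None = None
    total: int = 0
    seen: set = field(default_factory=set)
    telemetry: dict = field(default_factory=dict)

    def accept(self, f: Frame) -> bool:
        """Process one frame on arrival; return False if it is ignored."""
        if f.total <= 0 or not 0 <= f.index < f.total:
            return False                      # malformed frame
        if self.series is None or f.series > self.series:
            self.series, self.total = f.series, f.total
            self.seen, self.telemetry = set(), {}   # newer series supersedes
        elif f.series < self.series or f.total != self.total:
            return False                      # stale or inconsistent frame
        if f.index in self.seen:
            return False                      # duplicate
        self.seen.add(f.index)
        self.telemetry.update(f.records)      # usable without the other frames
        return True

    def gaps(self) -> list[tuple[int, int]]:
        """Missing frame indices, merged into inclusive (first, last) ranges."""
        ranges: list[tuple[int, int]] = []
        for i in (i for i in range(self.total) if i not in self.seen):
            if ranges and ranges[-1][1] == i - 1:
                ranges[-1] = (ranges[-1][0], i)
            else:
                ranges.append((i, i))
        return ranges

def demo():
    # Constructed arrival order: frames 1, 2 and 4 lost, frame 3 duplicated
    rx = Receiver()
    results = [rx.accept(Frame(7, i, 6, {f"target-{i}": i * 100})) for i in (0, 3, 5, 3)]
    return results, sorted(rx.telemetry), rx.gaps()
```

How the gap list would be carried back to the server is the open question in the thread; the sketch only shows what the receiver can know locally.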