Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?

Achim Kraus <achimkraus@gmx.net> Tue, 07 April 2020 20:26 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B9633A12A3; Tue, 7 Apr 2020 13:26:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdiyqLMEhSb1; Tue, 7 Apr 2020 13:26:47 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76D23A10D8; Tue, 7 Apr 2020 13:26:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1586291192; bh=foLXtyc5U0FmFQMbdhDKJXKZLzxum8wuCIbBBA32raY=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=PHgQ4y3ugUHgwptbMRSuyoKKkGj6rFdufdP/tHyWT1IAYDyvPncAmk+mQqD8LSTQr PzSkmU8zMKfyLZqYDM3AC2vDjYN5PLqBmnzB/qamTdQvWwmPlDfFlxsAovhin2sC6S jtLGpMyPzZ1GhfCYfA//LB3wLbmkMMCq5gZdhE/M=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.45] ([88.65.144.250]) by mail.gmx.com (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MmULx-1ivcOP12Ez-00iPXV; Tue, 07 Apr 2020 22:26:32 +0200
To: Jon Shallow <supjps-ietf@jpshallow.com>, mohamed.boucadair@orange.com, core@ietf.org, dots@ietf.org
References: <787AE7BB302AE849A7480A190F8B933031490173@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <2a255f3b-6614-f950-4ecc-15f170087c9f@gmx.net> <787AE7BB302AE849A7480A190F8B933031490894@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <019301d60d05$d87fcca0$897f65e0$@jpshallow.com> <a36c6114-d979-e04a-7806-3ad350208e4a@gmx.net> <01ad01d60d17$470b9a80$d522cf80$@jpshallow.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <0955fc85-8d5a-f1c4-b618-f692b27ad9d3@gmx.net>
Date: Tue, 7 Apr 2020 22:26:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <01ad01d60d17$470b9a80$d522cf80$@jpshallow.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: de-AT-frami
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:2LR+gFhIuGDPk3+BeJ/s3k6ORVCJWTz/XVqBbFceMC4Dhvvafey Vgd4w0sMbcvy2LaNCDjxcEYni1p6zzuHxONlQ+STPiuFX+TZZEJ+qFsqivHBlpXu9CQUF9n 91pye3EVdNsDKfSS0RrMmvuX/4+bHpCv/U7g82KhFVrGAYHi4zNp7iEnrLbeJKrpd7C9gXN dZttWQnAv3nVdYTcR6txg==
X-UI-Out-Filterresults: notjunk:1;V03:K0:bujNJ5+2aWo=:hFeTR5zmW0kWg1zFQK/ov+ yxZQmS6lNaxQRwIct+UnfQnbIkD4psB0n9XeuvQxC7Xs+lvarryZ7039OCVYKkhBk3ErzPlbN 6oV++WpFvzqPKcTgNAfXsF9HkhJhoIM5iHh1cdPt6hcr7T7HDKSwDBYGMWXBPAQZD73zH2FVw C8UjXOV3br8ApO0nd0UssyfqO1l5Zw8sKakHMvrA+tSnZe/CnUChkgEC+bRjEuxAm6PylxmtJ wU1/O19GjhhxGSyeSp09+N+75EjM9tfYHK42DVXR0ivkq2RXEiBOSQ73ZEli09dQSjQGJaxFY hNAbD9cjc0O9goBdrPiENdJaibPxjJ64KBqadRL1yg2CEHy8ycSLSxASXINkYZz0pM5K/Ny1Y K47pMpqF5/91cla2MTvEeCPv+FbZLjwFvHgAcKlhHluwdzQXAzQcUQiIzY5FmVoP0NmOJu2w+ hbh7XWIJUptGwV0E2s0j8rC2ao/SHuEDUjUFltzxuwFZeocPOrAkmbSeHL1cS5lczm6VcOdJw 75Lyj3bnALYDXAjHvwGJ/3UReJzrrH0Eajl75DvEciMgKfss1wFcxFAcHYBbrM/dkT9d/62zA JF0chakMMbn1IQ1L8r6DcHH0Cz5Y7KbPprGhzBSfwVEgZvBbtiuXBE6PxwP8HllI8xh9q0kNP sh2ErgXpLL1R2rloA8if77HZPGh3CnpSsMfUEEv4ieB9HEcIDsmr1A6N1iXxUxhPtxwaVvbwb c9TC9LQVPc0Lo35I7FNKPgkCEVUapdzc/7K+uDu5yme8NEelUx7u+hz4/Z9GoxOQt8GPp/6YP m9CI7EUqeixJMUBjFG7+5dYbrZb80YpqlRriRHmUaO7RcF6/DQ0RLmHDsURdfE7pNKk8MVrIz o9zoPN6TfEKskAnz9hf7eHJI9OuhwkLRe6Q1B6EZoM9GvhmfNvXobtkJZ7dFpssE0QwfTK3wq CBNqHgSRkg5ZX1pSV59fcgylKCZ0vKfooYOTiSskoGCCq3sBBik1MLzoOm1tKzcWBJd9Y5Fwm FgABRt2svbZ35END2/lqXfaGBvXoFv1tQzLA6D2zvidvZTrCaTUF5f3ejoOKwLIGTcag9AzJc PtJ74AjmOWn3FNiRspxJJaK9vC4WjGq2aeA6hiwdFDzxkKoRUoEzlAX9qrjZDkS5qYmkDCYYl BxcRJnxZBJYRk2pHv1+sugBefNwOu3llRi/3jgEWFn2ZAGxZdg+BnEiqHJdPu7oVK9YgqKuZC IibOp29R8zly/ZIVX
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/aK7y-7Z0zfBUqV417qutUDNpTZA>
Subject: Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 20:26:57 -0000

Hi Jon,


Jon> I don't quite follow why a proxy will not work unless you are
referring to blockwise resources with gaps.

Yes, the point is the blockwise with gaps.

Jon> It may make for less changes, but I was expecting the NONBLOCK2
option to be handled within the application rather than at the CoAP
layer.  In the DOTS case, server enhanced Telemetry information sending
has to be explicitly enabled by the client so existing implementations
will not get broken.

If it's not a modification of the coap-layer, which kind of messages are
you plan to use?
Multiple NON-responses (wouldn't that be notifies)?
Or NON requests with "no-response"?

best regards
Achim

Am 07.04.20 um 22:01 schrieb Jon Shallow:
> Hi Achim,
>
> It is good to get this feedback.  Please see inline Jon1>
>
> Regards
>
> Jon
>
>> -----Original Message-----
>> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Achim Kraus
>> Sent: 07 April 2020 20:04
>> To: Jon Shallow; mohamed.boucadair@orange.com; core@ietf.org;
>> dots@ietf.org
>> Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS:
>> New BLOCK Option?
>>
>> Hi Jon,
>>
>> I'm still not sure, if such an approach would make sense:
>> - if multiple blocks are required without gaps
>> - the package loss is high
>> => that ends up in not receiving any "large payload" at all.
>
> Jon> The packet loss should be transitory in that if the DDoS Mitigation is effective and reduces the rate of the DDoS Attack through the pipe normal (certainly DOTS) service is resumed.  DOTS needs to be able to continue with limiting working with high packet loss as "PUT new mitigation request" are still likely to get through.
>
>>
>> FMPOV, the first thing to ensure is, that the "large payload" gets split
>> into "application blocks", which could be processed even when other
>> application blocks are missing.
>
> Jon> We are also trying to do this as well, but it is not that straightforward.
>>
>> I would also not assume, that a "in between proxies" will be able to
>> process blockwise resources with gaps.
>
> Jon> In the DOTS case, we have the concept of DOTS gateways where the DOTS CoAP server and DOTS CoAP client stacks are fully terminated making things easier here.  This is a good point though and needs to be worked through.
>
>> So I'm not sure, why
>> observer/notify is used. If it should be used, (and a proxy will not
>> work,)
>
> Jon> I don't quite follow why a proxy will not work unless you are referring to blockwise resources with gaps.
>
>> then you may consider to "misuse" the notifies and send your
>> "application blocks" just in multiple notifies (each application block
>> in one notify, without droping "old" notifies, because they are not old
>> :-) ). In my opinion that would require less changes to existing
>> implementations than introduce a "blockwise without next".
>
> Jon> It may make for less changes, but I was expecting the NONBLOCK2 option to be handled within the application rather than at the CoAP layer.  In the DOTS case, server enhanced Telemetry information sending has to be explicitly enabled by the client so existing implementations will not get broken.
>
>>
>> In the end, it would be interesting, if such a improvement really pays
>> off. Using some nodes with standard blockwise and others with the new
>> one should show the benefit. It would be great, if you then report your
>> numbers.
>
> Jon> I will see what I can come up with here.  A good suggestion.  It may take a while though as I have only partially got the DOTS telemetry draft extensions coded.
> ~Jon
>
>>
>> best regards
>> Achim
>>
>> Am 07.04.20 um 19:56 schrieb Jon Shallow:
>>> Hi Achim,
>>>
>>> To add to Med's inline comments, the use case that we are trying to solve
>> is
>>> as follows.
>>>
>>> We are trying to send telemetry information from a server to a unicast
>>> client which has the potential to exceed the size of IP packet (possibly
>>> multiple times too large).
>>>
>>> The environment that this telemetry information is going to be
>> transmitted
>>> in will be where Distributed Denial of Service (DDoS) attacks are taking
>>> place and so there is a high chance that network pipes will be running at or
>>> near capacity and hence there is likely to be high packet loss.  It is
>>> likely that the direction of the telemetry data is the same as that of the
>>> packet loss.
>>>
>>> This telemetry is an additional tool for passing information about how
>>> mitigations of these DDoS attacks are being effective so that decisions can
>>> be taken as to how better to mitigate the DDoS situation.  This is making
>>> use of the DDoS Open Threat Signaling protocol (DOTS) described in
>> RFC8612
>>> with other drafts for components of this protocol in the final stages of
>>> becoming RFCs ( https://tools.ietf.org/wg/dots/ ).
>>>
>>> While not desirable, it is acceptable if the client is unable to receive the
>>> telemetry data (out of band mechanisms such as phone calls can be used
>> in
>>> slow time if needed for tuning against attacks) but we would like to
>>> maximize the possibility of the telemetry data getting through.
>>>
>>> Currently with other data and small amounts of telemetry, the GET
>> response
>>> or Observe data can safely be sent off from the server and the client may
>> or
>>> may not get it as we are using NON-confirmable.  PUT (which has small
>>> amounts of data) and DELETE are also sent as NON-confirmable - and the
>>> client handles things if there is not seen a 2.XX etc. response to the
>>> PUT/DELETE.
>>>
>>> This issue is when the data is too large to fit into a single packet - we
>>> currently use the CoAP BLOCK2 option which works fine under normal
>> traffic
>>> conditions, but relies on the client synchronously requesting the next
>> block
>>> of data.  We currently are doing this as NON-confirmable so a loss of a
>>> block of data causes the transfer to stall with the need to do garbage
>>> collection at a later point in time ion the server.  Using CONfirmable
>>> causes everything to slow right down with the lossy network and prevents
>> the
>>> next CON transmission for a long time as NSTART is 1.
>>>
>>> The data is CBOR based on YANG with the YANG parameters two-way
>> mapped into
>>> integers to give as much CBOR data reduction as possible, so cannot save
>> any
>>> space there.  It is theoretically possible to reduce the amount of telemetry
>>> data by only asking for subsets of information as Med has referred to in
>>> this email trail.
>>>
>>> It is possible to solve the issue using IP fragmentation and let the client
>>> re-assemble everything, but this is not ideal in a lossy network and there
>>> is no way to ask for a particular IP fragment to be re-transmitted.
>>>
>>> If there was a new CoAP option - let's call it NONBLOCK2, which the server
>>> uses to send the all the data packets without waiting for the GET request
>> of
>>> the next block (only difference compared with BLOCK2).  If the client does
>>> not see all the blocks after a timeout, it can then request the missing
>>> blocks by using one or more of the NONBLOCK2 options in a new GET
>> request -
>>> or just wait until the next GET / Observe response.  This may be a way to
>>> move forward if we cannot solve the issue in another way.
>>>
>>> Regards
>>>
>>> Jon
>>>
>>>> -----Original Message-----
>>>> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of
>>> mohamed.boucadair@orange.com
>>>> Sent: 07 April 2020 18:42
>>>> To: Achim Kraus; core@ietf.org
>>>> Cc: Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
>>>> Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS:
>>>> New BLOCK Option?
>>>>
>>>> Hi Achim,
>>>>
>>>> Please see inline.
>>>>
>>>> Cheers,
>>>> Med
>>>>
>>>>> -----Message d'origine-----
>>>>> De : Achim Kraus [mailto:achimkraus@gmx.net]
>>>>> Envoyé : mardi 7 avril 2020 18:50
>>>>> À : BOUCADAIR Mohamed TGI/OLN; core@ietf.org
>>>>> Cc : Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
>>>>> Objet : Re: [core] Large asynchronous notifications under DDoS: New
>>>>> BLOCK Option?
>>>>>
>>>>> Hi Med,
>>>>>
>>>>> I think, not all assumption and requirements are clear to everyone.
>>>>>
>>>>
>>>> [Med] We are using CoAP for signaling DDoS attacks and for seeking help
>>>> from a DDoS mitigator. The mitigation signal itself is compact as we do
>>> have
>>>> a requirement that the signal channel survive under extreme DDoS
>>>> conditions. We do have a mechanism to maintain the signal alive, to
>> detect
>>>> when it is lost and then to recover asap.
>>>>
>>>> We are now designing an extension to the base signaling that allows to
>>>> share knowledge of attacks for better coordination and efficient
>>> mitigation.
>>>> To that aim, we need to signal DDoS telemetry data between our DOTS
>>>> agents (CoAP endpoints).
>>>>
>>>>> I guess, your mission is to send a couple of "block" messages, but
>>>>> without getting requested for the next-blocks, because the node is
>>>>> under
>>>>> attack and already receiving too much. Therefore the SACK will be used
>>>>> a
>>>>> little later as "cleanup"/"collect lefts".
>>>>
>>>> [Med] Yes.
>>>>
>>>>>
>>>>> My first idea about that was, that sending the "block-flush" just
>>>>> creates the next attack. But, if you sure, that this doesn't happen,
>>>>> then such an approach may help in that special situation.
>>>>
>>>> [Med] Yes.
>>>>
>>>>>
>>>>> I'm not sure, if you assume, that in the most cases all blocks will
>>>>> make
>>>>> it to the destination when sending them. That may also depend on the
>>>>> assumed number of blocks. If it's not assumed, that all block will be
>>>>> received, your payload should be encoded in a way, that you could
>>>>> decode
>>>>> the received blocks, even if some blocks are missing.
>>>>
>>>> [Med] This is will be nice to have. This might be managed at the
>>> application
>>>> (DOTS) level but there are some challenges as well (make sure that the
>>>> crafted data will fit a single DTLS packet).
>>>>
>>>>>
>>>>> If that number is not too large, maybe a "blockwise with NSTART-X"
>>>>> will
>>>>> also do it. Especially if DTLS is used, it may be possible to concat
>>>>> the
>>>>> "ACK/next blocks" into one package (with multiple records). AFAIK,
>>>>> that
>>>>> would require changes in implementations, which optimizes the
>>>>> deduplication base on a strict sequence of blocks, but the difference
>>>>> should be not too large.
>>>>>
>>>>> best regards
>>>>> Achim
>>>>>
>>>>>
>>>>> Am 07.04.20 um 13:11 schrieb mohamed.boucadair@orange.com:
>>>>>> Hi all,
>>>>>>
>>>>>> We are using Observe to receive notifications during attack events.
>>>>>> These notifications are set as NON messages for reasons specific to
>>>>> DDoS
>>>>>> conditions.
>>>>>>
>>>>>> With DDoS telemetry information included (see
>>>>>> draft-ietf-dots-telemetry), a notification may not fit one single
>>>>>> message. The use of BLOCK2 is not convenient during attack times. A
>>>>> full
>>>>>> description of the issue is described here:
>>>>>>
>>>>>
>>>>
>> https://mailarchive.ietf.org/arch/msg/dots/Gbtf8bBWpxD9CWNBhS_TZtsW
>>>> eP4
>>>>> /
>>>>>>
>>>>>> We are considering some mechanisms to solve this issue. One of them
>>>>> is
>>>>>> to define a new BLOCK option (similar to BLOCK2) that does not
>>>>> require
>>>>>> the observer to send a GET to receive the next fragment. The server
>>>>> will
>>>>>> send all the fragments. The observer will follow a SACK-like
>>>>> approach to
>>>>>> request retransmission of missing fragments.
>>>>>>
>>>>>> Please let us know whether you think this is a generic issue that
>>>>> should
>>>>>> be solved at the CoAP or not. Suggestions are welcome.
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Jon & Med
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> core mailing list
>>>>>> core@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/core
>>>>>>
>>>>
>>>> _______________________________________________
>>>> Dots mailing list
>>>> Dots@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dots
>>>
>>
>> _______________________________________________
>> Dots mailing list
>> Dots@ietf.org
>> https://www.ietf.org/mailman/listinfo/dots
>