Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?
Jon Shallow <supjps-ietf@jpshallow.com> Tue, 07 April 2020 17:58 UTC
Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADCE53A1BD6; Tue, 7 Apr 2020 10:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC99_BrR1nyk; Tue, 7 Apr 2020 10:58:42 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB6A3A0B1B; Tue, 7 Apr 2020 10:56:20 -0700 (PDT)
Received: from mail2.jpshallow.com ([192.168.0.3] helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.92.3) (envelope-from <jon.shallow@jpshallow.com>) id 1jLsSN-0006Sq-8N; Tue, 07 Apr 2020 18:56:15 +0100
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: 'Achim Kraus' <achimkraus@gmx.net>, mohamed.boucadair@orange.com, core@ietf.org, dots@ietf.org
References: <787AE7BB302AE849A7480A190F8B933031490173@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <2a255f3b-6614-f950-4ecc-15f170087c9f@gmx.net> <787AE7BB302AE849A7480A190F8B933031490894@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B933031490894@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Tue, 07 Apr 2020 18:56:21 +0100
Message-ID: <019301d60d05$d87fcca0$897f65e0$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGFUV4cZbdAMYpJNEeLLEh4F2cKcwH1DnpQAK+no82o+kI84A==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/bEGz0aXPgcoE7yMDt7yW9g-zARM>
Subject: Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 17:58:49 -0000
Hi Achim, To add to Med's inline comments, the use case that we are trying to solve is as follows. We are trying to send telemetry information from a server to a unicast client which has the potential to exceed the size of IP packet (possibly multiple times too large). The environment that this telemetry information is going to be transmitted in will be where Distributed Denial of Service (DDoS) attacks are taking place and so there is a high chance that network pipes will be running at or near capacity and hence there is likely to be high packet loss. It is likely that the direction of the telemetry data is the same as that of the packet loss. This telemetry is an additional tool for passing information about how mitigations of these DDoS attacks are being effective so that decisions can be taken as to how better to mitigate the DDoS situation. This is making use of the DDoS Open Threat Signaling protocol (DOTS) described in RFC8612 with other drafts for components of this protocol in the final stages of becoming RFCs ( https://tools.ietf.org/wg/dots/ ). While not desirable, it is acceptable if the client is unable to receive the telemetry data (out of band mechanisms such as phone calls can be used in slow time if needed for tuning against attacks) but we would like to maximize the possibility of the telemetry data getting through. Currently with other data and small amounts of telemetry, the GET response or Observe data can safely be sent off from the server and the client may or may not get it as we are using NON-confirmable. PUT (which has small amounts of data) and DELETE are also sent as NON-confirmable - and the client handles things if there is not seen a 2.XX etc. response to the PUT/DELETE. This issue is when the data is too large to fit into a single packet - we currently use the CoAP BLOCK2 option which works fine under normal traffic conditions, but relies on the client synchronously requesting the next block of data. We currently are doing this as NON-confirmable so a loss of a block of data causes the transfer to stall with the need to do garbage collection at a later point in time ion the server. Using CONfirmable causes everything to slow right down with the lossy network and prevents the next CON transmission for a long time as NSTART is 1. The data is CBOR based on YANG with the YANG parameters two-way mapped into integers to give as much CBOR data reduction as possible, so cannot save any space there. It is theoretically possible to reduce the amount of telemetry data by only asking for subsets of information as Med has referred to in this email trail. It is possible to solve the issue using IP fragmentation and let the client re-assemble everything, but this is not ideal in a lossy network and there is no way to ask for a particular IP fragment to be re-transmitted. If there was a new CoAP option - let's call it NONBLOCK2, which the server uses to send the all the data packets without waiting for the GET request of the next block (only difference compared with BLOCK2). If the client does not see all the blocks after a timeout, it can then request the missing blocks by using one or more of the NONBLOCK2 options in a new GET request - or just wait until the next GET / Observe response. This may be a way to move forward if we cannot solve the issue in another way. Regards Jon > -----Original Message----- > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com > Sent: 07 April 2020 18:42 > To: Achim Kraus; core@ietf.org > Cc: Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org > Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS: > New BLOCK Option? > > Hi Achim, > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Achim Kraus [mailto:achimkraus@gmx.net] > > Envoyé : mardi 7 avril 2020 18:50 > > À : BOUCADAIR Mohamed TGI/OLN; core@ietf.org > > Cc : Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org > > Objet : Re: [core] Large asynchronous notifications under DDoS: New > > BLOCK Option? > > > > Hi Med, > > > > I think, not all assumption and requirements are clear to everyone. > > > > [Med] We are using CoAP for signaling DDoS attacks and for seeking help > from a DDoS mitigator. The mitigation signal itself is compact as we do have > a requirement that the signal channel survive under extreme DDoS > conditions. We do have a mechanism to maintain the signal alive, to detect > when it is lost and then to recover asap. > > We are now designing an extension to the base signaling that allows to > share knowledge of attacks for better coordination and efficient mitigation. > To that aim, we need to signal DDoS telemetry data between our DOTS > agents (CoAP endpoints). > > > I guess, your mission is to send a couple of "block" messages, but > > without getting requested for the next-blocks, because the node is > > under > > attack and already receiving too much. Therefore the SACK will be used > > a > > little later as "cleanup"/"collect lefts". > > [Med] Yes. > > > > > My first idea about that was, that sending the "block-flush" just > > creates the next attack. But, if you sure, that this doesn't happen, > > then such an approach may help in that special situation. > > [Med] Yes. > > > > > I'm not sure, if you assume, that in the most cases all blocks will > > make > > it to the destination when sending them. That may also depend on the > > assumed number of blocks. If it's not assumed, that all block will be > > received, your payload should be encoded in a way, that you could > > decode > > the received blocks, even if some blocks are missing. > > [Med] This is will be nice to have. This might be managed at the application > (DOTS) level but there are some challenges as well (make sure that the > crafted data will fit a single DTLS packet). > > > > > If that number is not too large, maybe a "blockwise with NSTART-X" > > will > > also do it. Especially if DTLS is used, it may be possible to concat > > the > > "ACK/next blocks" into one package (with multiple records). AFAIK, > > that > > would require changes in implementations, which optimizes the > > deduplication base on a strict sequence of blocks, but the difference > > should be not too large. > > > > best regards > > Achim > > > > > > Am 07.04.20 um 13:11 schrieb mohamed.boucadair@orange.com: > > > Hi all, > > > > > > We are using Observe to receive notifications during attack events. > > > These notifications are set as NON messages for reasons specific to > > DDoS > > > conditions. > > > > > > With DDoS telemetry information included (see > > > draft-ietf-dots-telemetry), a notification may not fit one single > > > message. The use of BLOCK2 is not convenient during attack times. A > > full > > > description of the issue is described here: > > > > > > https://mailarchive.ietf.org/arch/msg/dots/Gbtf8bBWpxD9CWNBhS_TZtsW > eP4 > > / > > > > > > We are considering some mechanisms to solve this issue. One of them > > is > > > to define a new BLOCK option (similar to BLOCK2) that does not > > require > > > the observer to send a GET to receive the next fragment. The server > > will > > > send all the fragments. The observer will follow a SACK-like > > approach to > > > request retransmission of missing fragments. > > > > > > Please let us know whether you think this is a generic issue that > > should > > > be solved at the CoAP or not. Suggestions are welcome. > > > > > > Thank you. > > > > > > Cheers, > > > > > > Jon & Med > > > > > > > > > _______________________________________________ > > > core mailing list > > > core@ietf.org > > > https://www.ietf.org/mailman/listinfo/core > > > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [core] Large asynchronous notifications under DDo… mohamed.boucadair
- Re: [core] Large asynchronous notifications under… Christian Amsüss
- Re: [core] Large asynchronous notifications under… Jim Schaad
- Re: [core] Large asynchronous notifications under… mohamed.boucadair
- Re: [core] Large asynchronous notifications under… mohamed.boucadair
- Re: [core] Large asynchronous notifications under… Achim Kraus
- Re: [core] Large asynchronous notifications under… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] Large asynchronous notifications under… Christian Amsüss
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] [Dots] Large asynchronous notification… Carsten Bormann
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow
- Re: [core] [Dots] Large asynchronous notification… Achim Kraus
- Re: [core] [Dots] Large asynchronous notification… mohamed.boucadair
- Re: [core] [Dots] Large asynchronous notification… Jon Shallow