Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?

Jon Shallow <supjps-ietf@jpshallow.com> Tue, 07 April 2020 17:58 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADCE53A1BD6; Tue, 7 Apr 2020 10:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC99_BrR1nyk; Tue, 7 Apr 2020 10:58:42 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB6A3A0B1B; Tue, 7 Apr 2020 10:56:20 -0700 (PDT)
Received: from mail2.jpshallow.com ([192.168.0.3] helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.92.3) (envelope-from <jon.shallow@jpshallow.com>) id 1jLsSN-0006Sq-8N; Tue, 07 Apr 2020 18:56:15 +0100
From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: "'Achim Kraus'" <achimkraus@gmx.net>, <mohamed.boucadair@orange.com>, <core@ietf.org>, <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B933031490173@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <2a255f3b-6614-f950-4ecc-15f170087c9f@gmx.net> <787AE7BB302AE849A7480A190F8B933031490894@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B933031490894@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Tue, 7 Apr 2020 18:56:21 +0100
Message-ID: <019301d60d05$d87fcca0$897f65e0$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGFUV4cZbdAMYpJNEeLLEh4F2cKcwH1DnpQAK+no82o+kI84A==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/bEGz0aXPgcoE7yMDt7yW9g-zARM>
Subject: Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 17:58:49 -0000

Hi Achim,

To add to Med's inline comments, the use case that we are trying to solve is
as follows.

We are trying to send telemetry information from a server to a unicast
client which has the potential to exceed the size of IP packet (possibly
multiple times too large).

The environment that this telemetry information is going to be transmitted
in will be where Distributed Denial of Service (DDoS) attacks are taking
place and so there is a high chance that network pipes will be running at or
near capacity and hence there is likely to be high packet loss.  It is
likely that the direction of the telemetry data is the same as that of the
packet loss.

This telemetry is an additional tool for passing information about how
mitigations of these DDoS attacks are being effective so that decisions can
be taken as to how better to mitigate the DDoS situation.  This is making
use of the DDoS Open Threat Signaling protocol (DOTS) described in RFC8612
with other drafts for components of this protocol in the final stages of
becoming RFCs ( https://tools.ietf.org/wg/dots/ ).

While not desirable, it is acceptable if the client is unable to receive the
telemetry data (out of band mechanisms such as phone calls can be used in
slow time if needed for tuning against attacks) but we would like to
maximize the possibility of the telemetry data getting through.

Currently with other data and small amounts of telemetry, the GET response
or Observe data can safely be sent off from the server and the client may or
may not get it as we are using NON-confirmable.  PUT (which has small
amounts of data) and DELETE are also sent as NON-confirmable - and the
client handles things if there is not seen a 2.XX etc. response to the
PUT/DELETE.

This issue is when the data is too large to fit into a single packet - we
currently use the CoAP BLOCK2 option which works fine under normal traffic
conditions, but relies on the client synchronously requesting the next block
of data.  We currently are doing this as NON-confirmable so a loss of a
block of data causes the transfer to stall with the need to do garbage
collection at a later point in time ion the server.  Using CONfirmable
causes everything to slow right down with the lossy network and prevents the
next CON transmission for a long time as NSTART is 1.

The data is CBOR based on YANG with the YANG parameters two-way mapped into
integers to give as much CBOR data reduction as possible, so cannot save any
space there.  It is theoretically possible to reduce the amount of telemetry
data by only asking for subsets of information as Med has referred to in
this email trail.

It is possible to solve the issue using IP fragmentation and let the client
re-assemble everything, but this is not ideal in a lossy network and there
is no way to ask for a particular IP fragment to be re-transmitted.

If there was a new CoAP option - let's call it NONBLOCK2, which the server
uses to send the all the data packets without waiting for the GET request of
the next block (only difference compared with BLOCK2).  If the client does
not see all the blocks after a timeout, it can then request the missing
blocks by using one or more of the NONBLOCK2 options in a new GET request -
or just wait until the next GET / Observe response.  This may be a way to
move forward if we cannot solve the issue in another way.

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of
mohamed.boucadair@orange.com
> Sent: 07 April 2020 18:42
> To: Achim Kraus; core@ietf.org
> Cc: Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
> Subject: Re: [Dots] [core] Large asynchronous notifications under DDoS:
> New BLOCK Option?
> 
> Hi Achim,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Achim Kraus [mailto:achimkraus@gmx.net]
> > Envoyé : mardi 7 avril 2020 18:50
> > À : BOUCADAIR Mohamed TGI/OLN; core@ietf.org
> > Cc : Jon Shallow (supjps-ietf@jpshallow.com); dots@ietf.org
> > Objet : Re: [core] Large asynchronous notifications under DDoS: New
> > BLOCK Option?
> >
> > Hi Med,
> >
> > I think, not all assumption and requirements are clear to everyone.
> >
> 
> [Med] We are using CoAP for signaling DDoS attacks and for seeking help
> from a DDoS mitigator. The mitigation signal itself is compact as we do
have
> a requirement that the signal channel survive under extreme DDoS
> conditions. We do have a mechanism to maintain the signal alive, to detect
> when it is lost and then to recover asap.
> 
> We are now designing an extension to the base signaling that allows to
> share knowledge of attacks for better coordination and efficient
mitigation.
> To that aim, we need to signal DDoS telemetry data between our DOTS
> agents (CoAP endpoints).
> 
> > I guess, your mission is to send a couple of "block" messages, but
> > without getting requested for the next-blocks, because the node is
> > under
> > attack and already receiving too much. Therefore the SACK will be used
> > a
> > little later as "cleanup"/"collect lefts".
> 
> [Med] Yes.
> 
> >
> > My first idea about that was, that sending the "block-flush" just
> > creates the next attack. But, if you sure, that this doesn't happen,
> > then such an approach may help in that special situation.
> 
> [Med] Yes.
> 
> >
> > I'm not sure, if you assume, that in the most cases all blocks will
> > make
> > it to the destination when sending them. That may also depend on the
> > assumed number of blocks. If it's not assumed, that all block will be
> > received, your payload should be encoded in a way, that you could
> > decode
> > the received blocks, even if some blocks are missing.
> 
> [Med] This is will be nice to have. This might be managed at the
application
> (DOTS) level but there are some challenges as well (make sure that the
> crafted data will fit a single DTLS packet).
> 
> >
> > If that number is not too large, maybe a "blockwise with NSTART-X"
> > will
> > also do it. Especially if DTLS is used, it may be possible to concat
> > the
> > "ACK/next blocks" into one package (with multiple records). AFAIK,
> > that
> > would require changes in implementations, which optimizes the
> > deduplication base on a strict sequence of blocks, but the difference
> > should be not too large.
> >
> > best regards
> > Achim
> >
> >
> > Am 07.04.20 um 13:11 schrieb mohamed.boucadair@orange.com:
> > > Hi all,
> > >
> > > We are using Observe to receive notifications during attack events.
> > > These notifications are set as NON messages for reasons specific to
> > DDoS
> > > conditions.
> > >
> > > With DDoS telemetry information included (see
> > > draft-ietf-dots-telemetry), a notification may not fit one single
> > > message. The use of BLOCK2 is not convenient during attack times. A
> > full
> > > description of the issue is described here:
> > >
> >
> https://mailarchive.ietf.org/arch/msg/dots/Gbtf8bBWpxD9CWNBhS_TZtsW
> eP4
> > /
> > >
> > > We are considering some mechanisms to solve this issue. One of them
> > is
> > > to define a new BLOCK option (similar to BLOCK2) that does not
> > require
> > > the observer to send a GET to receive the next fragment. The server
> > will
> > > send all the fragments. The observer will follow a SACK-like
> > approach to
> > > request retransmission of missing fragments.
> > >
> > > Please let us know whether you think this is a generic issue that
> > should
> > > be solved at the CoAP or not. Suggestions are welcome.
> > >
> > > Thank you.
> > >
> > > Cheers,
> > >
> > > Jon & Med
> > >
> > >
> > > _______________________________________________
> > > core mailing list
> > > core@ietf.org
> > > https://www.ietf.org/mailman/listinfo/core
> > >
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots