Re: [Dots] Comments on dots-signal-control-filtering-01

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 18 January 2019 07:48 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Takahiko Nagata <nagata@lepidum.co.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Comments on dots-signal-control-filtering-01
Thread-Index: AQHUrjQ7qebvBkLi4EG6xztFHqgLVaW0nHgAgAAAoHCAAAQ70IAAA/zA
Date: Fri, 18 Jan 2019 07:48:03 +0000
Message-ID: <BYAPR16MB2790AB6791398A387B1B1280EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <e508fc49-fe2f-8160-8f0b-cba1868be738@lepidum.co.jp> <787AE7BB302AE849A7480A190F8B93302EA09E84@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED34736AB959C030CD94EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09EC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA09EC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/-58E5gNN2QNME5sEbfNqQOzKpoQ>
Subject: Re: [Dots] Comments on dots-signal-control-filtering-01

> -----Original Message-----
> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: Friday, January 18, 2019 1:01 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org
> Subject: RE: [Dots] Comments on dots-signal-control-filtering-01
> 
> Tiru,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Konda, Tirumaleswar Reddy
> > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Sent: Friday, January 18, 2019 08:14
> > To: BOUCADAIR Mohamed TGI/OLN; Takahiko Nagata; dots@ietf.org
> > Subject: RE: [Dots] Comments on dots-signal-control-filtering-01
> >
> > > -----Original Message-----
> > > From: Dots <dots-bounces@ietf.org> On Behalf Of
> > > mohamed.boucadair@orange.com
> > > Sent: Friday, January 18, 2019 12:37 PM
> > > To: Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org
> > > Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
> > >
> > > Hi Takahiko,
> > >
> > > Thank you for sharing the comments.
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Takahiko Nagata
> > > > Sent: Thursday, January 17, 2019 08:13
> > > > To: dots@ietf.org
> > > > Subject: [Dots] Comments on dots-signal-control-filtering-01
> > > >
> > > > Hi Kaname,
> > > >
> > > > I would like to make 2 comments on dots-signal-control-filtering-01.
> > > >
> > > > (Comment1) Minimal attributes for control-filtering. ("lifetime" behavior)
> > > >   Minimal attributes of SignalChannel MitigationRequest
> > > >   for control-filtering are only the following, I think.
> > > >   - acl-list(acl-name, activation-type)
> > > >   - lifetime
> > > >
> > > >   So, we can send acl-list via SignalChannel without
> > > >   other Mitigation request parameters.
> > >
> > > [Med] When the same mid is used, the request is considered as a
> > > refresh. As such, the attributes that were included in the first
> > > request must be included.
> > >
> > > >
> > > >   In this case, we need to decide behavior of "lifetime".
> > > >   I think "lifetime" is ignored in this case.
> > >
> > > [Med] No. This is a particular case of this text from the signal
> > > channel spec:
> > >
> > >    For a mitigation request to continue beyond the initial negotiated
> > >    lifetime, the DOTS client has to refresh the current mitigation
> > >    request by sending a new PUT request.  This PUT request MUST use the
> > >    same 'mid' value, and MUST repeat all the other parameters as sent in
> > >    the original mitigation request apart from a possible change to the
> > >    lifetime parameter value.
> > >
> > > >   Because acl-list(acl-name, activation-type) should be
> > > >   managed only on the DataChannel side, to keep the specification simple.
> > > >
> > > >
> > > > (Comment2) Behavior that should be specified.
> > > > (a) Not affected by "trigger-mitigation"
> > > >   acl-list(acl-name, activation-type) is applied soon
> > > >   even if "trigger-mitigation" is false.
> > >
> > > [Med] The procedure applies independently of the value of "trigger-mitigation".
> > > We can say this explicitly in the draft.
> >
> > A Mitigation request with "trigger-mitigation" set to false must only
> > be sent in peace time and not during attack time. During
> > peace time, I don't see the need to activate/de-activate ACLs using
> > the DOTS signal channel protocol.
> 
> [Med] The point is that the control functionality will be there. It is up to the
> client to decide to use:
> 
> * its data channel to alter the acl and then wait for a signal channel notification.
> These notifications may not be set by the client.
> * its signal channel to alter the acl.
> 
> With that approach we don't overload the server with extra validation on
> trigger-mitigation to decide about the behavior to follow.

This draft is introduced to alter the ACL using the DOTS signal channel only during mitigation time, because the data channel does not work during attack time, and ACL alteration using the DOTS signal channel should not be allowed during peace time.
If allowed, the client can use both the DOTS data and signal channels to alter the ACL during peace time and can create inconsistent configuration. Why use two protocols to do the same job?

-Tiru

> 
> >
> > Cheers,
> > -Tiru
> >
> > >
> > > >
> > > > (b) Does not affect "Efficacy Update"
> > > >   acl-list(acl-name, activation-type) would be ignored
> > > >   at "Efficacy Update" success or reject.
> > >
> > > [Med] Agree. We are not updating that part of the signal channel
> > > spec. acl-list clauses won't be included in the efficacy update.
> > >
> > > >
> > > > (c) GET response of Mitigation Request
> > > >   acl-list(acl-name, activation-type) would not be included
> > > >   in the response to a GET Mitigation Request.
> > >
> > > [Med] Yes. Will make this clear in the draft.
> > >
> > > >
> > > > (d) In DELETE, no behavior (e.g., rollback) for acl-list.
> > >
> > > [Med] Yes.
> > >
> > > >
> > > >
> > > > Best Regards,
> > > > Takahiko Nagata
> > > >
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > >
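The refresh rule quoted from the signal channel spec (same 'mid', all parameters repeated except 'lifetime') and the agreed points (c) and (d) above, modelled as server-side logic. This is an added example, not code from the thread or from any DOTS implementation; the request shape (plain dicts with 'mid', 'lifetime', 'acl-list' entries of 'acl-name'/'activation-type'), the RefreshError type and the in-memory stores are assumptions made for the example.

```python
from copy import deepcopy


class RefreshError(ValueError):
    """A PUT reusing an existing 'mid' that is not a valid refresh (assumed type)."""


class DotsServer:
    """Minimal, assumed model of a DOTS server handling mitigation requests."""

    def __init__(self):
        self.mitigations = {}  # mid -> stored request, acl-list never persisted
        self.acl_state = {}    # acl-name -> activation-type last requested

    def put_mitigation(self, request):
        req = deepcopy(request)
        mid = req["mid"]
        # acl-list is a control-filtering instruction, not part of the stored
        # mitigation request, so it cannot appear in a later GET (point (c)).
        acl_list = req.pop("acl-list", [])
        if mid in self.mitigations:
            # Refresh: every other parameter MUST be repeated unchanged;
            # only 'lifetime' may differ.
            stored = self.mitigations[mid]
            for key in set(stored) | set(req):
                if key != "lifetime" and stored.get(key) != req.get(key):
                    raise RefreshError(
                        f"parameter {key!r} changed on refresh of mid {mid}")
            stored["lifetime"] = req["lifetime"]
        else:
            self.mitigations[mid] = req
        # Act on the acl-list entries that accompanied this request.
        for entry in acl_list:
            self.acl_state[entry["acl-name"]] = entry["activation-type"]
        return {"mid": mid, "lifetime": req["lifetime"]}

    def get_mitigation(self, mid):
        # Returns the stored request; acl-list was never kept with it.
        return deepcopy(self.mitigations[mid])

    def delete_mitigation(self, mid):
        # Point (d): deleting the mitigation does not roll back acl-list
        # activations that were requested while it was in place.
        del self.mitigations[mid]
```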