[Dots] 答复: Hi, authors. 3 comments:
"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Tue, 05 March 2019 10:41 UTC
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4974B131006; Tue, 5 Mar 2019 02:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.189
X-Spam-Level:
X-Spam-Status: No, score=-4.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ng9Ay5xM_ljN; Tue, 5 Mar 2019 02:41:40 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BC4D1200B3; Tue, 5 Mar 2019 02:41:40 -0800 (PST)
Received: from lhreml709-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 93E95D44883A39D38A5C; Tue, 5 Mar 2019 10:41:37 +0000 (GMT)
Received: from lhreml704-chm.china.huawei.com (10.201.108.53) by lhreml709-cah.china.huawei.com (10.201.108.32) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 5 Mar 2019 10:41:37 +0000
Received: from lhreml704-chm.china.huawei.com (10.201.108.53) by lhreml704-chm.china.huawei.com (10.201.108.53) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Tue, 5 Mar 2019 10:41:37 +0000
Received: from DGGEMM424-HUB.china.huawei.com (10.1.198.41) by lhreml704-chm.china.huawei.com (10.201.108.53) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1591.10 via Frontend Transport; Tue, 5 Mar 2019 10:41:37 +0000
Received: from DGGEMM511-MBX.china.huawei.com ([169.254.1.215]) by dggemm424-hub.china.huawei.com ([10.1.198.41]) with mapi id 14.03.0415.000; Tue, 5 Mar 2019 18:38:32 +0800
From: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, kaname nishizuka <kaname@nttv6.jp>, "draft-nishizuka-dots-signal-control-filtering.authors@ietf.org" <draft-nishizuka-dots-signal-control-filtering.authors@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Hi, authors. 3 comments:
Thread-Index: AdTTG1tETE/2KpxERZ6OuyfVBRtPrv//lj4AgAAprID//3e18A==
Date: Tue, 05 Mar 2019 10:38:32 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12C9D76C2@dggemm511-mbx.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12C9D756B@dggemm511-mbx.china.huawei.com> <21e92c8d-8df0-576a-db08-3163c74bba59@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302EA287D5@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA287D5@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.159.76]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12C9D76C2dggemm511mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/-JhPLJzxVmNwRWt2GOV9vyqF32E>
Subject: [Dots] 答复: Hi, authors. 3 comments:
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 10:41:43 -0000
Hi Med, Thanks for the clarification, we are on the same page now. B.R. Frank 发件人: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com] 发送时间: 2019年3月5日 18:30 收件人: kaname nishizuka <kaname@nttv6.jp>; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org 抄送: dots@ietf.org 主题: RE: [Dots] Hi, authors. 3 comments: Hi Frank, Kaname, Please see inline. Cheers, Med De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname nishizuka Envoyé : mardi 5 mars 2019 09:01 À : Xialiang (Frank, Network Standard & Patent Dept); draft-nishizuka-dots-signal-control-filtering.authors@ietf.org<mailto:draft-nishizuka-dots-signal-control-filtering.authors@ietf.org> Cc : dots@ietf.org<mailto:dots@ietf.org> Objet : Re: [Dots] Hi, authors. 3 comments: Hi Frank, On 2019/03/05 15:26, Xialiang (Frank, Network Standard & Patent Dept) wrote: Hi authors, I have 3 general comments as below: 1. Can you clarify the DOTS server administrative domain a little bit? What is the goal we define it? We'll clarify it and update the draft. [Med] This is what is called “DOTS server domain” in DOTS drafts. The notion of “administrative domain” is already used/discussed in the arch I-D. 2. Will this document open a door to make signal channel to cover the functions of data channel more and more? [Med] No. We do already have this text: A DOTS client MUST NOT use the filtering control over DOTS signal channel if no attack (mitigation) is active; such requests MUST be discarded by the DOTS server with 4.00 (Bad Request). By default, ACL-related operations are achieved using the DOTS data channel [I-D.ietf-dots-data-channel<https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-04#ref-I-D.ietf-dots-data-channel>] when no attack is ongoing. The draft focuses only on tweaking the status of **existing** filters. 3. I can accept the situation of changing the accept-list to the “deactivate” status, but is it a common use case we need to change a deny-list to the “immediate” status? Regarding with 2 and 3, I can add one usecase to the draft. When a DOTS client noticed that a system in its domain is being attacked, it will try to ask for help to a DOTS server in its transit provider (or somewhere in upstream networks). Sometimes it is hard to get any information from the DOTS server if the upstream is saturated by attack traffic. It is good strategy to enable ACL(set by data-channel) immediately first via signal-channel. Especially if it is rate-limit ACL, it will make a room for further communication over signal-channel. Then, it will send mitigation request to the DOTS server. This kind of procedure is really used by manual operation. Combination of ACL-based filtering and mitigation appliance is cost effective. The proposed draft (signal-control-filtering) enable automation of it. regards, Kaname Thanks! B.R. Frank
- [Dots] Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] Hi, authors. 3 comments: kaname nishizuka
- [Dots] 答复: Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] Hi, authors. 3 comments: mohamed.boucadair
- [Dots] 答复: Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] 答复: Hi, authors. 3 comments: Konda, Tirumaleswar Reddy
- Re: [Dots] 答复: Hi, authors. 3 comments: mohamed.boucadair
- Re: [Dots] 答复: Hi, authors. 3 comments: Konda, Tirumaleswar Reddy
- Re: [Dots] 答复: Hi, authors. 3 comments: mohamed.boucadair