Re: [Dots] DOTS telemetry Issues picked up in Interop Testing
mohamed.boucadair@orange.com Tue, 21 April 2020 10:04 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1993A0B41 for <dots@ietfa.amsl.com>; Tue, 21 Apr 2020 03:04:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ps5WFPu9gzFg for <dots@ietfa.amsl.com>; Tue, 21 Apr 2020 03:04:08 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 954333A0B46 for <dots@ietf.org>; Tue, 21 Apr 2020 03:04:07 -0700 (PDT)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by opfedar21.francetelecom.fr (ESMTP service) with ESMTPS id 495zg92hhvz7tq4; Tue, 21 Apr 2020 12:04:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1587463445; bh=Hkd0uTpJkYg3GhMZf6hC0FCPsQ2StLvRbt/9IHPY0p4=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=VzM/cV1jjvU9R8wxHXVRGuarlz+MEMTYz3AuGXOFBLU11v5DgBuNmSOI15hywQhYl RkEJMoOcjdrrS0TUD1P0TOktIlJOMuGc2GzQF05ECrNDJwYY6/oqPcWY56JovlFn+4 tONQktYQBDEFIFm2q4Tt5rq0/+ShIfl742jo98YnbZh/TTmisUx0tuJ+zMBjU65nYb j3B4jbo4bx38FEE3mDhYeXapB/57XS3sFhwsTOeVDOmqudhff5jWEr+is0ihT7xqej V+7sbw3gn1QmFVmiBLVUtpdKnyxzt7Vl/dwjGSGw/896fHxzGZWFuT+hyG7a+h/UlY B+6Uj/a4Xam6w==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.98]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar00.francetelecom.fr (ESMTP service) with ESMTPS id 495zg91YyqzCqjh; Tue, 21 Apr 2020 12:04:05 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] DOTS telemetry Issues picked up in Interop Testing
Thread-Index: AQIP9ThI7DkLoYVsg/jsxFxzT+JmLAHYmGmaAtdF3C+n6gdd4IAADrMA
Date: Tue, 21 Apr 2020 10:04:04 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303149B39C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <102501d6170c$2be45900$83ad0b00$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031499776@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <105901d6171a$1a132860$4e397920$@jpshallow.com> <114601d617bb$21c1cac0$65456040$@jpshallow.com>
In-Reply-To: <114601d617bb$21c1cac0$65456040$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B93303149B39COPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/-g6mBnP7rSIQXKeT-v2RFJiJWTA>
Subject: Re: [Dots] DOTS telemetry Issues picked up in Interop Testing
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 10:04:12 -0000
Hi Jon, Please see inline. Cheers, Med De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] Envoyé : mardi 21 avril 2020 10:59 À : BOUCADAIR Mohamed TGI/OLN; dots@ietf.org Objet : RE: [Dots] DOTS telemetry Issues picked up in Interop Testing Hi all, A further thought on the use of Uri-Queries to clarify the AND/OR usage. If you only allow one query per query type and put the match list in an array, then this will be an OR of the array list (the same as we do for the target* definitions right now. E.G. :- Uri-Query: target_prefix=[1.2.3.4/32,4.3.2.1/32] Gives either 1.2.3.4 or 4.3.2.1 as a valid match. And Uri-Query: target-prefix=[1.2.3.4/32,4.3.2.1/32] Uri-Query: lower-port=[80,443] Gives (either 1.2.3.4 or 4.3.2.1) and (either port 80 or 443) [] should not include spaces and comma used as a separator. [Med] The issue I have with this is that we will need to handle cases where both lower-port and upper-port are present. Not sure what would be the benefit of allowing multiple key values, compact uris? If that's a concern, we may consider shortened names in the query (e.g., s/target-prefix/tp, s/lower-port/lp, ..). Not sure about :- If [] are not used, then it should be treated as a single item to match. The list of valid Uri-Queries may need to be extended. A Uri-Query option can include the following parameters: target-prefix, lower-port, upper-port, target-protocol, target-fqdn, target-uri, alias-name. should include mid and content ('c'). [Med] OK. Please note that 'c' wasn't listed because we do have the following: The DOTS server follows the same considerations discussed in Section of 4.5.3 of [I-D.ietf-dots-signal-channel] for managing DOTS telemetry configuration freshness and notification. Likewise, a DOTS client may control the selection of configuration and non- configuration data nodes when sending a GET request by means of the 'c' Uri-Query option and following the procedure specified in Section of 4.4.2 of [I-D.ietf-dots-signal-channel]. These considerations are not re-iterated in the following sections. I added a pointer to that section. Do we need to be able to filter on source attributes as well? [Med] What would be the usage? Is it the case of an administrator that is aware (using some means) that some sources are involved an attacks on other networks, then sends a request to its server to filter telemetry data bound to these source? Filtering in this case may be problematic as some attacks may be observed but are hidden by the filter on the source. Or do we want to focus on very few talkers? For example, the client would instruct the server to send data only related to the top-talker, 3 first top-talkers, etc.? Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Jon Shallow Sent: 20 April 2020 14:47 To: mohamed.boucadair@orange.com; dots@ietf.org Subject: Re: [Dots] DOTS telemetry Issues picked up in Interop Testing Hi Med, See inline. Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of iemohamed.boucadair@orange.com Sent: 20 April 2020 13:54 To: Jon Shallow; dots@ietf.org Subject: Re: [Dots] DOTS telemetry Issues picked up in Interop Testing Hi Jon, Thank you for sharing the comments. Please see De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow Envoyé : lundi 20 avril 2020 14:07 À : dots@ietf.org Objet : [Dots] DOTS telemetry Issues picked up in Interop Testing Hi All, 1) DOTS agents MUST NOT send pre-or-ongoing-mitigation telemetry messages to the same peer more frequently than once every 'telemetry- notify-interval' (Section 6.1). If I do a PUT /tm-setup, followed immediately by a GET /tm-setup, should the GET fail based on the telemetry-notify-interval, or should telemetry-notify-interval apply individually to PUT. GET and DELETE? [I may want to do a DELETE (no tsid) followed by a GET to get suitable max/min information and telemetry-notify-interval can easily be more than 1 second. ] [Med] This rate limit does not apply to these messages; it applies only for notifications; == leaf telemetry-notify-interval { type uint32 { range "1 .. 3600"; } must '. >= ../../min-config-values/telemetry-notify-interval' { error-message "The value must be greater than or equal to the telemetry-notify-interval in the min-config-values"; } units "seconds"; description "Minimum number of seconds between successive telemetry notifications."; } === We can make the text clear: OLD: DOTS agents MUST NOT send pre-or-ongoing-mitigation telemetry messages to the same peer more frequently than once every 'telemetry- notify-interval' (Section 6.1<https://tools.ietf.org/html/draft-ietf-dots-telemetry-07#section-6.1>). If a telemetry notification is sent using a block-like transfer mechanism (e.g., [I-D.bosh-core-new-block<https://tools.ietf.org/html/draft-ietf-dots-telemetry-07#ref-I-D.bosh-core-new-block>]), this rate limit policy MUST NOT consider these individual blocks as separate notifications, but as a single notification. NEW: DOTS agents MUST NOT send pre-or-ongoing-mitigation telemetry notifications to the same peer more frequently than once every 'telemetry- notify-interval' (Section 6.1<https://tools.ietf.org/html/draft-ietf-dots-telemetry-07#section-6.1>). If a telemetry notification is sent using a block-like transfer mechanism (e.g., [I-D.bosh-core-new-block<https://tools.ietf.org/html/draft-ietf-dots-telemetry-07#ref-I-D.bosh-core-new-block>]), this rate limit policy MUST NOT consider these individual blocks as separate notifications, but as a single notification. Jon> This change works for me. 2) Use of multiple Uri-Query: Uri-Query: target_prefix=[1.2..3.4] Uri-Query: target_prefix=[2.3..4.5] I think this should be OR [Med] Yes, this is the same interpretation when we include target-prefix in the message body. Uri-Query: target_prefix=[1.2..3.4] Uri-Query: target_port=[80] I think this should be an AND. [Med] Yes, because the target-port is specifying a subset of ports bound to the target-prefix. Perhaps we should have operator queries Uri-Query: target_prefix=[1.2..3.4] Uri-Query: op=OR Uri-Query: target_prefix=[2.3..4.5] Uri-Query: target_prefix=[1.2..3.4] Uri-Query: op=AND Uri-Query: target_port=[80] [Med] I don't think this is needed. We don't specify the operator when we include the target clauses in the message body. The same rules apply. We can clarify this in the text If you think this is needed. Jon> I think that it is worth stating that the same rules apply for clarification. Thoughts? 3) What happens if a Query cannot be supported. E.g. Uri-Query: target_port=[80] and statistics on the server by a port basis is not supported. Do we want to either error out with a 4.0X responses, or should we include a (new additional) YANG body response indicating which Uri-Query is not supported? [Med] Good point. The client can retrieve during telemetry setup the supported query types + server replies with 4.00 when an invalid query type is used. Jon> I think the server stating what Queries are supported is a good idea. Regards Jon
- [Dots] DOTS telemetry Issues picked up in Interop… Jon Shallow
- Re: [Dots] DOTS telemetry Issues picked up in Int… mohamed.boucadair
- Re: [Dots] DOTS telemetry Issues picked up in Int… Jon Shallow
- Re: [Dots] DOTS telemetry Issues picked up in Int… mohamed.boucadair
- Re: [Dots] DOTS telemetry Issues picked up in Int… Jon Shallow
- Re: [Dots] DOTS telemetry Issues picked up in Int… mohamed.boucadair
- Re: [Dots] DOTS telemetry Issues picked up in Int… Jon Shallow