IETF Logo Mail Archive

Re: [Dots] Comments on dots-signal-control-filtering-01

<mohamed.boucadair@orange.com> Fri, 18 January 2019 15:06 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E16341276D0 for <dots@ietfa.amsl.com>; Fri, 18 Jan 2019 07:06:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Io7ZWXfr04uR for <dots@ietfa.amsl.com>; Fri, 18 Jan 2019 07:06:11 -0800 (PST)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2101127133 for <dots@ietf.org>; Fri, 18 Jan 2019 07:06:10 -0800 (PST)
Received: from opfedar03.francetelecom.fr (unknown [xx.xx.xx.5]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 43h45Y2HRmzFpxd; Fri, 18 Jan 2019 16:06:09 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.24]) by opfedar03.francetelecom.fr (ESMTP service) with ESMTP id 43h45Y17DwzCqky; Fri, 18 Jan 2019 16:06:09 +0100 (CET)
Received: from OPEXCAUBM5D.corporate.adroot.infra.ftgroup (10.114.13.60) by OPEXCLILM7D.corporate.adroot.infra.ftgroup (10.114.31.24) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 18 Jan 2019 16:06:08 +0100
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM5D.corporate.adroot.infra.ftgroup ([fe80::8899:bbc3:9726:cd5e%22]) with mapi id 14.03.0415.000; Fri, 18 Jan 2019 16:06:08 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Takahiko Nagata <nagata@lepidum.co.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Comments on dots-signal-control-filtering-01
Thread-Index: AQHUrjQ7qebvBkLi4EG6xztFHqgLVaW0nHgAgAAAoHCAAAQ70IAAA/zAgAAJc2CAAEc+cIAAKT7g
Date: Fri, 18 Jan 2019 15:06:07 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA0A586@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <e508fc49-fe2f-8160-8f0b-cba1868be738@lepidum.co.jp> <787AE7BB302AE849A7480A190F8B93302EA09E84@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED34736AB959C030CD94EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09EC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790AB6791398A387B1B1280EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09FB4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27900D89516C1322CBD734BEEA9C0@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB27900D89516C1322CBD734BEEA9C0@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/0XfxQQUjX1SO_ABVetsfGJrN3Rw>
Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jan 2019 15:06:14 -0000

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : vendredi 18 janvier 2019 14:54
> À : BOUCADAIR Mohamed TGI/OLN; Takahiko Nagata; dots@ietf.org
> Objet : RE: [Dots] Comments on dots-signal-control-filtering-01
> 
> Hi Med,
> 
> Please see inline
> 
> > > > >
> > > > > A Mitigation request with "trigger-mitigation" set to false must
> > > > > only be sent in the peace time and not during the attack time.
> > > > > During the peace time, I don't see the need to
> > > > > activate/de-activate ACLs using DOTS signal channel protocol.
> > > >
> > > > [Med] The point is that the control functionality will be there. It
> > > > is up
> > > to the
> > > > client to decide to use:
> > > >
> > > > * its data channel to alter the acl and then wait for a signal
> > > > channel
> > > notification.
> > > > These notifications may not be set by the client.
> > > > * its signal channel to alter the acl.
> > > >
> > > > With that approach we don't overload the server with extra
> > > > validation on trigger-mitigation to decide about the behavior to
> follow.
> > >
> > > This draft is introduced to alter the ACL using DOTS signal channel
> > > only during mitigation time because data channel does not work during
> > > attack time, and ACL alteration using DOTS signal channel  should not
> > > be allowed during peace time.
> > > If allowed, the client can use both the DOTS data and signal channels
> > > to alter the ACL during peace time and can create inconsistent
> configuration.
> >
> > [Med] If there is a risk of inconsistent configuration, it won't be
> specific to this
> > case but a generic one.
> 
> It's not a generic scenario, the inconsistent configuration is be because two
> protocols are allowed to alter the ACL at the same time.

[Med] But this is what we are doing in dots-signal-control-filtering. It is true that when an attack is ongoing, the client will use the signal channel to control the ACL, still the object is controllable either by signal or data channels. 

> 
> >
> > > Why use two protocols to do the same job ?
> >
> > [Med] Because:
> > * the functionality is there and its use will be for free.
> > * the server checks are simplified. No need to do extra checks based on
> > "trigger-mitigation"
> > * the client may not subscribe to notification. Please note that we don't
> have a
> > MUST, but a SHOULD.
> 
> Without the notification from the server, How will the client know the ACL
> needs to be altered ?

[Med] this is covered by this part in the draft: 

   If not, the
   polling mechanism in Section 4.4.2.2 of
   [I-D.ietf-dots-signal-channel] has to be followed by the DOTS client.


> If the client detects the white-listed traffic is attacking the target by
> itself, it can use DOTS data channel protocol to alter the ACL.

[Med] Yes. That would be straightforward, but the client needs to get an update (either by notification or by polling the server).  

> https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-
> 01#section-1.1 only discusses the scenario where it is useful to alter the
> ACL using signal channel during attack time,
> Please provide an attack scenario where allowing this alternation using
> signal channel is useful during peace time.

[Med] You seem to miss my point, Tiru. What I'm saying is that there isn't a significant benefit in asking the server to enforce validation checks based on the trigger-mitigation. If the server is able to get control when an attack is ongoing, it will be able to do so when for pre-configured requests, too. 

We may provide a guidance for the client to recommend dc for pre-configured requests, but we should not discard control message when they show up (either). 

> 
> Cheers
> -Tiru

v2.45.0 | Report a Bug | By Email | System Status