Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

H Y <yuuhei.hayashi@gmail.com> Wed, 24 July 2019 13:51 UTC

Return-Path: <yuuhei.hayashi@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 722371202B6 for <dots@ietfa.amsl.com>; Wed, 24 Jul 2019 06:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DR9gB_ZVcwvC for <dots@ietfa.amsl.com>; Wed, 24 Jul 2019 06:51:00 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AEBA12037C for <dots@ietf.org>; Wed, 24 Jul 2019 06:50:59 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id x3so32110684lfc.0 for <dots@ietf.org>; Wed, 24 Jul 2019 06:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=U18bwnsOFVc5SJFyCvBMwpmSTego3+9x2KCstpwo0a0=; b=k6s8fHMDg3+HonXy4tLeSb0dOtOJvptTMEiRz5+kKcsSJpn327VHYNJSSu26qoBSKe ZO1L7xAIQZZ2njZn15kNv+NSlCBTHo7OAi/0Xe0UxDXYjF3O/ClmJtaDcKMCwUAgqYnq /P50CPApVsp8rRZrIZfQwhHzW7/1sfs1z0NY9xBfiPjWprG/Shdrnt4e92LWJUxNmevj y468Tk3vDH/WtNzZGrZVNfH6Kgalxd33eWkJnEwijxYQseVH9IarQ//s8JUL84X1x4tS K2x5flrgeb2eTou83tyOAK83A4nmd9ASGQJbOL2BpxzGVs435JqZ6QFMlyGLOFtEPQRF j9HA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=U18bwnsOFVc5SJFyCvBMwpmSTego3+9x2KCstpwo0a0=; b=Sv6Sh++8OzotAK6J7SUCPiRsnANWI0+b25P7rFDaPKL4wmeDKdFul7fqlFwmU0QlOe QBkmX0FnkVz4IKzf/ypEANYlJ1pgufpfRsVTTrQkgj3DHBflAEns1hYSVY+nRBM0F0ZZ Hoas3MwLkNRU/KVOUks0uBM42mPSCEm00ZZ0m85F8F8BStKUWtQWVOg1Ljeu7ntiHBrA M0/AlgSMnWvleNQXuyfe9UqVBKQW0bhu9t2G54gyHW4/8jP9O2FFpS43oKJpFtkqjpwa W/IMTRbtcAUbuju2OfxgasdtvB3R6BVtZLcumBU93d94BUH9JBCpWEORxUnfLqFQP9Mh Zveg==
X-Gm-Message-State: APjAAAVYgadHRjuxKMnxVnehXZeH/mrWxB+Vw6fNU1emHdELaVwsS4Yb YaD6uCrOgERifia034zt5FqioGKcGS+E7IpdD1A=
X-Google-Smtp-Source: APXvYqyspO337ozm7gUPzvtBxVwOvJ/am6zZ7vfG5IyMvB36HUp5YLcNKFO0qaIjv3+VWJQyciaXXtdzjwFPL3UplsA=
X-Received: by 2002:ac2:596c:: with SMTP id h12mr4040493lfp.101.1563976257604; Wed, 24 Jul 2019 06:50:57 -0700 (PDT)
MIME-Version: 1.0
References: <156233245922.21720.2303446065970922340.idtracker@ietfa.amsl.com> <CAFpG3gcgpJRyLSoLkOMuUWY8pZrBPDCCz6-sc8A=1KW3GMpm+g@mail.gmail.com> <CAA8pjUPY+GDGxNhqDCWsh-6aGnYoOL+A5pGaE=2BaE5j8rY41g@mail.gmail.com> <DM5PR16MB17051F8C7697FE7DAF88AEC4EAC60@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312E739F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB17050D182A4BE8C3B7EFDC3EEAC60@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312E73FA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAA8pjUPe8rf6m2xy2S+JzhTN+xMm_9f3+OaBAsAnY7aV43g11A@mail.gmail.com> <DM5PR16MB17055E4630A2413CB7D212DBEAC60@DM5PR16MB1705.namprd16.prod.outlook.com>
In-Reply-To: <DM5PR16MB17055E4630A2413CB7D212DBEAC60@DM5PR16MB1705.namprd16.prod.outlook.com>
From: H Y <yuuhei.hayashi@gmail.com>
Date: Wed, 24 Jul 2019 09:55:36 -0400
Message-ID: <CAA8pjUMngVnRAbMtLWYSb+0UCfO4ZEBtqk04gYNgsFHvGDU3fg@mail.gmail.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
Cc: Mohamed Boucadair <mohamed.boucadair@orange.com>, tirumal reddy <kondtir@gmail.com>, "dots@ietf.org" <dots@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/0bhuSTwyFMhCuyi2_X-SesreP8Y>
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 13:51:10 -0000

Hi Tiru

> What is stopping the attacker to frequently change the IP address (especially with IPv6) ?
> What kind of attack traffic is generated by the top talkers and what happens if the top talkers are spoofed IP addresses (e.g. amplification attack) ?
IMO, when a reflection attack hits a target, src_ip address detected
at the target are reflectors ip address.
If the reflector's ip does not change frequently, the top talker
information can be used.
Is it wrong?

Thanks,
Yuhei

2019年7月24日(水) 9:37 Konda, Tirumaleswar Reddy
<TirumaleswarReddy_Konda@mcafee.com>;:
>
> Hi Yuhei,
>
> What is stopping the attacker to frequently change the IP address (especially with IPv6) ?
> What kind of attack traffic is generated by the top talkers and what happens if the top talkers are spoofed IP addresses (e.g. amplification attack) ?
>
> Cheers,
> -Tiru
>
> > -----Original Message-----
> > From: H Y <yuuhei.hayashi@gmail.com>;
> > Sent: Wednesday, July 24, 2019 6:57 PM
> > To: Mohamed Boucadair <mohamed.boucadair@orange.com>;
> > Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;;
> > tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
> > Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-
> > telemetry-00.txt
> >
> >
> >
> > Hi Med,
> >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in terms of
> > pps, another list of top-talkers in terms of second_criteria, or other
> > information relying on source-prefix dedicated attributes will be needed
> > because this cannot be inferred from the current source-prefix attribute.
> > [hayashi] +1. This top-talker information is helpful for the orchestrator to
> > decide which attack traffic should be blocked preferentially in network. The
> > criteria information is also needed.
> >
> > Thanks,
> > Yuhei
> >
> > 2019年7月24日(水) 8:56 <mohamed.boucadair@orange.com>;:
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Envoyé : mercredi 24 juillet 2019 14:45 À : BOUCADAIR Mohamed
> > > > TGI/OLN; H Y; tirumal reddy Cc : dots@ietf.org Objet : RE: [Dots]
> > > > Fwd: New Version Notification for draft-reddy-dots- telemetry-00.txt
> > > >
> > > > > -----Original Message-----
> > > > > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>;
> > > > > Sent: Wednesday, July 24, 2019 6:02 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>;; H Y
> > > > > <yuuhei.hayashi@gmail.com>;; tirumal reddy <kondtir@gmail.com>;
> > > > > Cc: dots@ietf.org
> > > > > Subject: RE: [Dots] Fwd: New Version Notification for
> > > > > draft-reddy-dots- telemetry-00.txt
> > > > >
> > > > > This email originated from outside of the organization. Do not
> > > > > click
> > > > links or
> > > > > open attachments unless you recognize the sender and know the
> > > > > content is safe.
> > > > >
> > > > > Hi Tiru,
> > > > >
> > > > > That’s true...but fragmentation is a general issue each time we
> > > > > need to supply more telemetry information in the signal channel.
> > > > > As already
> > > > noted in
> > > > > the draft, we will need to figure out when it is better to provide
> > > > > some telemetry information using data channel.
> > > >
> > > > Yes, normal traffic baseline attributes can be conveyed in the DOTS
> > > > data channel and traffic from top talkers can also be
> > > > blocked/rate-limited using the DOTS data channel during peace time.
> > > >
> > > > >
> > > > > BTW, "top talker" can already be supplied using source-prefix attribute.
> > > > > Whether top-talker needs to be defined as a separated attribute,
> > > > > but structured as a list of source-prefixes is a design details
> > > > > (if the WG
> > > > agrees to
> > > > > include it in the telemetry information).
> > > >
> > > > Source-prefix is already a list/array.
> > >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in terms of
> > pps, another list of top-talkers in terms of second_criteria, or other
> > information relying on source-prefix dedicated attributes will be needed
> > because this cannot be inferred from the current source-prefix attribute.
> > >
> > > >
> > > > >
> > > > > Anyway, let's continue collecting candidate telemetry information
> > > > > and
> > > > then
> > > > > make a selection in a second phase.
> > > >
> > > > Sure.
> > > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Message d'origine-----
> > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Konda,
> > > > > > Tirumaleswar Reddy Envoyé : mercredi 24 juillet 2019 14:18 À : H
> > > > > > Y; tirumal reddy Cc : dots@ietf.org Objet : Re: [Dots] Fwd: New
> > > > > > Version Notification for draft-reddy-dots- telemetry-00.txt
> > > > > >
> > > > > > Hi Yuhei,
> > > > > >
> > > > > > Thanks for the support. The problem is fragmentation of the DOTS
> > > > > > telemetry message, DOTS Telemetry is sent over the DOTS signal
> > > > > > channel using UDP and the message size cannot exceed PMTU.
> > > > > >
> > > > > > Cheers,
> > > > > > -Tiru
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Dots <dots-bounces@ietf.org>; On Behalf Of H Y
> > > > > > > Sent: Tuesday, July 23, 2019 5:28 PM
> > > > > > > To: tirumal reddy <kondtir@gmail.com>;
> > > > > > > Cc: dots@ietf.org
> > > > > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > > > > draft-reddy-dots- telemetry-00.txt
> > > > > > >
> > > > > > > This email originated from outside of the organization. Do not
> > > > > > > click
> > > > > > links or
> > > > > > > open attachments unless you recognize the sender and know the
> > > > > > > content is safe.
> > > > > > >
> > > > > > > Hi Tiru,
> > > > > > >
> > > > > > > I read the draft and I also support this draft.
> > > > > > > Sending detail information about attack traffic helps my dms
> > > > > > > offload
> > > > > > scenario
> > > > > > > because the orchestrator can decide what to do based on the
> > > > > > > detail information.
> > > > > > >
> > > > > > > IMO, "top talker" attribute defined in my previous draft is
> > > > > > > also
> > > > > > feasible to
> > > > > > > send and effective to mitigate attack correctly.
> > > > > > > https://datatracker.ietf.org/doc/draft-h-dots-mitigation-offlo
> > > > > > > ad-
> > > > > > expansion/
> > > > > > > What do you think about including the top talker attribute to
> > > > > > > the
> > > > > > telemetry?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Yuhei
> > > > > > >
> > > > > > > 2019年7月5日(金) 9:21 tirumal reddy <kondtir@gmail.com>;:
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
> > > > > > > > aims to
> > > > > > enrich
> > > > > > > DOTS protocols with various telemetry attributes allowing
> > > > > > > optimal DDoS attack mitigation. This document specifies the
> > > > > > > normal traffic baseline
> > > > > > and
> > > > > > > attack traffic telemetry attributes a DOTS client can convey
> > > > > > > to its DOTS
> > > > > > server
> > > > > > > in the mitigation request, the mitigation status telemetry
> > > > > > > attributes a
> > > > > > DOTS
> > > > > > > server can communicate to a DOTS client, and the mitigation
> > > > > > > efficacy telemetry attributes a DOTS client can communicate to a
> > DOTS server.
> > > > > > The
> > > > > > > telemetry attributes can assist the mitigator to choose the
> > > > > > > DDoS
> > > > > > mitigation
> > > > > > > techniques and perform optimal DDoS attack mitigation.
> > > > > > > >
> > > > > > > > Comments, suggestions, and questions are more than welcome.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > -Tiru
> > > > > > > >
> > > > > > > > ---------- Forwarded message ---------
> > > > > > > > From: <internet-drafts@ietf.org>;
> > > > > > > > Date: Fri, 5 Jul 2019 at 18:44
> > > > > > > > Subject: New Version Notification for
> > > > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > > > > To: Tirumaleswar Reddy <kondtir@gmail.com>;, Ehud Doron
> > > > > > > > <ehudd@radware.com>;, Mohamed Boucadair
> > > > > > > <mohamed.boucadair@orange.com>;
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > A new version of I-D, draft-reddy-dots-telemetry-00.txt has
> > > > > > > > been successfully submitted by Tirumaleswar Reddy and posted
> > > > > > > > to the IETF repository.
> > > > > > > >
> > > > > > > > Name:           draft-reddy-dots-telemetry
> > > > > > > > Revision:       00
> > > > > > > > Title:          Distributed Denial-of-Service Open Threat
> > > > Signaling
> > > > > > (DOTS)
> > > > > > > Telemetry
> > > > > > > > Document date:  2019-07-05
> > > > > > > > Group:          Individual Submission
> > > > > > > > Pages:          13
> > > > > > > > URL:            https://www.ietf.org/internet-drafts/draft-reddy-
> > > > dots-
> > > > > > > telemetry-00.txt
> > > > > > > > Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-
> > > > > > telemetry/
> > > > > > > > Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-
> > > > > > telemetry-00
> > > > > > > > Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-
> > > > > > dots-
> > > > > > > telemetry
> > > > > > > >
> > > > > > > >
> > > > > > > > Abstract:
> > > > > > > >    This document aims to enrich DOTS signal channel protocol with
> > > > > > > >    various telemetry attributes allowing optimal DDoS attack
> > > > > > mitigation.
> > > > > > > >    This document specifies the normal traffic baseline and attack
> > > > > > > >    traffic telemetry attributes a DOTS client can convey to
> > > > > > > > its
> > > > DOTS
> > > > > > > >    server in the mitigation request, the mitigation status
> > > > telemetry
> > > > > > > >    attributes a DOTS server can communicate to a DOTS
> > > > > > > > client, and
> > > > the
> > > > > > > >    mitigation efficacy telemetry attributes a DOTS client can
> > > > > > > >    communicate to a DOTS server.  The telemetry attributes
> > > > > > > > can
> > > > assist
> > > > > > > >    the mitigator to choose the DDoS mitigation techniques
> > > > > > > > and
> > > > perform
> > > > > > > >    optimal DDoS attack mitigation.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Please note that it may take a couple of minutes from the
> > > > > > > > time of submission until the htmlized version and diff are
> > > > > > > > available at
> > > > > > tools.ietf.org.
> > > > > > > >
> > > > > > > > The IETF Secretariat
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Dots mailing list
> > > > > > > > Dots@ietf.org
> > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > ----------------------------------
> > > > > > > Yuuhei HAYASHI
> > > > > > > 08065300884
> > > > > > > yuuhei.hayashi@gmail.com
> > > > > > > iehuuy_0220@docomo.ne.jp
> > > > > > > ----------------------------------
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Dots mailing list
> > > > > > > Dots@ietf.org
> > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > _______________________________________________
> > > > > > Dots mailing list
> > > > > > Dots@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/dots
> >
> >
> >
> > --
> > ----------------------------------
> > Yuuhei HAYASHI
> > 08065300884
> > yuuhei.hayashi@gmail.com
> > iehuuy_0220@docomo.ne.jp
> > ----------------------------------



-- 
----------------------------------
Yuuhei HAYASHI
08065300884
yuuhei.hayashi@gmail.com
iehuuy_0220@docomo.ne.jp
----------------------------------