IETF Logo Mail Archive

[Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Ehud Doron <EhudD@Radware.com> Wed, 08 February 2017 13:51 UTC

Return-Path: <EhudD@Radware.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4326B129A59 for <dots@ietfa.amsl.com>; Wed, 8 Feb 2017 05:51:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LaoqMfOMY0Tk for <dots@ietfa.amsl.com>; Wed, 8 Feb 2017 05:51:16 -0800 (PST)
Received: from mailout1.radware.com (mailout1.radware.com [192.115.180.130]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0761293D6 for <dots@ietf.org>; Wed, 8 Feb 2017 05:51:14 -0800 (PST)
Received: from ILMB1.corp.radware.com ([169.254.1.252]) by ILCAS2.corp.radware.com ([176.200.120.122]) with mapi id 14.03.0319.002; Wed, 8 Feb 2017 15:51:12 +0200
From: Ehud Doron <EhudD@Radware.com>
To: 'dots' <dots@ietf.org>
Thread-Topic: Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
Thread-Index: AdKCER/slEaaT/pbTQCa8ffUgEh/Yg==
Date: Wed, 08 Feb 2017 13:51:11 +0000
Message-ID: <E58182C4A35A8E498E553AD3D33FA001011717E1DF@ILMB1.corp.radware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [176.200.121.205]
x-tm-as-product-ver: SMEX-11.0.0.4179-8.100.1062-22872.006
x-tm-as-result: No--14.660500-0.000000-31
x-tm-as-user-approved-sender: Yes
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_E58182C4A35A8E498E553AD3D33FA001011717E1DFILMB1corpradw_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/0y4sywKMzMwH_Xc5OKXY9-GQI1Y>
Cc: David Aviv <DavidA@Radware.com>
Subject: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 13:51:18 -0000

Tiru and authors Hi

Attached please find my comments and feedbacks to draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .


Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel  draft-reddy-dots-signal-channel-07


1.       General comment: For all signals in the draft, need to add means to allow vendor specific attributes as part of all signals transactions


2.       General comment: Just for clarity, need to explicitly mention on each figure when it is an example or the actual API


3.       Page 3 second paragraph : DOTS should not be limited to "enterprise network" only
.

4.       Page 4 chapter 4: The overall context of the "happy eyeballs" and its relations (or coexistence) to CoAP is not clear.


5.       Page 7 chapter 5.2.1: The need for YANG model cannot be understood from text. What are the needs for YANG models? What is the relation to the JSONs in the other chapters in the draft


6.       Page 14 figure 5: The mitigation request attributes are right but not enough. Need to add more telemetry info about the actual attack that it is required to mitigate, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.


7.       Page 15 Life time attribute: More reasonable to have this attribute in minutes rather than seconds, bigger default can also suggested


8.       Page 15 last paragraph: Not sure that target port or target protocol can define a protected entity. IP, FQDN, URI are the only "stand alone" attributes , port and protocol are companion attributes. See also figure 9 .


9.       Page 15 last paragraph: The mitigation request is not clear, to which identifier the text is related ?   "policy ID" ? I think the best is have another attribute to define the priority of mitigation requests


10.   Page 21 table: The return status are right but not enough. Need to add more telemetry info about the actual mitigation going on (how much traffic was mitigated) and the attack that are mitigated, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.


11.   Page 15 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.


12.   Page 21 last paragraph: This is very strong point.


13.   Page 25 : Regarding attack status, same point about telemetry.


14.   Page 25 chapter 5.4: I believe it can valuable to add a short high level description about the proposed API flow, same as you did for 5.3 .


15.   Page 27:  The necessity of policy_id here is not clear enough, are the "Signal Channel Session Configuration" define only "single" DOTS session or the entire communication between Client and Server for several DOTS request for mitigation?


16.   Page 27: Not sure about the reason for "at least one of the attributes heartbeat-interval or max-retransmit or ack-timeout or ack-random-factor MUST be present." Also consider to change to "presented".



17.   Page 30 chapter 5.5: Need to specify the overall scenario, in reaction to which signal (or API transaction POST of Mitigation Request , unidirectional notification from Server as describes in page 23 in page 21 ?) the  redirection occurred ?



Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel  draft-reddy-dots-data-channel-03


1.       General comment: For all signal in the draft, need to add means to allow vendor specific attributes as part of all signals transactions



2.       Page 5 second paragraph: Why it is required to configure the DOTS signal channel session ?


3.       Page 8 chapter 3.2.1 : Any reason for not including these identifiers in the DOTS signal channel draft ?


4.       Page 9 figure 3 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.


5.       Page 13 chapter 3.3 : Need to emphasize that filtering rules are relevant for both client server direct communication and through a DOTS gateway. The chapter is a bit confusing.


6.       Page 14 chapter 3.3 : I am missing the white-list installation, is it by using the permit action ?


7.       Page 15 figure 8: For DDoS it is highly valuable to have rate limit as an action. Consider adding such action (if already defined need to explain where and how).


8.       Page 15 figure 8: Need to consider adding priority to an ACL to support cases when several filtering rules are conflicting.



9.       Page 15 : The action field cannot be optional attribute.


10.   Page 16 chapter 3.3.3: Need to add more telemetry info about the actual traffic that was blocked (bps, pps and so on), but as I believe this might be another issue...



Thanks,

Ehud Doron |  Senior Architect, Radware CTO office | M: +972-54-7575503 | T: +972-72-3917120

v2.23.0 | Report a Bug | By Email