Re: [Dots] WGLC for draft-dots-use-cases-19

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 06 August 2019 11:52 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Valery Smyslov" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Thread-Topic: [Dots] WGLC for draft-dots-use-cases-19
Date: Tue, 6 Aug 2019 11:52:23 +0000
Message-ID: <DM5PR16MB170551C20908654A0F6428D7EAD50@DM5PR16MB1705.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/1sSO0QBQEV7ftv6DBCeVdw-tHA0>

> -----Original Message-----
> From: mohamed.boucadair@orange.com
> <mohamed.boucadair@orange.com>
> Sent: Tuesday, August 6, 2019 3:15 PM
> To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> <valery@smyslov.net>; dots@ietf.org
> Cc: Xialiang (Frank, Network Standard & Patent Dept)
> <frank.xialiang@huawei.com>
> Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> 
> 
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Konda, Tirumaleswar Reddy
> > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Sent: Tuesday, August 6, 2019 11:29
> > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com
> > > <mohamed.boucadair@orange.com>
> > > Sent: Tuesday, August 6, 2019 2:50 PM
> > > To: Konda, Tirumaleswar Reddy
> > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > <valery@smyslov.net>; dots@ietf.org
> > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > <frank.xialiang@huawei.com>
> > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > >
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Sent: Tuesday, August 6, 2019 11:15
> > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > >
> > > > > -----Original Message-----
> > > > > From: mohamed.boucadair@orange.com
> > > > > <mohamed.boucadair@orange.com>
> > > > > Sent: Tuesday, August 6, 2019 2:00 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > > > <valery@smyslov.net>; dots@ietf.org
> > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > <frank.xialiang@huawei.com>
> > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > >
> > > > >
> > > > > Re-,
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Konda, Tirumaleswar Reddy
> > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > Sent: Tuesday, August 6, 2019 10:14
> > > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > >
> > > > > > Hi Med,
> > > > > >
> > > > > > No, the orchestrator is not ignoring the mitigation hints.
> > > > >
> > > > > [Med] Why? The text is clear the orchestrator acts as DOTS server.
> > > > > As such, it can ignore/accept hints.
> > > > >
> > > > > > It is sending filtering rules to block or rate-limit traffic to
> > > > > > routers (last but one line in the new paragraph).
> > > > >
> > > > > [Med] Yes. That filtering rule is the one that would be applied by
> > > > > the DMS if it has sufficient resources.
> > > > >
> > > > > > The adverse impact is legitimate users whose IP addresses were
> > > > > > spoofed cannot access the services of the target server.
> > > > >
> > > > > [Med] This is a check at the DMS side. This check applies
> > > > > independently of **where** the filters are applied. This is not
> > > > > specific to this NEW text.
> > > >
> > > > If the orchestrator is sending filtering rules to block traffic,
> > > > checks are required to ensure spoofed IP addresses are not conveyed
> > > > by the DMS.
> > >
> > > [Med] Yes, but the current text describes the case where the DMS
> > > supplies "its blocked traffic information":
> > >
> > >   the DDoS mitigation system can send mitigation requests
> > >   with additional hints such as its blocked traffic information to the
> > >                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >   orchestrator.
> > >
> > > So, the DMS has already done that check.
> >
> > The blocked traffic information will include attack traffic from both
> > spoofed and attacker IP addresses.
> >
> 
> [Med] If you are saying that there is an issue if the DMS does not check, you
> are right. But, again, this is not specific to the NEW text. This is a general
> problem (that is outside DOTS, BTW).

No, the DMS will check anyway and try not to block legitimate traffic from users whose IP addresses have been spoofed.

> 
> 
> > >
> > > > If the orchestrator delegates the mitigation to a separate domain
> > > > (recursive signaling), the attack information provided by DMS can
> > > > include spoofed IP addresses (so the new mitigator in the separate
> > > > domain learns the attack traffic is coming from spoofed IP addresses).
> > >
> > > [Med] This is not specific to this case, but applies each time there
> > > is recursive signaling.
> >
> > My comment is that using the attack information of spoofed IP addresses
> > to filter traffic would penalize legitimate users, and the text is not
> > clear to me. I suggest adding a line for clarity: DMS may supply both
> > spoofed and attacker IP addresses in the attack information to the
> > orchestrator. The orchestrator will only use the non-spoofed IP
> > addresses to enforce filtering rules on routers.
> 
> [Med] I was assuming this is already done by the DMS to generate "its
> blocked traffic information", but if you prefer the text to be explicit, it will
> need to be generic:
> 
> the check is not specific to the NEW text but applies also in the general DMS
> case (without offloading).

When the DMS generates the attack traffic information it should include both spoofed and attacker IP addresses (tagged with whether the IP address is spoofed or not). If the orchestrator is delegating the mitigation to a separate domain, it can propagate the attack information so the mitigator in the separate domain has knowledge that the attacker is using spoofed IP addresses and the mitigator can optionally use the attack information to determine the mitigation strategy. However, if the orchestrator is enforcing filtering rules on routers, it should create the black-list rules based on the non-spoofed attacker IP addresses and not use the spoofed victim IP addresses.

Cheers,
-Tiru
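The orchestrator behaviour proposed in the last message above, as an added illustration that is not part of the thread or of any DOTS implementation: the DMS tags each reported source as spoofed or not, the orchestrator derives router block-list rules only from the non-spoofed attacker addresses, and the full tagged set is what gets propagated on recursive signaling. The record layout, the `("block", ip)` rule tuples and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class AttackSource:
    """One entry of the attack information the DMS hands to the orchestrator
    (assumed layout; the draft does not define a wire format here)."""
    ip: str
    spoofed: bool  # True: the address belongs to a victim, not to the attacker
    pps: int       # observed packet rate, constructed sample data


def dms_attack_information() -> list:
    """Constructed sample of what a DMS might report, tagged as proposed."""
    return [
        AttackSource("198.51.100.7", spoofed=False, pps=90000),
        AttackSource("198.51.100.8", spoofed=False, pps=75000),
        AttackSource("203.0.113.21", spoofed=True, pps=120000),   # victim address
        AttackSource("203.0.113.22", spoofed=True, pps=110000),   # victim address
    ]


def orchestrator_router_rules(attack_info: list) -> list:
    """Filtering rules the orchestrator would push to routers.

    Only non-spoofed attacker addresses become block-list entries; a spoofed
    entry is the address of a legitimate user and must never be blocked.
    """
    rules = []
    for src in attack_info:
        ip_address(src.ip)  # reject malformed input before it reaches router config
        if not src.spoofed:
            rules.append(("block", src.ip))
    return rules


def recursive_signaling_hints(attack_info: list) -> list:
    """Hints forwarded to a mitigator in a separate domain: every entry, tags
    included, so that domain can pick its own mitigation strategy."""
    return [{"ip": s.ip, "spoofed": s.spoofed, "pps": s.pps} for s in attack_info]


def rules_avoid_spoofed(rules: list, attack_info: list) -> bool:
    """Defender-side sanity check: no rule targets an address tagged as spoofed."""
    spoofed = {s.ip for s in attack_info if s.spoofed}
    return not any(ip in spoofed for _, ip in rules)
```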