Re: [Dots] Behavior when keep-alives fail (RE: Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

<> Wed, 17 July 2019 12:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1E7BC1203A4; Wed, 17 Jul 2019 05:15:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wnXNMDaefZ_g; Wed, 17 Jul 2019 05:15:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3A1E912038A; Wed, 17 Jul 2019 05:15:45 -0700 (PDT)
Received: from (unknown [xx.xx.xx.7]) by (ESMTP service) with ESMTP id 45pbnq348fzFsgJ; Wed, 17 Jul 2019 14:15:43 +0200 (CEST)
Received: from Exchangemail-eme3.itn.ftgroup (unknown [xx.xx.50.59]) by (ESMTP service) with ESMTP id 45pbnq1VBpz2xCl; Wed, 17 Jul 2019 14:15:43 +0200 (CEST)
Received: from OPEXCNORMAE.corporate.adroot.infra.ftgroup ([fe80::897f:9a74:3898:db87]) by OPEXCNORM73.corporate.adroot.infra.ftgroup ([fe80::3991:195b:e05c:93d5%21]) with mapi id 14.03.0439.000; Wed, 17 Jul 2019 14:15:43 +0200
From: <>
To: Mirja Kuehlewind <>
CC: "" <>, "" <>, The IESG <>, "" <>, Benjamin Kaduk <>
Thread-Topic: =?utf-8?B?W0RvdHNdICBCZWhhdmlvciB3aGVuIGtlZXAtYWxpdmVzIGZhaWwgKFJFOiAg?= =?utf-8?B?IE1pcmphIEvDvGhsZXdpbmQncyBEaXNjdXNzIG9uIGRyYWZ0LWlldGYtZG90?= =?utf-8?Q?s-signal-channel-31:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AQHVO+zmzhyXOwvkyUu6dskqVyjY5abOpq+Q
Date: Wed, 17 Jul 2019 12:15:42 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302F643236@OPEXCNORMAE.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B93302EAB2ABA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B93302EAB2CC5@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B93302EAB2F77@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <06e901d531a8$38f38d90$aadaa8b0$> <> <072901d531d3$bdd39c00$397ad400$> <> <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Dots] =?utf-8?q?Behavior_when_keep-alives_fail_=28RE=3A___Mirja?= =?utf-8?q?_K=C3=BChlewind=27s_Discuss_on_draft-ietf-dots-signal-channel-3?= =?utf-8?q?1=3A_=28with_DISCUSS_and_COMMENT=29?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jul 2019 12:15:47 -0000

Hi Mirja,

Glad to see that we are progressing. With regards to the remaining issue, let's recap on the intended functionality and general observations.

* What is the intended functionality?

(1) What we need is a check to assess the liveness of the peer DOTS agent + maintain NAT/FW state on on-path devices. 
(2) CoAP does not impose how CoAP Ping messages should be sent, how their response (or lack of) should be interpreted, etc. This is left to the application.

(3) In a DDoS context, failure to receive heartbeats ** should not ** be systematically interpreted as the session is defunct. To that aim, a specific behavior is followed at the DOTS layer (not CoAP layer). The DOTS layer instructs the CoAP layer (DOTS session, and mitigation operations) accordingly.   

* Why CoAP Pings?

CoAP Pings naturally achieve (1). These messages are interesting because they have small message sizes. CoAP Ping uses Empty Confirmable message (no request) and the response is a Reset message (which is empty).

CoAP Ping can be used ** as-is ** during idle time (no attack). Multiple Ping failures and Ping exchange in both directions is required only during the attack time to really detect if the peer is dead or alive (because of (3)).

This is aligned with (2).

* Why not DOTS-specific messages?

If we have to define such message, it needs to be the smallest footprint as practical. An Empty message is inexpensive, nevertheless empty Non-confirmable messages are not allowed (See rfc7252#section-4.3) and sending the Reset message is optional. 

Furthermore, if heartbeats were non-confirmable that means that we would need to get the application layer to do any recovery work. It is much simpler to make them confirmable and delegate the recovery work to CoAP layer. 

So, even if we did it in the DOTS layer it will be the same as "CoAP ping".

The WG did not see a reason to re-do the same in the application layer. In DOTS, the CoAP ping is initiated by the application (DOTS layer itself) and CoAP layer only handles the retransmissions. The proposed mechanism does not require an update to the CoAP stack other with the assumption that callback handlers are supported to give visibility of when a ping or pong was received by the CoAP layer in the application layer. As such, the current design is pragmatic. 

The DOTS layer has the ** full control required for the intended functionality **.

* Why separating heartbeats parameters from CoAP transmission ones?

We need to allow for a differentiated handling of heartbeats during idle/mitigation times. To that aim, we defined specific heartbeat parameters for each of these times without touching the CoAP connection parameters. All the message transmission parameters including missing-hb-allowed are configurable using the DOTS signal channel (see draft-ietf-dots-signal-channel-35#section-4.5) and these message transmission parameter including the missing-hb-allowed is only used for UDP transport.

One last comment about adjusting CoAP parameter values, we spent in the WG a lot of cycles to discuss this particular point. The conclusion of the WG is that 4 retransmits (that corresponds to the default value of MAX_RETRANSMIT) are not sufficient to detect the session is disconnected during volumetric 
DDoS attack saturating the incoming link, and which will lead to high packet loss. This is why multiple heartbeat losses are required to detect the session is defunct.

Unless there is a flaw with the current design (fail to achieve the intended functionality, implementation complexity, side effects, ...), we don't see a reason to change the current approach. 

Thank you. 


> -----Message d'origine-----
> De : Mirja Kuehlewind []
> Envoyé : mardi 16 juillet 2019 17:41
> À : Konda, Tirumaleswar Reddy
> Cc : Jon Shallow; BOUCADAIR Mohamed TGI/OLN; draft-ietf-dots-signal-
>;;; The IESG;
>; Benjamin Kaduk
> Objet : Re: [Dots] Behavior when keep-alives fail (RE: Mirja Kühlewind's
> Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)
> Hi Tiru,
> Thanks for the updates. I think there is one remaining issue on the use of
> ping/heart-beats (see also my other message). However, I believe all other
> discuss points have been addressed now. Thanks for that!
> Mirja