Re: [Dots] draft-ietf-dots-filter-control: acl updates

kaname nishizuka <kaname@nttv6.jp> Wed, 05 June 2019 01:18 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44A7B1200E5 for <dots@ietfa.amsl.com>; Tue, 4 Jun 2019 18:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id quKKnYQwudZt for <dots@ietfa.amsl.com>; Tue, 4 Jun 2019 18:18:00 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id EFB8312000E for <dots@ietf.org>; Tue, 4 Jun 2019 18:17:59 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [192.168.8.15]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 9482125F6BF; Wed, 5 Jun 2019 10:17:58 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1559697478; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Vng49DN75mWda8vEhCuoX4oAoaYX5bmDLoEmQuYS3No=; b=ljxmOpuBRvvxbjboW26Cp1MDcXEdt2czoIKmAKMAIBRN9ug9csfxznfzL/qn5K7c5beJsy 5Zn7uWEj7NHsu5pUSs5U2sslacokWn39S3LAYU6iKoLgwqqCtBPEoJoNGfhSqEBf35ylGS 9nlDKWBDU1BWmHl3iDrRj6cOnPozoKc=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 7BEAC759077; Wed, 5 Jun 2019 10:17:58 +0900 (JST)
To: mohamed.boucadair@orange.com, Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93302EA7DAAF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279089B075158BFF8C8B2E5FEA090@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7E01D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <7f1f7363-11d0-9acd-32a5-ba9fc92cf433@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302EA7E072@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <00e801d50b04$54db4a90$fe91dfb0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302EA7E37B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <018f01d50b25$682183a0$38648ae0$@jpshallow.com> <a190f1f1-174a-e06b-6977-64d226907308@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302EA7F973@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <9f500c73-3091-b55e-4c13-ae28d6d28ada@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302EA8EDE1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <1c511d2d-6dd8-6f04-d7a4-2f620331e90f@nttv6.jp>
Date: Wed, 5 Jun 2019 10:17:57 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA8EDE1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Content-Type: multipart/alternative; boundary="------------8E6D735529D1B81DB5BAF4FC"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/2LO3MjTGerHFub3icVMfmGhaBlo>
Subject: Re: [Dots] draft-ietf-dots-filter-control: acl updates
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 01:18:04 -0000

Yes.

But if a new draft give us a solid interface of retrieving acl status (and its stats), it doesn't motivate me to implement observe stuff here.

regards,
Kaname

On 2019/05/24 21:52, mohamed.boucadair@orange.com wrote:
>
> Hi Kaname,
>
> The same notification can be sent many times to be sure the notification is successfully delivered.
>
> In both modes:
>
> ·the server needs to track changes on acls bound to a DOTS client. How the tracking is done is implementation-specific.
>
> ·the client needs to be prepared to receive acl attributes in the response.
>
> No?
>
> Cheers,
>
> Med
>
> *De :*Dots [mailto:dots-bounces@ietf.org] *De la part de* kaname nishizuka
> *Envoyé :* vendredi 24 mai 2019 11:03
> *À :*BOUCADAIR Mohamed TGI/OLN; Jon Shallow; dots@ietf.org
> *Objet :* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
>
> Right, acl stats is not related to the excerpt spec.
>
> But I'm not fully convinced that the observe of the 'activation-type' will be used.
> Notification of the current state of 'activation-type' can be lost in attack time even though it's very important if an external action on DOTS server is unintended by the DOTS client.
> So I prefer to use a polling request in 4.4.2.2.
> It's an implementation specific, but I've just been wondering if there is an alternate to drop the specification of 'activation-type' observation.
>
> regards,
> Kaname
>
> On 2019/05/17 20:16, mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> wrote:
>
>     Re-,
>
>     That excerpt from the filter-control draft is not related to acl stats.
>
>     Can you please clarify what would be the implications on the filter-control draft if acl-stats are allowed to be returned in GET responses?
>
>     Thank you.
>
>     Cheers,
>
>     Med
>
>     *De :*Dots [mailto:dots-bounces@ietf.org] *De la part de* kaname nishizuka
>     *Envoyé :* vendredi 17 mai 2019 12:00
>     *À :* Jon Shallow; BOUCADAIR Mohamed TGI/OLN; dots@ietf.org <mailto:dots@ietf.org>
>     *Objet :* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
>     Hi,
>
>     As the conclusion of the discussion about ACL Stats issue, there will be a draft about retrieving ACL Stats over the signal-channel WITHOUT respect to whether ACLs are activated via signal-filter-control.
>
>     I'd like to note that when it came out, the GET response spec in signal-filter-control would be subject to change.
>     Basically, this current specification introduces implementation complexity.
>     >    If, during an active mitigation, the 'activation-type' is changed at
>     >    the DOTS server (e.g., as a result of an external action) for an ACL
>     >    bound to a DOTS client, the DOTS server notifies that DOTS client
>     >    with the change by including the corresponding ACL parameters in an
>     >    asynchronous notification (the DOTS client is observing the active
>     >    mitigation) or in a response to a polling request (Section 4.4.2.2 of
>     >    [I-D.ietf-dots-signal-channel]).
>
>     regards,
>     Kaname
>
>
>     On 2019/05/15 22:52, Jon Shallow wrote:
>
>         Hi Med,
>
>         I think that covers it.  Now I have access to my emails, it was the PUT that I was thinking about, not the GET.
>
>         Regards
>
>         Jon
>
>         *From:*Dots [mailto: dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>] *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
>         *Sent:* 15 May 2019 12:22
>         *To:* Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
>         *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
>         Re-,
>
>         Noted. Thanks.
>
>         With regards to your second point, we do have the following in the draft:
>
>            If, during an active mitigation, the 'activation-type' is changed at
>
>            the DOTS server (e.g., as a result of an external action) for an ACL
>
>            bound to a DOTS client, the DOTS server notifies that DOTS client
>
>            with the change by including the corresponding ACL parameters in an
>
>            asynchronous notification (the DOTS client is observing the active
>
>            mitigation) or in a response to a polling request (Section 4.4.2.2 of
>
>            [I-D.ietf-dots-signal-channel]).
>
>         Do we need to say more?
>
>         Cheers,
>
>         Med
>
>         *De :*Jon Shallow [mailto:supjps-ietf@jpshallow.com]
>         *Envoyé :* mercredi 15 mai 2019 11:56
>         *À :* BOUCADAIR Mohamed TGI/OLN; kaname nishizuka; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
>         *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
>         Hi Guys,
>
>         I concur with (2).
>
>         I think that we have the ‘mid’ wrap properly covered (more likely to occur now with lots of ‘tweaks’ to the mitigation when trying out different acl-lists).
>
>         With (2) changing the activation-types, it is possible that some packets may not get through, and so an activation-type may be in an unexpected state.  I know  that we encourage regular monitor of the status of a mitigation (by signal channel observing), but  am unable to find as to whether acl-list etc. is returned on signal channel GET response (there are no GET signal channel response examples).  There was discussion about this on the mailing list, but it did not get a final resolution.
>
>         Regards
>
>         Jon
>
>         *From:*Dots [mailto: dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>] *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
>         *Sent:* 15 May 2019 09:05
>         *To:* kaname nishizuka; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
>         *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
>         Re-,
>
>         Thank you for sharing your thoughts.
>
>         -00 allows to use both a new or existing ‘mid’. With (2) taken into account, we need the following change:
>
>         OLD:
>
>            A DOTS client may include acl-* attributes in a mitigation request
>
>         having a new or an existing 'mid'.  When acl-* attributes are to be
>
>         included in a mitigation request with an existing 'mid', the DOTS
>
>         client MUST repeat all the other parameters as sent in the original
>
>         mitigation request (i.e., having that 'mid') apart from a possible
>
>         change to the lifetime parameter value.
>
>         NEW:
>
>            During an attack time, DOTS clients may include 'acl-list', 'acl-
>
>            name', and 'activation-type' attributes in a mitigation request.
>
>            This request may be the initial mitigation request for a given
>
>            mitigation scope or a new one overriding an existing request.  In
>
>            both case, a new 'mid' MUST be used.
>
>            As the attack evolves, DOTS clients can adjust the 'activation-type'
>
>            of an ACL conveyed in a mitigation request or control other filters
>
>            as necessary.  This can be achieved by sending a PUT request with a
>
>            new 'mid' value.
>
>         Cheers,
>
>         Med
>
>         *De :*kaname nishizuka [mailto:kaname@nttv6.jp]
>         *Envoyé :* mercredi 15 mai 2019 09:59
>         *À :* BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
>         *Objet :* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
>         Hi Tiru, Med,
>
>         I agree with Tiru.
>
>         > FWIW, the changes to implement (2) can be seen at:
>         >
>         > https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
>         >
>         Could you specify where it is?
>         (2) is taken account as the current version of the draft allows to include acl attributes in requests with new ‘mid’s.
>
>         regards,
>         Kaname
>
>         On 2019/05/15 16:28, mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> wrote:
>
>             Hi Tiru,
>
>             Agree.
>
>             Looking forward to hear  more.
>
>             FWIW, the changes to implement (2) can be seen at:
>
>             https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
>
>             Cheers,
>
>             Med
>
>             *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
>             *Envoyé :* mercredi 15 mai 2019 09:11
>             *À :* BOUCADAIR Mohamed TGI/OLN; dots@ietf.org <mailto:dots@ietf.org>
>             *Objet :* RE: draft-ietf-dots-filter-control: acl updates
>
>             I don’t think approach (1) is a good idea because of out of order delivery of packets. Further, the anti-relay detection technique in DTLS uses sliding windows procedure. An MITM can possibility cache and drop the packets from the client, and replay the cached packets that fall within the sliding window. For instance in the below example, the server could receive packets in the order T0, T4, T1, T2.
>
>             Monotonically increasing ‘mid’ is the only defense against this mechanism, and I don’t think the signal channel draft needs any update.
>
>             Cheers,
>
>             -Tiru
>
>             *From:*Dots <dots-bounces@ietf.org>; <mailto:dots-bounces@ietf.org> *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
>             *Sent:* Tuesday, May 14, 2019 8:14 PM
>             *To:* dots@ietf.org <mailto:dots@ietf.org>
>             *Subject:* [Dots] draft-ietf-dots-filter-control: acl updates
>
>             *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>             ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>             Hi all,
>
>             The current version of the draft allows to include acl attributes in requests with new or existing ‘mid’s. By “existing mid’, we meant an existing request which does not include acl attributes when the request was initially created. For such requests, the activation-type of the same acl can be changed as the attack evolve or even control other ACLs. This is supposed to be covered by this text:
>
>             When acl-* attributes are to be
>
>             included in a mitigation request with an existing 'mid', the DOTS
>
>             client MUST repeat all the other parameters as sent in the original
>
>             mitigation request (i.e., having that 'mid') apart from a possible
>
>             change to the lifetime parameter value.
>
>             For example:
>
>             T0: R(mid)
>
>             T1: R(mid, acl1, activation-type=value1)
>
>             T2: R(mid, acl2, activation-type=value2)
>
>             T3: R(mid, acl1, activation-type=value2)
>
>             T4: R(mid)
>
>             ...
>
>             Now, if acl attributes are included in a request with a new mid, we need to specify how activation-type (and acl-list in general) can be updated. We do have two options:
>
>              1. Update the draft with this NEW text:
>
>                If 'acl-list', 'acl-name', and 'activation-type' attributes are
>
>                included in the initial mitigation request (that is, a mitigation
>
>                request with a new 'mid'), the DOTS client may update the
>
>                'acl-list' as an active attack evolves.  To do so, the DOTS
>
>                client MUST repeat all the other parameters as sent in the original
>
>                mitigation request apart from a possible change to the 'acl-list’
>
>                and the lifetime parameter values.
>
>                And the signal channel spec as follows:
>
>                For a mitigation request to continue beyond the initial negotiated
>
>                lifetime, the DOTS client has to refresh the current mitigation
>
>                request by sending a new PUT request..  This PUT request MUST use the
>
>                same 'mid' value, and MUST repeat all the other parameters as sent in
>
>                the original mitigation request apart from a possible change to the
>
>                lifetime parameter value or other changes to attributes defined in future extensions.
>
>                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>             For example:
>
>             T0: R(mid, acl1, activation-type=value1)
>
>             T1: R(mid, acl2, activation-type=value2)
>
>             T2: R(mid, acl1, activation-type=value2)
>
>             ..
>
>              2. Require a new mid each time a client has to insert acl attributes.
>
>             For example:
>
>             T0: R(mid0)
>
>             T1: R(mid1, acl1, activation-type=value1)
>
>             T2: R(mid2, acl2, activation-type=value2)
>
>             T3: R(mid3, acl1, activation-type=value2)
>
>             ...
>
>             Thoughts?
>
>             Cheers,
>
>             Med
>
>             _______________________________________________
>
>             Dots mailing list
>
>             Dots@ietf.org  <mailto:Dots@ietf.org>
>
>             https://www.ietf.org/mailman/listinfo/dots
>
>
>
>
>         _______________________________________________
>
>         Dots mailing list
>
>         Dots@ietf.org  <mailto:Dots@ietf.org>
>
>         https://www.ietf.org/mailman/listinfo/dots
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots