[Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
Mirja Kühlewind <ietf@kuehlewind.net> Wed, 20 February 2019 17:53 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: dots@ietf.org
Delivered-To: dots@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 854A2130E5F; Wed, 20 Feb 2019 09:53:48 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Mirja Kühlewind <ietf@kuehlewind.net>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dots-requirements@ietf.org, Liang Xia <frank.xialiang@huawei.com>, dots-chairs@ietf.org, frank.xialiang@huawei.com, dots@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com>
Date: Wed, 20 Feb 2019 09:53:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/2iZPYsJPYDAmpHjlnHab3_VbEoo>
Subject: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 17:53:49 -0000
Mirja Kühlewind has entered the following ballot position for draft-ietf-dots-requirements-18: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dots-requirements/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for addressing the TSV-ART comments (and thanks Joe for the review)! In-line with Joe's comment, please see some additional comments below. 1) One minor edit is required still for SIG-002: for PLMTUD the correct reference is RFC4821, however, as commented by Joe RFC1191 is less reliable and therefore usually not recommended. I would recommend to re-add a reference to RFC4821 and no reference to RFC1191 (or only with a warning that RFC4821 is preferred due to ICMP blocking). Further, the correct reference for datagram PLMTUD is draft-ietf-tsvwg-datagram-plpmtud. 2) Also on this text in SIG-004: "The heartbeat interval during active mitigation could be negotiable, but MUST be frequent enough to maintain any on-path NAT or Firewall bindings during mitigation. When TCP is used as transport, the DOTS signal channel heartbeat messages need to be frequent enough to maintain the TCP connection state." As Joe commented already, different heartbeats at different layers can be used at the same time for different purposes. You can use heartbeats at the application layer to check service availability while e.g. using a higher frequent heartbeat at the transport layer to maintain firewall and NAT state. The advantage to such an approach is that there is less application layer overhead/load e.g. in scenarios where it might be expensive to wake up the application or a server is already highly loaded. Also note that the time-outs values of NATs and firewalls on the path are usually unknown, therefore an application can never rely on heartbeats (no matter at which level) and must be prepared to try to reconnect on the application layer if the connection fails. Usually, the main reason for using heartbeats to maintain NAT or firewall state (vs. reconnect every time) in TCP is if the application is time-sensitive and a full TCP handshake takes too long for the desired service. I'm not sure that the case for DOTS, however, I understand it may be beneficial to have established state if an attack is on-going. For UDP I guess it's more complicated in your case. Time-outs are usually very short, however, state is created with the first packet of a flow (as there is no handshake in UDP). As you don't see blocking if state is expired as new state is created immediately, it's kind of impossible to measure the configured time-out values. Only if the firewall is under attack it would start blocking UDP traffic that is has no state for yet. So I understand why it is desirable to maintain UDP state for you, however, I don't understand how you can know that your frequency is high enough to actually keep the state open. Note that TCP time-outs are usually in the order of hours, while UDP time-outs are usually in range of tens of seconds, and might expire even quicker if a system is under attack. If that is a scenario that is important for you, and assuming that not all time-outs values on the path can be known, I guess it would be recommendable to use TCP instead. In any case this can not be a MUST requirement (as timers are usually not known). I would recommend to state something like: "MAY be frequent enough to maintain NAT or firewall state, if timer values are known, or if TCP is used, SHOULD use in addition TCP heartbeats to maintain the TCP connection state and reconnect immediately if a failure is detected." And also for this part it is different for TCP and UDP: "Because heartbeat loss is much more likely during volumetric attack, DOTS agents SHOULD avoid signal channel termination when mitigation is active and heartbeats are not received by either DOTS agent for an extended period." If TCP would be used and no ACKs are received, TCP would try to retransmit a few times and some point terminate the connection. However, UDP is a connection-less protocol, there is nothing to terminate. Also note that for reliable transports, it is sufficient if one end-hosts sends heartbeats as the other end is required to acknowledge the reception on the transport layer (and if no ack is received the connection is terminated on the transport layer). So I guess what you want to say above is that if a connection-less protocol is used, heartbeats should continuously be sent even if no heartbeats are received from the other end. However, I think you still need to define a termination criteria, as you for sure don't want to keep sending heartbeats forever. Also the next part: " * To handle possible DOTS server restart or crash, the DOTS clients MAY attempt to establish a new signal channel session, but MUST continue to send heartbeats on the current session so that the DOTS server knows the session is still alive. If the new session is successfully established, the DOTS client can terminate the current session." There is nothing like connection re-establishing in UDP, you just keep sending traffic. While in TCP, as explained above, the connection will be terminated at the transport layer and there is no way to keep sending heartbeats on the "old" session. Or do have something like DTLS in mind in this case? 3) In SIG-006 you say: " Due to the higher likelihood of packet loss during a DDoS attack, DOTS servers MUST regularly send mitigation status to authorized DOTS clients which have requested and been granted mitigation, regardless of client requests for mitigation status." Please note that this is only true if a not-reliable transport is used. If a reliable transport is used, data is received at the application level without loss (but maybe some delay) or the connection is terminated (if loss is too high to retransmit successfully). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- One editorial comment on SEC-002: "A security mechanism at the network layer (e.g., TLS) is thus adequate to provide hop-by-hop security. In other words, end-to-end security is not required for DOTS protocols." TLS is transport layer security (not network layer) and therefore known as providing end-to-end security while the term hop-by-hop is used for e.g. IPSec. I would recommend to change the wording here in order to avoid confusion, e.g. "A security mechanism at the transport layer (e.g., TLS) is thus adequate to provide security between different DOTS agents. In other words, a direct security association between the server and client, excluding any proxy, is not required for DOTS protocols." And finally one general comment: I understand that having wg consensus for this document is import to proceed the work of the group, however, I don't see the value in archiving this document in the IETF RFC series as a stand-alone document. If the group thinks documenting these requirements for consumption outside the group's work at a later point in time is valuable, I would rather recommend to add the respective requirements to the appendix of the respective protocol specs.
- [Dots] Mirja Kühlewind's Discuss on draft-ietf-do… Mirja Kühlewind
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Teague, Nik
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)