Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 03 July 2019 07:55 UTC
Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7364012073A for <dots@ietfa.amsl.com>; Wed, 3 Jul 2019 00:55:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.748
X-Spam-Level:
X-Spam-Status: No, score=-2.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_AFFORDABLE=1, HTML_MESSAGE=0.001, PRICES_ARE_AFFORDABLE=0.551, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9BtLCUXFepeb for <dots@ietfa.amsl.com>; Wed, 3 Jul 2019 00:55:49 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 485E2120733 for <dots@ietf.org>; Wed, 3 Jul 2019 00:55:49 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1562139897; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=T XgpiEnO59qB0g/MyQqDTd6JJPA+AOKHGgjClwgNhM o=; b=K4jMSOaMh6wp9noWqtFsQD5Iq9x1HyuwgFbzzc97L4CL JKsR+Y+TrmpY7uVkBzyhrJkzRkKrLmM7/bWtWy8toKEEMUBvNy h54lCveX5HO+t++bDMJz7svrg2f1J6HfKM8oTdomuRpNMZ0RnC jFupTnYyb7ElvKZOR+ljPhx0KP4=
Received: from DNVEXAPP1N04.corpzone.internalzone.com (unknown [10.44.48.88]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 33ed_5b4f_8df13822_dc4d_44d9_813e_bba5a1e84be3; Wed, 03 Jul 2019 01:44:56 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 3 Jul 2019 01:54:57 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Wed, 3 Jul 2019 01:54:56 -0600
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 3 Jul 2019 01:54:55 -0600
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB2166.namprd16.prod.outlook.com (52.132.142.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.18; Wed, 3 Jul 2019 07:54:55 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065%5]) with mapi id 15.20.2032.019; Wed, 3 Jul 2019 07:54:55 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Meiling Chen <chenmeiling@chinamobile.com>, "mohamed.boucadair" <mohamed.boucadair@orange.com>, "Panwei (William)" <william.panwei@huawei.com>
CC: dots <dots@ietf.org>
Thread-Topic: [Dots] Some comments on draft-ietf-dots-signal-call-home-02
Thread-Index: AQHVMT57WZL4zk1dcE6NppUmm5aNt6a4UNdQ
Date: Wed, 03 Jul 2019 07:54:54 +0000
Message-ID: <DM5PR16MB170537F6A4C1391169A006E3EAFB0@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <30E95A901DB42F44BA42D69DB20DFA6A69FA5E84@nkgeml513-mbx.china.huawei.com>, <787AE7BB302AE849A7480A190F8B93302EAADB9E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>, <30E95A901DB42F44BA42D69DB20DFA6A69FA69EC@nkgeml513-mbx.china.huawei.com>, <2019070214454218305711@chinamobile.com>, <787AE7BB302AE849A7480A190F8B93302EAB1FA4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <2019070309262119316418@chinamobile.com>
In-Reply-To: <2019070309262119316418@chinamobile.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.8
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7bb99c34-daa2-4a87-1fa9-08d6ff8bbcb5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR16MB2166;
x-ms-traffictypediagnostic: DM5PR16MB2166:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <DM5PR16MB2166BADC24C5D644FBB64B5AEAFB0@DM5PR16MB2166.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-forefront-prvs: 00872B689F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(396003)(366004)(39860400002)(346002)(376002)(189003)(199004)(85644002)(32952001)(86362001)(64756008)(8676002)(53936002)(80792005)(186003)(66556008)(66476007)(102836004)(66066001)(486006)(6116002)(55016002)(476003)(76176011)(316002)(66446008)(71190400001)(2906002)(446003)(73956011)(71200400001)(5660300002)(3846002)(790700001)(110136005)(478600001)(11346002)(66946007)(6246003)(72206003)(53546011)(53946003)(966005)(606006)(33656002)(81156014)(229853002)(236005)(81166006)(74316002)(52536014)(7696005)(6506007)(54896002)(6436002)(99286004)(6306002)(4326008)(5024004)(9686003)(30864003)(76116006)(14444005)(8936002)(256004)(26005)(7736002)(14454004)(25786009)(68736007)(430464002)(85282002)(559001)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB2166; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZB62o0qvgZ7P6Biq3KRGRLrVmYu1TkRFpXRH9qKEnqXGprQ2nRhE6pjIzfsPTE/1p0XFlMq+G+0CintFoL84/uqOJhXe+HcZZYk4qfM4mRmrleRGAfAZFyh3yOQYxYMPTkS84mKeli4vXJTWO/hIjd8vsqw6nVRkzCoTaRZjXUC9gPveHjmG5NpZULtz+PuaZjiV7E85BZl9NFm3cT3xV2OzTCw2QAEFY/PUEVrGI5Ir5IJLcaJOkfrHd1q2stRtzLGsio1T0TNiX3dpzjXD44dHlIVLNGUt9TOsJiagA7LJNJWDNCgalZYScixWmV/0rDIofY2x+sVa4zYlThUi6a+ImeNdorWjY4i/CqLOJMpYBiS3bGR9QEnZ+S7eiHdJ+YpcN3H77Prtc0VPjIN3DYTCvFoEgkepeUk9JxPjdl4=
Content-Type: multipart/alternative; boundary="_000_DM5PR16MB170537F6A4C1391169A006E3EAFB0DM5PR16MB1705namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7bb99c34-daa2-4a87-1fa9-08d6ff8bbcb5
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jul 2019 07:54:54.9996 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB2166
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6581> : inlines <7113> : streams <1826256> : uri <2863203>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/3qytSNF4PKsk5Rwwcs3M7AtmNrk>
Subject: Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 07:55:55 -0000
The purpose of the gateway is to act as proxy or back to back user agent, see https://tools.ietf.org/html/draft-ietf-dots-architecture-14#section-2.2.3. Further, gateway may or may not be present between the DOTS client and server. The proposed mechanism in the draft does not require additional parameter and 1-RTT overhead to switch roles. We are using the technique similar to the one used in NETCONF/RESTCONF call home https://tools.ietf.org/html/rfc8071 . Cheers, -Tiru From: Dots <dots-bounces@ietf.org> On Behalf Of Meiling Chen Sent: Wednesday, July 3, 2019 6:56 AM To: mohamed.boucadair <mohamed.boucadair@orange.com>; Panwei (William) <william.panwei@huawei.com> Cc: dots <dots@ietf.org> Subject: Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02 CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Hi med, * if signal call home just exchange the role of client and server, why not just use gateway? gateway can play both client and server roles. * signal call home parameters: source-prefix、source-port-range、source-icmp-type; source-prefix and source-port-range have no difference with target-prefix and target-port-range in form, * If you want to make a clear distinction, why not just add a parameter in signal channel to indicate the general signal channel or call home signal channel? From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> Date: 2019-07-02 19:24 To: MeiLing Chen<mailto:chenmeiling@chinamobile.com>; Panwei (William)<mailto:william.panwei@huawei.com> CC: dots<mailto:dots@ietf.org> Subject: RE: Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02 Hi Meiling, A scenario where both base and call home signal channels may co-exist is as follows: • A CPE embeds a dots client used to seek for help whenever incoming attacks are detected (base dots signal/data channels) • The same CPE embeds a DOTS server to interact with a DOTS client hosted by its network provider (signal call home): the network provide uses this channel to place mitigation requests for outbound attacks that are originating from the CPE’s network. There is no call home extension defined for the data channel. If some ACLs needs to be communicated, for example, to the CPE, an option would be to use RFC8071 (RESTCONF/NETCONF Call Home).. Cheers, Med De : MeiLing Chen [mailto:chenmeiling@chinamobile.com] Envoyé : mardi 2 juillet 2019 08:46 À : Panwei (William); BOUCADAIR Mohamed TGI/OLN Cc : dots Objet : Re: Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02 Hi Med, general signal channel and call home function can both exist in the same scene? And I am also not so clear about how data channel used in call home scenerio? From: Panwei (William)<mailto:william.panwei@huawei.com> Date: 2019-06-27 15:49 To: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> CC: dots<mailto:dots@ietf.org> Subject: Re: [Dots] Some comments on draft-ietf-dots-signal-call-home-02 Hi Med, Thank you for your reply. For the sake of convenience, I move the discussion to the front. 4. In Section 4.1, it requests the IANA to assign a separate port number to the DOTS Signal Channel Call Home Protocol. In Section 3.3.1, it says Signal Channel Call Home can use not only this assigned port number but also some other port numbers configured by the administrator. So can the Signal Channel Port Number (4646) be configured as the Signal Channel Call Home Port Number? The draft should add some normative requirements about this. [Med] It is up to the client/server to agree on the alternate port. IMO, we don’t need to elaborate on these deployment considerations. [Wei] The base spec defines that Port 4646 is used for ordinary Signal Channel, if this port is also configured as Signal Channel Call Home Port Number, can the two signal channels be established simultaneously by both using Port 4646? Will these two signal channel work perfectly without mutual interference? If one port is enough for using, I don’t think another port need to be assigned? If different ports are needed, then the draft should explain the reason and add some normative requirements. 6. For this call home scenario, the draft doesn’t contain anything about data channel, is the data channel omitted by mistake? Does the data channel need to extend in the call home scenario? For the case that the home gateway acts as both DOTS client and DOTS server simultaneously, will it need two data channels just like it needs the two signal channels? [Med] No, that is on purpose. The data channel may fail when an attack is ongoing. [Wei] In call home scenario, can the DOTS server (home gateway) establish a Data Channel with the DOTS client (ISP or DMS) ? If can, 1) What’s the Call Home Data Channel used for? 2) How does it work? Is there any difference between Call Home Data Channel and ordinary Data Channel? 3) When home gateway acts both as DOTS server and DOTS client, there are two data channels with different directions, how to distinguish these two data channels? Will these two date channels work perfectly without any modification to data-channel-specification? If can’t, Why? And How to prevent it? In conclusion, my point of the above two comments is about the compatibility between the call home scenario and basic DOTS Signal/Data Channel. I don’t know whether you have considered the compatibility already. If not, these my preliminary thoughts may offer some help for considering about compatibility. I suggest a section can be added to clarify the compatibility. If you allow I’m willing to contribute more. 11. In Section 4.3, is the name “request-rejected” good enough? Because comparing to the names of other conflict causes, it seems this name can’t represent this specific conflict case, DOTS server can ‘reject the request’ in all the conflict cases. [Med] Do you have a preference? What about request-rejected-legitimate-traffic? [Wei] It works for me. 13. In Section 3.1.1, it says “the DOTS client MUST validate that attacker prefixes are within the scope of the DOTS server domain”. But how should the DOTS client know the scope of each DOTS server domain? [Med] Following similar means for a dots server to do that validation in the base spec. [Wei] OK, I’ll check the base spec for details. Maybe you can also add some references or guidance to the base spec in the call home draft. Regards & Thanks! 潘伟 Wei Pan 华为技术有限公司 Huawei Technologies Co., Ltd. From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> [mailto:mohamed.boucadair@orange.com] Sent: Wednesday, June 26, 2019 5:50 PM To: Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>; dots <dots@ietf.org<mailto:dots@ietf.org>> Subject: RE: Some comments on draft-ietf-dots-signal-call-home-02 Hi Pan, Thank you for the comments. Please see inline. Cheers, Med De : Dots [mailto:dots-bounces@ietf.org] De la part de Panwei (William) Envoyé : mercredi 26 juin 2019 10:25 À : dots Objet : [Dots] Some comments on draft-ietf-dots-signal-call-home-02 Hi authors, I’ve read the latest version draft, and I have the following comments: Some nits: 1. In Section 1.1, the second paragraph, s/at affordable price/at affordable prices/. 2. In Section 1.1, the second last paragraph, s/a IPv6 home network/an IPv6 home network/. 3. In Section 2, the reference I-D.ietf-dots-requirements should be changed to RFC8612. 4. In Section 3.3..1, Figure 4 and Figure 5, s/NAT Embeded in a CPE/NAT Embedded in a CPE/. 5. In section 5, the third paragraph, s/inspect all the traffic from the compromised to the target/inspect all the traffic from the compromised device to the target/. [Med] Fixed. Thanks Comments: 1. The Section 3.3.1 contains three things: the new parameters of the mitigation request, the considerations of NAT deployment, the extension of conflict-clause. These 3 things make this section too long. For a better structure and readability, my suggestion is to split this section into 3 sections, or at least to put the NAT considerations into a separate section. [Med] OK to moved address sharing considerations into a separate section. 2. In Section 3.3..1, when describing the source-port-range, it says: For TCP, UDP, Stream Control Transmission Protocol (SCTP) [RFC4960], or Datagram Congestion Control Protocol (DCCP) [RFC4340], a range of ports can be, for example, 0-1023, 1024-65535, or 1024-49151. My understanding of these 3 examples is that they want to show the readers the ports can range from 0 to 65535. It’s better to say this explicitly before listing the examples. [Med] Those are examples of valid ranges. OK to add a mention that any subrange of 0-65535 is a valid range. 3. In Section 3.3..1, it uses ‘source-icmp-type’ when explaining this new parameter, while other places using ‘source-icmp-type-range’. I think ‘source-icmp-type-range’ should be used here too. [Med] Thank you for catching this. Fixed. 4. In Section 4.1, it requests the IANA to assign a separate port number to the DOTS Signal Channel Call Home Protocol. In Section 3.3.1, it says Signal Channel Call Home can use not only this assigned port number but also some other port numbers configured by the administrator. So can the Signal Channel Port Number (4646) be configured as the Signal Channel Call Home Port Number? The draft should add some normative requirements about this. [Med] It is up to the client/server to agree on the alternate port. IMO, we don’t need to elaborate on these deployment considerations. 5. In Section 3.3..1, it says ‘source-prefix’ is an optional attribute, and it also says: The ’source-prefix’ parameter is a mandatory attribute when the attack traffic information is signaled by a DOTS client in the Call Home scenario. [Med] It is an optional attribute with regards to the base signal spec, but it is mandatory when used in the call home scenario. 5.1. Can the ordinary signal channel use the call home extension? For example, if the signal channel is established by using the Signal Channel Port Number (4646), can the mitigation request contain the source-prefix, source-port-range and source-icmp-type-range? (I guess YES, so for ordinary signal channel these parameters are optional) [Med] Yes, this is why these attributes are said to be optional. 5.2. Can the call home signal channel not use the call home extension? For example, if the signal channel is established by using the Signal Channel Call Home Port Number (4647), can the mitigation request not contain the source-prefix? (I guess NO, so for call home signal channel the ’source-prefix‘ is mandatory) [Med] The source-prefix is mandatory when used in call home. 5.3. Even if the ordinary signal channel can use the call home extension, a separate call home signal channel can also be helpful for the case that home gateway acts as both DOTS client and DOTS server simultaneously. Any other reasons to invent the separate call home signal channel? [Med] The home gateway will need to maintain two signal sessions as a function of its DOTS agent role. 5.4. How to identify the ‘Call Home scenario’ ? By the signal channel port number? [Med] Yes, but also in the reversal of (D)TLS roles. 5.5. I prefer to make all the above things explicit and clear in the draft. [Med] Will double check the text. 6. For this call home scenario, the draft doesn’t contain anything about data channel, is the data channel omitted by mistake? Does the data channel need to extend in the call home scenario? For the case that the home gateway acts as both DOTS client and DOTS server simultaneously, will it need two data channels just like it needs the two signal channels? [Med] No, that is on purpose. The data channel may fail when an attack is ongoing. 7. In Section 4.2, it says: This specification registers the ’source-prefix’ and ’source-port- range’ parameters in the IANA "DOTS Signal Channel CBOR Mappings" registry established by [I-D.ietf-dots-signal-channel]. Here mentions ‘source-prefix’ and ‘source-port-range’, but the ‘source-icmp-type-range’ is missing. [Med] Good catch. 8. In Section 4.2, the IANA registry “DOTS Signal Channel CBOR Mappings” can’t be find in the signal channel draft by searching the quoted name directly.. (Should be “DOTS Signal Channel CBOR Key Values”?) [Med] Agree. Fixed. 9. In Section 4.2, the table is better to be given a number and name. In terms of format, this table matches Table 4 of the signal channel draft, and doesn't match any of the IANA registries of the signal channel draft. [Med] OK. 10. In Section 4.3, the registry name should be “DOTS Signal Channel Conflict Cause Codes” (this name is from the signal channel draft). [Med] Fixed. 11. In Section 4.3, is the name “request-rejected” good enough? Because comparing to the names of other conflict causes, it seems this name can’t represent this specific conflict case, DOTS server can ‘reject the request’ in all the conflict cases. [Med] Do you have a preference? What about request-rejected-legitimate-traffic? 12. In NAT considerations of Section 3.3.1, for the case that the NAT translator deployed in the source network, the DOTS client should send the external IP address of the attacker and the DOTS server should find the correspondent internal IP address. Comparing to the CGN case, I suggest that some normative words can also be used here. [Med] Will double check the language. 13. In Section 3.1.1, it says “the DOTS client MUST validate that attacker prefixes are within the scope of the DOTS server domain”. But how should the DOTS client know the scope of each DOTS server domain? [Med] Following similar means for a dots server to do that validation in the base spec. In the call home scenario, there might be tens of thousands of DOTS servers, are there some easy methods to let the DOTS client know the scope of each DOTS server domain? In addition, I think this is critical for deploying DOTS call home, and we need to address this in the draft. Regards & Thanks! 潘伟 Wei Pan 华为技术有限公司 Huawei Technologies Co., Ltd.
- [Dots] Some comments on draft-ietf-dots-signal-ca… Panwei (William)
- Re: [Dots] Some comments on draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] Some comments on draft-ietf-dots-signa… Panwei (William)
- Re: [Dots] Some comments on draft-ietf-dots-signa… MeiLing Chen
- Re: [Dots] Some comments on draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] Some comments on draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] Some comments on draft-ietf-dots-signa… Meiling Chen
- Re: [Dots] Some comments on draft-ietf-dots-signa… Konda, Tirumaleswar Reddy