Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

<mohamed.boucadair@orange.com> Fri, 02 August 2019 07:05 UTC

From: <mohamed.boucadair@orange.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, H Y <yuuhei.hayashi@gmail.com>
CC: tirumal reddy <kondtir@gmail.com>, "dots@ietf.org" <dots@ietf.org>
Date: Fri, 2 Aug 2019 07:05:53 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/4-iuW7v6AmoBRFhVllA6U1k1kw0>

Hi Tiru, 

These questions are valid ones when it comes to deciding which mitigation actions to apply. Nevertheless, the source information is part of the characterization of an attack at a given time. This does not mean that we necessarily rely on it to mitigate, but this is not excluded either.

The source information can be included in the notification use case already described by Kaname in this thread, or if the mitigator is enforcing policies based on the source information (because of local knowledge of an attack) but reaches a limit, it can delegate the policy to an L3 orchestrator (Yuhei case).

Cheers,
Med

> -----Original Message-----
> From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Sent: Wednesday, 24 July 2019 15:35
> To: H Y; BOUCADAIR Mohamed TGI/OLN
> Cc: tirumal reddy; dots@ietf.org
> Subject: RE: [Dots] Fwd: New Version Notification for
> draft-reddy-dots-telemetry-00.txt
> 
> Hi Yuhei,
> 
> What is stopping the attacker from frequently changing the IP address
> (especially with IPv6)?
> What kind of attack traffic is generated by the top talkers and what
> happens if the top talkers are spoofed IP addresses (e.g. amplification
> attack)?
> 
> Cheers,
> -Tiru
> 
> > -----Original Message-----
> > From: H Y <yuuhei.hayashi@gmail.com>
> > Sent: Wednesday, July 24, 2019 6:57 PM
> > To: Mohamed Boucadair <mohamed.boucadair@orange.com>
> > Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > tirumal reddy <kondtir@gmail.com>; dots@ietf.org
> > Subject: Re: [Dots] Fwd: New Version Notification for
> > draft-reddy-dots-telemetry-00.txt
> >
> >
> >
> > Hi Med,
> >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in
> > > terms of pps, another list of top-talkers in terms of second_criteria,
> > > or other information relying on source-prefix dedicated attributes will
> > > be needed because this cannot be inferred from the current
> > > source-prefix attribute.
> > [hayashi] +1. This top-talker information is helpful for the
> > orchestrator to decide which attack traffic should be blocked
> > preferentially in network. The criteria information is also needed.
> >
> > Thanks,
> > Yuhei
> >
> > Wed, 24 Jul 2019 8:56 <mohamed.boucadair@orange.com>:
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Sent: Wednesday, 24 July 2019 14:45
> > > > To: BOUCADAIR Mohamed TGI/OLN; H Y; tirumal reddy
> > > > Cc: dots@ietf.org
> > > > Subject: RE: [Dots] Fwd: New Version Notification for
> > > > draft-reddy-dots-telemetry-00.txt
> > > >
> > > > > -----Original Message-----
> > > > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > > > Sent: Wednesday, July 24, 2019 6:02 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>; H Y
> > > > > <yuuhei.hayashi@gmail.com>; tirumal reddy <kondtir@gmail.com>
> > > > > Cc: dots@ietf.org
> > > > > Subject: RE: [Dots] Fwd: New Version Notification for
> > > > > draft-reddy-dots-telemetry-00.txt
> > > > >
> > > > > Hi Tiru,
> > > > >
> > > > > That’s true...but fragmentation is a general issue each time we
> > > > > need to supply more telemetry information in the signal channel.
> > > > > As already noted in the draft, we will need to figure out when it
> > > > > is better to provide some telemetry information using data channel.
> > > >
> > > > Yes, normal traffic baseline attributes can be conveyed in the DOTS
> > > > data channel and traffic from top talkers can also be
> > > > blocked/rate-limited using the DOTS data channel during peace time.
> > > >
> > > > >
> > > > > BTW, "top talker" can already be supplied using source-prefix
> > > > > attribute. Whether top-talker needs to be defined as a separate
> > > > > attribute, but structured as a list of source-prefixes, is a design
> > > > > detail (if the WG agrees to include it in the telemetry
> > > > > information).
> > > >
> > > > Source-prefix is already a list/array.
> > >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in
> > > terms of pps, another list of top-talkers in terms of second_criteria,
> > > or other information relying on source-prefix dedicated attributes will
> > > be needed because this cannot be inferred from the current
> > > source-prefix attribute.
> > >
> > > >
> > > > >
> > > > > Anyway, let's continue collecting candidate telemetry information
> > > > > and then make a selection in a second phase.
> > > >
> > > > Sure.
> > > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Konda,
> > > > > > Tirumaleswar Reddy
> > > > > > Sent: Wednesday, 24 July 2019 14:18
> > > > > > To: H Y; tirumal reddy
> > > > > > Cc: dots@ietf.org
> > > > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > >
> > > > > > Hi Yuhei,
> > > > > >
> > > > > > Thanks for the support. The problem is fragmentation of the DOTS
> > > > > > telemetry message, DOTS Telemetry is sent over the DOTS signal
> > > > > > channel using UDP and the message size cannot exceed PMTU.
> > > > > >
> > > > > > Cheers,
> > > > > > -Tiru
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of H Y
> > > > > > > Sent: Tuesday, July 23, 2019 5:28 PM
> > > > > > > To: tirumal reddy <kondtir@gmail.com>
> > > > > > > Cc: dots@ietf.org
> > > > > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > > >
> > > > > > > Hi Tiru,
> > > > > > >
> > > > > > > I read the draft and I also support this draft.
> > > > > > > Sending detailed information about attack traffic helps my DMS
> > > > > > > offload scenario because the orchestrator can decide what to do
> > > > > > > based on the detailed information.
> > > > > > >
> > > > > > > IMO, "top talker" attribute defined in my previous draft is also
> > > > > > > feasible to send and effective to mitigate attack correctly.
> > > > > > > https://datatracker.ietf.org/doc/draft-h-dots-mitigation-offload-expansion/
> > > > > > > What do you think about including the top talker attribute to
> > > > > > > the telemetry?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Yuhei
> > > > > > >
> > > > > > > Fri, 5 Jul 2019 9:21 tirumal reddy <kondtir@gmail.com>:
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > https://tools.ietf.org/html/draft-reddy-dots-telemetry-00 aims
> > > > > > > > to enrich DOTS protocols with various telemetry attributes
> > > > > > > > allowing optimal DDoS attack mitigation. This document
> > > > > > > > specifies the normal traffic baseline and attack traffic
> > > > > > > > telemetry attributes a DOTS client can convey to its DOTS
> > > > > > > > server in the mitigation request, the mitigation status
> > > > > > > > telemetry attributes a DOTS server can communicate to a DOTS
> > > > > > > > client, and the mitigation efficacy telemetry attributes a
> > > > > > > > DOTS client can communicate to a DOTS server. The telemetry
> > > > > > > > attributes can assist the mitigator to choose the DDoS
> > > > > > > > mitigation techniques and perform optimal DDoS attack
> > > > > > > > mitigation.
> > > > > > > >
> > > > > > > > Comments, suggestions, and questions are more than welcome.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > -Tiru
> > > > > > > >
> > > > > > > > ---------- Forwarded message ---------
> > > > > > > > From: <internet-drafts@ietf.org>
> > > > > > > > Date: Fri, 5 Jul 2019 at 18:44
> > > > > > > > Subject: New Version Notification for
> > > > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > > > > To: Tirumaleswar Reddy <kondtir@gmail.com>, Ehud Doron
> > > > > > > > <ehudd@radware.com>, Mohamed Boucadair
> > > > > > > > <mohamed.boucadair@orange.com>
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > A new version of I-D, draft-reddy-dots-telemetry-00.txt has
> > > > > > > > been successfully submitted by Tirumaleswar Reddy and posted
> > > > > > > > to the IETF repository.
> > > > > > > >
> > > > > > > > Name:           draft-reddy-dots-telemetry
> > > > > > > > Revision:       00
> > > > > > > > Title:          Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
> > > > > > > > Document date:  2019-07-05
> > > > > > > > Group:          Individual Submission
> > > > > > > > Pages:          13
> > > > > > > > URL:            https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-00.txt
> > > > > > > > Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
> > > > > > > > Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
> > > > > > > > Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry
> > > > > > > >
> > > > > > > >
> > > > > > > > Abstract:
> > > > > > > >    This document aims to enrich DOTS signal channel protocol
> > > > > > > >    with various telemetry attributes allowing optimal DDoS
> > > > > > > >    attack mitigation.  This document specifies the normal
> > > > > > > >    traffic baseline and attack traffic telemetry attributes a
> > > > > > > >    DOTS client can convey to its DOTS server in the mitigation
> > > > > > > >    request, the mitigation status telemetry attributes a DOTS
> > > > > > > >    server can communicate to a DOTS client, and the mitigation
> > > > > > > >    efficacy telemetry attributes a DOTS client can communicate
> > > > > > > >    to a DOTS server.  The telemetry attributes can assist the
> > > > > > > >    mitigator to choose the DDoS mitigation techniques and
> > > > > > > >    perform optimal DDoS attack mitigation.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Please note that it may take a couple of minutes from the
> > > > > > > > time of submission until the htmlized version and diff are
> > > > > > > > available at tools.ietf.org.
> > > > > > > >
> > > > > > > > The IETF Secretariat
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Dots mailing list
> > > > > > > > Dots@ietf.org
> > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > ----------------------------------
> > > > > > > Yuuhei HAYASHI
> > > > > > > 08065300884
> > > > > > > yuuhei.hayashi@gmail.com
> > > > > > > iehuuy_0220@docomo.ne.jp
> > > > > > > ----------------------------------
> > > > > > >
> >
> >
> >
> > --
> > ----------------------------------
> > Yuuhei HAYASHI
> > 08065300884
> > yuuhei.hayashi@gmail.com
> > iehuuy_0220@docomo.ne.jp
> > ----------------------------------
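
The two constraints discussed in this thread, sketched as an added example (not code from the thread or from the draft): per-criterion top-talker lists cannot be recovered from one flat source-prefix list, and the message has to stay under a size limit to avoid fragmentation. The `top-talker` layout, the byte budget and the JSON encoding are assumptions for illustration; the flow samples are constructed.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed samples: (source address, packets/s, bits/s). Documentation ranges only.
FLOWS = [
    ("192.0.2.10", 9000, 4_000_000),
    ("192.0.2.77", 3000, 1_000_000),
    ("198.51.100.5", 500, 90_000_000),
    ("203.0.113.9", 7000, 3_000_000),
    ("2001:db8:1::5", 100, 50_000_000),
    ("2001:db8:1:0:ffff::1", 200, 20_000_000),
]

def aggregate(flows, v4_len=24, v6_len=64):
    """Sum pps/bps per source prefix so sources rotating inside a prefix are grouped."""
    totals = defaultdict(lambda: {"pps": 0, "bps": 0})
    for addr, pps, bps in flows:
        plen = v4_len if ipaddress.ip_address(addr).version == 4 else v6_len
        prefix = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        totals[prefix]["pps"] += pps
        totals[prefix]["bps"] += bps
    return dict(totals)

def top_talkers(totals, criterion, n):
    """Rank prefixes by one criterion; the measured value travels with each prefix."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1][criterion], reverse=True)
    return [{"source-prefix": p, criterion: v[criterion]} for p, v in ranked[:n]]

def encoded_size(msg):
    """Size of a compact JSON encoding (a stand-in for the real wire encoding)."""
    return len(json.dumps(msg, separators=(",", ":")).encode())

def build_telemetry(flows, n=3, budget=1024):
    """Keep the n heaviest prefixes per criterion, shrinking n until the message fits."""
    totals = aggregate(flows)
    while n > 0:
        # "top-talker" and its layout are hypothetical names, not taken from the draft.
        msg = {"top-talker": {c: top_talkers(totals, c, n) for c in ("pps", "bps")}}
        if encoded_size(msg) <= budget:
            return msg
        n -= 1
    return {"top-talker": {}}  # no list fits within this budget

if __name__ == "__main__":
    print(json.dumps(build_telemetry(FLOWS, budget=150), indent=2))
```

With these samples the pps and bps rankings put different prefixes first, and a 150-byte budget leaves room for only one entry per criterion.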