Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

Mirja Kuehlewind <ietf@kuehlewind.net> Mon, 01 July 2019 16:21 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8247120498; Mon, 1 Jul 2019 09:21:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iF2jiwoyGLKG; Mon, 1 Jul 2019 09:21:44 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78B5120468; Mon, 1 Jul 2019 09:21:27 -0700 (PDT)
Received: from 200116b82cd06f0044a98311ac51f103.dip.versatel-1u1.de ([2001:16b8:2cd0:6f00:44a9:8311:ac51:f103]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1hhz3Q-0000uW-Vr; Mon, 01 Jul 2019 18:21:21 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <DM5PR16MB1705ABD7DD4CB93E065006E4EAFF0@DM5PR16MB1705.namprd16.prod.outlook.com>
Date: Mon, 1 Jul 2019 18:21:20 +0200
Cc: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DDE85C27-EE95-4CF1-896E-10056B017860@kuehlewind.net>
References: <155672175129.924.6789867477696592350.idtracker@ietfa.amsl.com> <20190628222124.GB10013@kduck.mit.edu> <DM5PR16MB1705ABD7DD4CB93E065006E4EAFF0@DM5PR16MB1705.namprd16.prod.outlook.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1561998088;84d59de4;
X-HE-SMSGID: 1hhz3Q-0000uW-Vr
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/4PGFXcp1MDY64OvdUysAoqDkstQ>
Subject: Re: [Dots] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-?= =?utf-8?q?dots-signal-channel-31=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 16:21:57 -0000

Hi Ben, hi Tiru,

Please see below.

> On 29. Jun 2019, at 14:10, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; wrote:
> 
> Please see inline
> 
>> -----Original Message-----
>> From: Dots <dots-bounces@ietf.org>; On Behalf Of Benjamin Kaduk
>> Sent: Saturday, June 29, 2019 3:51 AM
>> To: Mirja Kühlewind <ietf@kuehlewind.net>;
>> Cc: draft-ietf-dots-signal-channel@ietf.org; frank.xialiang@huawei.com;
>> dots-chairs@ietf.org; The IESG <iesg@ietf.org>;; dots@ietf.org
>> Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-
>> channel-31: (with DISCUSS and COMMENT)
>> 
>> 
>> 
>> Hi Mirja,
>> 
>> I wanted to check in with the status of the remaining Discuss points for this
>> document.  I tried to go through the previous discussions and have made my
>> own analysis of where things stand, so hopefully we can compare notes.
>> 
>> On Wed, May 01, 2019 at 07:42:31AM -0700, Mirja Kühlewind via Datatracker
>> wrote:
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> 1) Port usage (see section 3):
>>> The port request for DOTS was reviewed by the port expert team. Some
>>> members of the team were concerned about the assignment of a separate
>>> port number for DOTS as Coap is used and already has a designated port
>>> number. I believe that Coap is used as a transport in the case and
>>> DOTS provides a separate service compared to what Coap is usually used
>>> for, however, it is not clear why DOTS needs a designated port.
>>> Section 3 says that the port can either be preconfigured or
>>> dynamically detected, therefore it is not clear why a fixed port is
>>> needed (see also section 7.1. of RFC7605). In the port review process
>>> the authored argued that a port is needed to differentiate the DOTS
>>> service in the network. However, this is not an endorsed usage for
>>> port numbers (see section 6.2. of RFC7605). Further, I believe
>>> assigning a fixed port might actually add an attack vector for DOTS,
>>> either by DDoSing the respective port at the DOTS server, or any attempt
>> to block DOTS traffic on the network from the DOTS client to the DOTS server.
>> 
>> If I understand correctly you were supporting a port allocation, but wanted
>> the document to be more clear about its usage and necessity.
>> 
>> There were some text changes, so that we now have:
>> 
>>   In some cases, a DOTS client and server may have mutual agreement to
>>   use a specific port number, such as by explicit configuration or
>>   dynamic discovery [I-D.ietf-dots-server-discovery].  Absent such
>>   mutual agreement, the DOTS signal channel MUST run over port number
>>   TBD as defined in Section 9.1, for both UDP and TCP.  In order to use
>>   a distinct port number (as opposed to TBD), DOTS clients and servers
>>   SHOULD support a configurable parameter to supply the port number to
>>   use.  The rationale for not using the default port number 5684
>>   ((D)TLS CoAP) is to allow for differentiated behaviors in
>>   environments where both a DOTS gateway and an IoT gateway (e.g.,
>>   Figure 3 of [RFC7452]) are present.
>> 
>> Does that address your concerns?

I think this still leaves my original question open. I agree that using port 5684 is no alternative. However, I still don’t see why a fixed port is needed at all. In all scenarios described either the server IP address needs to be configured or a detection mechanism is used. In both cases this could be used to also configure or detect the port.


>> 
>>> 2) Section 4.3 says:
>>> "In reference to Figure 4, the DOTS client sends two TCP SYNs and two
>>>   DTLS ClientHello messages at the same time over IPv6 and IPv4."
>>> However, RFC8305 explicitly states that connection attempts SHOULD NOT
>>> be made simultaneously (see sec 5).
>>> 
>>> Further Figure 4 shows a different order of request as recommended in
>>> the text (text says: "UDP over IPv6, UDP over IPv4, TCP over IPv6, and
>>> finally TCP over IPv4"). Also why are the UDP connection attempts
>>> repeated? I guess that is meant to be the retransmission of the DTLS
>>> Hello? However, usually you should receive the TCP SYNACK before you
>>> retransmit or in the best case even before you start the next
>>> connection attempt. Therefore that should be not displayed like this in the
>> figure or needs further explanation.
>> 
>> We changed this behavior to be sequential and adhere to 8305 most of the
>> time, but allow dropping the connection attempt delay to 100ms during
>> (congestive) attacks.

Thanks! This is good!

>> 
>>> 3) Why are these statements SHOULDs and not MUSTs (see section 4.4)?
>>>  "DOTS agents SHOULD follow the data transmission guidelines discussed
>>>   in Section 3.1.3 of [RFC8085] and control transmission behavior by
>>>   not sending more than one UDP datagram per round-trip time (RTT) to
>>>   the peer DOTS agent on average."
>>> and
>>>  "If the DOTS client cannot maintain an RTT estimate, it
>>>   SHOULD NOT send more than one Non-confirmable request every 3
>>>   seconds"
>>> as well as in section 4.4.2.1:
>>>  "If the DOTS server cannot maintain an RTT
>>>   estimate, it SHOULD NOT send more than one asynchronous notification
>>>   every 3 seconds"
>>> and again in section 4.4.2.2:
>>> "The frequency of polling the DOTS server to get the
>>>   mitigation status SHOULD follow the transmission guidelines in
>>>   Section 3.1.3 of [RFC8085].
>> 
>> These changes made, except for the last one, IIUC.

This one is a weird MUST now because RFC8085 only gives guidelines: 
  "DOTS agents MUST follow the data transmission guidelines discussed in
   Section 3.1.3 of [RFC8085] and control transmission behavior by not
   sending more than one UDP datagram per round-trip time (RTT) to the
   peer DOTS agent on average.”

I would rather recommend something like
  "DOTS agents MUST not 
   sending more than one UDP datagram per round-trip time (RTT) to the
   peer DOTS agent on average following the data transmission guidelines discussed in Section 3.1.3 of [RFC8085].”

And I think the last one (4.4.2.2) also needs a more concrete statement.


>> 
>>> However, most of the communication pattern used by DOTS rely on a
>>> request/reply pattern and Coap specifies for this case that only one
>>> request can be outstanding at a time (until the reply is received or
>>> message is assumed to be
>>> lost) (see section 4.7 and 4.2 of RFC7252) which therefore will be
>>> used in this case. Only migration updates are send without reply, and
>>> here a MUST would be more appropriate.
>>> 
>>> Please also note that if there can only be one request outstanding
>>> (before a reply is received) it is also not possible that requests are
>>> received out of order (see e.g. 4.4.3: "If UDP is used as transport,
>>> CoAP requests may arrive out-of-order.").
>> 
>> We did get some pointers to cases in which requests may well arrive out of
>> order.

In theory yes, however, this is very unlikely because you still should only send one request per 3 seconds (or wait for a reply).

>> 
>>> 4) draft-ietf-core-hop-limit is used in section 10:
>>> "The presence of DOTS gateways may lead to infinite forwarding loops,
>>>   which is undesirable.  To prevent and detect such loops, this
>>>   document uses the Hop-Limit Option."
>>> This sounds like it should be required (and normative language should
>>> be used) and therefore draft-ietf-core-hop-limit should also be a
>> normative reference.
>>> Also draft-ietf-core-comi should probably another normative reference.
>> 
>> hop-limit is now normative, and per Alexey's suggestion the comi usage has
>> been described inline.

Okay, thanks!

>> 
>>> 5)Section 4.5.2: You give recommendations for min and max in a note,
>>> however, these values should be specified normatively and in best with a
>> MUST.
>> 
>> It got changed to RECOMMENDED.  (I do see you asked why there was a
>> need for a maximum at all, which I don't remember seeing an answer to.)
> 
> All the configuration parameters have min, current and max values.

Okay for me.

> 
>> 
>>> 6) Section 4.7: "the DOTS
>>>   agent sends a heartbeat over the signal channel to maintain its half
>>>   of the channel.  The DOTS agent similarly expects a heartbeat from
>>>   its peer DOTS agent"
>>> and
>>> "DOTS servers MAY trigger their heartbeat requests immediately after
>>>   receiving heartbeat probes from peer DOTS clients."
>>> Actually heartbeat should only be send in one direction (as the other
>>> end will send an ack) and the protocol should clearly specify which
>>> endpoint is responsible for triggering the ping.
>> 
>> I'm not sure I see resolution on this; do the authors still need to answer why
>> the "pong" reply cannot serve as a reverse-path heartbeat?
> 
> If the DOTS client domain is subjected to volumetric DDoS attack and the incoming link is saturated, the pong response from the server will not reach the client. DOTS server gets traffic from the client but receives no responses to its ping requests indicating the client has not detected the attack or, if an attack mitigation is in progress, it implies the applied DDoS mitigation actions are not yet effective to handle the DDoS attack volume.  

Yes, I understand what heartbeat are used for. However, what you described implies that the server should send the ping and client sends the pong. This is fine. The text however seems to imply that both server and client test their have connection separately and both send pings and pongs. That doesn’t seem to be need.


> 
> Cheers,
> -Tiru
> 
>> 
>>> 7) sec 7.3:"To avoid DOTS signal message fragmentation and the
>> subsequent
>>>   decreased probability of message delivery, DOTS agents MUST ensure
>>>   that the DTLS record MUST fit within a single datagram."
>>> This should be handled by the DTLS record layer and not by DOTS that
>>> works on top of DTLS (actually Coap), therefor it seems straight to
>>> have a normative requirement here in the DOTS spec. Also note that the
>>> calculation provided is not valid for early data (0-RTT) as the hello
>>> messages could be transmitted in the same datagram.
>> 
>> There was some clarifying discussion here; do you still see an issue?

I was wrong that DTLS helps you, however rfc7252 (soap) does and specifies message sizes. While for Coap this is a SHOULD, you have a MUST here. I think that is correctly and therefore it’s fine to specify it normatively. Not need to change. Still I recommend to highlight this difference!

>> 
>>> 8) Also sec 7.3: "If the path
>>>   MTU is not known to the DOTS server, an IP MTU of 1280 bytes SHOULD
>>>   be assumed."
>>>  Actually this is only true for IPv6. The later note mentions that the
>>>  situation is different from IPV4, however, it should probably be made
>> clear
>>>  from the beginning that 1280 can only be assumed for IPv6.
>> 
>> Currently we're at a MAY-level limit of 576 bytes when it's known that IPv4
>> systems are present.

I think this is okay.

>> 
>>> 9) sec 9.6: What's the registration policy for the newly created registries?
>> 
>> Standards Action, as indicated.

Yes, sorry, I did overlook that one.

>> 
>>> 10) The document should more explicitly provide more guidance about
>>> when a client should start a session and what should be done (from the
>>> client side) if a session is detected as inactive (other than during
>>> migration which is discussed a bit in 4.7). Is the assumption to have
>>> basically permanently an active session or connect for migration and
>>> configuration requests separately at a time?
>> 
>> I think there was some clarifying text added, but please confirm if you think it
>> is sufficient.

Sorry, don’t see where text was added. Can you provide a pointer?

Mirja

>> 
>> Thanks,
>> 
>> Ben
>> 
>> _______________________________________________
>> Dots mailing list
>> Dots@ietf.org
>> https://www.ietf.org/mailman/listinfo/dots