IETF Logo Mail Archive

Re: [Dots] DOTS Telemetry: Interop Clarification #3

mohamed.boucadair@orange.com Fri, 26 June 2020 11:32 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44AF83A1250 for <dots@ietfa.amsl.com>; Fri, 26 Jun 2020 04:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42oLrW5mHtzW for <dots@ietfa.amsl.com>; Fri, 26 Jun 2020 04:32:42 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C53D3A109C for <dots@ietf.org>; Fri, 26 Jun 2020 04:32:42 -0700 (PDT)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by opfedar24.francetelecom.fr (ESMTP service) with ESMTPS id 49tZVw1zr0z5xfS; Fri, 26 Jun 2020 13:32:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1593171160; bh=lvbTouU/tqSO0RDdYEk1grkxtK6HVZjNSiXX19cSdbQ=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=TxkH/LaxjRDB9C2qpiT1AGah948eVIS1nUhdLQv+WNvaM4/H4aF8C4OHM8eDl+YiE 9YDFBlk+vK+5sAyw/3mZh9bw+lhHEbR8L3/7eCZTb+tNo87KQ8ZTsPCthK/LzUs9dD 5cpzHfXG5Gc24UYbKajSR8x4UfSYZDAWBddw7EL1JxIqEO9aihceZQ3kHt7gmfreXe yHH4U6ckSljzTF1CL7ffO3546b6YFqwHhf8iIZmLqmGrg85mX9SDZPRca9MYAt/O10 x3xfxwEsRqYhR5aLdvvuIdG+RgePSE5Rs6gj5nGHrWgp4vdwlQcWZril+SX9xcQ/yi 55rltoNtLI7yg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by opfedar00.francetelecom.fr (ESMTP service) with ESMTPS id 49tZVw0h7gzCqk7; Fri, 26 Jun 2020 13:32:40 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] DOTS Telemetry: Interop Clarification #3
Thread-Index: AQMQVzkSw5+t7i57rG6sbLPe/e+VwQG84YKvAXQMfC0BrvdSFAHq/x6TAipc4uYDARGzraYW2rCggAAcAAA=
Date: Fri, 26 Jun 2020 11:32:39 +0000
Message-ID: <11184_1593171160_5EF5DCD8_11184_207_1_787AE7BB302AE849A7480A190F8B9330314E7C2F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <27464_1593113494_5EF4FB96_27464_425_1_787AE7BB302AE849A7480A190F8B9330314E7645@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <SA0PR16MB38388F3CDF8A3298DDEF2543EA930@SA0PR16MB3838.namprd16.prod.outlook.com> <18913_1593151431_5EF58FC7_18913_57_1_787AE7BB302AE849A7480A190F8B9330314E78C0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <SA0PR16MB3838F0878467387C54C8C69BEA930@SA0PR16MB3838.namprd16.prod.outlook.com> <29225_1593156067_5EF5A1E3_29225_308_1_787AE7BB302AE849A7480A190F8B9330314E7A1F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BLAPR16MB38278E86C67891BF1449D78BEA930@BLAPR16MB3827.namprd16.prod.outlook.com> <25557_1593157938_5EF5A932_25557_94_1_787AE7BB302AE849A7480A190F8B9330314E7A8E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <080801d64ba6$5810d200$08327600$@jpshallow.com>
In-Reply-To: <080801d64ba6$5810d200$08327600$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B9330314E7C2FOPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/4nKHWifwWU3oDY-URwWarSTekGI>
Subject: Re: [Dots] DOTS Telemetry: Interop Clarification #3
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 11:32:44 -0000

Hi Jon,

Please see inline.

Cheers,
Med

De : Jon Shallow [mailto:supjps-ietf@jpshallow.com]
Envoyé : vendredi 26 juin 2020 12:41
À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname nishizuka; dots@ietf.org
Objet : RE: [Dots] DOTS Telemetry: Interop Clarification #3

Hi All,

See inline

Regards

Jon.


From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com
Sent: 26 June 2020 08:52
To: Konda, Tirumaleswar Reddy; kaname nishizuka
Cc: dots@ietf.org
Subject: Re: [Dots] DOTS Telemetry: Interop Clarification #3

Re-,

I do agree that having a latest-update leaf in the mapping table is useful (easily detect mismatches). This is something we can add to the data channel extension.

Jon> In the attack mapping over the dots data channel I would like to see "vendor-name" and "vendor-mapping-last-updated".
[Med] Works for me as well

I'm not sure it is useful to send that new attribute in the signal channel as the attack details won' be useful in the lack of the attack description.

Jon> If a new attack-id has been created and the new attack vector is occurring, but mappings have not been refreshed, then I think that the attack-id should be used over the signal channel.  If the receiving DOTS agent is a DOTS client, it can then try to initiate the transfer of a new mapping over the data channel.
[Med] ... which will fail.

If the receiving DOTS agent is a server, then I can think of no server triggered mechanism that can be used to request the client to send a new mapping table.  However, the client should know it has a new attack-id - hence new mapping - and should initiate the sending of a new mapping.
[Med] which it needs to do anyway before an attack happens. We do already have the following:

   The DOTS client uses the PUT request to modify its vendor attack
   mapping details maintained by the DOTS server (e.g., add a new
   mapping).

Jon> Worst case is an out of band conversation to determine what this new attack-id really is.

I do think that the current wording in the draft is appropriate: (1) agents should ensure they are in sync as much as possible, (2) avoid including the attack details in the signal channel with one exception when an agent detects a synch issue.

==
   When conveying attack details in DOTS telemetry messages (Sections
   7.2, 7.3, and 8), DOTS agents MUST NOT include 'attack-name'
   attribute except if the corresponding attack mapping details were not
   shared with the peer DOTS agent.
==

If there is a message size issue, a dots agent can send the telemetry in separate messages, use the new bloc options, etc.

Jon> I am moving in the direction of attack-name/attack-description should never be used over  the signal channel.  Makes things a lot simpler.
[Med] Going that direction has many implications:

·         Mandate the data channel, which is against what we set in the arch spec:

   "As illustrated in Figure 2, there are two interfaces between a DOTS
   server and a DOTS client; a signal channel and (optionally) a data
                                              ^^^^^^^^^^^^^^^^
   channel."


·         Change the following to a MUST

   In order to optimize the size of telemetry data conveyed over the
   DOTS signal channel, DOTS agents MAY use the DOTS data channel
   [RFC8783] to exchange vendor-specific attack mapping details (that
   is, {vendor identifier, attack identifier} ==> attack description).

And so on.

The current approach in the draft accommodates all these concerns.

~Jon


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email