Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
kaname nishizuka <kaname@nttv6.jp> Fri, 29 September 2017 00:32 UTC
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Dots@ietf.org" <Dots@ietf.org>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <2acd7300-6684-1491-4f98-7029d0b7c1b0@nttv6.jp>
Date: Fri, 29 Sep 2017 09:31:55 +0900
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/5WDIAT4lNtDWSTJ6D2HAc2g84M8>
Hi Tiru,

In section 9 of the signal-channel draft, an AAA server exists.
Let me clarify the text.
Mutual authentication between a DOTS client and a DOTS gateway MUST use (client) certificates?
Between them (in the same domain), a mutual authentication without certificates (i.e. choices other than EAP-TLS) would be a good option, if it meets the mutual authentication and encryption requirement.
TLS-PSK mode and Subject Public Key Info (SPKI) look good to me.
I hope those options would be discussed in the WG meeting.

On 2017/08/07 19:19, Konda, Tirumaleswar Reddy wrote:
> You may want to look into https://tools.ietf.org/html/rfc6959#section-7
>
> <snip>
>
> Even if every Internet-connected network implements source address
> validation at the ultimate network ingress, and assurances exist that
> intermediate devices are to never modify datagram source addresses,
> source addresses cannot be used as an authentication mechanism.
>
> -Tiru
>
> *From:* Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
> *Sent:* Monday, August 7, 2017 3:28 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Dots@ietf.org
> *Subject:* Re: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
> Hi Tiru,
>
> Thanks for your analysis. It makes sense to me~~
>
> To be accurate, IP whitelist does not relax the mutual authentication requirement, but indeed loses the encryption benefits.
>
> B.R.
>
> Frank
>
> *From:* Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Sent:* August 7, 2017 17:51
> *To:* Xialiang (Frank); Dots@ietf.org
> *Subject:* RE: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
> TLS supports pre-shared key based authentication. The other mechanisms are Subject Public Key Info (SPKI) Fingerprint pin set for mutual authentication (self-signed certificates or raw public keys) without having to deal with CA.
>
> I don't think DOTS should relax the mutual authentication and encryption requirements.
>
> -Tiru
>
> *From:* Dots [mailto:dots-bounces@ietf.org] *On Behalf Of* Xialiang (Frank)
> *Sent:* Monday, August 7, 2017 6:25 AM
> *To:* Dots@ietf.org
> *Subject:* [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
> In addition to IP whitelist and certificate, pre-shared key can also be an option.
>
> Right?
>
> *From:* Dots [mailto:dots-bounces@ietf.org] *On Behalf Of* Xialiang (Frank)
> *Sent:* August 7, 2017 8:52
> *To:* Dots@ietf.org
> *Subject:* [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?
>
> Hi,
>
> I think the direct use of IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, like: DOTS client does not support certificate, an ISP which detects the spoofed source address, etc.
>
> So, should we support this as an optional way for the DOTS client's AA and add it into the DOTS protocol drafts?
>
> B.R.
>
> Frank