Re: [Dots] Comments on dots-signal-control-filtering-01
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 18 January 2019 13:54 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Takahiko Nagata <nagata@lepidum.co.jp>, "dots@ietf.org" <dots@ietf.org>
Date: Fri, 18 Jan 2019 13:53:49 +0000
Message-ID: <BYAPR16MB27900D89516C1322CBD734BEEA9C0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <e508fc49-fe2f-8160-8f0b-cba1868be738@lepidum.co.jp> <787AE7BB302AE849A7480A190F8B93302EA09E84@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED34736AB959C030CD94EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09EC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790AB6791398A387B1B1280EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09FB4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA09FB4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/5YC3zJTrrzWlnZGCaejKRSrgmQE>
Hi Med,

Please see inline

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
> Sent: Friday, January 18, 2019 1:47 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org
> Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
>
> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Re-,
>
> See inline.
>
> Cheers,
> Med
>
> > -----Original Message-----
> > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
> > Sent: Friday, January 18, 2019 08:48
> > To: BOUCADAIR Mohamed TGI/OLN; Takahiko Nagata; dots@ietf.org
> > Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > Sent: Friday, January 18, 2019 1:01 PM
> > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org
> > > Subject: RE: [Dots] Comments on dots-signal-control-filtering-01
> > >
> > > This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> > >
> > > Tiru,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Sent: Friday, January 18, 2019 08:14
> > > > To: BOUCADAIR Mohamed TGI/OLN; Takahiko Nagata; dots@ietf.org
> > > > Subject: RE: [Dots] Comments on dots-signal-control-filtering-01
> > > >
> > > > > -----Original Message-----
> > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
> > > > > Sent: Friday, January 18, 2019 12:37 PM
> > > > > To: Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org
> > > > > Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
> > > > >
> > > > > This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> > > > >
> > > > > Hi Takahiko,
> > > > >
> > > > > Thank you for sharing the comments.
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Takahiko Nagata
> > > > > > Sent: Thursday, January 17, 2019 08:13
> > > > > > To: dots@ietf.org
> > > > > > Subject: [Dots] Comments on dots-signal-control-filtering-01
> > > > > >
> > > > > > Hi Kaname,
> > > > > >
> > > > > > I would like to make 2 comments on dots-signal-control-filtering-01.
> > > > > >
> > > > > > (Comment1) Minimal attributes for control-filtering. ("lifetime" behavior)
> > > > > > The minimal attributes of a SignalChannel MitigationRequest
> > > > > > for control-filtering are only the following, I think.
> > > > > > - acl-list(acl-name, activation-type)
> > > > > > - lifetime
> > > > > >
> > > > > > So, we can send acl-list via SignalChannel without
> > > > > > other Mitigation request parameters.
> > > > >
> > > > > [Med] When the same mid is used, the request is considered as a
> > > > > refresh. As such the attributes that were included in the first
> > > > > request must be included.
> > > > >
> > > > > > In this case, we need to decide the behavior of "lifetime".
> > > > > > I think "lifetime" is ignored in this case.
> > > > >
> > > > > [Med] No. This is a particular case of this text from the signal channel spec:
> > > > >
> > > > > For a mitigation request to continue beyond the initial negotiated
> > > > > lifetime, the DOTS client has to refresh the current mitigation
> > > > > request by sending a new PUT request. This PUT request MUST use the
> > > > > same 'mid' value, and MUST repeat all the other parameters as sent in
> > > > > the original mitigation request apart from a possible change to the
> > > > > lifetime parameter value.
> > > > >
> > > > > > Because acl-list(acl-name, activation-type) should be
> > > > > > managed only on the DataChannel side, to keep the specification simple.
> > > > > >
> > > > > > (Comment2) Behavior that should be specified.
> > > > > > (a) Not affected by "trigger-mitigation"
> > > > > > acl-list(acl-name, activation-type) is soon applied
> > > > > > even if "trigger-mitigation" is false.
> > > > >
> > > > > [Med] The procedure applies independently of the value of "trigger-mitigation".
> > > > > We can say this explicitly in the draft.
> > > >
> > > > A Mitigation request with "trigger-mitigation" set to false must
> > > > only be sent in the peace time and not during the attack time.
> > > > During the peace time, I don't see the need to
> > > > activate/de-activate ACLs using DOTS signal channel protocol.
> > >
> > > [Med] The point is that the control functionality will be there. It is up to the
> > > client to decide to use:
> > >
> > > * its data channel to alter the acl and then wait for a signal channel notification.
> > > These notifications may not be set by the client.
> > > * its signal channel to alter the acl.
> > >
> > > With that approach we don't overload the server with extra
> > > validation on trigger-mitigation to decide about the behavior to follow.
> >
> > This draft is introduced to alter the ACL using DOTS signal channel
> > only during mitigation time because data channel does not work during
> > attack time, and ACL alteration using DOTS signal channel should not
> > be allowed during peace time.
> > If allowed, the client can use both the DOTS data and signal channels
> > to alter the ACL during peace time and can create inconsistent configuration.
>
> [Med] If there is a risk of inconsistent configuration, it won't be specific to this
> case but a generic one.

It's not a generic scenario; the inconsistent configuration is because two protocols are allowed to alter the ACL at the same time.

> > Why use two protocols to do the same job?
>
> [Med] Because:
> * the functionality is there and its use will be for free.
> * the server checks are simplified. No need to do extra checks based on
> "trigger-mitigation"
> * the client may not subscribe to notification. Please note that we don't have a
> MUST, but a SHOULD.

Without the notification from the server, how will the client know the ACL needs to be altered? If the client detects by itself that the white-listed traffic is attacking the target, it can use the DOTS data channel protocol to alter the ACL.

https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-01#section-1.1 only discusses the scenario where it is useful to alter the ACL using the signal channel during attack time. Please provide an attack scenario where allowing this alteration using the signal channel is useful during peace time.

Cheers
-Tiru

>
> > -Tiru
> >
> > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > >
> > > > > >
> > > > > > (b) Do not affect "Efficacy Update"
> > > > > > acl-list(acl-name, activation-type) would be ignored
> > > > > > at "Efficacy Update" success or reject.
> > > > >
> > > > > [Med] Agree. We are not updating that part of the signal channel
> > > > > spec. acl-list clauses won't be included in the efficacy update.
> > > > >
> > > > > > (c) GET response of Mitigation Request
> > > > > > acl-list(acl-name, activation-type) would not be included
> > > > > > in the response of a GET Mitigation Request.
> > > > >
> > > > > [Med] Yes. Will make this clear in the draft.
> > > > >
> > > > > > (d) In DELETE, no behavior (ex: rollback) for acl-list.
> > > > >
> > > > > [Med] Yes.
> > > > >
> > > > > > Best Regards,
> > > > > > Takahiko Nagata
> > > > > >
> > > > > > _______________________________________________
> > > > > > Dots mailing list
> > > > > > Dots@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/dots
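The refresh rule Med quotes in reply to Comment1 (a PUT reusing an existing 'mid' is a refresh and must repeat every parameter of the original request apart from 'lifetime') and item (c) of Comment2 (acl-list is not echoed in a GET response) are both mechanical server-side checks, so here is a worked illustration of them. This is an added example, not code from the thread, the draft, or any DOTS implementation. The mitigation-request attribute names (mid, target-prefix, target-port-range, target-protocol, lifetime, trigger-mitigation) are the signal-channel ones; 'acl-list' with 'acl-name' and 'activation-type' follows the thread, and the activation-type value used below is a constructed placeholder. Treating 'acl-list' as the second parameter a refresh may change is this example's reading of the thread, not something the draft text on this page states.

```python
"""Server-side check of the DOTS signal-channel refresh rule discussed in the thread.

Added illustration only: attribute names follow the signal channel and the thread;
the activation-type string is a constructed placeholder.
"""
from __future__ import annotations

from copy import deepcopy
from typing import Any

# Parameters a PUT that reuses an existing 'mid' (a refresh) may change.
# 'lifetime' is the single exception in the signal-channel text quoted in the thread;
# 'acl-list' is treated as mutable here because the control-filtering extension exists
# to carry ACL changes on such a refresh (assumption of this example, not draft text).
REFRESH_MUTABLE = frozenset({"lifetime", "acl-list"})

# Parameters the server never echoes in a GET response (thread item (c)).
NOT_IN_GET = frozenset({"acl-list"})


def check_refresh(original: dict[str, Any], refresh: dict[str, Any]) -> list[str]:
    """Return the rule violations of a refresh against the stored request.

    An empty list means the refresh is acceptable.
    """
    problems: list[str] = []
    if original.get("mid") != refresh.get("mid"):
        problems.append("mid differs: not a refresh of this request")
    for key, value in original.items():
        if key == "mid" or key in REFRESH_MUTABLE:
            continue
        if key not in refresh:
            problems.append(f"missing parameter {key!r}: a refresh MUST repeat it")
        elif refresh[key] != value:
            problems.append(f"parameter {key!r} changed: only lifetime may change on refresh")
    for key in refresh:
        if key not in original and key not in REFRESH_MUTABLE:
            problems.append(f"unexpected new parameter {key!r} on a refresh")
    return problems


def apply_put(active: dict[int, dict[str, Any]], request: dict[str, Any]) -> tuple[str, list[str]]:
    """Handle a PUT on the mitigation resource.

    Returns ('new', []) for an unknown mid, ('refresh', []) when the refresh rule
    holds, and ('reject', problems) otherwise; a rejected PUT leaves state untouched.
    """
    mid = request["mid"]
    if mid not in active:
        active[mid] = deepcopy(request)
        return "new", []
    problems = check_refresh(active[mid], request)
    if problems:
        return "reject", problems
    active[mid] = deepcopy(request)
    return "refresh", []


def get_view(active: dict[int, dict[str, Any]], mid: int) -> dict[str, Any]:
    """The representation a GET on the mitigation returns: acl-list is never echoed."""
    return {k: v for k, v in active[mid].items() if k not in NOT_IN_GET}


# Constructed sample requests (not captured traffic).
ORIGINAL = {
    "mid": 123,
    "target-prefix": ["2001:db8:6401::1/128"],
    "target-port-range": [{"lower-port": 80, "upper-port": 80}],
    "target-protocol": [6],
    "lifetime": 3600,
    "trigger-mitigation": True,
}
# A correct refresh: same mid, every parameter repeated, longer lifetime, plus an
# acl-list clause for an accept-list (the activation-type value is a placeholder).
REFRESH_OK = {
    **ORIGINAL,
    "lifetime": 7200,
    "acl-list": [{"acl-name": "an-accept-list", "activation-type": "deactivate"}],
}
# The minimal request of Comment1: acl-list and lifetime only.  Under the refresh
# rule it is rejected because the target parameters are not repeated.
REFRESH_MINIMAL = {"mid": 123, "lifetime": 7200, "acl-list": REFRESH_OK["acl-list"]}


def demo() -> list[str]:
    """Run the three PUTs in order and return their outcomes."""
    active: dict[int, dict[str, Any]] = {}
    outcomes = []
    for req in (ORIGINAL, REFRESH_OK, REFRESH_MINIMAL):
        status, problems = apply_put(active, req)
        outcomes.append(status)
        for p in problems:
            print(f"  mid {req['mid']}: {p}")
    print("GET view:", get_view(active, 123))
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['new', 'refresh', 'reject']
```

Running the script shows the minimal acl-list-plus-lifetime request being rejected with one missing-parameter finding per target attribute, which is exactly why Med answers that the first request's attributes must be repeated; the GET view printed at the end omits acl-list while keeping the target parameters.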