Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with DISCUSS and COMMENT)

Mirja Kuehlewind <ietf@kuehlewind.net> Mon, 01 July 2019 16:30 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B941204E8; Mon, 1 Jul 2019 09:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvBf5XRpiAXr; Mon, 1 Jul 2019 09:30:22 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972F81204B0; Mon, 1 Jul 2019 09:30:22 -0700 (PDT)
Received: from 200116b82cd06f0044a98311ac51f103.dip.versatel-1u1.de ([2001:16b8:2cd0:6f00:44a9:8311:ac51:f103]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1hhzBy-00027g-Qt; Mon, 01 Jul 2019 18:30:10 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <20190701154032.GB13810@kduck.mit.edu>
Date: Mon, 1 Jul 2019 18:30:10 +0200
Cc: mohamed.boucadair@orange.com, Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A4BD2109-EC58-4FED-A8B0-2EE5AC47A69C@kuehlewind.net>
References: <155679628494.24951.9145538661531263463.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA68C8B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190701154032.GB13810@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1561998622;58701958;
X-HE-SMSGID: 1hhzBy-00027g-Qt
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/5am0PB7qyB8shxS2G3Twkp3R5ww>
Subject: Re: [Dots] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-?= =?utf-8?q?dots-data-channel-28=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 16:30:25 -0000

Hi Ben, hi Med,

Please see below.

> On 1. Jul 2019, at 17:40, Benjamin Kaduk <kaduk@mit.edu>; wrote:
> 
> Hi Mirja,
> 
> Can you please let us know whether these replies address your concerns?
> 
> Thanks,
> 
> Ben
> 
> On Thu, May 02, 2019 at 11:54:50AM +0000, mohamed.boucadair@orange.com wrote:
>> Re-,
>> 
>> Please see inline. 
>> 
>> Cheers,
>> Med
>> 
>>> -----Message d'origine-----
>>> De : Mirja Kühlewind via Datatracker [mailto:noreply@ietf.org]
>>> Envoyé : jeudi 2 mai 2019 13:25
>>> À : The IESG
>>> Cc : draft-ietf-dots-data-channel@ietf.org; Roman Danyliw; dots-
>>> chairs@ietf.org; rdd@cert.org; dots@ietf.org
>>> Objet : Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with
>>> DISCUSS and COMMENT)
>>> 
>>> Mirja Kühlewind has entered the following ballot position for
>>> draft-ietf-dots-data-channel-28: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-dots-data-channel/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> I support Suresh's discuss that the process of how it is indicated if a 1 or
>>> 2
>>> byte mask is used is not clear. However, I would additionally like to discuss
>>> why this bit mask is needed at all. The TCP flags field in RFC8519 is already
>>> defined as bits. Storing these bits in a signal 8 bit field and applying a
>>> matching operation is implementation specific only and doesn't require any
>>> changes to the YANG model.
>> 
>> [Med] The motivation is similar to the one for the IPv4 flags:  
>> 
>>   Nevertheless,
>>   the use of 'flags' is problematic since it does not allow to define a
>>   bitmask.  For example, setting other bits not covered by the 'flags'
>>   filtering clause in a packet will allow that packet to get through
>>   (because it won't match the ACE).  
>> 
>> The use of bitmask will also ease inter-working witg BGP flowspec.

Okay, this is fine based on discussion with Suresh.

>> 
>>> 
>>> I would also quickly like to discuss the use of keep-alives as described in
>>> Section 3.1: "While the communication to the DOTS server is
>>>   quiescent, the DOTS client MAY probe the server to ensure it has
>>>   maintained cryptographic state.  Such probes can also keep alive
>>>   firewall and/or NAT bindings.  A TLS heartbeat [RFC6520] verifies
>>>   that the DOTS server still has TLS state by returning a TLS message."
>>> I understood that multiple requests can and should be send in the same
>>> connection, however, I would expect that those requests are send basically
>>> right after each other, such as a look-up and then change of the config. I
>>> don't see a need to keep up the connection for a long time otherwise.
>>> Especially any action performed are (other than in the signal channel case)
>>> not
>>> time critical. Therefore I would rather recommend to close and reopen
>>> connections and not recommend to use keep-alives at all.
>> 
>> [Med] The activity of the DOTS client may be used to track/detect stale entries:
>> 
>>   Also, DOTS servers
>>   may track the inactivity timeout of DOTS clients to detect stale
>>   entries.
>> 
My understanding is that this is orthogonal. You can also see that a client is inactive when it didn’t open a new connection for a certain time…?

Mirja


>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> Editorial comment: As alias 
>> 
>> [Med] The grouping "target" is defined in the data-channel, and reused in the signal channel. The name cannot be reused because it is a key of the aliases in data-channel and a node in the signal-channel. 
>> 
>> and migration-scope 
>> 
>> [Med] I guess you meant "mitigation-scope". There is no such item in the data channel. Please note that "ietf-data:target" is called in the signal-channel under mitigation-scope. 
>> 
>> (in the signal channel
>>> document) have the same fields, wouldn't it make sense to only definite it
>>> once
>>> somewhere?
>>> 
>> 
> 
>