Re: [Dots] AD evaluation of draft-ietf-dots-use-cases-20
Daniel Migault <mglt.ietf@gmail.com> Fri, 15 May 2020 19:59 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02033A08B3; Fri, 15 May 2020 12:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAxSoJFo4vy3; Fri, 15 May 2020 12:59:46 -0700 (PDT)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84EE03A08B1; Fri, 15 May 2020 12:59:46 -0700 (PDT)
Received: by mail-vs1-xe34.google.com with SMTP id e20so1398980vsb.5; Fri, 15 May 2020 12:59:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tR9cOUCsQBTAq+YbJuk1HdgqsqVMCb5OVka3yO0NVuU=; b=BPM6lLPBte+G3NqZTQYGNfAq4YGnwmhv4ASq/wicdTIl7F+b+yMfmQbjscxk8+1bD1 2DoekBoYA4EcAsoAaVAnZEI28d368kaCtmoX0VlzDXURQaWdSHTAfG9Mt+oVErACmjPW J61yvyseOu4AHmCxAM5xmekgxW55VJYdgSRkFWhw145VfeAbFM/FvlwFXeLeruFbbb3J +gFWVcG/4GScZdQzFTQbSEzPF6PJUbEU5A4exSY3Y4nm5rQ8CtRIOwnO/oX7UGiBOMx8 RlsSK+HIc9AlGwxDT7R4Ydawzm5kdcxdP3D06tnJJCrHRBDlFzAP8oukDKIGE4FXo9N2 DYQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tR9cOUCsQBTAq+YbJuk1HdgqsqVMCb5OVka3yO0NVuU=; b=XIIYnVfns9nMsiGUibmVKgpQ7fp81cLzvXghmHYwZpY5QJ3gdeC0uRUjwpYlM7LQ8q iV28vUEN4rrBCOTpISFAIBuM7I3b2koNcPtCBr6iTlZZmEUD2jm6wLjmap9Y+QY04HoX aHqroMJpXjoj9AIHiFib6Yhhawt677xz+iVgN6L8WMQaOpSPgJoz0yAALvFbJ2dO20cn zyU8m2duAui2A7J6iRGklbCUMcRQnam19thB81kll40m+PM/CYsBCflfCL7yN3Ox/qj0 7xkMyLS7+WhRX52Ydf7wzqm7678j7cGNSoZo2uB2RDl/8Mssps6VMvLBh/DvTMpzKAr4 NYHw==
X-Gm-Message-State: AOAM532rspbhRcZgQdBl2miEmWbDDV0mxCt8Gz5RY8omLxwuuurmT0gr 4cdnQ/LZqyn2HvfcU17FmUqyqbU3KhjXcMgMrSo=
X-Google-Smtp-Source: ABdhPJxWabqGrtW2cpKkq93TboOZ7dP3CtCkNHT9EOPJI+OQZgHpM5oTueYPUKrlqCyduXd7ylUMt+wvNiOOcZ/oDs8=
X-Received: by 2002:a67:2e01:: with SMTP id u1mr3886560vsu.31.1589572785425; Fri, 15 May 2020 12:59:45 -0700 (PDT)
MIME-Version: 1.0
References: <20200512202205.GF27494@kduck.mit.edu> <CADZyTkkk1rgnUOc=pnPWQbLB5vcniko_QDKn_pwYz0hTL79=dw@mail.gmail.com> <20200514024918.GQ27494@kduck.mit.edu>
In-Reply-To: <20200514024918.GQ27494@kduck.mit.edu>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 15 May 2020 15:59:34 -0400
Message-ID: <CADZyTknsy4gZxCK4Y26u9+fgQp4zEEc1QehfoBSuz+ufsRObkA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-dots-use-cases.all@ietf.org, dots <dots@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003850e905a5b5417c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/5rFky1MdRDkNZQWRfCNtiWJ5qKM>
Subject: Re: [Dots] AD evaluation of draft-ietf-dots-use-cases-20
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 19:59:50 -0000
Hi Ben, Thanks for the follow up. I believe I implemented the changes, and will publish a new version. Yours, Daniel On Wed, May 13, 2020 at 10:49 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Daniel, > > Just a few replies inline. > > On Wed, May 13, 2020 at 12:06:45PM -0400, Daniel Migault wrote: > > Hi, > > > > Thank you Ben for you comments. Please find inline how these have been > > addressed. The updated version has been pushed to [1]. > > > > The main questions I have for the co-authors are: > > * does the change of volumetry to volume causes any concern ? > > * I guess we could be a little be more specific regarding the delegation > > and the pre-arrangement, in particular if BGP is secured. Please update > > the text that has been proposed. > > > > Yours, > > Daniel > > > > > > [1] https://github.com/dotswg/dots-use-cases > > > > On Tue, May 12, 2020 at 4:22 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > > > > Hi all, > > > > > > This one is in pretty good shape -- I don't have any major comments on > it. > > > I did write up some editorial nit-level stuff as a github pull request: > > > https://github.com/dotswg/dots-use-cases/pull/12 . I think that > nothing > > > there should be controversial, but please let me know if I am wrong > about > > > that. > > > > > > Please confirm that all six authors made significant contributions: I > > > will need to defend this to the rest of the IESG, since per RFC 7322 > the > > > author count is generally limited to five individuals. Right now I > don't > > > have a good response when someone asks. > > > > > > > <mglt> > > As far as I know all authors mentioned significantly contributed to the > > document. It is true that there are many co-authors, but I think that > > reflected that DOTS needs to coordinate multiple actors that were not so > > much coordinated before. > > </mglt> > > Thanks, that is good to know. > > > > > > > Section 1 > > > > > > As DDoS solutions are broadly heterogeneous among vendors, the > > > primary goal of DOTS is to provide high-level interaction amongst > > > differing DDoS solutions, such as detecting, initiating, terminating > > > DDoS mitigation assistance or requesting the status of a DDoS > > > mitigation. > > > > > > nit: the list structure is not properly parallel. It looks like the > > > various clauses are meant to be "detecting DDoS", > > > "initiating/terminating mitigation assistance", and "requesting > > > mitigation status", so maybe this could become: > > > > > > % As DDoS solutions are broadly heterogeneous among vendors, the > > > % primary goal of DOTS is to provide high-level interaction amongst > > > % differing DDoS solutions, such as detecting DDoS attacks, > > > % initiating/terminating DDoS mitigation assistance, or requesting the > > > % status of a DDoS mitigation. > > > > > > <mglt> > > fixed > > </mglt> > > > > > Section 3.1 > > > > > > Over the course of the attack, the DOTS server of the ITP > > > periodically informs the DOTS client on the enterprise DMS > mitigation > > > status, statistics related to DDoS attack traffic mitigation, and > > > related information. Once the DDoS attack has ended, or decreased > to > > > the certain level that the enterprise DMS can handle by itself, the > > > DOTS server signals the enterprise DMS DOTS client that the attack > > > has subsided. > > > > > > It's interesting that this is worded in such a way that the (ITP) DOTS > > > server knows the specific threshold for what level of attack traffic > the > > > enterprise DMS can handle, since it's the DOTS server signalling to the > > > client that "the attack has subsided". > > > > > > <mglt> > > In most cases, if I recall correctly, we expect this to reflect a > > contractual relation. That said, it is ultimately the DOTS client that > > terminates the mitigation. To remove the impression that the ITP sort of > > controls the DOTS client, I propose to change "can handle" by "may > > handle". Here is the updated text: > > > > Once the DDoS attack has ended, or decreased to the certain > > level that the enterprise DMS may handle by itself, the DOTS server > > signals the enterprise DMS DOTS client that the attack has subsided. > > </mglt> > > I'd consider "might" instead of "may", since sometimes in English "may" has > a connotation of granting permission. > <mglt> changed. </mglt> > > > Section 3.3 > > > > > > Upon receipt of the DOTS mitigation request from the DDoS telemetry > > > system, the orchestrator DOTS server responds with an > acknowledgment, > > > to avoid retransmission of the request for mitigation. The > > > orchestrator may begin collecting additional fine-grained and > > > specific information from various DDoS telemetry systems in order to > > > correlate the measurements and provide an analysis of the event. > > > Eventually, the orchestrator may ask for additional information from > > > the DDoS telemetry system; however, the collection of this > > > information is out of scope. > > > > > > The last sentence seems to say that how the orchestrator gets data from > > > the initial DOTS client telemtry system is out-of-scope, but the > > > previous sentence talks about the orchestrator collecting information > > > from (other) DOTS telemetry systems. Is that similarly out of scope? > > > If so, then the fact that they are specifically *DOTS* telemetry > systems > > > seems irrelevant and we should probably just describe them as generic > > > telemetry or monitoring systems. > > > > > > <mglt> > > I agree that we should not have DOTS telemetry systems and leave them as > > DDoS telemetry systems. I checked the current version and there is no > > mention of DOTS telemetry but only DDoS telemetry. > > Oops, I seem to have misread this text! Of course, generic DDoS telemetry > systems make sense in this context. > > > I also suggest the we specify that such collection is out of scope of > DOTS. > > with the following sentence: > > > > the collection of this information is out of scope of DOTS. > > Okay. > > > </mglt> > > > > > > > Upon receiving a request to mitigate a DDoS attack performed over a > > > target, the orchestrator may evaluate the volumetry of the attack as > > > > > > nit(?): is "performed over" a conventional usage? I would have > expected > > > something more like "aimed at" given my personal background, but could > > > just be ignorant of typical usage. > > > > > <mglt> > > changed. > > </mglt> > > > > > > > > Also, I think "volumetry" is not the right word here, and just "volume" > > > suffices. > > > > > <mglt> > > I am fine either way. The current version changed to volume, but I am > > waiting co-authors to confirm they agree with the change. > > </mglt> > > > > > > > > filter the traffic. In this case, the DDoS mitigation system > > > implements a DOTS client while the orchestrator implements a DOTS > > > server. Similar to other DOTS use cases, the offloading scenario > > > assumes that some validation checks are followed by the DMS, the > > > orchestrator, or both (e.g., avoid exhausting the resources of the > > > forwarding nodes or disrupting the service). These validation > checks > > > are part of the mitigation, and are therefore out of the scope of > the > > > document. > > > > > > I know we added this last chunk of text after a long exchange during > the > > > last WGLC, and understand the desire to avoid going into too many > > > details on a topic that is mostly out of scope for DOTS. That said, > I'd > > > suggest adding a couple more words around "disrupting the service" > > > (especially since some level of service disruption during an attack > > > might be expected!) to help the reader make the link to what kind of > > > validation is expected, perhaps something like "inadvertent disruption > > > of legitimate services". > > > > > > <mglt> > > fixed with the follwoing snetence: > > > > Similar to other DOTS use cases, the offloading scenario assumes that > some > > validation checks are followed by the DMS, the orchestrator, or both > (e.g., > > avoid exhausting the resources of the forwarding nodes or inadvertent > > disruption of legitimate services). > > </mglt> > > > > > Section 4 > > > > > > In light of my previous comment I don't want to go too far here, but I > > > could see it being relevant to have a note that in the "orchestration" > > > case it's possible for something that locally to one telemetry system > > > looks like an attack is not actually an attack when seen from the > > > broader scope (e.g., of the orchestrator). > > > > > > <mglt> > > I added the note in the following paragraph. > > > > These systems are configured so that when an event or some measurement > > indicators reach a predefined level their associated DOTS client sends a > > DOTS mitigation request to the orchestrator DOTS server. The DOTS > > mitigation request may be associated with some optional mitigation hints > > to let the orchestrator know what has triggered the request. In > particular, > > it's possible for something that locally to one telemetry system looks > like > > an attack is not actually an attack when seen from the broader scope > (e.g., > > of the orchestrator) > > </mglt> > > > > In the Third Party MSP case we mention BGP as a way to steer traffic to > > > the mitigation service. We could consider (but don't have to) > > > mentioning that efforts to secure BGP will need to be considered when > > > making pre-arrangements for how traffic is to be moved, since in some > > > contexts such BGP announcements could themselves be considered to be an > > > attack. > > > > > > <mglt> > > Being ignorant on BGP, I am wondering if you are thinking of a BGP > > procedure to announce routes or some procedure for enabling a delegation > > when BGPsec is considered. > > I think either could be problmatic in some (rare?) circumstances -- I > believe in some cases there are allow-lists for which neighbors' > announcements of which prefixes are acted upon, and of course when the RPKI > comes into play that needs to validate properly as well. > > > I porpose the following text: > > > > These exact mechanisms > > used for traffic steering are out of scope of DOTS, but will need to be > > pre-arranged, while in some context such changed could be detected and > > considered as an attack. > > I agree with the other commenters that a separate BCP is where the details > should be covered. > > > </mglt> > > > > > I guess it probably goes without saying that when you add a third-party > > > DMS to your setup, you depend on that third party to be operational in > > > order for your setup to work properly. > > > > > > Section 7 > > > > > > We'll probably get someone asking to move RFC 8612 to be a Normative > > > reference since we use it for terminology, but I don't mind leaving it > > > be for now. > > > > > > > <mglt> > > I put it as normative. > > Thanks, > > Ben > -- Daniel Migault Ericsson
- [Dots] AD evaluation of draft-ietf-dots-use-cases… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Teague, Francis
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… kaname nishizuka
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Jon Shallow
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault