Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with DISCUSS and COMMENT)

<> Thu, 02 May 2019 11:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2CD9F1200B9; Thu, 2 May 2019 04:54:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id twY3Nf5ec61J; Thu, 2 May 2019 04:54:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 493B4120099; Thu, 2 May 2019 04:54:53 -0700 (PDT)
Received: from (unknown [xx.xx.xx.65]) by (ESMTP service) with ESMTP id 44vtwq3rkHz1yJH; Thu, 2 May 2019 13:54:51 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.23]) by (ESMTP service) with ESMTP id 44vtwq2PXSzDq7V; Thu, 2 May 2019 13:54:51 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM41.corporate.adroot.infra.ftgroup ([fe80::857d:4f67:b0a7:10d7%21]) with mapi id 14.03.0439.000; Thu, 2 May 2019 13:54:51 +0200
To: Mirja Kühlewind <>, The IESG <>
CC: "" <>, Roman Danyliw <>, "" <>, "" <>
Thread-Topic: Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with DISCUSS and COMMENT)
Thread-Index: AQHVANmmJifqnS0lyUewKQhvJpIf2KZXshyA
Date: Thu, 02 May 2019 11:54:50 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA68C8B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 May 2019 11:54:56 -0000


Please see inline. 


> -----Message d'origine-----
> De : Mirja Kühlewind via Datatracker []
> Envoyé : jeudi 2 mai 2019 13:25
> À : The IESG
> Cc :; Roman Danyliw; dots-
> Objet : Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-dots-data-channel-28: Discuss
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> I support Suresh's discuss that the process of how it is indicated if a 1 or
> 2
> byte mask is used is not clear. However, I would additionally like to discuss
> why this bit mask is needed at all. The TCP flags field in RFC8519 is already
> defined as bits. Storing these bits in a signal 8 bit field and applying a
> matching operation is implementation specific only and doesn't require any
> changes to the YANG model.

[Med] The motivation is similar to the one for the IPv4 flags:  

   the use of 'flags' is problematic since it does not allow to define a
   bitmask.  For example, setting other bits not covered by the 'flags'
   filtering clause in a packet will allow that packet to get through
   (because it won't match the ACE).  

The use of bitmask will also ease inter-working witg BGP flowspec.

> I would also quickly like to discuss the use of keep-alives as described in
> Section 3.1: "While the communication to the DOTS server is
>    quiescent, the DOTS client MAY probe the server to ensure it has
>    maintained cryptographic state.  Such probes can also keep alive
>    firewall and/or NAT bindings.  A TLS heartbeat [RFC6520] verifies
>    that the DOTS server still has TLS state by returning a TLS message."
> I understood that multiple requests can and should be send in the same
> connection, however, I would expect that those requests are send basically
> right after each other, such as a look-up and then change of the config. I
> don't see a need to keep up the connection for a long time otherwise.
> Especially any action performed are (other than in the signal channel case)
> not
> time critical. Therefore I would rather recommend to close and reopen
> connections and not recommend to use keep-alives at all.

[Med] The activity of the DOTS client may be used to track/detect stale entries:

   Also, DOTS servers
   may track the inactivity timeout of DOTS clients to detect stale

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Editorial comment: As alias 

[Med] The grouping "target" is defined in the data-channel, and reused in the signal channel. The name cannot be reused because it is a key of the aliases in data-channel and a node in the signal-channel. 

and migration-scope 

[Med] I guess you meant "mitigation-scope". There is no such item in the data channel. Please note that "ietf-data:target" is called in the signal-channel under mitigation-scope. 

(in the signal channel
> document) have the same fields, wouldn't it make sense to only definite it
> once
> somewhere?