IETF Logo Mail Archive

[Dots] 答复: FW: Prior discussion about draft-fu-ipfix-network-security-00

"Xialiang (Frank)" <frank.xialiang@huawei.com> Wed, 25 March 2015 12:12 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705781ACE76 for <dots@ietfa.amsl.com>; Wed, 25 Mar 2015 05:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.911
X-Spam-Level:
X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gDJaBW3E2KK6 for <dots@ietfa.amsl.com>; Wed, 25 Mar 2015 05:12:37 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44A151ACE6C for <dots@ietf.org>; Wed, 25 Mar 2015 05:12:37 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BQR65206; Wed, 25 Mar 2015 12:12:35 +0000 (GMT)
Received: from SZXEMA411-HUB.china.huawei.com (10.82.72.70) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 25 Mar 2015 12:12:34 +0000
Received: from SZXEMA502-MBS.china.huawei.com ([169.254.4.144]) by szxema411-hub.china.huawei.com ([10.82.72.70]) with mapi id 14.03.0158.001; Wed, 25 Mar 2015 20:12:29 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, will <mbset@sbcglobal.net>
Thread-Topic: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00
Thread-Index: AQHQZbIoG194KPXTRmOmHM/JVOfdOZ0qPLoAgAAy8ICAAAs1AIAAGBYAgAFE7YCAADnxAIABCZOg
Date: Wed, 25 Mar 2015 12:12:28 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12ADA77CF@SZXEMA502-MBS.china.huawei.com>
References: <358188D97DBE45F787E97C9E29B1C0A3@takeAsus> <D1360207.B412%nteague@verisign.com> <77FA386512F0D748BC7C02C36EB1106D955C93@szxeml557-mbs.china.huawei.com> <1C9F17D1873AFA47A969C4DD98F98A75153AC9EA@xmb-rcd-x10.cisco.com> <D1364C2B.B4E6%nteague@verisign.com> <551204A9.5060406@sbcglobal.net> <1C9F17D1873AFA47A969C4DD98F98A75153B049E@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A75153B049E@xmb-rcd-x10.cisco.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.149.132]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/6mJgGQsQ7dLMq5zQ5UCvSl1dKVQ>
Cc: "dots@ietf.org" <dots@ietf.org>
Subject: [Dots] 答复: FW: Prior discussion about draft-fu-ipfix-network-security-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 12:12:42 -0000

Agree with Panos's comments. I also think our most important job right now is to discuss a clear scope of DOTS and work out a new charter.

Another point I want to note is, current two drafts are for two different scenarios, and they are all valuable for operators and security service providers. So, we should consider them together in the beginning to avoid the unnecessary waste.

B.R.
Frank

-----邮件原件-----
发件人: Dots [mailto:dots-bounces@ietf.org] 代表 Panos Kampanakis (pkampana)
发送时间: 2015年3月24日 23:11
收件人: will; dots@ietf.org
主题: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

I think that is a strong assumption that would simplify the problem, but probably is not very practical.

After attending the BOF today it seems the problem trying to solve here is signaling over saturated links and the a data representation of DDoS activity to be exchanged. For the latter, existing representations could do the job IMO, unless there is DDoS info that cannot be described. But then we would need specific examples.

As someone put it in the BOF call today, scope should be well-defined if this ends up being a WG I believe.

Panos


-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of will
Sent: Tuesday, March 24, 2015 8:43 PM
To: dots@ietf.org
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

If we are worried about trying to signal over saturated links, maybe we should consider using out of band signaling.

On 03/24/2015 01:20 AM, Teague, Nik wrote:
> Hi,
>
> On 23/03/2015 22:54, "Panos Kampanakis (pkampana)" 
> <pkampana@cisco.com>
> wrote:
>
>> Hello,
>>
>> It seems to me that the "signaling in order to mitigate DDoS" problem 
>> has been solved already by BGP FlowSpec. I am not sure if defining 
>> more verbose and detailed communications between network elements 
>> would add much value, since these devices cannot do more than 
>> signalling and mitigate.
>>
>> Panos
> Flowspec is very effective within the bounds of its capabilities - if 
> a bad actor is hammering my network with an ntp reflection attack or 
> my web server with a whole swathe of large udp packets then I can 
> easily build filters to handle that - if the bad actor is hitting my 
> web server with a syn flood from a massively random source pool then I 
> have to consider rate limiting as probably my best, but maybe not 
> ideal, option.  If I try and generate more than 12k flow route filters 
> to push to either my equipment or my service providers (depending upon 
> whether they support Flowspec) then things can get a little hairy.
> DDoS mitigation CPE and DDoS mitigation providers exist because the 
> need is there - The DOTS proposal is that effective signaling is 
> necessary between these elements, not specifically generic network 
> elements, but actual elements that are concerned with often complex 
> attacks that a flow route filter is unable to deal with.  If my 
> ingress links are saturated then signaling via a tcp oriented session 
> can potentially result in more cycles being spent trying to initiate 
> and maintain a session than actual information transferŠ and if the connection drops then the whole thing has to start again.
>
> Thanks,
>
> -Nik
>
>
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email