Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
Daniel Migault <daniel.migault@ericsson.com> Thu, 25 April 2019 21:25 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BD89120140; Thu, 25 Apr 2019 14:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3jP2Gu74K87V; Thu, 25 Apr 2019 14:25:26 -0700 (PDT)
Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B0C2120158; Thu, 25 Apr 2019 14:25:26 -0700 (PDT)
Received: by mail-lf1-f43.google.com with SMTP id t30so747530lfd.8; Thu, 25 Apr 2019 14:25:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U41v/BPURRNQFk9u352HCNnp2YHrm9EntYdKcztJ/oU=; b=Dz3deXuVQJTjcUTyIVDTAYJN0SfH2jB8/JkuEDgQyUr/W0lspxZoerFNSltg2G/4cH UyCXS7nHl6io7ZxOPhfz+cl1XjbbMN3FaERRazyryt0DMCKVYSleBhElO6JSjvIdUQuF EsYYWajEKZJvzkkQcoVTv8ZVi9Yels692xDKc7OrfyifVjMi1Nik6zKYn2XY2bloRLfn R3yuVNpAOFFdGCvKgQk/PBbindv/VVMjXmMvJ4EfkfdtJrtTWdSlxDCa05FG8pPUrJbB sKK40/ryB3na9WBadbv+C09Onb0LEpt3IkPF0262sVRLw7w/4C5FmtFVPL1PyOuIIZL0 wbIg==
X-Gm-Message-State: APjAAAXmtD/4O3Buzbs/wFmXbajm4KDqn3/zWT0wNE7JmqZomiOsI8Fa 3hUMnUiYCnQB6j9HCLSJnlzZF8L/T0b8KOwKogw=
X-Google-Smtp-Source: APXvYqzjYBvwejlQJZK48rhA/8G9RD1+HRZeVEpXHgWR1EpOD2NxdRqCNUJVt1p2H7YBEx4AumLyZ7Xcg5ah3B3Y0zI=
X-Received: by 2002:ac2:5315:: with SMTP id c21mr23758193lfh.25.1556227524172; Thu, 25 Apr 2019 14:25:24 -0700 (PDT)
MIME-Version: 1.0
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <30E95A901DB42F44BA42D69DB20DFA6A69F3A581@nkgeml513-mbx.china.huawei.com> <CADZyTkmtyO25-JiHMicZDUL2F+5RXpnFPsYHmyn67yfHTns5fA@mail.gmail.com> <BYAPR16MB2790ECCDECA7EA5E62F76F0DEA260@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790ECCDECA7EA5E62F76F0DEA260@BYAPR16MB2790.namprd16.prod.outlook.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 25 Apr 2019 17:25:12 -0400
Message-ID: <CADZyTkn7gmnOAhwQ0sKY=R9J-icPvqRdEnqaf0KP3sYTw0MsuQ@mail.gmail.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
Cc: "Panwei (William)" <william.panwei@huawei.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000c4a4fc058761742c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/73FglhWx3xoM-2QrlEwNesL7Pg8>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 21:25:29 -0000
Thanks Tiru, Thanks for the feedback. Please see my comments/response and clarification. Apology for being so long to respond. Yours, Daniel On Thu, Apr 18, 2019 at 8:53 AM Konda, Tirumaleswar Reddy < TirumaleswarReddy_Konda@mcafee.com> wrote: > Hi Daniel, > > > > Thanks for the review, Please see inline [TR] > > > > *From:* Dots <dots-bounces@ietf.org> *On Behalf Of * Daniel Migault > *Sent:* Monday, April 15, 2019 9:34 PM > *To:* Panwei (William) <william.panwei@huawei.com> > *Cc:* dots-chairs@ietf.org; Valery Smyslov <valery@smyslov.net>; > dots@ietf.org; kaduk@mit.edu > *Subject:* Re: [Dots] Adoption call for draft-reddy-dots-home-network-04 > > > > *CAUTION*: External email. Do not click links or open attachments unless > you recognize the sender and know the content is safe. > ------------------------------ > > I support the adoption of the draft, please see my comments on the current > version. None of them should be considered as preventing the adoption. > > > > Yours, > > Daniel > > > > Some random comments: > > > > > > Section 1: > > > > """ > > Some of the DDoS attacks like spoofed RST or FIN packets, Slowloris, > > and TLS re-negotiation are difficult to detect on the home network > > devices without adversely affecting its performance. The reason is > > typically home routers have fast path to boost the throughput. For > > every new TCP/UDP flow, only the first few packets are punted through > > the slow path. Hence, it is not possible to detect various DDoS > > attacks in the slow path, since the attack payload is sent to the > > target server after the flow is switched to fast path. Deep packet > > inspection (DPI) of all the packets of a flow would be able to detect > > some of the attacks. However, a full-fledged DPI to detect these > > type of DDoS attacks is functionally or operationally not possible > > for all the devices attached to the home network owing to the memory > > and CPU limitations of the home routers. Further, for certain DDoS > > attacks the ability to distinguish legitimate traffic from attacker > > traffic on a per packet basis is complex. This complexity originates > > from the fact that the packet itself may look "legitimate" and no > > attack signature can be identified. The anomaly can be identified > > only after detailed statistical analysis. > > """ > > > > I understand, the paragraph below as saying that detection at the ISP is > > easier than at the homenet level as the ISP aggregates the traffic. This > > is correct and I agree with the text. However, if we are going a bit > > further, the detection is even easier to the DDoS target. I believe that > > the same mechanism could be deployed between a DDoS target, its Cloud > > provider major ISPs up to the origin. The example of the Homenet and the > > ISP is only one bound but the mechanism can be generalized and actually > > help coordination between independent domains. I believe the draft can > > be placed in a larger perspective. > > > > [TR] Agreed, it is relatively easy for the DDoS mitigation provider for > the attack target to detect sophisticated DDoS attacks (especially if the > attack uses encrypted traffic). > > > > I will add the following lines: > > > > BGP defines a mechanism as described in [RFC5575] that can be used to > > automate inter-domain coordination of traffic filtering, such as what > > is required in order to mitigate DDoS attacks. DDoS mitigation provider > > for the attack target can detect sophisticated DDoS attacks > > using encrypted attack traffic, and can possibly use BGP flowspec > [RFC5575] to > > convey the filtering rules to filter block, or rate-limit DDoS attack > traffic originating > > from the ISP's subscribers to the attack target. > > > > > > Section 3.1 Procedure: > > > > I am not convinced this is the right approach to switch the roles > > between clients and servers. I believe that while the previous dots > > signal-channel was foreseeing the relation as asymmetric, we are now > > considering DOTS Client and DOTS Server as mostly symmetric. Maybe one > > way to see this could be to have a DOTS communication between different > > entities, and exchanges can be in both directions. The one initiating > > the exchange could be designated as DOTS Initiator, while the receiving > > side is the DOTS Responder. > > > > Here is a more concrete example while Client / Server might be > > confusing. When a server sends an alert when under attach it is designated > > as the DOTS Client, while the same client specifying these IP addresses > > are detected as belonging to an attacker will be the Server. > > > > It seems also to me that establishment of the (D)TLS channel can be sent > > by any other peer, not necessarily the peer sending further > > notification/request. Typically the DOTS Client may have set the DOTS > > channel protected by (D)TLS, and the DOTS Server may re-use that exact > > same channel. > > > > I am also wondering if the support of the extension is agreed or > > announced. If so this would ease the negotiation of which peer is able > > to handle the requests and be a "Server". > > > > [TR] Both draft-reddy-dots-home-network and RFC8071 adopt the same > approach for managing roles and connections. You may want to look into > RFC8071. > > CoAP allows asynchronous messages but the request is always sent > by the CoAP client. > > > <mglt>ok thanks. and we wants to map the DOTS Client with the CoAP client. In other words, it is out of scope to have a DOT CLient with a CoAP client and a CoAP server. When I wrote the comment I had a push request in mind, and observe does not work ;-)</mglt> > I believe the clarification and comparison with the > > "traditional"/"initial" DOTS use cases is useful and needs to stay for > > clarification purpose. However, one should make sure also that such > > signalling can also be made with a signal dots signalling established in > > the initial use cases. Typically, the DOTS client may have set the DOTS > > channel and set a DTLS session which could carry the signalling of the > > draft. > > > > [TR] I don’t get the above comment. > <mglt>I suppose my mouse pointer tricked me. The idea I wanted to provide was that *maybe* it would be good to think as DOTS peers that establish a channel using DTLS and each peer can be over the same channel act as a client or server. We would rather talk about initiator and responder. In other word, to make teh protocol less asymmetric. </mglt> > > > Cheers, > > -Tiru > > > > > > On Sun, Apr 14, 2019 at 11:06 PM Panwei (William) < > william.panwei@huawei.com> wrote: > > Hi, > > I support adoption of this draft. > > Best Regards > Wei Pan > > -----Original Message----- > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Valery Smyslov > Sent: Monday, April 08, 2019 11:29 PM > To: dots@ietf.org > Cc: dots-chairs@ietf.org; kaduk@mit.edu > Subject: [Dots] Adoption call for draft-reddy-dots-home-network-04 > > Hi all, > > the chairs recently received an adoption request for > draft-reddy-dots-home-network-04. > > This message starts a two-week adoption call for > draft-reddy-dots-home-network-04. > The call ends up on Tuesday, April the 23rd. > > Please send your opinion regarding adoption of this document to the list > before this date. > If you think the draft should be adopted, please indicate whether you're > willing to review it/to work on it. If you think the draft should not be > adopted, please explain why. > > Regards, > Frank & Valery. > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots >
- [Dots] Adoption call for draft-reddy-dots-home-ne… Valery Smyslov
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Teague, Nik
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Jon Shallow
- Re: [Dots] Adoption call for draft-reddy-dots-hom… 林 裕平
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Prashanth Patil (praspati)
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Andrew Mortensen
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Panwei (William)
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Daniel Migault
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Dan Wing
- Re: [Dots] Adoption call for draft-reddy-dots-hom… MeiLing Chen
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… kaname nishizuka
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Valery Smyslov
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Jon Shallow
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Jon Shallow
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Konda, Tirumaleswar Reddy
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Daniel Migault
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Daniel Migault
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Daniel Migault
- Re: [Dots] Adoption call for draft-reddy-dots-hom… mohamed.boucadair
- Re: [Dots] Adoption call for draft-reddy-dots-hom… Daniel Migault