IETF Logo Mail Archive

Re: [Dots] Adoption call for draft-reddy-dots-home-network-04

Daniel Migault <daniel.migault@ericsson.com> Thu, 25 April 2019 21:25 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BD89120140; Thu, 25 Apr 2019 14:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3jP2Gu74K87V; Thu, 25 Apr 2019 14:25:26 -0700 (PDT)
Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B0C2120158; Thu, 25 Apr 2019 14:25:26 -0700 (PDT)
Received: by mail-lf1-f43.google.com with SMTP id t30so747530lfd.8; Thu, 25 Apr 2019 14:25:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U41v/BPURRNQFk9u352HCNnp2YHrm9EntYdKcztJ/oU=; b=Dz3deXuVQJTjcUTyIVDTAYJN0SfH2jB8/JkuEDgQyUr/W0lspxZoerFNSltg2G/4cH UyCXS7nHl6io7ZxOPhfz+cl1XjbbMN3FaERRazyryt0DMCKVYSleBhElO6JSjvIdUQuF EsYYWajEKZJvzkkQcoVTv8ZVi9Yels692xDKc7OrfyifVjMi1Nik6zKYn2XY2bloRLfn R3yuVNpAOFFdGCvKgQk/PBbindv/VVMjXmMvJ4EfkfdtJrtTWdSlxDCa05FG8pPUrJbB sKK40/ryB3na9WBadbv+C09Onb0LEpt3IkPF0262sVRLw7w/4C5FmtFVPL1PyOuIIZL0 wbIg==
X-Gm-Message-State: APjAAAXmtD/4O3Buzbs/wFmXbajm4KDqn3/zWT0wNE7JmqZomiOsI8Fa 3hUMnUiYCnQB6j9HCLSJnlzZF8L/T0b8KOwKogw=
X-Google-Smtp-Source: APXvYqzjYBvwejlQJZK48rhA/8G9RD1+HRZeVEpXHgWR1EpOD2NxdRqCNUJVt1p2H7YBEx4AumLyZ7Xcg5ah3B3Y0zI=
X-Received: by 2002:ac2:5315:: with SMTP id c21mr23758193lfh.25.1556227524172; Thu, 25 Apr 2019 14:25:24 -0700 (PDT)
MIME-Version: 1.0
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <30E95A901DB42F44BA42D69DB20DFA6A69F3A581@nkgeml513-mbx.china.huawei.com> <CADZyTkmtyO25-JiHMicZDUL2F+5RXpnFPsYHmyn67yfHTns5fA@mail.gmail.com> <BYAPR16MB2790ECCDECA7EA5E62F76F0DEA260@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790ECCDECA7EA5E62F76F0DEA260@BYAPR16MB2790.namprd16.prod.outlook.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 25 Apr 2019 17:25:12 -0400
Message-ID: <CADZyTkn7gmnOAhwQ0sKY=R9J-icPvqRdEnqaf0KP3sYTw0MsuQ@mail.gmail.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
Cc: "Panwei (William)" <william.panwei@huawei.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000c4a4fc058761742c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/73FglhWx3xoM-2QrlEwNesL7Pg8>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 21:25:29 -0000

Thanks Tiru,

Thanks for the feedback. Please see my comments/response and clarification.
Apology for being so long to respond.

Yours,
Daniel

On Thu, Apr 18, 2019 at 8:53 AM Konda, Tirumaleswar Reddy <
TirumaleswarReddy_Konda@mcafee.com> wrote:

> Hi Daniel,
>
>
>
> Thanks for the review, Please see inline [TR]
>
>
>
> *From:* Dots <dots-bounces@ietf.org> *On Behalf Of * Daniel Migault
> *Sent:* Monday, April 15, 2019 9:34 PM
> *To:* Panwei (William) <william.panwei@huawei.com>
> *Cc:* dots-chairs@ietf.org; Valery Smyslov <valery@smyslov.net>;
> dots@ietf.org; kaduk@mit.edu
> *Subject:* Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
>
>
> *CAUTION*: External email. Do not click links or open attachments unless
> you recognize the sender and know the content is safe.
> ------------------------------
>
> I support the adoption of the draft, please see my comments on the current
> version. None of them should be considered as preventing the adoption.
>
>
>
> Yours,
>
> Daniel
>
>
>
> Some random comments:
>
>
>
>
>
> Section 1:
>
>
>
> """
>
>    Some of the DDoS attacks like spoofed RST or FIN packets, Slowloris,
>
>    and TLS re-negotiation are difficult to detect on the home network
>
>    devices without adversely affecting its performance.  The reason is
>
>    typically home routers have fast path to boost the throughput.  For
>
>    every new TCP/UDP flow, only the first few packets are punted through
>
>    the slow path.  Hence, it is not possible to detect various DDoS
>
>    attacks in the slow path, since the attack payload is sent to the
>
>    target server after the flow is switched to fast path.  Deep packet
>
>    inspection (DPI) of all the packets of a flow would be able to detect
>
>    some of the attacks.  However, a full-fledged DPI to detect these
>
>    type of DDoS attacks is functionally or operationally not possible
>
>    for all the devices attached to the home network owing to the memory
>
>    and CPU limitations of the home routers.  Further, for certain DDoS
>
>    attacks the ability to distinguish legitimate traffic from attacker
>
>    traffic on a per packet basis is complex.  This complexity originates
>
>    from the fact that the packet itself may look "legitimate" and no
>
>    attack signature can be identified.  The anomaly can be identified
>
>    only after detailed statistical analysis.
>
> """
>
>
>
> I understand, the paragraph below as saying that detection at the ISP is
>
> easier than at the homenet level as the ISP aggregates the traffic. This
>
> is correct and I agree with the text. However, if we are going a bit
>
> further, the detection is even easier to the DDoS target. I believe that
>
> the same mechanism could be deployed between a DDoS target, its Cloud
>
> provider major ISPs up to the origin. The example of the Homenet and the
>
> ISP is only one bound but the mechanism can be generalized and actually
>
> help coordination between independent domains.  I believe the draft can
>
> be placed in a larger perspective.
>
>
>
> [TR] Agreed, it is relatively easy for the DDoS mitigation provider for
> the attack target to detect sophisticated DDoS attacks (especially if the
> attack uses encrypted traffic).
>
>
>
> I will add the following lines:
>
>
>
> BGP defines a mechanism as described in [RFC5575] that can be used to
>
> automate inter-domain coordination of traffic filtering, such as what
>
> is required in order to mitigate DDoS attacks. DDoS mitigation provider
>
> for the attack target can detect sophisticated DDoS attacks
>
> using encrypted attack traffic, and can possibly use BGP flowspec
> [RFC5575] to
>
>   convey the filtering rules to filter block, or rate-limit DDoS attack
> traffic originating
>
>   from the ISP's subscribers to the attack target.
>
>
>
>
>
> Section 3.1 Procedure:
>
>
>
> I am not convinced this is the right approach to switch the roles
>
> between clients and servers. I believe that while the previous dots
>
> signal-channel was foreseeing the relation as asymmetric, we are now
>
> considering DOTS Client and DOTS Server as mostly symmetric. Maybe one
>
> way to see this could be to have a DOTS communication between different
>
> entities, and exchanges can be in both directions. The one initiating
>
> the exchange could be designated as DOTS Initiator, while the receiving
>
> side is the DOTS Responder.
>
>
>
> Here is a more concrete example while Client / Server  might be
>
> confusing. When  a server sends an alert when under attach it is designated
>
> as the DOTS Client, while the same client specifying these IP addresses
>
> are detected as belonging to an attacker will be the Server.
>
>
>
> It seems also to me that establishment of the (D)TLS channel can be sent
>
> by any other peer, not necessarily the peer sending further
>
> notification/request. Typically the DOTS Client may have set the DOTS
>
> channel protected by (D)TLS, and the DOTS Server may re-use that exact
>
> same channel.
>
>
>
> I am also wondering if the support of the extension is agreed or
>
> announced. If so this would ease the negotiation of which peer is able
>
> to handle the requests and be a "Server".
>
>
>
> [TR] Both draft-reddy-dots-home-network and RFC8071 adopt the same
> approach for managing roles and connections. You may want to look into
> RFC8071.
>
>         CoAP allows asynchronous messages but the request is always sent
> by the CoAP client.
>
>
>
<mglt>ok thanks. and we wants to map the DOTS Client with the CoAP client.
In other words, it is out of scope to have a DOT CLient with a CoAP client
and a CoAP server. When I wrote the comment I had a push request in mind,
and observe does not work ;-)</mglt>


> I believe the clarification and comparison with the
>
> "traditional"/"initial" DOTS use cases is useful and needs to stay for
>
> clarification purpose. However, one should make sure also that such
>
> signalling can also be made with a signal dots signalling established in
>
> the initial use cases. Typically, the DOTS client may have set the DOTS
>
> channel and set a DTLS session which could carry the signalling of the
>
> draft.
>
>
>
> [TR] I don’t get the above comment.
>
<mglt>I suppose my mouse pointer tricked me. The idea I wanted to provide
was that *maybe* it would be good to think as DOTS peers that establish a
channel using DTLS and each peer can be over the same channel act as a
client or server. We would rather talk about initiator and responder. In
other word, to make teh protocol less asymmetric. </mglt>

>
>
> Cheers,
>
> -Tiru
>
>
>
>
>
> On Sun, Apr 14, 2019 at 11:06 PM Panwei (William) <
> william.panwei@huawei.com> wrote:
>
> Hi,
>
> I support adoption of this draft.
>
> Best Regards
> Wei Pan
>
> -----Original Message-----
> From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Monday, April 08, 2019 11:29 PM
> To: dots@ietf.org
> Cc: dots-chairs@ietf.org; kaduk@mit.edu
> Subject: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
> Hi all,
>
> the chairs recently received an adoption request for
> draft-reddy-dots-home-network-04.
>
> This message starts a two-week adoption call for
> draft-reddy-dots-home-network-04.
> The call ends up on Tuesday, April the 23rd.
>
> Please send your opinion regarding adoption of this document to the list
> before this date.
> If you think the draft should be adopted, please indicate whether you're
> willing to review it/to work on it. If you think the draft should not be
> adopted, please explain why.
>
> Regards,
> Frank & Valery.
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>

v2.23.0 | Report a Bug | By Email