IETF Logo Mail Archive

Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

Roland Dobbins <rdobbins@arbor.net> Mon, 13 March 2017 08:42 UTC

Return-Path: <rdobbins@arbor.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA9312955C for <dots@ietfa.amsl.com>; Mon, 13 Mar 2017 01:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ETYU8eZBrWUq for <dots@ietfa.amsl.com>; Mon, 13 Mar 2017 01:42:10 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0115.outbound.protection.outlook.com [104.47.33.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B59881294DB for <dots@ietf.org>; Mon, 13 Mar 2017 01:42:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-arbor-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sZqq50dSH4d3wpu8TkJ9Xtkch3Gd+O4V4SY7MK1OiU0=; b=c0eGiJbvkbXYEE9VCuoKn7uYHiCNXnF6FAk+anCVcivmcKeqkBD8HJiPny8DJ5zwYLxFN/wDJqMm2uGObHWfjwkIhqMw9J3EMhWl8HqbsiYGESawSJtg4hN0XZd8vL2ucRmpZQyv8qAgfN5u/D1/+ZMQK20P2HMUtnylZWtVIaw=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arbor.net;
Received: from [172.19.254.107] (49.228.115.77) by DM2PR0101MB1038.prod.exchangelabs.com (10.160.129.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.961.17; Mon, 13 Mar 2017 08:42:07 +0000
From: Roland Dobbins <rdobbins@arbor.net>
To: "dots@ietf.org" <dots@ietf.org>
Date: Mon, 13 Mar 2017 15:41:48 +0700
Message-ID: <37558C35-4DC6-4FED-BEF0-9E7A6C82E487@arbor.net>
In-Reply-To: <F8F4995E43962F4996B280E9678CED0001538042@SZXEMI507-MBX.china.huawei.com>
References: <F8F4995E43962F4996B280E9678CED0001538042@SZXEMI507-MBX.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.6r5347)
X-Originating-IP: [49.228.115.77]
X-ClientProxiedBy: HK2PR04CA0054.apcprd04.prod.outlook.com (10.170.154.22) To DM2PR0101MB1038.prod.exchangelabs.com (10.160.129.155)
X-MS-Office365-Filtering-Correlation-Id: c7c8bc0a-a646-473b-8940-08d469ecd55e
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DM2PR0101MB1038;
X-Microsoft-Exchange-Diagnostics: 1; DM2PR0101MB1038; 3:dWqibciW9X3vlc+r+QzNV474RA677OQzBQZpruTYedx2mHBjoDPyxqu4eDmkOck1yLkGQOYSBe7qoVur9mFfdzgE7XT2UVjpU9YQrDHuqmZUyIseL6Py/t5CUnE+P1G+bjrrsSXIwoek2OB4JJ5dEb+tLjh/8hEUgr8lxpAed92FpVaJpm4H0NkQ7Mk9e9GoMY0964WVfP2X//BQt0N7YujSJQz/evtuBLrvH7y82wp/9huxSdXV8pEUCeaO0BcrqFKE5Yc1vCpL+N0NMwQE5A==; 25:DqQlSTTAzUFo1VW+Al8H/A6iVHejUx0FckZdUJwMT/9/9DBh2LDBVUTRrG1VU8rM4y8zVe1e19/yUl+piPDFi8VhvLtg2my8rx54uKMIZdJyNbx52JF0BO3a6JYxDvxaBLNVD5JklfZvBv1hFNluaWV/1xp1CGL6ma5KeVOVLhP5tJo6TK4adtCkV5IBTU/+YSBSuI1QrFJSeGlEwoJXpP2J5AkwXbDJvnJcX3wT8ZxiqL/fqy4gJcUv2qXu3hziqNsfROAtvD7uFd1eLdL0PO/hjq6/HVQzvDTvwwoz5bcI76Kym2TeRnXB8mj+eMpQCUqaI0CvsT5KuMTCsz7wGhZLp2H1IwWpliuZNCxrHE5F30KsYhQZ007oyiTLZLK9G+je+iCrI4mtw84eVDqT2AKkI1nMRgWf56UgRRWcLGE4vUcgdlzirIvqs2P/yaZjVtFSTJiSYHAbZ6gTdhhV4w==
X-Microsoft-Exchange-Diagnostics: 1; DM2PR0101MB1038; 31:vsrJ2vySmhp/6qgbRUpP4nTvBJXoJPjPxGKUyQUdZkd8p0/CEssYgEbvAvAY5Ux9tQR+FbKaIiEfLFjJoMaI6BHZ6OQdYwvlXbMy8duYdJmLBuwv70ZCF0Y4jofIkAoedq3xMJTnzi+LvdQgcyeGwix3kpRG9i6xYewN6+9unEr+/S7ivenQRAbRTru0xNBXuqSomce7hdL/ZTPOW/4B1E/9HuCjZWaYw6AVKt+d5H8Lzpl+qordNwDNq6gjlTPFBoG1b+rvqPpirklPFUmFNvAfRSPIFm5gL5OFS3XbPA4=; 20:Hbqg50h3wUooG/DGWDpPcGwS6bafFgNz23aTxQgyvIqg9hnJSJs2o6Vj5tKtX8lPeLk7WcZUUkJ0M1Jvy5Om2pcg2ZVDSTyW4c684h2OU8BTGJyF14ol952ZemtjcICILbseF0iyi4GcxgqVOXSEiUK9mer1mJXm4yRTCOlL+l7zCRPBGKoqOL4jn+cL/25uR1Q+CEpGaxUfZlzo89aOqvSL/tkSzgIZ/1joT0mkABR9ahMLIGD8r6Inm/i3W5W54qIXdEbhh+bpkaHWM65VtG2GAeshkkRTNDCgwdbHY7El5xfaqkaJPitK55HQlNrZKSK5vjQFTt1KkrD5L8hwsknGmBI85deV2yWk2ZbnrYc1o4gs9f1bxMuV5kvOmS/aMjl8tsc7FJHLBUvnsjP4gZo0No+c6ATkd9dGLfiRRCSAPOaPan0O1T4m8k7yxQVvu3nGh7ILg14bo5wdYcQY7KsaieeYuosOSNi9eRACxPAYaWhQGHp/VUOEfzoBdIeZ
X-Microsoft-Antispam-PRVS: <DM2PR0101MB1038BD50EF0AF09801CDEB57CA250@DM2PR0101MB1038.prod.exchangelabs.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:DM2PR0101MB1038; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0101MB1038;
X-Microsoft-Exchange-Diagnostics: 1; DM2PR0101MB1038; 4:QPZXKG2GaTtYF4pHBsRgpP2yE36xiBdK3Nupp43DqA1unzyA7wRREPRMKbuR4mDL77QN9Vx1cTbZcKgOJU3Bq19PMVRhIWftX0Vnwsem8eyp8O2nY/IzTPeSpPwc//EfmAJsR5+YILU+1S5ZKNdE2cYBs1o8LPv6RDPwYLIcCOG1GRpikZuCqb34fx369CEv+cUP/FHcNCZOV1iyt0EOLyC1no/xkjOoF/S9FCBvI0Pl5F0i1dLnf7D/VVKGtR0BDspRg7KGo2u6G5f94BFihfLkF2srnfsXRASrSPclUlzn0n6hTNB3NGzwF+HeBng2qBykeDtaczBKDo84P2ZiU+J9v9tQoSBz06B/V4PSk3HHlOg+twADZrumvC3DpdJ8SHDtPIMnc7RtaEDbZxOZbQqg7+SsecrV3y/S1QtGlEv/FnVyElDyRJg5bbcUkyOxBkLr187yZePFAasZK9fVZj4lpuVKByBXJ/CK73wMYMMhs3eXXyVTFsjtPGHNWsFG8hucBbgXmNOqdAU5yHYOdVG7TpFfRUvr2NgOgMf1hA7Z3Zx81eNXZkXcpliQjD0lYMVnVXxcu5JClfjBl60ULQ==
X-Forefront-PRVS: 0245702D7B
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6049001)(6009001)(39450400003)(24454002)(66066001)(77096006)(23676002)(6486002)(42186005)(6666003)(2351001)(50986999)(76176999)(53936002)(5660300001)(36756003)(90366009)(189998001)(6916009)(33656002)(2950100002)(50226002)(83716003)(229853002)(305945005)(25786008)(110136004)(6246003)(2870700001)(38730400002)(53546006)(2906002)(5640700003)(8676002)(7736002)(81166006)(82746002)(6116002)(3846002)(1730700003)(86362001)(47776003)(230783001)(2501003)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0101MB1038; H:[172.19.254.107]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;DM2PR0101MB1038;23:9cFjwm0ahNl2EqUncLFBk1xQuiqGIbXezQ/Vi49PSWp+bogzqHCUpdgfmscB5ZaT1iC+4h6v+rLyYagaPBUuUBp/7Pv66zKMjRAh1xbNNJkfjITPPTw1Rjw6GzwzoBN/2drZ8JkmxOOC5KFfUFuItBoDk1lvYz2ujCyfVjrF+g6fvM9XC4V8NPcVJQJwED9xlE/wZzRa2OTcQFJ9Up+Y7g9S/pQTYXh6TcfypM3misL7Q3UOfiGuKxO0BX3KycDByxv4efnC4gkeVcikV0c92b8V44KyABG4GMR3b5mT9x6ginAfa5uxHMLCnfv+lETFAdefOc0xNaAbQO7NxzgKIF5rJAoND3Tgf9x82l8CqVQLnr3qdQT/hpXfN91xXrPSmcndD3iSsYAtfL5kkPFVhMfD14aSu5nBTfRh12aX9e6Y2Qa1Ltuhq+3WBs3SH4hruKMfQhTcRPAAzxsEIjfQ2jgWb4WgZMP8Oui3ISzNpv0QsFXYum54MQlB+BmbtjlRJX0U+PRB+Y4pz/ot7ga/4OY8srYfWBzVakyj9IH10TPuLADSqlzJgw6Lov5rBnEw6Re+v7+9hUTwfROMBUrx0Q7AmuPn1pCbl4oaeBx6Nc+hwDbWc/xYPoqLxKLkXA4JF8R+A0ln1CMjCab4S+eyChh2LWfBkJmsuD3Dsf3ZTRoxjzSCxGD0IAKczFdufWcZhnMj1EGfa0bvmmT+MgJBj5M61S8shLiCi0mX1A4jWnUXyvx3H+G4Tofc5VT3+ugVjH7pYCuEymVeUt+Z/zs0CklJz4tSo5NNgs/jO82qNTNmGr5Jk1vHjmq1NnngrUpqQS7Qw4upGbTi3bvOdSJoEWsRLlGpbh9QHMOlkDAZXtAJyKrVJCnGkstUHRsSu2ppUk5UrZP1DXK0lRdcjPw/SWgolkBvQncS+5aiWvRnqJYUL5Vbf5M3rYruCkVdneOw/K2gaABcNcEY8Ym54SM5chiOVNXto7NelH9pW2dVjXKyT+nO9c5+RMMEQIEKlmcEz0YtWaiR5akdBTHC8FihXfById9/SbZpQD7cOgx+YEAXwhzQEyuQHI1BuWx1eQ0gHs9JPQTBpxwoGGj5yc5hElGDs+6KJ7Lcced63MHgPNA=
X-Microsoft-Exchange-Diagnostics: 1; DM2PR0101MB1038; 6:btPERTMwhwqYt6+Qez2G8tcN8sKVHxJQBlrHy+X3wk71toqLepu7DL4YVbMPAudY1kN0DKUldU3uyi9z0BRrVk2UfyLd4KPtX6WTYD4y/TxsbmvcDhbE2tk59tW98JpkoIzL5EgNZ4OZFZI1+udtDba0q/R1WIlZ112y0Ld+hg4bfbf6SiH9LGojCwdg7sTj9roU4NVtR8gcIcC5YOtSA6sZnlrFaF9u/FoiG1SaZ+tAe2yinbIdHrVqBnqbMlp4PWTrVfI9A2drzStvHq6jpGnXrE/2ZjgIyvOdnJ7dNx4ptNxTDj+FaeYkN29yyu1wqGsvHYeuTLWaLQms3AJzsGX+985j7VmNJ6DqGbmcjJvmB9edc3XMyasD7HwYmk3iB5BZuF4xQst5uzjTs8Wc/g==; 5:HAjCWbDjnavPDKNEQI3CwxZihWw9MGhsUw9M1KSVEZam2OxdBKVQl8z/lhRjzUZTsZx+dSQAFhOS07QJBrpj899U0lckAnU8k2YGwxtrXCl6O3EUC3RBOlIA8kfXeY/K9r4G+z0Z+oZKZPgu5jFq2w==; 24:Gg389dOWt/BcxJ521STjCmLiMNoJBoylii6AytyNWBASLfd+R5Cy2EkkUAmeWcIhgNo7flR+hh8FqHSpxQdl6WUjvLz+cmf+Zzv5HceB4No=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; DM2PR0101MB1038; 7:jzm8FfjadthZYOjETPk0z0UfaxwKggwTei/KuE/yfJBU5SIbUWR/YKt/fGJ4Asf2U0kJ+ML2PRWHigZbbHME7cKji6gw7B7W+ONI2l3OeLyxb0MLn8lecVUZA/qEdsw+re//uuR3c9x7SBfn7zJu7Tp9S580wb9X+z++BJs4KtLT9Xaumf015tMa9MefGGLoA4x2sITkh/CrnyUExo9bnhhdc4dkcpoECxYYWlUubMcJYwLjrjwOoFR2McHEoj4bKA0VITcpWmt5oyrCHHhLVdSWm6NgsIp/eq4lW+tOHcoulB3t6VWe1yzq2bjitqRxJnNY/hLHbvQZfT3k7p1MqA==
X-OriginatorOrg: arbor.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Mar 2017 08:42:07.1210 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0101MB1038
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/768JjtQRMJFDDMdY5yZuJXLmpQk>
Subject: Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 08:42:13 -0000

On 13 Mar 2017, at 14:37, Zhenghui (Marvin) wrote:

> So, we’d like to hear from the WG, is that some pointers can be 
> given on the next step of the draft,

The draft belies a lack of understanding of how current IPFIX 
capabilities are utilized every day to detect, classify, and traceback 
DDoS attacks.  It makes factually incorrect statements such as 'not 
suitable for attack detection, and impractical suggestinos such as 
'connection sampling' which a) won't work on routers/layer-3 switches of 
any size and b) are unnecessary.

It is suggested that the authors of the draft gain operational 
experience using existing IPFIX implementations and IPFIX 
collection/analysis systems in order to fully understand the utility of 
IPFIX as presently defined as well as the full range of capabilities of 
IPFIX collection/analysis systems.  It would also be a good idea for the 
authors of the draft to understand the division of labor between IPFIX 
exporters and IPFIX collectors/analyzers, as well as the capabilities 
and limitations of hardware-based routing/switching platforms.

> We submitted this draft to DOTS because IPFIX WG had been closed

It is entirely possible to re-open the IPFIX WG, if it is deemed useful 
to do so.  The authors of the draft should contact the appropriate Area 
Director in order to discuss.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>

v2.23.0 | Report a Bug | By Email