Re: [Dots] AD evaluation of draft-ietf-dots-use-cases-20
Benjamin Kaduk <kaduk@mit.edu> Thu, 14 May 2020 02:49 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B7703A0934; Wed, 13 May 2020 19:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ps2sRW2paqzI; Wed, 13 May 2020 19:49:24 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 735A83A0933; Wed, 13 May 2020 19:49:23 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 04E2nIW5002628 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 May 2020 22:49:20 -0400
Date: Wed, 13 May 2020 19:49:18 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: draft-ietf-dots-use-cases.all@ietf.org, dots <dots@ietf.org>
Message-ID: <20200514024918.GQ27494@kduck.mit.edu>
References: <20200512202205.GF27494@kduck.mit.edu> <CADZyTkkk1rgnUOc=pnPWQbLB5vcniko_QDKn_pwYz0hTL79=dw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CADZyTkkk1rgnUOc=pnPWQbLB5vcniko_QDKn_pwYz0hTL79=dw@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/9AaZL5_jhqXUIftd3HBmCGELDRc>
Subject: Re: [Dots] AD evaluation of draft-ietf-dots-use-cases-20
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 02:49:27 -0000
Hi Daniel, Just a few replies inline. On Wed, May 13, 2020 at 12:06:45PM -0400, Daniel Migault wrote: > Hi, > > Thank you Ben for you comments. Please find inline how these have been > addressed. The updated version has been pushed to [1]. > > The main questions I have for the co-authors are: > * does the change of volumetry to volume causes any concern ? > * I guess we could be a little be more specific regarding the delegation > and the pre-arrangement, in particular if BGP is secured. Please update > the text that has been proposed. > > Yours, > Daniel > > > [1] https://github.com/dotswg/dots-use-cases > > On Tue, May 12, 2020 at 4:22 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > > Hi all, > > > > This one is in pretty good shape -- I don't have any major comments on it. > > I did write up some editorial nit-level stuff as a github pull request: > > https://github.com/dotswg/dots-use-cases/pull/12 . I think that nothing > > there should be controversial, but please let me know if I am wrong about > > that. > > > > Please confirm that all six authors made significant contributions: I > > will need to defend this to the rest of the IESG, since per RFC 7322 the > > author count is generally limited to five individuals. Right now I don't > > have a good response when someone asks. > > > > <mglt> > As far as I know all authors mentioned significantly contributed to the > document. It is true that there are many co-authors, but I think that > reflected that DOTS needs to coordinate multiple actors that were not so > much coordinated before. > </mglt> Thanks, that is good to know. > > > > Section 1 > > > > As DDoS solutions are broadly heterogeneous among vendors, the > > primary goal of DOTS is to provide high-level interaction amongst > > differing DDoS solutions, such as detecting, initiating, terminating > > DDoS mitigation assistance or requesting the status of a DDoS > > mitigation. > > > > nit: the list structure is not properly parallel. It looks like the > > various clauses are meant to be "detecting DDoS", > > "initiating/terminating mitigation assistance", and "requesting > > mitigation status", so maybe this could become: > > > > % As DDoS solutions are broadly heterogeneous among vendors, the > > % primary goal of DOTS is to provide high-level interaction amongst > > % differing DDoS solutions, such as detecting DDoS attacks, > > % initiating/terminating DDoS mitigation assistance, or requesting the > > % status of a DDoS mitigation. > > > > <mglt> > fixed > </mglt> > > > Section 3.1 > > > > Over the course of the attack, the DOTS server of the ITP > > periodically informs the DOTS client on the enterprise DMS mitigation > > status, statistics related to DDoS attack traffic mitigation, and > > related information. Once the DDoS attack has ended, or decreased to > > the certain level that the enterprise DMS can handle by itself, the > > DOTS server signals the enterprise DMS DOTS client that the attack > > has subsided. > > > > It's interesting that this is worded in such a way that the (ITP) DOTS > > server knows the specific threshold for what level of attack traffic the > > enterprise DMS can handle, since it's the DOTS server signalling to the > > client that "the attack has subsided". > > > > <mglt> > In most cases, if I recall correctly, we expect this to reflect a > contractual relation. That said, it is ultimately the DOTS client that > terminates the mitigation. To remove the impression that the ITP sort of > controls the DOTS client, I propose to change "can handle" by "may > handle". Here is the updated text: > > Once the DDoS attack has ended, or decreased to the certain > level that the enterprise DMS may handle by itself, the DOTS server > signals the enterprise DMS DOTS client that the attack has subsided. > </mglt> I'd consider "might" instead of "may", since sometimes in English "may" has a connotation of granting permission. > Section 3.3 > > > > Upon receipt of the DOTS mitigation request from the DDoS telemetry > > system, the orchestrator DOTS server responds with an acknowledgment, > > to avoid retransmission of the request for mitigation. The > > orchestrator may begin collecting additional fine-grained and > > specific information from various DDoS telemetry systems in order to > > correlate the measurements and provide an analysis of the event. > > Eventually, the orchestrator may ask for additional information from > > the DDoS telemetry system; however, the collection of this > > information is out of scope. > > > > The last sentence seems to say that how the orchestrator gets data from > > the initial DOTS client telemtry system is out-of-scope, but the > > previous sentence talks about the orchestrator collecting information > > from (other) DOTS telemetry systems. Is that similarly out of scope? > > If so, then the fact that they are specifically *DOTS* telemetry systems > > seems irrelevant and we should probably just describe them as generic > > telemetry or monitoring systems. > > > > <mglt> > I agree that we should not have DOTS telemetry systems and leave them as > DDoS telemetry systems. I checked the current version and there is no > mention of DOTS telemetry but only DDoS telemetry. Oops, I seem to have misread this text! Of course, generic DDoS telemetry systems make sense in this context. > I also suggest the we specify that such collection is out of scope of DOTS. > with the following sentence: > > the collection of this information is out of scope of DOTS. Okay. > </mglt> > > > > Upon receiving a request to mitigate a DDoS attack performed over a > > target, the orchestrator may evaluate the volumetry of the attack as > > > > nit(?): is "performed over" a conventional usage? I would have expected > > something more like "aimed at" given my personal background, but could > > just be ignorant of typical usage. > > > <mglt> > changed. > </mglt> > > > > > Also, I think "volumetry" is not the right word here, and just "volume" > > suffices. > > > <mglt> > I am fine either way. The current version changed to volume, but I am > waiting co-authors to confirm they agree with the change. > </mglt> > > > > > filter the traffic. In this case, the DDoS mitigation system > > implements a DOTS client while the orchestrator implements a DOTS > > server. Similar to other DOTS use cases, the offloading scenario > > assumes that some validation checks are followed by the DMS, the > > orchestrator, or both (e.g., avoid exhausting the resources of the > > forwarding nodes or disrupting the service). These validation checks > > are part of the mitigation, and are therefore out of the scope of the > > document. > > > > I know we added this last chunk of text after a long exchange during the > > last WGLC, and understand the desire to avoid going into too many > > details on a topic that is mostly out of scope for DOTS. That said, I'd > > suggest adding a couple more words around "disrupting the service" > > (especially since some level of service disruption during an attack > > might be expected!) to help the reader make the link to what kind of > > validation is expected, perhaps something like "inadvertent disruption > > of legitimate services". > > > > <mglt> > fixed with the follwoing snetence: > > Similar to other DOTS use cases, the offloading scenario assumes that some > validation checks are followed by the DMS, the orchestrator, or both (e.g., > avoid exhausting the resources of the forwarding nodes or inadvertent > disruption of legitimate services). > </mglt> > > > Section 4 > > > > In light of my previous comment I don't want to go too far here, but I > > could see it being relevant to have a note that in the "orchestration" > > case it's possible for something that locally to one telemetry system > > looks like an attack is not actually an attack when seen from the > > broader scope (e.g., of the orchestrator). > > > > <mglt> > I added the note in the following paragraph. > > These systems are configured so that when an event or some measurement > indicators reach a predefined level their associated DOTS client sends a > DOTS mitigation request to the orchestrator DOTS server. The DOTS > mitigation request may be associated with some optional mitigation hints > to let the orchestrator know what has triggered the request. In particular, > it's possible for something that locally to one telemetry system looks like > an attack is not actually an attack when seen from the broader scope (e.g., > of the orchestrator) > </mglt> > > In the Third Party MSP case we mention BGP as a way to steer traffic to > > the mitigation service. We could consider (but don't have to) > > mentioning that efforts to secure BGP will need to be considered when > > making pre-arrangements for how traffic is to be moved, since in some > > contexts such BGP announcements could themselves be considered to be an > > attack. > > > > <mglt> > Being ignorant on BGP, I am wondering if you are thinking of a BGP > procedure to announce routes or some procedure for enabling a delegation > when BGPsec is considered. I think either could be problmatic in some (rare?) circumstances -- I believe in some cases there are allow-lists for which neighbors' announcements of which prefixes are acted upon, and of course when the RPKI comes into play that needs to validate properly as well. > I porpose the following text: > > These exact mechanisms > used for traffic steering are out of scope of DOTS, but will need to be > pre-arranged, while in some context such changed could be detected and > considered as an attack. I agree with the other commenters that a separate BCP is where the details should be covered. > </mglt> > > > I guess it probably goes without saying that when you add a third-party > > DMS to your setup, you depend on that third party to be operational in > > order for your setup to work properly. > > > > Section 7 > > > > We'll probably get someone asking to move RFC 8612 to be a Normative > > reference since we use it for terminology, but I don't mind leaving it > > be for now. > > > > <mglt> > I put it as normative. Thanks, Ben
- [Dots] AD evaluation of draft-ietf-dots-use-cases… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Teague, Francis
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… kaname nishizuka
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Jon Shallow
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault
- Re: [Dots] AD evaluation of draft-ietf-dots-use-c… Daniel Migault