Re: [Dots] Paul Wouters' Discuss on draft-ietf-dots-multihoming-11: (with DISCUSS and COMMENT)
mohamed.boucadair@orange.com Thu, 21 April 2022 07:33 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178E93A0D12; Thu, 21 Apr 2022 00:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UhWjH6yXwZD3; Thu, 21 Apr 2022 00:33:48 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D16863A0039; Thu, 21 Apr 2022 00:33:47 -0700 (PDT)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar22.francetelecom.fr (ESMTP service) with ESMTPS id 4KkTmn6Yl9z2yMr; Thu, 21 Apr 2022 09:33:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1650526425; bh=Bl0o7XM7SDbUel9gsdrLAMhqD4eTnohYnvt5VTf1Q7c=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=uHKO4B0nKXHl8COdLDlXJcG9QkG/wc1cveewYRj9x742vHHopXESgqkAeJxs3hsan E7QbssZg2fsCYkACH5hIfYbo2nnJtkTBOV5m5UYW7WebKq8W4JXc7/5l263hD2MQwF ytDHOKB15S5EK80J+uNHEwkgzkJdf/2qYbaKue7kb3O2g37pd5ZOoRxwEOaRd9uqjA /YLEkTWesA0w9QKLhy4KkCwNZfWJzyzNIjjQDxbdOJ6iDssr7sbZIht6kyyEN2DYsu 1vTNWkSfoXdnpPxsDDZtRIyjsrl/4YwKwla4w3SXTwCryrISiMBQlmzuvDQAQj6jrG 6N9lfuHaO0biw==
From: mohamed.boucadair@orange.com
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dots-multihoming@ietf.org" <draft-ietf-dots-multihoming@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-dots-multihoming-11: (with DISCUSS and COMMENT)
Thread-Index: AQHYVR58XCpTSlAckkatuvJgAolqlaz55otA
Content-Class:
Date: Thu, 21 Apr 2022 07:33:45 +0000
Message-ID: <24382_1650526425_626108D9_24382_108_1_5fa53a2f90504c5fab4d00361ec0051f@orange.com>
References: <165050423925.9388.8731199064028378279@ietfa.amsl.com>
In-Reply-To: <165050423925.9388.8731199064028378279@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2022-04-21T06:24:29Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=0c45c8e7-9f2b-4bc9-bf87-45df765a6a84; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.26.50]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/9FBpA3fbVjr7syeFepENFL0HLwc>
Subject: Re: [Dots] Paul Wouters' Discuss on draft-ietf-dots-multihoming-11: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2022 07:33:53 -0000
Hi Paul, Thank you for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Paul Wouters via Datatracker <noreply@ietf.org> > Envoyé : jeudi 21 avril 2022 03:24 > À : The IESG <iesg@ietf.org> > Cc : draft-ietf-dots-multihoming@ietf.org; dots-chairs@ietf.org; > dots@ietf.org; valery@smyslov.net; valery@smyslov.net > Objet : Paul Wouters' Discuss on draft-ietf-dots-multihoming-11: > (with DISCUSS and COMMENT) > > Paul Wouters has entered the following ballot position for > draft-ietf-dots-multihoming-11: Discuss > > When responding, please keep the subject line intact and reply to > all email addresses included in the To and CC lines. (Feel free to > cut this introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT > positions. > > > The document, along with other ballot positions, can be found > here: > https://datatracker.ietf.org/doc/draft-ietf-dots-multihoming/ > > > > ------------------------------------------------------------------ > ---- > DISCUSS: > ------------------------------------------------------------------ > ---- > > Thanks for a clear document and thanks to Kathleen for the SecDir > review. I > have one minor DISCUSS item that can probably be resolved easily > by adding a > sentence or two. > > [1] > The DOTS client SHOULD use the certificate > provided by a provisioning domain to authenticate itself to the > DOTS > server(s) provided by the same provisioning domain. > > This sentence suggests there is either another authentication > method [Med] Yes. RFC9132 includes the following: Implementations compliant with this profile MUST implement all of the following items: ... * At least one of raw public keys [RFC7250] or PSK handshake [RFC4279] with (EC)DHE key exchange. This reduces the size of the ServerHello. Also, this can be used by DOTS agents that cannot obtain certificates. Added this NEW: The reader may refer to Section 7.1 of [RFC9132] for more details about DOTS authentication methods. , or it > allows for unauthenticated DOTS clients. If the latter, than I > would expect a > significant Security Considerations section on how to avoid/reduce > malicious > clients impact of such a setup. eg I could envision a compromised > device from > falsely reporting a DDOS attack from a certain network to block > the compromised > device/network from receiving traffic from certain remote > networks. > > > ------------------------------------------------------------------ > ---- > COMMENT: > ------------------------------------------------------------------ > ---- > > Some links seem broken in the rendering of the htmlized version in > the > datatracker, for example "[RFC8174]" in Section 2. > [Med] Thanks. Will double check. > It talks about DOTS clients, DOTS servers, and then suddenly DOTS > agents. Are > those clients or servers or something else? "agents" are not > mentioned in the > Introduction or Terminology sections. (Unfortunately, looking at > RFC 8811 did > not help me as it has the exact same problem of only defining DOTS > clients and > DOTS servers and then mentioning DOTS agents. [Med] This was defined in RFC8612: DOTS agent: Any DOTS-aware software module capable of participating in a DOTS signal or data channel. It can be a DOTS client, DOTS server, or, as a logical agent, a DOTS gateway. We are pointing to 8811, which itself includes the following: This document uses the terms defined in [RFC8612]. Added a direct pointer to 8612 for the reader's convenience. > > Similarly, the term "DOTS Gateway" appears without explanation. Is > this a proxy > like DOTS server for clients and a DOTS client to the real DOTS > server? [Med] This is also defined in RFC8612. > > I'm a bit confused about the applicability of the enduser CPE > case. Wouldn't a > lot of deployments have the CPE in bridging mode so that the > customers own > favourite device gets the actual IP address on it instead of being > behind the > CPE with NAT? Is there a deployment scenario possible for that? [Med] The intent is not to be exhaustive as mentioned in the document: This section describes some multi-homing scenarios that are relevant to DOTS. In the following subsections, only the connections of border routers are shown; internal network topologies are not elaborated. We approached the topologies from L3 (hence the use on purpose of "router" in this text). > > I would move Figure 5 up to the start of the section. I now had to > scroll down > a lot and then back up again, and then when done reading had to > skip the figure > 5. [Med] Sure. Done. > > If PI addresses/prefixes are in use, the DOTS client MUST send > a > mitigation request to all the DOTS servers. The use of anycast > addresses to reach these DOTS servers is NOT RECOMMENDED. > > Why is the recommendation about anycast addresses limited to PI > space? [Med] Because for the PA case, multiple IP addresses/prefixes can be assigned directly to the client (IPv6 case). The source address can be set as function of the mitigation to be sent. Couldn't > there by multicast addresses in both PA and PI space? [Med] That taxonomy does not apply for multicast addresses. (I guess your question is whether we can have multicast addresses that are specific to a network, the answer is yes: unicast-prefix-based multicast. However, that's not related to the topic of this draft) > > a prefix filter that will be against DDoS detection alarms > > I don't quite parse/understand "will be against" ? [Med] Changed to "a prefix filter that is used to filter DDoS detection alarms". > > _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Paul Wouters' Discuss on draft-ietf-dots-m… Paul Wouters via Datatracker
- Re: [Dots] Paul Wouters' Discuss on draft-ietf-do… mohamed.boucadair