Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

kaname nishizuka <kaname@nttv6.jp> Mon, 02 October 2017 04:53 UTC

To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Dots@ietf.org" <Dots@ietf.org>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D19B@DGGEML502-MBX.china.huawei.com> <DM5PR16MB17880F012FB44009155ADCA1EAB50@DM5PR16MB1788.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D39C@DGGEML502-MBX.china.huawei.com> <DM5PR16MB17888218351CF06BDF691F34EAB50@DM5PR16MB1788.namprd16.prod.outlook.com> <2acd7300-6684-1491-4f98-7029d0b7c1b0@nttv6.jp> <DM5PR16MB17880DA8BDE932F1A758E27AEA7E0@DM5PR16MB1788.namprd16.prod.outlook.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <b6399159-a13e-ac06-f876-00285511b1f7@nttv6.jp>
Date: Mon, 02 Oct 2017 13:53:44 +0900
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/9kumnUt_-2YRmJX_jDxHjvqn6yY>
Subject: Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

OK!

The reason why I need the clarification is that the line in Section 9, "Also, DOTS gateway and DOTS server MUST perform mutual authentication using certificates.", is confusing.
I feel it needs to be clarified in the signal channel draft or the new draft in which case the certificates are mandatory.
I think that is the case where DOTS agents are in different domains.

thanks,
kaname


On 2017/09/29 13:22, Konda, Tirumaleswar Reddy wrote:
>
> The signal channel draft does not mandate certificates for mutual authentication (using an AAA server is only an example deployment). DOTS agents in the same domain can use other mechanisms like TLS-PSK and SPKI. Andrew and I are planning to put up a draft on DOTS provisioning.
>
> -Tiru
>
> *From:* Dots [mailto:dots-bounces@ietf.org] *On Behalf Of* kaname nishizuka
> *Sent:* Friday, September 29, 2017 6:02 AM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank) <frank.xialiang@huawei.com>; Dots@ietf.org
> *Subject:* Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
> Hi Tiru,
>
> In section 9 of the signal-channel draft, an AAA server exists.
> Let me clarify the text.
>
> Mutual authentication between a DOTS client and a DOTS gateway MUST use (client) certificates?
> Between them (in the same domain), a mutual authentication without certificates (i.e. choices other than EAP-TLS) would be a good option, if it meets the mutual authentication and encryption requirement.
>
> TLS-PSK mode and Subject Public Key Info (SPKI) look good to me.
>
> I hope those options will be discussed in the WG meeting.
>
>
> On 2017/08/07 19:19, Konda, Tirumaleswar Reddy wrote:
>
>     You may want to look into https://tools.ietf.org/html/rfc6959#section-7
>
>     <snip>
>
>     Even if every Internet-connected network implements source address
>     validation at the ultimate network ingress, and assurances exist that
>     intermediate devices are to never modify datagram source addresses,
>     source addresses cannot be used as an authentication mechanism.
>
>     -Tiru
>
>     *From:* Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
>     *Sent:* Monday, August 7, 2017 3:28 PM
>     *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Dots@ietf.org
>     *Subject:* Re: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
>     Hi Tiru,
>
>     Thanks for your analysis. It makes sense to me~~
>
>     To be accurate, an IP whitelist does not relax the mutual authentication requirement, but it does lose the encryption benefits.
>
>     B.R.
>
>     Frank
>
>     *From:* Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
>     *Sent:* August 7, 2017 17:51
>     *To:* Xialiang (Frank); Dots@ietf.org
>     *Subject:* RE: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
>     TLS supports pre-shared key based authentication. The other mechanism is a Subject Public Key Info (SPKI) fingerprint pin set for mutual authentication (self-signed certificates or raw public keys) without having to deal with a CA.
>
>     I don’t think DOTS should relax the mutual authentication and encryption requirements.
>
>     -Tiru
>
>     *From:* Dots [mailto:dots-bounces@ietf.org] *On Behalf Of* Xialiang (Frank)
>     *Sent:* Monday, August 7, 2017 6:25 AM
>     *To:* Dots@ietf.org
>     *Subject:* [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
>
>     In addition to IP whitelist and certificate, a pre-shared key can also be an option.
>
>     Right?
>
>     *From:* Dots [mailto:dots-bounces@ietf.org] *On Behalf Of* Xialiang (Frank)
>     *Sent:* August 7, 2017 8:52
>     *To:* Dots@ietf.org
>     *Subject:* [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?
>
>     Hi,
>
>     I think the direct use of an IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, like: the DOTS client does not support certificates, an ISP which detects the spoofed source address, etc.
>
>     So, should we support this as an optional way for the DOTS client’s AA and add it into the DOTS protocol drafts?
>
>     B.R.
>
>     Frank
>
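Added example, not from the signal-channel draft or from any participant in this thread: a Go sketch of the SPKI fingerprint pin set Tiru describes above, in its self-signed-certificate form. It assumes ECDSA P-256 keys and a pin set provisioned out of band; the raw-public-key variant is not shown because Go's standard TLS stack does not implement it, and the certificate here is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin parses a DER certificate and returns base64(SHA-256(SubjectPublicKeyInfo)),
// the value a DOTS operator would provision to the peer out of band.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinVerifier returns a callback with the signature of tls.Config.VerifyPeerCertificate.
// The peer is accepted only if its leaf SPKI digest is in the pin set, so self-signed
// certificates work with no CA; verifiedChains is ignored, so this check must be strict.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		pin, err := spkiPin(rawCerts[0])
		if err != nil || !pins[pin] {
			return fmt.Errorf("peer SPKI pin %q not accepted (parse error: %v)", pin, err)
		}
		return nil
	}
}

// selfSignedDER mints a throwaway self-signed ECDSA certificate (constructed test data).
func selfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := selfSignedDER()
	pin, _ := spkiPin(der)
	fmt.Println("pin:", pin, "accepted:", pinVerifier(map[string]bool{pin: true})([][]byte{der}, nil) == nil)
}
```

In a real deployment the callback is installed as `VerifyPeerCertificate` on both the client and the server side, with `InsecureSkipVerify` (client) or `ClientAuth: tls.RequireAnyClientCert` (server) disabling the CA chain check it replaces.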