IETF Logo Mail Archive

Re: [Dots] clarification questions from the hackathon

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 28 March 2019 18:07 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3AF81202FA for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 11:07:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5cqSdIHTRC8 for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 11:07:23 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED68B1202CC for <dots@ietf.org>; Thu, 28 Mar 2019 11:07:22 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1553796176; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=k PeiOo8vVfvZwLPAh97Ma4Fg1aPtfCQe1f6sp2xm6X 8=; b=NaLnIwi0LGKUIPoeb2uaI5hWVFh/on3UQg2YYIRD2OZu vy2PqtfVb+hnem2AIzKqd1O6iyOJWz2qrjekkWyRqCrLMAtLR1 ogBDc5tnUf0+iIgxNg3lftXSCjfkrTCs957vw8YBnOcAbt8dpw Mt2neK0kXxfct5cQsNSUm2WFnJQ=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 4a7e_67bb_7b19ec73_5389_41c0_a5a5_8977d6c4ec26; Thu, 28 Mar 2019 12:02:55 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 28 Mar 2019 12:07:06 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 28 Mar 2019 12:07:06 -0600
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 28 Mar 2019 12:07:04 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2919.namprd16.prod.outlook.com (20.178.235.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.15; Thu, 28 Mar 2019 18:07:04 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::45af:2add:90a4:135f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::45af:2add:90a4:135f%3]) with mapi id 15.20.1750.014; Thu, 28 Mar 2019 18:07:04 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] clarification questions from the hackathon
Thread-Index: AdTliGx+SHuMyqAwQXGIbxMDIEwnuAAAWf7QAAF98IAAABL/EA==
Date: Thu, 28 Mar 2019 18:07:04 +0000
Message-ID: <BYAPR16MB2790778A96CA207625A0F471EA590@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <108a01d4e588$72f886b0$58e99410$@jpshallow.com> <BYAPR16MB27904C04BA21625D7635237CEA590@BYAPR16MB2790.namprd16.prod.outlook.com> <109501d4e58f$cea682d0$6bf38870$@jpshallow.com>
In-Reply-To: <109501d4e58f$cea682d0$6bf38870$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.125.224.9]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ece107c-844e-4d5c-3e99-08d6b3a82f02
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2919;
x-ms-traffictypediagnostic: BYAPR16MB2919:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR16MB291919E25B4CCC71D0E8A2FBEA590@BYAPR16MB2919.namprd16.prod.outlook.com>
x-forefront-prvs: 0990C54589
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(39860400002)(376002)(366004)(136003)(32952001)(199004)(189003)(13464003)(106356001)(14454004)(102836004)(8676002)(6246003)(14444005)(256004)(81156014)(2906002)(55016002)(6436002)(81166006)(6306002)(26005)(110136005)(76176011)(5024004)(9686003)(80792005)(105586002)(229853002)(25786009)(86362001)(5660300002)(7696005)(72206003)(53936002)(6116002)(66574012)(3846002)(486006)(478600001)(52536014)(99286004)(186003)(316002)(446003)(66066001)(2501003)(53546011)(966005)(74316002)(71200400001)(8936002)(305945005)(6506007)(33656002)(68736007)(476003)(71190400001)(11346002)(97736004)(7736002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2919; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: iof3zjg5aaoj8I9wE0r1q/LjDPye0J9Sdc972kKGt0MK5m3Muu+EMzb3Kw5KTQWzGNiqCAV406c8Sq64j/ocNsi9f92Rp3+dM9fuG0t8ovPVXoa+NP1N5k3qv7VSFiWb6r0pDLU/toQRxId9VaSRdWS6PHJKejOHJ53RihGlBzaNft/KtKPivT/p2JvjJ1EujiAITqOCL7R37nuboO3VY4fuWpyIgvfXNjg6yrqBv6UwWMgpRmrcLRhqSZ+HblTYslkhVNKfSxD7jZICeQuAm5DGr/n2cXWbugWk/ekd3kPuxp8YgAzZqTzDy0yP/Z4ibPMFmmGGtcZx+r2XS/wF+hBsgdoOOxoSXPO9hEMdg4CgNibq4gxytc8HC+BlN9BdoNEM8POj4KL6coGvsJcTGyI3JYYZUeEwhVse71gLyrA=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ece107c-844e-4d5c-3e99-08d6b3a82f02
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2019 18:07:04.1575 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2919
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6513> : inlines <7045> : streams <1817037> : uri <2821409>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/A_m4042wCXmoP11aznsw1GYTdew>
Subject: Re: [Dots] clarification questions from the hackathon
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 18:07:27 -0000

> -----Original Message-----
> From: Jon Shallow <supjps-ietf@jpshallow.com>
> Sent: Thursday, March 28, 2019 6:58 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> mohamed.boucadair@orange.com; kaname nishizuka <kaname@nttv6.jp>;
> dots@ietf.org
> Subject: RE: [Dots] clarification questions from the hackathon
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> Hi there,
> 
> See inline Jon1
> 
> Regards
> 
> Jon
> 
> > -----Original Message-----
> > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> > Tirumaleswar Reddy
> > Sent: 28 March 2019 17:39
> > To: Jon Shallow; mohamed.boucadair@orange.com; kaname nishizuka;
> > dots@ietf.org
> > Subject: Re: [Dots] clarification questions from the hackathon
> >
> > > > > -----Message d'origine-----
> > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname
> > > > > nishizuka Envoyé : jeudi 28 mars 2019 11:38 À : dots@ietf.org
> > > > > Objet
> > > > > : [Dots] clarification questions from the hackathon
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'd like to continue discussion of these topics in the ML.
> > > > >
> > > > > #1: Questions about signal-control-filtering
> > > > >   1. Should a mitigation request create a mitigation before
> > > > > doing a PUT + acl-list [{acl-name, activation-type}] against the
> > > > > active mitigation, or is a ‘PUT + acl-list [{acl-name, activation-type}]’
> > > > > allowed to create a new mitigation?
> > > >
> > > > [Med] Both are currently allowed in the draft. I don't still a
> > > > valid reason to restrict this.
> > >
> > > [Jon] As per draft
> > >    A DOTS client MUST NOT use the filtering control over DOTS signal
> > >    channel if no attack (mitigation) is active;
> > >
> > > [Jon] then needs to be reworded as there is no active mitigation
> > > until the PUT is done...
> > > I believe that both cases should be supported.
> >
> > Agreed.
> >
> > > >
> > > > >   2. Should the response to a GET (or Observed GET) include the
> > > > > acl-list [{acl-name, activation-type}] if the PUT included it?
> > > >
> > > > [Med] The current spec says "no". That's said, what would be the
> > > > value in returning it? Then, why not allowing to return the
> > > > references to all ACLs that are enabled during the mitigation time?
> > > >
> > > [Jon] When observing the mitigation request, if the activation-type
> > > is changed externally, the client will then know about the change.
> > > Assuming the response got back to the client, this is effectively an
> > > ACK to the fact that the ACL change got through.
> >
> > Yup,  the GET response should include the acl-list. We will also have
> > to discuss if the observed GET should convey the counters for the
> > activated filtering rules using DOTS signal channel.
> 
> [Jon1] Interesting one - we already have bytes-dropped etc. as an overall
> return.  

The don't think bytes-dropped includes the overall bytes dropped. If the client activates a rate-limit ACL, the ACL could be applied at the PE router (because the DMS is not capable of handling the attack volume).
The rate-limit ACL will rate-limit both legitimate and attack traffic, and the DMS will scrub the rate-limited traffic and drop the attack traffic.

-Tiru

Whilst I like the concept of reporting the ACL acl-counters, with a
> reasonable number of ACLS, there is a good chance of having to split the
> response over multiple packets - which is supported (RFC7959 and tested
> during an Interop), but gets very unreliable when the inbound pipe is
> running full.  If the pipe is not running full, then this information can be
> obtained over the data channel.
> 
> ~Jon1
> >
> > >
> > > Interesting concept about knowing about all the relevant ACLs as
> > > returned over the signal channel.  More work for the server to do in
> > > determining which ACLs are valid for, say, a specific IP address that is
> being mitigated.
> > > Not entirely convinced of the benefit of this as this generally is
> > > available over the data channel.
> > >
> > > > >   3. Does the response to the PUT (the echoed back response
> > > > > payload of the PUT representation
> > > > > https://tools.ietf.org/html/rfc7252#section-5.9.1.1 ) include
> > > > > the acl-list (if
> > > defined) or not?
> > > >
> > > > [Med] It doesn't as we don't change the behavior of the base spec.
> > > >
> > > [Jon] By base spec I assume you mean the signal draft.  However the
> > > answer has to be "yes - it is included" if following RFC7252 5.9.1.1
> > > and "The payload returned with the response, if any, is a representation
> of the action result".
> > >
> > > Again, it is letting the client know that the PUT actually did get
> > > through (assuming the response gets through) prior to doing any GETs.
> >
> > Yup, the PUT response should include the acl-list.
> >
> > > ~jon
> > >
> > > > >   4. Is the activation change to the ACL a permanent change to
> > > > > the ACL (so a GET on the data channel returns the new type)?
> > > >
> > > > [Med] Yes. The draft will be updated to make this clearer.
> > > >
> > > > >   5. Does the activation change to the ACL count as an ACL
> > > > > refresh
> > > > > (pending- lifetime update)?
> > > >
> > > > [Med] Yes. Some text will be added to clarify the refresh point.
> > > > That's said, as discussed in the data-channel, the dots client may
> > > > need to send a GET after an attack for sync purposes.
> >
> > If the pending-lifetime expires when the mitigation is active, the
> > DOTS server must not delete the aliases and filtering entries.
> > We may want to update DOTS data channel to clarify the above point.
> >
> > Cheers,
> > -Tiru
> >
> > > >
> > > > >   6. Is CBOR activation –type comprehension-required or
> > > > > comprehension- optional?
> > > > >
> > > >
> > > > [Med] This is a comprehension-required attribute (already
> > > > discussed in the draft).
> > > >
> > > > > Regarding with the 1st point, we got feedbacks from Med and Tiru
> > > > > that both should be allowed.
> > > > > If ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to
> > > > > create a new mitigation, it should be treated as this is a
> > > > > request in "attack-
> > time".
> > > >
> > > > [Med] I confirm.
> > > >
> > > > >
> > > > > (#2: Data Channel Implicit protocol number was addressed clearly
> > > > > by Med's
> > > > > comment.)
> > > > >
> > > > > #3: (D)TLS session lifetime
> > > > >  From the view point of DOTS server, when to expire the old
> > > > > (D)TLS session
> > > > is
> > > > > implementation specific though, I'd like to hear from experts
> > > > > about preferable setting (timer or something else...?)
> > > > >
> > > >
> > > > [Med] For me, this is implementation-specific.
> > > >
> > > > > thanks,
> > > >
> > > > [Med] Many thanks for sharing the feedback from the hackathon.
> > > > Much appreciated.
> > > >
> > > > > Kaname
> > > > >
> > > > > _______________________________________________
> > > > > Dots mailing list
> > > > > Dots@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email