Re: [Dots] DOTS Telemetry: Interop Clarification #3

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 26 June 2020 06:36 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Date: Fri, 26 Jun 2020 06:36:05 +0000
Message-ID: <SA0PR16MB3838F0878467387C54C8C69BEA930@SA0PR16MB3838.namprd16.prod.outlook.com>
References: <27464_1593113494_5EF4FB96_27464_425_1_787AE7BB302AE849A7480A190F8B9330314E7645@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <SA0PR16MB38388F3CDF8A3298DDEF2543EA930@SA0PR16MB3838.namprd16.prod.outlook.com> <18913_1593151431_5EF58FC7_18913_57_1_787AE7BB302AE849A7480A190F8B9330314E78C0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <18913_1593151431_5EF58FC7_18913_57_1_787AE7BB302AE849A7480A190F8B9330314E78C0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/4eUhhmZqHe8yoJOcnA_LaCwr1GQ>

I meant that attack mapping details can be sent in the DOTS data channel, and there is no need to use the DOTS signal channel. The capabilities of a DOTS mitigator cannot be updated dynamically during mitigation in a way that would warrant sending the attack-description in the DOTS signal channel during attack mitigation. Identifying a new attack requires an update to the DOTS mitigator; human intervention is required to create the attack description and attack-id.

In short, there is no need to overload the DOTS signal channel to send the attack description.

-Tiru

From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Sent: Friday, June 26, 2020 11:34 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; kaname nishizuka <kaname@nttv6.jp>
Cc: dots@ietf.org
Subject: RE: DOTS Telemetry: Interop Clarification #3

Hi Tiru,

Not sure to get your comment. Can you please clarify?

Cheers,
Med

From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
Sent: Friday, June 26, 2020 07:15
To: BOUCADAIR Mohamed TGI/OLN; kaname nishizuka
Cc: dots@ietf.org
Subject: RE: DOTS Telemetry: Interop Clarification #3

Hi Med,

I don't think the capabilities of the mitigator will get updated dynamically during an active attack to send the new attack details (attack-name) in the DOTS signal channel protocol.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
Sent: Friday, June 26, 2020 1:02 AM
To: kaname nishizuka <kaname@nttv6.jp>
Cc: dots@ietf.org
Subject: [Dots] DOTS Telemetry: Interop Clarification #3

Re-,

You reported the following in the interim:
==
3. "DOTS agents MUST NOT include 'attack-name' attribute except if the corresponding attack mapping details were not shared with the peer DOTS agent". But how can the DOTS server know they're shared or not?
==

This is implementation-specific. The DOTS server may record which version of the mapping table it shared with a DOTS client.

Do you think that we need to include such details in the spec, or do you have something else in mind?

Thanks.

Cheers,
Med
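The version-tracking approach Med describes, as an added example that is not from the thread or from any DOTS implementation: the `AttackMapping` class name, the simplified 'attack-detail' fields, and the sample table entries are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AttackMapping:
    """Server-side attack-mapping table (attack-id -> attack-name).

    Every change bumps `version`; each entry remembers the version in which it
    was added, and `shared` records the last version delivered to each DOTS
    client over the data channel. Hypothetical structure, not a DOTS API.
    """
    version: int = 0
    entries: dict = field(default_factory=dict)  # attack-id -> (name, version added)
    shared: dict = field(default_factory=dict)   # client-id -> last version sent

    def add(self, attack_id, name):
        # Operator adds a mapping (human intervention, outside of an active attack).
        self.version += 1
        self.entries[attack_id] = (name, self.version)

    def share(self, client_id):
        # Data-channel delivery: record which version this client now holds
        # and return the table as sent to it.
        self.shared[client_id] = self.version
        return {aid: name for aid, (name, _) in self.entries.items()}

    def shared_with(self, client_id, attack_id):
        # The mapping was shared iff it existed in the last version sent.
        _, added = self.entries[attack_id]
        return added <= self.shared.get(client_id, 0)

    def attack_detail(self, client_id, attack_id, start_time):
        # Simplified signal-channel telemetry 'attack-detail' entry (constructed
        # field set): 'attack-name' is included only when the client has not yet
        # received the mapping for this attack-id over the data channel.
        detail = {"attack-id": attack_id, "start-time": start_time}
        if not self.shared_with(client_id, attack_id):
            detail["attack-name"] = self.entries[attack_id][0]
        return detail
```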