IETF Logo Mail Archive

Re: [Dots] Roman Danyliw's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS and COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 17 December 2020 10:05 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21C643A15B0 for <dots@ietfa.amsl.com>; Thu, 17 Dec 2020 02:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lx0SdwXv_yZp for <dots@ietfa.amsl.com>; Thu, 17 Dec 2020 02:05:53 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24B183A15AD for <dots@ietf.org>; Thu, 17 Dec 2020 02:05:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1608199551; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gk/hx66YEZSo9DZmbmF/WHkLyEQgCiIoDyYbd+y3Ymg=; b=eT9XYe/VmuKoIgyOGtg1KlvEfh/+MXI4EvBYVp+WKTycdUdricxegUuLQKdVAgKNiyFU39 R9TTRBDBnm58C/1VXqWtgx24wXmg3R4TjektF4MMvMEehIzQw5AoThDGckxOlMBOXSyPiN 0NwJ4EDBvfVP/koSjzD9SDctXsDUgmI=
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-bn3nam04lp2052.outbound.protection.outlook.com [104.47.46.52]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-173-NRzOipzePyqKGJp43wkcJQ-1; Thu, 17 Dec 2020 05:05:50 -0500
X-MC-Unique: NRzOipzePyqKGJp43wkcJQ-1
Received: from DM6PR16MB3402.namprd16.prod.outlook.com (2603:10b6:5:148::13) by DM5PR16MB1466.namprd16.prod.outlook.com (2603:10b6:3:b9::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12; Thu, 17 Dec 2020 10:05:48 +0000
Received: from DM6PR16MB3402.namprd16.prod.outlook.com ([fe80::dc33:7194:64da:2b21]) by DM6PR16MB3402.namprd16.prod.outlook.com ([fe80::dc33:7194:64da:2b21%6]) with mapi id 15.20.3654.026; Thu, 17 Dec 2020 10:05:48 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dots-signal-call-home@ietf.org" <draft-ietf-dots-signal-call-home@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Roman Danyliw's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS and COMMENT)
Thread-Index: AQHW0x1Lbu6HSCMZbU2f1UBmx3TqlKn7DIBA
Date: Thu, 17 Dec 2020 10:05:48 +0000
Message-ID: <DM6PR16MB3402A2719D188E4447C369FEEAC40@DM6PR16MB3402.namprd16.prod.outlook.com>
References: <160806244514.15552.2884622118358344184@ietfa.amsl.com>
In-Reply-To: <160806244514.15552.2884622118358344184@ietfa.amsl.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.6.0.76
dlp-reaction: no-action
x-originating-ip: [49.37.165.3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bf977103-ea5b-4ba7-5794-08d8a27353cf
x-ms-traffictypediagnostic: DM5PR16MB1466:
x-microsoft-antispam-prvs: <DM5PR16MB14664E9BB822FA2D8CD970FFEAC40@DM5PR16MB1466.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: WRzrdNQTAmYPgN2w+nvTzFG3hGFkZvCNeiebNDAm3ZIuWPKpMYsuqA8FjzPDZc1ks4AcYLtIeq+RVMaGm8YZs7feeZ7w2FfLaGRrwva3ShwLoYWQ85U/4e1h7Kky/HrtuF4VLOuWfQmAkPE7shaii1zeaWpYCqkLQisQMHXqHhNuy+10Rx34sdTzRr4nwvghq6uS1rUe0+fdp5S194NmiSvQUAy0o653GctHHRivQG8uWYhVR5VUa00OR5d7DFAPO9pTtU2LVBUKatTL5RX42l5thmivOStbRNJn2Xgvgya1ZDP74Jp3nw+K0B/dgi4HBa99D4+RFVtbFVJjPnP9xrxxbubBKrIpVzkoY6r2kRJlbPsnNlkCUq+Na4tqMBf0ELE5cmHvEUMf4LDTNy79a6iqK1DRCTBqe4hFKwaa9eEyPP7ZCw5LO6oc0mvbo9qM8dCBLwkZUaKurPxLX5Hik3GR4l77GNMK9YQuHtrUUVU=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR16MB3402.namprd16.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(346002)(39860400002)(396003)(366004)(32952001)(55016002)(186003)(71200400001)(86362001)(66476007)(5660300002)(52536014)(7696005)(26005)(66556008)(33656002)(316002)(53546011)(64756008)(6506007)(76116006)(110136005)(9686003)(8936002)(966005)(2906002)(66446008)(54906003)(66946007)(4326008)(478600001)(83380400001)(8676002)(66574015)(85282002); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata: 6Yq8Qebf0pZWynsbwdcriWR/FfgVGmcahCbu5KJ0csXjHUVmFsNQf20kq4A0lwTyzcZMhK4rOHMfpOXkx/XG+7MGSQfckEupVoBfdncDWCXTlWLOAwkCSzFn/0vp7rjSCU6RQINJZPtC5eEK6GNq78G5nvrF26WJQWsSnW9EumGFs1Fjp1BhuMFWmvCGAurKw6zgju5HNUjZ6r+2ofeZfSfRb1eZwH5mVzI73Hv7tbmoc235UcyGN2dY5CMxMfk2BM7XaknNV4wW3U8LQTUi/YUEB6S35r9wjj7Fnr1kyY+1Q3j3+yCAjkZ+vdhf1CYysF0F4+MdWrZAhYZgygcSDJ4Z01CfPUs0Qt5gHuLp4P3AiAiFZufgOnR3V8n7aIafl66kn7i1GAtOm24/HPN2bgeT4tY+eVHw1F3AM3RxziTTYP6+58on5TGWVq+DHbjckMeRcHpYKZOjU44aGrCt+UVqhyqTEmg4ml0HSkRSDGqjAz6s09MsdFJmihfIlRDiAYdajZ6L25X+SRx1bRPzm+RuMaxTgh5oqIEfZtMzuVw521M2mNEfmzULNrIFcwFElI3bomyN0j+K/Kz2qcTdWLC2PDnkSu+Zxvg7H8rPhElVZBpqgfpGZ/gLhTW7WimdzcuO5/P5Rkt83ELE9NR/3tMloYSZRQiFdO+wzAfvpJQXDO3MimAP8IFvuid5pEV34MPuHXrkBeIUUe15/N4kIAYZd/NHWBHO1sdq4cYCNWLNt8zGEhxKEjtDecQ6rMK5ha2lqYD9QhajzffSvt70Ovl98gKEi+p8ZQTYRHSrWrfN6h7r/a670pK5eEkynB45k6oP3w3MsOimLIML92N0NabocR1/YSUBgLtllz++GfDtHgdLA27JoNZivRW30mIbJoo987tETMhWvJcuq3CeFAjvc/eTb5Vl/U6yHdYYiVBYP3SO/8bFo2R2rB0C46IEuw38w6SuGs5pXfFxGo97+ZW9ep8Q9IjBa+WOy3vQOok=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR16MB3402.namprd16.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bf977103-ea5b-4ba7-5794-08d8a27353cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2020 10:05:48.3171 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: N/QfMCezcLtWpJVlgPYGuYK5X/HlbcROmV18JDZLRJlzh1b0oQYcKiM45PYrKE6QYKu7P+KNFGUWcM1ufBusuFKSabDKWnG0qf5yBOJoUYyP90SeLFQkiKj9BJjeXGyk
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1466
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA40A35 smtp.mailfrom=tirumaleswarreddy_konda@mcafee.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: mcafee.com
Content-Language: en-US
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/BZL6h6q1ueNOPXt8Pq3kLhMz1s0>
Subject: Re: [Dots] Roman Danyliw's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 10:05:56 -0000

Hi Roman,

Thanks for the review. Please see inline for responses to comments.

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of Roman Danyliw via
> Datatracker
> Sent: Wednesday, December 16, 2020 1:31 AM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-dots-signal-call-home@ietf.org; dots-chairs@ietf.org;
> valery@smyslov.net; dots@ietf.org
> Subject: [Dots] Roman Danyliw's Discuss on draft-ietf-dots-signal-call-home-
> 11: (with DISCUSS and COMMENT)
> 
> CAUTION: External email. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-dots-signal-call-home-11: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dots-signal-call-home/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> It seems to me there is a missing operational guidance or undocumented
> deployment assumptions.  Since the motivational use case seems to be
> home networks (per Section 1.1), I assumed that the call home servers are
> running primarily consumer grade routers not managed by professional IT
> expertise.  If that assumption is true (and it should be documented if that is
> the case), then I find many of the operational recommendations not
> congruent with that environment.  Specifically, the degree of interaction and
> tuning seems outside the realm of expertise of someone without IT training
> and capabilities of home network ecosystem.  In particular:
> 
> -- Section 1.2
> The Call Home DOTS server uses the DDoS attack traffic information to
>    identify the compromised device in its domain that is responsible for
>    launching the DDoS attack, optionally notifies a network
>    administrator, and takes appropriate mitigation action(s).
> 
> How would such notification work?
> 
> -- Section 1.2 and 5.1.  Leaves credentials configuration as out of scope.
> Section 1.2 references [I-D.ietf-dots-server-discovery] for provisioning.  In
> turn, Section 1 of [I-D.ietf.server-discovery] also declares this problem out of
> scope by saying “This document assumes that security credentials to
> authenticate DOTS server(s) are pre-provisioned to a DOTS client using a
> mechanism such as (but not limited to) those discussed in [RFC8572] or [I-
> D.ietf-anima-bootstrapping-keyinfra]”.  However, RFC8572 seems to rely on
> NETCONF and RESTCONF which seems like a rather uncommon feature of
> home routers.  BRKSI relies on a manufacturer supplied/contracted
> infrastructure and keystores that also seem uncommon for consumer grade
> equipment.
> 
> -- Section 5.3.1.
> The Call Home DOTS server domain administrator consent MAY be
>    required to block the traffic from the compromised device to the
>    attack target.  An implementation MAY have a configuration knob to
>    block the traffic from the compromised device to the attack target
>    with or without DOTS server domain administrator consent.
> 
> The suggestion here seems to be that consumers are acquiring devices that
> can be remotely reconfigured with out a defined trust model?  Some policy
> or operational context seems appropriate here.
> 
> -- Section 5.3.1
> ... notifies the CPE
>    administrator about the compromised device
> 
> Notify how?
> 
> -- Section 8.
> Appropriate
>    filters (e.g., access control lists) can be installed on the Call
>    Home DOTS server and network between the Call Home DOTS agents so
>    that only communications from a trusted Call Home DOTS client to the
>    Call Home DOTS server are allowed.
> 
> This seems like a level of sophistication beyond your average home router
> user and a place where implementations should consider a secure defaults.
> 
> -- Section 8.
> Call Home DOTS servers can also seek the consent of DOTS
>    server domain administrator to block the traffic from the potentially
>    compromised device to the target (see Section 5.3.1).
> 
> What would be the means to gain such consent?
> 
> -- Section 9.
> Note that a Call Home DOTS server can seek an administrator's
>    consent, validate the request by inspecting the relevant traffic for
>    attack signatures, or proceed with both courses of action.
> 
> As above.
> 
> -- Section 9.
> 
>     The DOTS Call Home is only advisory in nature.  Concretely, the DOTS
>    Call Home does not impose any action to be enforced within the
>    network hosting an attack source; it is up to the Call Home DOTS
>    server (and/or network administrator) to decide whether and which
>    actions are required.
> 
> Such a decisions seems out beyond the ability of your average home router
> user.
> 
> -- Section 8  “... explicit policy (e.g., the Call Home DOTS client and server are
> managed by the same administrative entity),
> 
> Is there an underlying assumption that the ISP is managing the device?
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Radia Perlman for the SECDIR review.
> 
> ** Section 1.1.  The motivation for this protocol in the “home network device”
> ecosystem could use a bit more focus.
> 
> (a) network devices in a home network can offer network
>    security functions (e.g., firewall [RFC4949] or Intrusion Protection
>    System (IPS) service [I-D.ietf-i2nsf-terminology] on a home router)
> 
> (b) Hence, it is not possible to detect various DDoS attacks in
>    the slow path ...
> 
> (c) a full-fledged DPI to
>    detect these type of DDoS attacks is functionally or operationally
>    not possible for all the devices
> 
> If IPS is done per (a), (b) and (c) don’t seem like issues. Certainly, NOT all
> devices support (a), but not ALL devices or limited by (b) and (c).

Typically network security services co-located on home routers are limited by (b) and (c).  Home routers are constrained network devices and network security service co-located on the home router cannot run a full-fledged DPI. In addition, network security services in SOHO/SMB may or may not be able to detect DDoS attacks using DPI. ISPs offering DDoS mitigation service have DDoS Detection capability using anomaly detection (for example, see https://www.netscout.com/sites/default/files/2018-10/SECPDS_004_EN-1802-Arbor-Threat-Mitigation-System-%28TMS%29.pdf) to identify zero day DDoS attacks and to detect DDoS attacks that cannot be detected using signatures and rate-limit techniques. 

> 
> The abstract is also clear that “The DOTS signal channel Call Home is not
> specific to home networks; the solution targets any deployment in which it is
> required to block DDoS attack traffic closer to the source(s) of a DDoS attack",
> but that fairly large other use cases doesn’t seem acknowledged here.
> 
> Bottom-line, I had difficulty following the motivation.
> 
> ** Section 1.1 presents an incomplete view of the problem to motivate the
> solution.  It notes that ISPs can already detect a DDoS attack down to the
> individual home network, but not the device (because of NATs).  The
> problem of what happens next remains unsaid.  It seems to me that options
> are the ISP shapes the traffic of that home network (affecting all of its
> devices) which is likely undesirable/blunt or the ISP tries to gain cooperation
> of the home network edge router to do something (which is the point of this
> document).

The problem is not specific to devices behind NAT, ISP cannot identify devices using IPv6 addresses attached to the home network to isolate and remediate compromised devices launching DDoS attack. We have the following text in Section 1.1.

   Even in case of an IPv6 home network, although the ISP can identify the infected device in the
   home network launching the DDoS traffic by tracking its unique IPv6
   address, the infected device can easily change its IPv6 address to
   evade remediation.  A security function on the local home network is
   better positioned to track the compromised device across IPv6 address
   (and potentially even MAC address) changes and thus ensure that
   remediation remains in place across such events.

> 
> ** Section 1.1.
> 
>    Existing approaches are still suffering from misused access network
>    resources by abusive devices; the support of means for blocking such
>    attacks close to the sources are missing.
> 
> I didn’t understand what this means.  What “existing approaches”?

Thanks, will modify the above text for clarity:

   Existing approaches discussed above suffer from misused access network
   resources by abusive devices; the support of means for blocking such
   attacks close to the sources are missing.

> 
> ** Section 1.2.  For the home network case, the text seems to be missing
> text saying that this “Call Home DOTS” solution needs to be deployed on a
> CPE capable of some degree of mitigation per the kinds of features DOTS can
> express (and the details of this integration is out of scope).

We already have the following text in Section 1.2:
In a typical deployment scenario, the Call Home DOTS server is enabled on a Customer Premises Equipment (CPE), which is aligned with recent trends to enrich the CPE with advanced security features.

Cheers,
-Tiru

> 
> 
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email