Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 07 August 2017 09:50 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Dots@ietf.org" <Dots@ietf.org>
Thread-Topic: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
Thread-Index: AdMPF2QONmutCNOvSwe0CfD0yMkBTgAACUnwAA6poPA=
Date: Mon, 07 Aug 2017 09:50:31 +0000
Message-ID: <DM5PR16MB17880F012FB44009155ADCA1EAB50@DM5PR16MB1788.namprd16.prod.outlook.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D19B@DGGEML502-MBX.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BB2D19B@DGGEML502-MBX.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ChlmYbDEcnwVLSb-Hhy0AjT_HmY>
Subject: Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 09:50:53 -0000

TLS supports pre-shared-key-based authentication. The other mechanism is a Subject Public Key Info (SPKI) fingerprint pin set for mutual authentication (self-signed certificates or raw public keys) without having to deal with a CA.

I don’t think DOTS should relax the mutual authentication and encryption requirements.

-TIru
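The SPKI fingerprint pin set mentioned above, worked out as an added Go example (not code from this thread or from any DOTS implementation): each side presents a self-signed certificate with no CA behind it, and each side admits the other only if the SHA-256 of the peer's leaf SubjectPublicKeyInfo is in a local pin set, so the peer's IP address never enters the authentication decision. selfSigned, pinVerifier and mutualHandshake are names chosen for this example, and an in-memory net.Pipe stands in for the DOTS client/server connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)
// selfSigned makes a throwaway self-signed certificate (no CA) and its SPKI hash, the value a peer pins.
func selfSigned() (tls.Certificate, [32]byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der) // RawSubjectPublicKeyInfo is the DER that an SPKI pin hashes
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
}
// pinVerifier replaces CA chain validation: the peer's leaf key must be in the pin set.
func pinVerifier(pins map[[32]byte]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err == nil && !pins[sha256.Sum256(leaf.RawSubjectPublicKeyInfo)] {
			err = errors.New("peer SPKI not in pin set")
		}
		return err
	}
}
// mutualHandshake: one in-memory TLS handshake where the server demands a client cert and both sides check pins only.
func mutualHandshake(srv, cli tls.Certificate, srvPins, cliPins map[[32]byte]bool) error {
	sc, cc := net.Pipe()
	sc.SetDeadline(time.Now().Add(2 * time.Second)) // unbuffered pipe: never hang on a rejected peer
	server := tls.Server(sc, &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAnyClientCert,
		VerifyPeerCertificate: pinVerifier(srvPins), SessionTicketsDisabled: true})
	client := tls.Client(cc, &tls.Config{Certificates: []tls.Certificate{cli}, InsecureSkipVerify: true, // chain check off:
		VerifyPeerCertificate: pinVerifier(cliPins)}) // the pin set is the only check of the server's identity
	go func() { // client side; the Read drains the server's close_notify (or its alert)
		if client.Handshake() == nil {
			client.Read(make([]byte, 1))
		}
	}()
	defer server.Close() // the return value is the server's verdict: nil means the client was authenticated
	return server.Handshake()
}
```

InsecureSkipVerify on the client is tolerable here only because VerifyPeerCertificate is set; without the pin callback it would accept any server.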

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Monday, August 7, 2017 6:25 AM
To: Dots@ietf.org
Subject: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

In addition to an IP whitelist and certificates, a pre-shared key can also be an option.
Right?

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: August 7, 2017 8:52
To: Dots@ietf.org<mailto:Dots@ietf.org>
Subject: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi,
I think the direct use of an IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, such as a DOTS client that does not support certificates, an ISP that detects spoofed source addresses, etc.

So, should we support this as an optional way for the DOTS client's AA and add it to the DOTS protocol drafts?

B.R.
Frank