IETF Logo Mail Archive

Re: [Dots] Mirja's DISCUSS: Pending Point (AD Help Needed)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 19 July 2019 12:05 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33EE41200B3 for <dots@ietfa.amsl.com>; Fri, 19 Jul 2019 05:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqLTYv6NpVaz for <dots@ietfa.amsl.com>; Fri, 19 Jul 2019 05:05:48 -0700 (PDT)
Received: from us-smtp-delivery-210.mimecast.com (us-smtp-delivery-210.mimecast.com [63.128.21.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38BD9120019 for <dots@ietf.org>; Fri, 19 Jul 2019 05:05:48 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1563537281; h=ARC-Seal: ARC-Message-Signature:ARC-Authentication-Results: From:To:Subject:Thread-Topic:Thread-Index: Date:Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=w9QYvtQqj4CJSx3JcgxKAICtTB3LnnFF88MMSI iSdYI=; b=EeeDEG6DDuVktPAdoUq4why2iU5jlRmyX8KovcaG vI4/vK++UjDGRr1u+wztkFucDulcPEoirfAq9/UD7osJsp+0Vu E0w1ZapSr6+j9sXPzWXSrekVirpjwvLi6zK8Zg41lnK5tTlNwC rNaokpYDNnWfjA6xXqIycxvaoAtIrlc=
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-296-zuU9mxqJNBat2WfUbdetiQ-1; Fri, 19 Jul 2019 08:05:43 -0400
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6f0d_f66a_eed52bfa_f1ea_44f4_850e_556f748e1ce7; Fri, 19 Jul 2019 05:54:40 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 19 Jul 2019 06:05:39 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Fri, 19 Jul 2019 06:05:39 -0600
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (10.44.176.241) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 19 Jul 2019 06:05:38 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WgyvDijgARXLV9cSIgZBzHB09hAAvGdfOpAz0PRRCHQmzImqjibXwjAyG+kXK/TnWX7s1SapvhGx65/nRsPZlSEyPRG1QAhtb0UNhfT3x6Q8Wv5v7sDQoDDCgDiMP2fQKdvlgkCxZR4PgsYy83tJ9XyeYWkd0FWrMk810Nkpo+jKWJHDjmLw6iTtzn3QZoMTPEzj00Ermi8lNDP2JA7n7kcKRAAFonnU+rB9z084ztZe+0WupgfDM/N5K7rGiOLtEv0bJkKSdzOrP9Oh2XV5gh8d6POr/PDqGwkvuRcaC3pZNZIm/z0lLvsbbLmdCfOrKbviBgOQCIuutg/x+muQVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=w9QYvtQqj4CJSx3JcgxKAICtTB3LnnFF88MMSIiSdYI=; b=Arrt555I/aqIzbTqRmq+xthnyHD81Q5tBvStfRSbL6C37TS4qdaBVgQ6v9F+GvrZRXYfw5xXQ+Kz08CkqkRA/BExLvBx1RzhA0ytO4yqRPW12O2PenSg4bdPGWTZXsDM3cfGgkN8SeFpnOAAlle4VH0pYUn2MRO3eIWTRKQS2rpNq5KtfgrrUmwshxug9HJ8mPXkBlQIjEawFg7hwub8exGRAZ0+ksxqg2Xy6W7v+VE8AX03NI9868M88rmwSf5AHTWb+B55xkWrSJDERH6JV4Gq1SXabUuSk157jdEuhUBjQ44ixM2SukeXyyEA2F6ho+tSIjWnWI4f90w8DdZAbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=mcafee.com;dmarc=pass action=none header.from=mcafee.com;dkim=pass header.d=mcafee.com;arc=none
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB1834.namprd16.prod.outlook.com (10.174.178.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.14; Fri, 19 Jul 2019 12:05:38 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::570:2208:75c2:5f17]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::570:2208:75c2:5f17%8]) with mapi id 15.20.2073.012; Fri, 19 Jul 2019 12:05:38 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Valery Smyslov <valery@smyslov.net>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, 'Benjamin Kaduk' <kaduk@mit.edu>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Mirja's DISCUSS: Pending Point (AD Help Needed)
Thread-Index: AdU9/zWZw7DhsbF6RNCA2PYrEJMCCAAJ+IgAAABxlPA=
Date: Fri, 19 Jul 2019 12:05:38 +0000
Message-ID: <DM5PR16MB1705B5FC8E9204012E34636FEACB0@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302FA841A9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <00c201d53e27$194cfc20$4be6f460$@smyslov.net>
In-Reply-To: <00c201d53e27$194cfc20$4be6f460$@smyslov.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.16
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 09fa9f9b-0a6a-4b82-e304-08d70c416a0e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR16MB1834;
x-ms-traffictypediagnostic: DM5PR16MB1834:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR16MB1834E173CE0C15EE51B3B49FEACB0@DM5PR16MB1834.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01039C93E4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(136003)(39850400004)(346002)(376002)(396003)(189003)(13464003)(51444003)(199004)(32952001)(3846002)(55016002)(8676002)(33656002)(9686003)(6246003)(53936002)(2171002)(6116002)(6306002)(7736002)(305945005)(966005)(74316002)(478600001)(68736007)(6436002)(486006)(2201001)(8936002)(66556008)(14444005)(52536014)(81156014)(81166006)(53546011)(76116006)(6506007)(110136005)(186003)(256004)(66476007)(64756008)(66446008)(2501003)(66946007)(71200400001)(316002)(102836004)(86362001)(26005)(71190400001)(446003)(11346002)(476003)(66066001)(80792005)(25786009)(2906002)(14454004)(99286004)(7696005)(5660300002)(229853002)(76176011)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1834; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: f6ARDxNMnGaR/zkTRppCCJTCS48TmK/K3YiBXnctPgLl1HvrZrncc3VwyOar9I4DW4gmp3TzoOtl06XBIBvybziTuDOvgkp0ncP5uq/nSXAVfywMac/ihQpZn3emtFahWn37CQHuIbTkpmK1UTQMKU8b/mT/mA/eRHyDSje3cwDjSE6k4gUw3makcGZLjbhsJAkt47zqMPUzzuYpsutfgrWD4YmBo82kVtsn8He9PqZCkPaia3ZeGUU/+m0Ve8G9tIWvcd7XmNKnbd9rk0mh/8N6El7Q+tM+9gMn0slzDZmqoGvE9eZ79IfjsdHKJiBQsALqdHwWurlDxg4YIKn5WbpM20lAubnCry4TFqCiWoWZMDNX0/+xYRwQUrgTj5zBuCtDGP8dx/4RvK6k+nMn0co3YcSO/Yv+ZiBha3t2alg=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 09fa9f9b-0a6a-4b82-e304-08d70c416a0e
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2019 12:05:38.6661 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1834
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6593> : inlines <7120> : streams <1827803> : uri <2869307>
X-MC-Unique: zuU9mxqJNBat2WfUbdetiQ-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/D69RoVyveao5shaQhM7SbdHHEyI>
Subject: Re: [Dots] Mirja's DISCUSS: Pending Point (AD Help Needed)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2019 12:05:52 -0000

Hi Valery,

The message transmission parameters including missing-hb-allowed is only for UDP transport (not for TCP). For the UDP, she is suggesting us to go with a mechanism that checks both side of the connectivity using non-confirmable message with ping and pong at the application layer instead of relying on the CoAP ping/pong. 

Cheers,
-Tiru

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of Valery Smyslov
> Sent: Friday, July 19, 2019 5:13 PM
> To: mohamed.boucadair@orange.com; 'Benjamin Kaduk' <kaduk@mit.edu>;
> dots-chairs@ietf.org; dots@ietf.org
> Subject: Re: [Dots] Mirja's DISCUSS: Pending Point (AD Help Needed)
> 
> 
> 
> Hi Med,
> 
> I believe Mirja's main point was that if you use liveness check mechanism in
> the transport layer, then if it reports that liveness check fails, then it _also_
> closes the transport session.
> 
> Quotes from her emails:
> "Yes, as Coap Ping is used, the agent should not only conclude that the DOTS
> signal session is disconnected but also the Coap session and not send any
> further Coap messages anymore."
> 
> and
> 
> "Actually to my understanding this will not work. Both TCP heartbeat and
> Coap Ping are transmitted reliably. If you don’t receive an ack for these
> transmissions you are not able to send any additional messages and can only
> close the connection."
> 
> I'm not familiar with CoAP, but I suspect she's right about TCP - if TCP layer
> itself doesn't receive ACK for the sent data after several retransmissions, the
> connection is closed.
> 
> As far as I understand the current draft allows underlying liveness check to
> fail and has a parameter to restart this check several times if this happens. It
> seems that a new transport session will be created in this case (at least if TCP
> is used). In my reading of the draft this seems not been assumed, it is
> assumed that the session remains the same. So, I think that main Mirja's
> concern is that it won't work (at least with TCP).
> 
> I didn't participate in the WG discussion on this, so I don't know what was
> discussed regarding this issue. If it was discussed and the WG has come to
> conclusion that this is not an issue, then I believe more text should be added
> to the draft so, that people like Mirja, who didn't participate in the discussion,
> don't have any concerns while reading the draft.
> 
> Regards,
> Valery.
> 
> 
> 
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > Sent: Friday, July 19, 2019 9:57 AM
> > To: Benjamin Kaduk (kaduk@mit.edu) <kaduk@mit.edu>; dots-
> > chairs@ietf.org; dots@ietf.org
> > Subject: Mirja's DISCUSS: Pending Point (AD Help Needed)
> >
> > Hi Ben, chairs, all,
> >
> > (restricting the discussion to the AD/chairs/WG)
> >
> > * Status:
> >
> > All DISCUSS points from Mirja's review were fixed, except the one
> > discussed in this message.
> >
> > * Pending Point:
> >
> > Rather than going into much details, I consider the following as the
> > summary of the remaining DISCUSS point from Mirja:
> >
> > > I believe there are flaws in the design. First it’s a layer
> > > violation, but if more an idealistic concern but usually designing
> > > in layers is a good approach. But more importantly, you end up with
> > > un-frequent messages which may still terminate the connection at
> > > some point, while what you want is to simply send messages
> > > frequently in an unreliable fashion but a low rate until the attack is over.
> >
> > * Discussion:
> >
> > (1) First of all, let's remind that RFC7252 does not define how CoAP
> > ping must be used. It does only say:
> >
> > ==
> >       Provoking a Reset
> >       message (e.g., by sending an Empty Confirmable message) is also
> >       useful as an inexpensive check of the liveness of an endpoint
> >       ("CoAP ping").
> > ==
> >
> > How the liveness is assessed is left to applications. So, there is **
> > no layer violation **.
> >
> > (2) What we need isn't (text from Mirja):
> >
> > > to simply send messages frequently in an unreliable fashion but a
> > > low rate until the attack is over "
> >
> > It is actually the other way around. The spec says:
> >
> >   "... This is particularly useful for DOTS
> >    servers that might want to reduce heartbeat frequency or cease
> >    heartbeat exchanges when an active DOTS client has not requested
> >    mitigation."
> >
> > What we want can be formalized as:
> >  - Taking into account DDoS traffic conditions, a check to assess the
> > liveness of the peer DOTS agent + maintain NAT/FW state on on-path
> devices.
> >
> > An much more elaborated version is documented in SIG-004 of RFC 8612.
> >
> > * My analysis:
> >
> > - The intended functionality is naturally provided by existing CoAP
> messages.
> > - Informed WG decision: The WG spent a lot of cycles when specifying
> > the current behavior to be meet the requirements set in RFC8612.
> > - Why not an alternative design: We can always define messages with
> > duplicated functionality, but that is not a good design approach
> > especially when there is no evident benefit.
> > - The specification is not broken: it was implemented and tested.
> >
> > And a logistic comment: this issue fits IMHO under the non-discuss
> > criteria in https://www.ietf.org/blog/discuss-criteria-iesg-review/#stand-
> undisc.
> >
> > * What's Next?
> >
> > As an editor, I don't think a change is needed but I'd like to hear
> > from Ben, chairs, and the WG.
> >
> > Please share your thoughts and whether you agree/disagree with the
> > above analysis.
> >
> > Cheers,
> > Med
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email