Re: [Dots] 2-way heartbeats RE: Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

Mirja Kuehlewind <ietf@kuehlewind.net> Wed, 03 July 2019 10:12 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9892120733; Wed, 3 Jul 2019 03:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ZwSioMeCtQi; Wed, 3 Jul 2019 03:12:55 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F5EA12029A; Wed, 3 Jul 2019 03:12:55 -0700 (PDT)
Received: from 200116b82468ed0068c3f61f5d01a906.dip.versatel-1u1.de ([2001:16b8:2468:ed00:68c3:f61f:5d01:a906]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1hicFv-0004tw-RK; Wed, 03 Jul 2019 12:12:52 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EAB2B51@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Wed, 3 Jul 2019 12:12:51 +0200
Cc: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3044574C-65E5-4713-B2B5-02F305C8FDA2@kuehlewind.net>
References: <787AE7BB302AE849A7480A190F8B93302EAB2B51@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
To: mohamed.boucadair@orange.com
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1562148775;85cfe98e;
X-HE-SMSGID: 1hicFv-0004tw-RK
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Du-lywHWMJkU28_BEqUntxxG0pY>
Subject: Re: [Dots] =?utf-8?q?2-way_heartbeats_RE=3A___Mirja_K=C3=BChlewind?= =?utf-8?q?=27s_Discuss_on_draft-ietf-dots-signal-channel-31=3A_=28with_DI?= =?utf-8?q?SCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 10:12:58 -0000

Hi Med,

Please see below.

> On 3. Jul 2019, at 10:50, <mohamed.boucadair@orange.com>; <mohamed.boucadair@orange.com>; wrote:
> 
> Mirja, 
> 
> Your initial DISCUSS point was: 
> 
> (1) "heartbeat should only be send in one direction (as the
> Other end will send an ack)"
> 
> We clarified that we need both HBs because there are cases where the DOTS server needs to determine if the incoming link to the DOTS client is saturated (due to an ongoing DDoS attack). It can conclude so because it receives HBs from the client but no replies to its own HBs. The server uses that information to tweak its mitigation strategy (in case a mitigation is already in place). It also can conclude that the client didn't detected an attack.

Here is the point that I don't understand: Let’s assume both ends are sending pings but the client does not receive any pings from the server. I would also that in this case the client would also not received any pongs from the server (in response to their own ping), therefore believe that the connection is Brocken, then close the connection and stop sending pings, which then will be detected by the server. What do I miss?

Mirja



> 
> To which you suggested the following:
> 
> (2) "what you described implies that the server should send the ping and client sends the pong. This is fine."
> 
> We clarified that pings from the server may be discarded by on path NATs/FWs. The HBs from the client are also meant to maintain a state alive in those functions.
> 
> We also reminded that 8085 recommends "to ** independently ** check both directions" for long-lived association. We are adhering to that recommendation. 
> 
> Can you please let us know how we can achieve the above with one single HB direction? Thank you.  
> 
> Cheers,
> Med
> 
>> -----Message d'origine-----
>> De : Mirja Kuehlewind [mailto:ietf@kuehlewind.net]
>> Envoyé : mardi 2 juillet 2019 16:00
>> À : BOUCADAIR Mohamed TGI/OLN
>> Cc : Konda, Tirumaleswar Reddy; Benjamin Kaduk; draft-ietf-dots-signal-
>> channel@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The IESG;
>> dots-chairs@ietf.org
>> Objet : Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-
>> channel-31: (with DISCUSS and COMMENT)
>> 
>> 
>>> 
>>>> 
>>>>> 
>>>>>> 
>>>>>>> 6) Section 4.7: "the DOTS
>>>>>>> agent sends a heartbeat over the signal channel to maintain its
>> half
>>>>>>> of the channel.  The DOTS agent similarly expects a heartbeat from
>>>>>>> its peer DOTS agent"
>>>>>>> and
>>>>>>> "DOTS servers MAY trigger their heartbeat requests immediately after
>>>>>>> receiving heartbeat probes from peer DOTS clients."
>>>>>>> Actually heartbeat should only be send in one direction (as the
>> other
>>>>>>> end will send an ack) and the protocol should clearly specify which
>>>>>>> endpoint is responsible for triggering the ping.
>>>>>> 
>>>>>> I'm not sure I see resolution on this; do the authors still need to
>>>> answer why
>>>>>> the "pong" reply cannot serve as a reverse-path heartbeat?
>>>>> 
>>>>> If the DOTS client domain is subjected to volumetric DDoS attack and
>> the
>>>> incoming link is saturated, the pong response from the server will not
>>>> reach the client. DOTS server gets traffic from the client but receives
>> no
>>>> responses to its ping requests indicating the client has not detected
>> the
>>>> attack or, if an attack mitigation is in progress, it implies the
>> applied
>>>> DDoS mitigation actions are not yet effective to handle the DDoS attack
>>>> volume.
>>>> 
>>>> Yes, I understand what heartbeat are used for. However, what you
>> described
>>>> implies that the server should send the ping and client sends the pong.
>>>> This is fine.
>>> 
>>> [Med] Choosing the other way around may be problematic because of
>> NAT/FWs. This is why the heartbeats from the server will fly right after
>> the one from the client so that we can use the warm mappings. Having both
>> directions allows to accommodate the scenario described by Tiru.
>>> 
>>> As you know, RFC4787 mandates the NAT outbound refresh behavior (packets
>> go from the internal side of the NAT to the external side of the NAT to
>> refresh the timer value) but not the NAT inbound refresh behavior.
>>> 
>>> The text however seems to imply that both server and client
>>>> test their have connection separately and both send pings and pongs.
>> That
>>>> doesn’t seem to be need.
>>> 
>>> [Med] In addition to the clarification above, we have also added a
>> pointer to this part of 8085:
>>> 
>>> ==
>>>  A UDP application with a long-lived association between the sender
>>>  and receiver, ought to be designed so that the sender periodically
>>>  checks that the receiver still wants ("consents") to receive traffic
>>>  and need to be designed to stop if there is no explicit confirmation
>>>  of this [RFC7675].  Applications that require communications in two
>>>  directions to implement protocol functions (such as reliability or
>>>  congestion control) will need to independently check both directions
>>>                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>  of communication, and may have to exchange keep-alive messages to
>>>  ^^^^^^^^^^^^^^^^
>>>  traverse middleboxes (see Section 3.5).
>>> ==
>> 
>> Yes, you use keep-alive messages here. A ping on one direction and a
>> pong/ack as reply in the direction. I’m not we are maybe talking past each
>> other… I think the following is sufficient
>> 
>> 
>> Client ping —————>
>>            <———— server pong
>> 
>> 
>> While what I read from the document is that you do this:
>> 
>> Client ping —————>
>>            <———— server pong
>> 
>>            <———— server ping
>> Client pong —————>
>> 
>> If that is not what your are doing you need to clarify this in the
>> document.
>> 
>> If you actually want to have two different ping/pong’s you need to explain
>> me why you need both. 
>