Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-data-channel-28: (with DISCUSS and COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 02 July 2019 14:23 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49FBA12006B; Tue, 2 Jul 2019 07:23:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A439cGOjpb13; Tue, 2 Jul 2019 07:23:06 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42AA6120041; Tue, 2 Jul 2019 07:23:04 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1562076774; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=yC0jvxk5V1ckKeob6j/610lwnlEkOMhEG5JETe FLJig=; b=Az81hHxqH58LxPOX6QHb63/73S0c2snu59eFg0On lWhndcRf9B1XeJFDLy+edMjH8+4TfuuAi5xwL1c4eugun9PbBB bZWgbpZVX5Ro9GqJDWj5VwIKgVj4V6GTgJcdbrR9RgZbmaV7b/ O2okF1nb3RhaN9yVadhjxoEqDusZc8A=
Received: from DNVEXAPP1N04.corpzone.internalzone.com (unknown [10.44.48.88]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 66d4_190a_8c35bc3b_3ce6_4561_8225_4572ecff09df; Tue, 02 Jul 2019 08:12:53 -0600
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 2 Jul 2019 08:22:16 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Tue, 2 Jul 2019 08:22:16 -0600
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 2 Jul 2019 08:22:14 -0600
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB0025.namprd16.prod.outlook.com (10.172.85.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.20; Tue, 2 Jul 2019 14:22:14 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065%5]) with mapi id 15.20.2032.019; Tue, 2 Jul 2019 14:22:14 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
CC: Benjamin Kaduk <kaduk@mit.edu>, Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>
Thread-Topic: =?utf-8?B?W0RvdHNdICBNaXJqYSBLw7xobGV3aW5kJ3MgRGlzY3VzcyBvbiBkcmFmdC1p?= =?utf-8?B?ZXRmLWRvdHMtZGF0YS1jaGFubmVsLTI4OiAod2l0aCBESVNDVVNTIGFuZCBD?= =?utf-8?Q?OMMENT)?=
Thread-Index: AQHVAN3ugjmuTslNjEWiBUcliI6afaa2ROeAgAAN3QCAAQGxAIAAaHOAgAABS2A=
Date: Tue, 2 Jul 2019 14:22:14 +0000
Message-ID: <DM5PR16MB170529399AC19B88B321A35DEAF80@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <155679628494.24951.9145538661531263463.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA68C8B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190701154032.GB13810@kduck.mit.edu> <A4BD2109-EC58-4FED-A8B0-2EE5AC47A69C@kuehlewind.net> <DM5PR16MB1705BED0F42996593B0C0A70EAF80@DM5PR16MB1705.namprd16.prod.outlook.com> <24FFE7CE-B91A-4CF4-BB85-D6108ACE0043@kuehlewind.net>
In-Reply-To: <24FFE7CE-B91A-4CF4-BB85-D6108ACE0043@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.8
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.221.69.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 266a24e1-5a33-4cd7-d079-08d6fef8adeb
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR16MB0025;
x-ms-traffictypediagnostic: DM5PR16MB0025:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DM5PR16MB0025B69B16C63A5982DC96B3EAF80@DM5PR16MB0025.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 008663486A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(136003)(396003)(376002)(346002)(39860400002)(13464003)(189003)(199004)(32952001)(66574012)(229853002)(33656002)(52536014)(2906002)(71200400001)(99286004)(9686003)(316002)(71190400001)(66446008)(478600001)(55016002)(966005)(6436002)(6116002)(4326008)(76116006)(64756008)(66946007)(66556008)(66476007)(5660300002)(54906003)(53936002)(66066001)(73956011)(86362001)(256004)(80792005)(7696005)(3846002)(76176011)(53546011)(6246003)(11346002)(68736007)(486006)(14444005)(224303003)(26005)(186003)(102836004)(25786009)(6916009)(6506007)(476003)(305945005)(7736002)(446003)(14454004)(8936002)(74316002)(72206003)(6306002)(81166006)(81156014)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB0025; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: YP0fr859jo/Ia8IO4p++mUsu9uVPbBEVV0wakMCM3NCBaHmvzjDsHM6WtsOixnn55qFPLf/9AyWnR3b37WPjIVNWNUO6k+EA+kviBJJovzzx0WfwxermKJsGMgpqnqWXV8i0WQOPwTAD3ylRXlBusLv5X8uOW6bVRuQ9S8r7R6oEvqe9RqjlFI07FMO7LSamQmi+p6ItflGQuemUnz0mLmbqoIpAjcoxWM5H9RXPt7oWGS2iAYgl9isYwwvJNbdmZ8v4nbB8lrn3WPxifOha9agwfLsgIbZxw3he9p6vgc63lMCVigrm1yJtskoosDBTbSzJ0ck2u/6D/gyY+emkbeYOZxnXCcyeYcUbPDnTwk5fqTuwcsi6v+QVx21obnOMvxDzM70NhI3TyjD40ojTOozqhzghqXMDMDyu4AG5uIM=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 266a24e1-5a33-4cd7-d079-08d6fef8adeb
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2019 14:22:14.1470 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB0025
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.4
X-NAI-Spam-Version: 2.3.0.9418 : core <6581> : inlines <7113> : streams <1826189> : uri <2862925>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/EfTedd_806UA0aL_oYBZU8ltxkI>
Subject: Re: [Dots] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-?= =?utf-8?q?dots-data-channel-28=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 14:23:09 -0000

> -----Original Message-----
> From: Mirja Kuehlewind <ietf@kuehlewind.net>;
> Sent: Tuesday, July 2, 2019 7:36 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> Cc: Benjamin Kaduk <kaduk@mit.edu>;; Roman Danyliw <rdd@cert.org>;;
> dots@ietf.org; The IESG <iesg@ietf.org>;; dots-chairs@ietf.org;
> mohamed.boucadair@orange.com; draft-ietf-dots-data-channel@ietf.org
> Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-data-
> channel-28: (with DISCUSS and COMMENT)
> 
> 
> 
> Hi Tiru,
> 
> Please see below.
> 
> > On 2. Jul 2019, at 09:55, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>; wrote:
> >
> >>>>> I would also quickly like to discuss the use of keep-alives as
> >>>>> described in Section 3.1: "While the communication to the DOTS
> >>>>> server is  quiescent, the DOTS client MAY probe the server to
> >>>>> ensure it has  maintained cryptographic state.  Such probes can
> >>>>> also keep alive  firewall and/or NAT bindings.  A TLS heartbeat
> >>>>> [RFC6520] verifies  that the DOTS server still has TLS state by returning
> a TLS message."
> >>>>> I understood that multiple requests can and should be send in the
> >>>>> same connection, however, I would expect that those requests are
> >>>>> send basically right after each other, such as a look-up and then
> >>>>> change of the config. I don't see a need to keep up the connection
> >>>>> for a
> >> long time otherwise.
> >>>>> Especially any action performed are (other than in the signal
> >>>>> channel case) not time critical. Therefore I would rather
> >>>>> recommend to close and reopen connections and not recommend to
> use
> >>>>> keep-alives at all.
> >>>>
> >>>> [Med] The activity of the DOTS client may be used to track/detect
> >>>> stale
> >> entries:
> >>>>
> >>>>  Also, DOTS servers
> >>>>  may track the inactivity timeout of DOTS clients to detect stale
> >>>> entries.
> >>>>
> >> My understanding is that this is orthogonal. You can also see that a
> >> client is inactive when it didn’t open a new connection for a certain time…?
> >
> > The drop-list rules could be frequently updated by the DOTS client
> > based on the tests used by the DOTS client domain (e.g. cryptographic
> > challenge) to detect whether the IP address is for legitimate use or
> > not, or based on threat intelligence feeds from security vendors
> > providing the botnet/malicious IP addresses feed.  Further, persistent
> > DOTS data channel is required to handle updates to target resources
> > (e.g. CDN hosting a domain, and it needs DDoS protection) and target
> > IP/prefix may also change frequently (mobile branch office, prefix
> > re-numbering etc.)
> 
> This still doesn’t sounds like it is desirable to keep the TCP connection open.
> Also if you can bear the time to reconnect (1-2 RTT for the handshake) that is
> usually the better and easier options. I don’t think the information we talk
> about here are that time-critical, is it? When you say frequent what time
> frame do you mean, Hours, minutes, seconds, milliseconds?

The frequency of updates to drop-list rules can be few milliseconds.  For example, CAPTCHA and cryptographic puzzles can be used by DOTS client domain to determine whether the IP address is used for legitimate purpose or not, and can configure the drop-list rules.
Further, the specification does not mandate the connection to be persistent, but when needed, the probe mechanism applies.

-Tiru

> 
> Mirja
> 
> 
> >
> > Further, we are not mandating the connection to be persistent, but when
> needed, the probe mechanism applies. Please note
> https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server-13
> discusses persistent-connection and it’s a client preference on how the
> connection is maintained (persistent or periodic).