IETF Logo Mail Archive

Re: [Dots] Review of draft-ietf-dots-multihoming

mohamed.boucadair@orange.com Mon, 05 July 2021 07:12 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38D683A1D50 for <dots@ietfa.amsl.com>; Mon, 5 Jul 2021 00:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KHB0PD6l25Mj for <dots@ietfa.amsl.com>; Mon, 5 Jul 2021 00:12:13 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA5B3A1D4F for <dots@ietf.org>; Mon, 5 Jul 2021 00:12:12 -0700 (PDT)
Received: from opfedar04.francetelecom.fr (unknown [xx.xx.xx.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar21.francetelecom.fr (ESMTP service) with ESMTPS id 4GJH1g6cdGz7tJg; Mon, 5 Jul 2021 09:12:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1625469127; bh=406jbmFNECc2Wp3FlxHTw1r7FEvj3Nh0wDc1xka7ewY=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=EV2oKoC7JfHXr+vk6LKKJztZfcv9UvoFNqRkkTe8rWZVjcQk6hAayrJkgtMv1OEv6 Nk7YfGd3ivYari4SW2fXepLLxmm0a7whbYmHumtTURwaZQOGagzuO67Iq/Q1cr7PLV YRCH9aaPGy8JDFsb5jIPnF3gFeR64zzZgybQWsqvhAxJzfDcG02KWD8xeuF60nJERy 0JKxNOeoZjREcrWh6SUmOynLXdN1NKIki8x+vSHHK3sHaNt8+iIE2XipXNeorLgdsB I8igY3eqQj0YlpdXWnI14qyvEyP6y+u9JNhEsgK6BF7qyasp29j2p3+0QXhoE9QC8V BN1UfWY7WRUiw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar04.francetelecom.fr (ESMTP service) with ESMTPS id 4GJH1g5HBhz1xpr; Mon, 5 Jul 2021 09:12:07 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Review of draft-ietf-dots-multihoming
Thread-Index: AddvWudDcUgmBKmzR+ShoFd1LWw6kwCEKz/Q
Date: Mon, 05 Jul 2021 07:12:06 +0000
Message-ID: <12096_1625469127_60E2B0C7_12096_200_3_787AE7BB302AE849A7480A190F8B9330353B7418@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <047d01d76f5b$962ce270$c286a750$@jpshallow.com>
In-Reply-To: <047d01d76f5b$962ce270$c286a750$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/GEZ-2cUN-RvtHsiAvGvd-Y30Rh4>
Subject: Re: [Dots] Review of draft-ietf-dots-multihoming
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 07:12:17 -0000

Hi Jon, 

Thank you for the review. All good suggestions. You may track the changes at: https://tinyurl.com/dots-multihoming-latest. 

BTW, do we need to include some notes about the handling of mid (and other related identifiers(?)) as it may be tempting, for example, to use the same ids when a request is sent to multiple servers for the PI case. We may include a reminder that ids should be handled per dots server/provisioning domain, not per target prefix. 

Cheers,
Med

> -----Message d'origine-----
> De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow
> Envoyé : vendredi 2 juillet 2021 18:02
> À : dots@ietf.org
> Objet : [Dots] Review of draft-ietf-dots-multihoming
> 
> Hi all,
> 
> I have done a review of draft-ietf-dots-multihoming and have come up
> with some things that I think need to be corrected/updated.
> 
> s/I-D.ietf-dots-use-cases/RFC8903/g
> s/RFC8782/I-D.ietf-dots-rfc8782-bis/g
> 
> 1. Introduction
> 
> OLD - needs rewording
> 
>    In many deployments, it may not be possible for a network to
>    determine the cause of a distributed Denial-of-Service (DoS)
> attack
>    [RFC4732].  Rather, the network may just realize that some
> resources
>    seem to be under attack.  To improve such situation, the IETF is
>    specifying the DDoS Open Threat Signaling (DOTS) architecture
>    [RFC8811], where a DOTS client can inform a DOTS server that the
>    network is under a potential attack and that appropriate
> mitigation
>    actions are required.  Indeed, because the lack of a common
> method to
>    coordinate a real-time response among involved actors and network
>    domains jeopardizes the efficiency of DDoS attack mitigation
> actions,
>    the DOTS protocol is meant to carry requests for DDoS attack
>    mitigation, thereby reducing the impact of an attack and leading
> to
>    more efficient responsive actions.
> 
> NEW
> 
>    In many deployments, it may not be possible for a network to
>    determine the root cause of a distributed Denial-of-Service (DoS)
> attack
>    [RFC4732].  Rather, the network may just realize that some
> resources
>    appear to be under attack.  To help with such situations, the
> IETF has
>    specified the DDoS Open Threat Signaling (DOTS) architecture
>    [RFC8811], where a DOTS client can inform an upstream DOTS server
> that its
>    network is under a potential attack and that appropriate
> mitigation
>    actions are required.  The DOTS protocols can be used to
> coordinate real-time mitigation efforts which can evolve at the
> attacks mutate,
>   thereby reducing the impact of an attack and leading to
>    more efficient responsive actions.
> 
> OLD
> 
> provided DOTS server(s) addresses (e.g.,
>    [RFC8973]).
> 
> NEW
> 
> provided DOTS server(s) addresses (e.g., by using
>    [RFC8973]).
> 
> OLD
> 
>           * Send a DOTS mitigation request to an arbitrary DOTS
> server
>           won't help mitigating a DDoS attack.
> 
> NEW
> 
>           * Sending a DOTS mitigation request to an arbitrary DOTS
> server
>           Will not necessarily help in  mitigating a DDoS attack.
> 
> s/Sketch guidelines and recommendations/Give guidelines and
> recommendations/
> 
> s/ Identify cases where anycast is not recommended./ Identify cases
> where anycast is not recommended for DOTS./
> 
> 3. Terminology
> 
> Define PA and PI addresses (I know we define them in Section 1, but
> this may help  the reader).
> 
> 4.2 Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs
> 
> s/is connected to the Internet using one single router is connected
> to the Internet using a single router/
> 
> 4.4 Multi-homed Enterprise with the Same ISP
> 
> Do we need to consider 4.1 in the same light - ISPs here in the UK
> are now offering wired plus backup 4G options to the Residential
> user?  In other words, I think we need to add in to the relevant
> places "Multi-Homed Residential, Single provisioning domain".
> 
> 5.1 Residential CPE
> 
> s/ be established and maintained with each of the DOTS servers
> because/ be established and MUST be maintained with each of the DOTS
> servers because/
> 
> s/ the mitigation scope of these servers is restricted./ the
> mitigation scope of each of these servers is restricted./
> 
> OLD
> 
>   the DOTS client among the DOTS servers available MUST select a
> DOTS
>    server whose network has assigned the IP prefixes from which
> target
> 
> NEW
> 
>   the DOTS client MUST select an available DOTS
>    server whose network has assigned the IP prefixes from which
> target
> 
> s/ domain another domain than the one that owns those addresses/
> domain other than the one that owns those addresses/
> 
> " Nevertheless, if the DDoS attack is
>    received from one single network, then only the DOTS server of
> that
>    network MUST be contacted."
> 
> Does not make sense to me and either needs to be re-written or
> removed.
> 
> 5.2 Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs
> 
> s/ One of more DOTS clients/ One or more DOTS clients/
> 
> s/ some issues arise to steer traffic towards the appropriate DOTS
> server/ some issues may arise in how to steer traffic towards the
> appropriate DOTS server
> 
> 6. Security Considerations
> 
> OLD
> 
>    DOTS client should not leak information specific to a given link
> to
>    DOTS servers not authorized to mitigate attacks received on that
>    link.
> 
> NEW
> 
>    DOTS client SHOULD NOT leak information specific to a given link
> to
>    DOTS servers on different interconnection links that are not
> authorized to mitigate attacks for that given link.
> 
> 
> 
> Regards
> 
> Jon
> 
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email