Re: [Dots] clarification questions from the hackathon

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 01 April 2019 15:27 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793A9120052 for <dots@ietfa.amsl.com>; Mon, 1 Apr 2019 08:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kh594UNupB-J for <dots@ietfa.amsl.com>; Mon, 1 Apr 2019 08:27:07 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 118E312000F for <dots@ietf.org>; Mon, 1 Apr 2019 08:27:03 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1554132144; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=g xjRwiJyIJlFcy1af6RN35mNkvutxbLIUsfSIU99Ea M=; b=dLL68MSFOEelaGF8RnFzLiNTDNL0PYSw4OoZESeZG/I+ SQwqepHyQ7fP7yyHWG0PqW29jtDWOwYtI8V+0qgRr1mvKa4Wy5 2X+tt4ecL3zLFzMpdq7yuiM+zYS5+IRaNv83+dn/NPcgAvzxNQ vCCvJ4/3F2/PGJjDY7nAFaqk/0Q=
Received: from DNVEXAPP1N04.corpzone.internalzone.com (DNVEXAPP1N04.corpzone.internalzone.com [10.44.48.88]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 7776_4d3f_84ac27c6_112a_43c7_977d_7016c505d4e1; Mon, 01 Apr 2019 09:22:24 -0600
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 1 Apr 2019 09:26:48 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 1 Apr 2019 09:26:48 -0600
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 1 Apr 2019 09:26:46 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2773.namprd16.prod.outlook.com (20.178.233.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.20; Mon, 1 Apr 2019 15:26:47 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::959f:8bd7:8c34:238d]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::959f:8bd7:8c34:238d%6]) with mapi id 15.20.1750.021; Mon, 1 Apr 2019 15:26:47 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Jon Shallow <supjps-ietf@jpshallow.com>, kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] clarification questions from the hackathon
Thread-Index: AdTliGx+SHuMyqAwQXGIbxMDIEwnuAAFAkKAALfbG4AABL07wAAAeoKgAAOXWlA=
Date: Mon, 1 Apr 2019 15:26:46 +0000
Message-ID: <BYAPR16MB2790507E1356AA360777DAEDEA550@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <108a01d4e588$72f886b0$58e99410$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302EA4F27E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA50720@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279064CD877BD1FEF041DE88EA550@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA5092C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA5092C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.205.163]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: da4fbd05-aa66-4674-e5ba-08d6b6b67441
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2773;
x-ms-traffictypediagnostic: BYAPR16MB2773:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR16MB277347509044E21A35988A79EA550@BYAPR16MB2773.namprd16.prod.outlook.com>
x-forefront-prvs: 0994F5E0C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(136003)(366004)(376002)(39860400002)(396003)(32952001)(13464003)(189003)(199004)(229853002)(66066001)(86362001)(74316002)(26005)(6306002)(14454004)(9686003)(256004)(55016002)(14444005)(68736007)(72206003)(5024004)(966005)(2501003)(99286004)(7696005)(93886005)(316002)(66574012)(33656002)(6116002)(3846002)(52536014)(25786009)(76176011)(6506007)(80792005)(186003)(97736004)(446003)(476003)(478600001)(11346002)(110136005)(6246003)(81166006)(53546011)(7736002)(561944003)(8676002)(2906002)(486006)(71200400001)(6436002)(71190400001)(102836004)(105586002)(8936002)(305945005)(81156014)(53936002)(106356001)(5660300002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2773; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 5Gw90MoxSz+pM+f7ZdWmGnNAT1kh43ARq8xFgTfq8Nn8SuZj9MNh4Aef5IAZq+Hpe83U0RBStzfjZ5PFdWq+Ee7nLRfukt43O1FfuohO0R42c7KR0as1fno6KbAdepfmJbn4DKZ+psllM5lKM7Ce45tsZ+oDFWGby6BD7RDog7DI3fRb3NFEnw2uqDS6L02TBl/iCLX9N5/cRMBZHizVnvCtbD/Nq7mXkPKsCr68+9BUL/Nlx8AsWiZ5a6nY5dg07cQyxlVjUEIuM7h93q0SYN9alS+24OBDVYn2YtKplsuAZPLEjE2T4+bVnZlzUFKinI5pDWT/RPFDcsQHeULOpocPaoDh/hvQHFc0doKi+ZaCSZBj3DMxy7Tywfr1dq/IZvBIIZTOhsZg0eOj5xHwpIs9olEGYod+/f2xMw1mQRU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: da4fbd05-aa66-4674-e5ba-08d6b6b67441
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2019 15:26:46.8391 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2773
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6515> : inlines <7045> : streams <1817407> : uri <2823856>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/GQBXkQqysTaTEamgPYj0mAUHci8>
Subject: Re: [Dots] clarification questions from the hackathon
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 15:27:10 -0000


> -----Original Message-----
> From: mohamed.boucadair@orange.com
> <mohamed.boucadair@orange.com>
> Sent: Monday, April 1, 2019 7:32 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> Jon Shallow <supjps-ietf@jpshallow.com>; kaname nishizuka
> <kaname@nttv6.jp>; dots@ietf.org
> Subject: RE: [Dots] clarification questions from the hackathon
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> Hi Tiru,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Konda, Tirumaleswar Reddy
> > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Envoyé : lundi 1 avril 2019 15:31
> > À : BOUCADAIR Mohamed TGI/OLN; Jon Shallow; kaname nishizuka;
> > dots@ietf.org Objet : RE: [Dots] clarification questions from the
> > hackathon
> >
> > Update looks good, couple of points to consider:
> >
> > 1> when the mitigation request is successfully applied, the response
> > 1> must
> > include the acl-* attributes conveyed in the request (as per RFC7252
> > 5.9.1.1).
> 
> [Med] I hesitated to add this one. What is the purpose of returning the acl-*
> in the response given that 2.01/2.04 are explicit that the type was
> successfully updated. Receiving a response such as the one in Figure 10 of
> the signal channel is straightforward.

Yup.

> 
> > 2> It looks useful to return the activated ACL statistics, for example
> > 2> If the
> > client activates a rate-limit ACL, the ACL could be applied at the PE
> > router (because the DMS is not capable of handling the attack volume).
> > The rate- limit ACL will rate-limit both legitimate and attack
> > traffic, and the DMS will scrub the rate-limited traffic and drop the
> > attack traffic. The client may want to know the statistics of the
> > traffic dropped because of the rate- limit ACL.
> 
> [Med] This one needs more discussion, IMO. I suggest to leave this one open
> for future revisions.

Sure, please add to github issues for tracking purpose.

-Tiru

> 
> >
> > -Tiru
> >
> > > -----Original Message-----
> > > From: Dots <dots-bounces@ietf.org> On Behalf Of
> > > mohamed.boucadair@orange.com
> > > Sent: Monday, April 1, 2019 4:43 PM
> > > To: Jon Shallow <supjps-ietf@jpshallow.com>; kaname nishizuka
> > > <kaname@nttv6.jp>; dots@ietf.org
> > > Subject: Re: [Dots] clarification questions from the hackathon
> > >
> > > This email originated from outside of the organization. Do not click
> > > links
> > or
> > > open attachments unless you recognize the sender and know the
> > > content is safe.
> > >
> > > Jon, Kaname, all,
> > >
> > > FWIW, a proposal to integrate the interop comments is available at:
> > > https://github.com/boucadair/filter-control/blob/master/wdiff%20draf
> > > t-
> > > nishizuka-dots-signal-control-filtering-05.txt%20draft-nishizuka-dot
> > > s-
> > signal-
> > > control-filtering-06.pdf
> > >
> > > Cheers,
> > > Med
> > >
> > > > > >
> > > > > > > -----Message d'origine-----
> > > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de
> > > > > > > kaname nishizuka Envoyé : jeudi 28 mars 2019 11:38 À :
> > > > > > > dots@ietf.org Objet : [Dots] clarification questions from
> > > > > > > the hackathon
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I'd like to continue discussion of these topics in the ML.
> > > > > > >
> > > > > > > #1: Questions about signal-control-filtering
> > > > > > >   1. Should a mitigation request create a mitigation before
> > > > > > > doing a PUT
> > > > +
> > > > > > > acl-list [{acl-name, activation-type}] against the active
> > > > > > > mitigation,
> > > > or
> > > > > is a
> > > > > > > ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to
> > > > > > > create a new mitigation?
> > > > > >
> > > > > > [Med] Both are currently allowed in the draft. I don't still a
> > > > > > valid
> > > > reason
> > > > > to
> > > > > > restrict this.
> > > > >
> > > > > [Jon] As per draft
> > > > >    A DOTS client MUST NOT use the filtering control over DOTS signal
> > > > >    channel if no attack (mitigation) is active;
> > > > >
> > > >
> > > > [Med] What is meant actually is:
> > > >
> > > >    A DOTS client MUST NOT use the filtering control over DOTS signal
> > > >    channel in 'idle' time;
> > > >
> > > > Will update the text.
> > > >
> > > > > [Jon] then needs to be reworded as there is no active mitigation
> > > > > until the PUT is done...
> > > > > I believe that both cases should be supported.
> > > > > >
> > > > > > >   2. Should the response to a GET (or Observed GET) include
> > > > > > > the
> > > > > > > acl-
> > > > list
> > > > > > > [{acl-name, activation-type}] if the PUT included it?
> > > > > >
> > > > > > [Med] The current spec says "no". That's said, what would be
> > > > > > the value in returning it? Then, why not allowing to return
> > > > > > the references to all ACLs
> > > > > that
> > > > > > are enabled during the mitigation time?
> > > > > >
> > > > > [Jon] When observing the mitigation request, if the
> > > > > activation-type is changed externally, the client will then know about
> the change.
> > > > > Assuming
> > > > the
> > > > > response got back to the client, this is effectively an ACK to
> > > > > the fact
> > > > that
> > > > > the ACL change got through.
> > > >
> > > > [Med] The observe case makes sense, indeed.
> > > >
> > > > >
> > > > > Interesting concept about knowing about all the relevant ACLs as
> > > > > returned over the signal channel.  More work for the server to
> > > > > do in determining
> > > > which
> > > > > ACLs are valid for, say, a specific IP address that is being mitigated.
> > > > Not
> > > > > entirely convinced of the benefit of this as this generally is
> > > > > available
> > > > over
> > > > > the data channel.
> > > > >
> > > >
> > > > [Med] I'm not convinced, either.
> > > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots