Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
<mohamed.boucadair@orange.com> Thu, 06 February 2020 06:47 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7F6C12003E; Wed, 5 Feb 2020 22:47:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDehC-8xwnGA; Wed, 5 Feb 2020 22:47:07 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4B6B120033; Wed, 5 Feb 2020 22:47:06 -0800 (PST)
Received: from opfedar06.francetelecom.fr (unknown [xx.xx.xx.8]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 48CprS5V2FzBrsS; Thu, 6 Feb 2020 07:47:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1580971624; bh=ToQv2X6LCZhqsZRYKme0FnvGPowxmexmHbGjskUk6ao=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=a/plw/W0cHOyH4o4fvaqQaoD+ZigXzgeUFzCZOGfumEwt+xktMAbWjrG7ofWsphqB WPJcspBv+V9hR9JzwS4zDKVBRNXhQWVs8i0DFXsKkxsrcuDEhN7EWPeq5NgnBzCPGB rZ4EBesLTqk5rqwhbIOeCnOtjC/i2FoyaL1PfoqmmKcZ0VqMcxtWuUVqllDlnixA4/ n6j3+SMk5R2qAaFiJZzOXQw3FTMqqi163YXTdZclV7G8sNAmhYSRMCtYYgOoOPq3WJ yUnBv4+GTq4v8cKL2imud8tUjE2xnUW+tVrBQ6GHJREHwh5p6i2uD7d6vloujQUQ3s UhvRsNCC+hxMg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.20]) by opfedar06.francetelecom.fr (ESMTP service) with ESMTP id 48CprS3xpnz3wcm; Thu, 6 Feb 2020 07:47:04 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBMA1.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0468.000; Thu, 6 Feb 2020 07:47:04 +0100
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: Roman Danyliw <rdd@cert.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "draft-ietf-dots-architecture@ietf.org" <draft-ietf-dots-architecture@ietf.org>
Thread-Topic: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
Thread-Index: AQHV3LCzo0iHvHy700Ka0kODdp03iqgNt3BQ
Date: Thu, 06 Feb 2020 06:47:03 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303142F675@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <158096794633.30610.7698585491429934350.idtracker@ietfa.amsl.com>
In-Reply-To: <158096794633.30610.7698585491429934350.idtracker@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/GUq7jYv0sSECbugF_vSMFN6zePA>
Subject: Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 06:47:10 -0000
Hi Ben, Please see one comment inline. Cheers, Med > -----Message d'origine----- > De : Dots [mailto:dots-bounces@ietf.org] De la part de Benjamin Kaduk > via Datatracker > Envoyé : jeudi 6 février 2020 06:46 > À : The IESG > Cc : Roman Danyliw; dots-chairs@ietf.org; valery@smyslov.net; > dots@ietf.org; draft-ietf-dots-architecture@ietf.org > Objet : [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture- > 16: (with COMMENT) > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dots-architecture-16: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dots-architecture/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for this well-written document! It's a great high-level > summary of > DOTS and I just have some fairly minor comments. > > There might be a bit of mismatch between describing the signal channel > session as associated with "an ephemeral security association" in > Section > 3.1 and as "expected to be long-lived" in Section 3.2.4.1. > > Section 2.2.3 > > The DOTS gateway MUST perform full stack DOTS session termination > and > reorigination between its client and server side. The details of > how > this is achieved are implementation specific. The DOTS protocol > does > not include any special features related to DOTS gateways, and > hence > from a DOTS perspective, whenever a DOTS gateway is present, the > DOTS > session simply terminates/originates there. > > Does the 'cdid' count as a "special feature"? [Med] Good catch. I suggest to delete the last sentence of the above excerpt. (we don't specify how the client and server sides are glued but we do have feature to avoid loops when GWs are involved, enforce policies on a per client or domain basis, etc.). > > Section 2.3.1 > > An example is a DOTS gateway at the network client's side, and > another one at the server side. The first gateway can be located > at > a CPE to aggregate requests from multiple DOTS clients enabled in > an > > nit: "CPE" does not appear as "well known" at > https://www.rfc-editor.org/materials/abbrev.expansion.txt and should > be > expanded on first use. > > Section 3.2.3 > > We could mention that the recursing gateway (e.g., Cn in Figure 12) > must > still be authorized to request mitigation for the resources (also) > controlled by client Cc (though perhaps the closing discussion about > there > typically being a SLA among client, recursed, and recursing domain > suffices). > > Section 3.2.4.1 > > DOTS client to initialize a new DOTS session. This challenge might > in part be mitigated by use of resumption via a PSK in TLS 1.3 > [RFC8446] and DTLS 1.3 [I-D.ietf-tls-dtls13] (session resumption in > TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347]), but keying material must > be available to all DOTS servers sharing the anycast Service > Address > in that case. > > "which has operational challenges of its own", perhaps. > > session may involve diverting traffic to a scrubbing center. If > the > DOTS session flaps due to anycast changes as described above, > mitigation may also flap as the DOTS servers sharing the anycast > DOTS > service address toggles mitigation on detecting DOTS session loss, > depending on whether the client has configured mitigation on loss > of > signal. > > I am not sure if we've mentioned configuring mitigation on loss of > signal, > yet. A forward reference to Section 3.3.3 might help. > > Section 3.2.5 > > Network address translators (NATs) are expected to be a common > feature of DOTS deployments. The Middlebox Traversal Guidelines in > [RFC8085] include general NAT considerations for DOTS deployments > when the signal channel is established over UDP. > > nit: the guidelines in 8085 are not specifically about DOTS > deployments, so > probably we should say "that are applicable to" DOTS deployments. > > Section 3.2.5.1 > > request accurate mitigation scopes. To that aim, the DOTS client > can > rely on mechanisms, such as [RFC8512] to retrieve static explicit > mappings. This document does not prescribe the method by which > > nit: no comma. > > Section 3.3.3 > > The impact of mitigating due to loss of signal in either direction > must be considered carefully before enabling it. Signal loss is > not > caused by links congested with attack traffic alone, and as such > mitigation requests triggered by signal channel degradation in > either > > nit: I think this could be parsed as "links are congested by attack > traffic > and other traffic", whereas we intend to say that "attack traffic is > not the > only possible cause of link congestion". Perhaps "Attack traffic > congesting > links is not the only reason why signal could be lost" is more clear. > > Section 5 > > DOTS is at risk from three primary attack vectors: agent > impersonation, traffic injection and signal blocking. These > vectors > > We seem to only partially discuss countermeasures for these attacks in > the > rest of the section; one piece that seems noteworthy in its absence is > the > requirement (already described in the body text) to authenticate the > peer > and perform authorization checks on client requests. Mitigating > against > signal blocking is in general hard, but we could consider mentioning > again > that the automated mitigation on loss of signal discussed in Section > 3.3.3 > is an option, albeit one with risks of its own. > > Section 8.2 > > One could perhaps argue that RFC 4033 and RFC 6887 should be normative > ("[RFC4033] must be used where [...]", "[RFC6887] may be used to > [...]"). > > There's a stronger case that RFC 4786 should be normative, as we use a > BCP > 14 keyword allowing its deployment. > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-ar… Benjamin Kaduk via Datatracker
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… mohamed.boucadair
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Konda, Tirumaleswar Reddy
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Konda, Tirumaleswar Reddy
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Benjamin Kaduk