Re: [Dots] Telemetry draft: Vendor Specific data reduction
Jon Shallow <supjps-ietf@jpshallow.com> Wed, 29 April 2020 09:10 UTC
Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A5F93A09F0 for <dots@ietfa.amsl.com>; Wed, 29 Apr 2020 02:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIdI0rVoJ-GW for <dots@ietfa.amsl.com>; Wed, 29 Apr 2020 02:10:54 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D1113A09EA for <dots@ietf.org>; Wed, 29 Apr 2020 02:10:53 -0700 (PDT)
Received: from mail2.jpshallow.com ([192.168.0.3] helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.92.3) (envelope-from <jon.shallow@jpshallow.com>) id 1jTijw-0005qr-07; Wed, 29 Apr 2020 10:10:48 +0100
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: mohamed.boucadair@orange.com, dots@ietf.org
References: <020a01d61954$64b50320$2e1f0960$@jpshallow.com> <00a301d61d37$219f1990$64dd4cb0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B9330314A0CED@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <017201d61d6f$e40b75e0$ac2261a0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B9330314A10FF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <01d301d61d92$94c9c450$be5d4cf0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B9330314A1A69@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330314A1A69@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Wed, 29 Apr 2020 10:10:55 +0100
Message-ID: <02e901d61e06$169244d0$43b6ce70$@jpshallow.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_02EA_01D61E0E.7859BA10"
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQHtT51ggH6aH9X9eXlnZao+3cestAGwV+RpAmslRWUBi4S2MAK1mQgLAgiedYICVX/EVKf7lEZA
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Gf2j6Utx3TSEwRRhLSZRChpgIcU>
Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 09:10:58 -0000
Hi Med, Please see inline Jon> Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com Sent: 29 April 2020 09:53 To: Jon Shallow; dots@ietf.org Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction Hi Jon, Please see inline. Cheers, Med De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] Envoyé : mardi 28 avril 2020 21:24 À : BOUCADAIR Mohamed TGI/OLN; dots@ietf.org Objet : RE: [Dots] Telemetry draft: Vendor Specific data reduction Hi Med, I was not thinking of dropping attack-name. I was more thinking of uploading / downloading as appropriate the entire list of id->attack-id<->attack-name. The attack-id<->attack-name list will evolve over time so there will need to be a mechanism of doing updates, or signalling that there are new attack-id in use. [Med] I understood that. I was commenting on the implication on the module. Jon> Sure Putting aside defining attack-id as an integer, I thought your proposal would be as follows (with removing attack-name from the attack-detail). +--:(vendor-mapping) {dots-telemetry}? | +--rw attack-detail* [attack-id] | +--rw vendor-id? uint32 | +--rw attack-id string | +--rw attack-name string +--:(telemetry) {dots-telemetry}? +--rw pre-or-ongoing-mitigation* [cuid tmid] +--rw attack-detail* [attack-id] +--rw vendor-id? uint32 +--rw attack-id string +--rw attack-severity? attack-severity +--rw start-time? uint64 +--rw end-time? uint64 I was suggesting to leave the name under attack-detail but use it only when an attack-id/name mapping is not already shared with the peer. The structure would be as follows: +--:(vendor-mapping) {dots-telemetry}? | +--rw attack-detail* [attack-id] | +--rw vendor-id? uint32 | +--rw attack-id uint32 | +--rw attack-name string +--:(telemetry) {dots-telemetry}? +--rw pre-or-ongoing-mitigation* [cuid tmid] +--rw attack-detail* [attack-id] +--rw vendor-id? uint32 +--rw attack-id uint32 Jon> I see this is now an integer +--rw attack-name? string +--rw attack-severity? attack-severity +--rw start-time? uint64 +--rw end-time? uint64 Please note that the examples we have in the draft do not include attack-name to insist that this is an optional attribute, e.g., Jon> Agreed however an-id needs to be made more human readable at some point. == "attack-detail": [ { "attack-id": "an-id", "start-time": "1957811234", "attack-severity": "emergency" } ] == However, the first time that an attack-id is used, the attack-name can also be included. [Med] Thats better. My suggestion goes a little bit further: the name will be used till the mapping table is updated. Jon> I am beginning to think that vendor-id should be a key as well as attack-id, as attack-id could be the same across multiple vendors but mean different things. Two immediate issues that come to mind are What happens if the telemetry information packet that contains the attack-name gets lost in transit [Med] We dont have this issue with the proposal above. Jon> Agreed until attack mapping has been refreshed which has the potential to fail when not in peace time. Jon> Does the mapping refresh want to be done over the data channel as it could be quite large? If a major attack kicks off with many vectors, all of the attack-ids for the first time, there will be a lot of traffic [Med] Removing attack-name does not eliminate this risk. The discussion we had about block2/4 or managing this at the DOTS layer applies here. Jon> Agreed. However if the attack mapping is in place, there will be a lot less data which would potentially ease the issue. ~Jon Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com Sent: 28 April 2020 16:57 To: Jon Shallow; dots@ietf.org Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction Re-, If attack-name is completely removed for the attack-details, this means the remote peer cant make use of the information till the list is refreshed. Isnt better to maintain the attribute as in the current design but an agent uses this attribute only for new attacks? Cheers, Med De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] Envoyé : mardi 28 avril 2020 17:16 À : BOUCADAIR Mohamed TGI/OLN; dots@ietf.org Objet : RE: [Dots] Telemetry draft: Vendor Specific data reduction Hi Med, To give an example for attack-id and attack-name the DDOS Mitigator that I work with has several components that identify the same attack Index: 3016 Short-Name: tcpattack_synflood Descriptive-Name: TCP Attack - Syn Flood" And in the code I was using the index for attack-id and the Descriptive-Name for the attack-name for the recent telemetry Interop with Kaname. With a multi-vector attack, the descriptive name information was a substantive part of the telemetry information being passed back to the client. Similarly, if the DDoS Mitigator was to act as a client to an upstream DOTS server (which in my case it can), then again there is a lot of information being relayed that could be reduced with a mapping between attack-id and attack-name for a specific vendor id being uploaded ahead of time and can be refreshed if new attacks are discovered and mitigated. Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com Sent: 28 April 2020 12:00 To: Jon Shallow; dots@ietf.org Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction Hi Jon, Apologies for the delay to follow on this one. attack-name is more about a description than a name. This field may also be used to map attack details from distinct vendors because there is no a global registry (and we dont want to create one). Having the ability to retrieve a list prior to an attack is interesting to consider but the (optional) attribute may still be needed to be included for new attack types. Note that the name attribute is also used by a DOTS client to send telemetry to a DOTS server. Attack-id is defined as a string because we inspired from existing event notification formats. Some of these formats allow for an even ID to be integer or string. Cheers, Med De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow Envoyé : mardi 28 avril 2020 10:29 À : dots@ietf.org Objet : Re: [Dots] Telemetry draft: Vendor Specific data reduction Hi All, Any thoughts on this data reduction? While it is possible for a Vendor to come up with their own augmented YANG to cover their vendor specifics, it gets problematic when 2 or more Vendor specifics need to be understood by a client or a server. Having a /vendor-mapping operation path means that vendor mapping of attack-id and attack-name can easily be exchanged. If attack-id is an integer instead of a string, then attack-id could become a Vendor specific set of enums (they do not need to start from 1) based on id. Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Jon Shallow Sent: 23 April 2020 10:49 To: dots@ietf.org Subject: [Dots] Telemetry draft: Vendor Specific data reduction Hi All, When passing telemetry attack information back and forth, there are some ways that we need to consider on data reduction, thus reducing the likelihood of having to do Block transfers. My understanding is that there is a one-to-one relationship between attack-id and attack-name. My first suggestion is that the client is able to upload to a server, and the server can download on request, a vendors mapping of attack-id to attack-name for the specific vendor id. Then, whenever there is telemetry information id + attack-id need to be provided, but much space can be saved by not having to also include attack-name. Second suggestion is that attack-id is an integer instead of a string to again save on space in the telemetry data. Regards Jon
- [Dots] Telemetry draft: Vendor Specific data redu… Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair
- Re: [Dots] Telemetry draft: Vendor Specific data … Jon Shallow
- Re: [Dots] Telemetry draft: Vendor Specific data … mohamed.boucadair