Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 18 August 2016 10:40 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAA1112D916 for <dots@ietfa.amsl.com>; Thu, 18 Aug 2016 03:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.768
X-Spam-Level:
X-Spam-Status: No, score=-15.768 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z3gNN363nyqo for <dots@ietfa.amsl.com>; Thu, 18 Aug 2016 03:40:45 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5426412D90E for <dots@ietf.org>; Thu, 18 Aug 2016 03:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7922; q=dns/txt; s=iport; t=1471516845; x=1472726445; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=UJ4mMIQMQ744/qKy0u3oD0uOyry6uAVgYmsrWOLzsJQ=; b=VS9wKHcR3eVjOo7NwmGSYyz/yps0/GaEB23inp9eYE2jv1oTXyaYwokg +NJDmNhKEbUvmp1L62f4LzZDaRosAnqvEQuZHtGytNzjAl6J4h8A+GrNs 6L4+Ds8JfiGID8PEA8JiDJbmXA9x2WSdVFLQujgCkEVMoz6N6fo96MVdK U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A/AgDij7VX/51dJa1eg0NWfAe3V4F9JoV3AoFqOBQCAQEBAQEBAV4nhF4BAQUBATg0CQ4EAgEIEQEDAQEBHgkHJwsUAwUBCAIEARIIiCkOvDgBAQEBAQEBAQEBAQEBAQEBAQEBAQEchiqDSoEDhBwBDYVxBY4dhWCFRwGGH4J/hXiBck6EDokChmeFVIN3AR42ghIcgUxuAQGFZgElIH8BAQE
X-IronPort-AV: E=Sophos;i="5.28,539,1464652800"; d="scan'208";a="141830530"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Aug 2016 10:40:40 +0000
Received: from XCH-ALN-016.cisco.com (xch-aln-016.cisco.com [173.36.7.26]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id u7IAeeRv029243 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Aug 2016 10:40:40 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-016.cisco.com (173.36.7.26) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 18 Aug 2016 05:40:39 -0500
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1210.000; Thu, 18 Aug 2016 05:40:39 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
Thread-Index: AQHR11jVVEDsCwAAOkiBthaVHADSf6ALBdQQgBlqbACAGkrkcIAQWR0A//+yUQA=
Date: Thu, 18 Aug 2016 10:40:39 +0000
Message-ID: <ee626821b8bf4f2a8109184d26b985db@XCH-RCD-017.cisco.com>
References: <20160706073427.7900.59549.idtracker@ietfa.amsl.com> <50de5af611944788898536433cc1dfbd@XCH-RCD-017.cisco.com> <e5c1665f-4a5b-dc52-602f-66aab2e310d6@nttv6.jp> <f00f640674e24663ac738f759898bc2e@XCH-RCD-017.cisco.com> <0cc9e275-8cfa-b172-1cae-11b79e7c84fb@nttv6.jp>
In-Reply-To: <0cc9e275-8cfa-b172-1cae-11b79e7c84fb@nttv6.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.56.209]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/JUEhYEl3TXtpetZ3Ly6usE2gis0>
Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 10:40:48 -0000
Hi Kaname, Please see inline > -----Original Message----- > From: kaname nishizuka [mailto:kaname@nttv6.jp] > Sent: Thursday, August 18, 2016 3:32 PM > To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; dots@ietf.org > Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots- > transport-05.txt > > Hi Tiru, > > > On 2016/08/08 15:46, Tirumaleswar Reddy (tireddy) wrote: > > Hi Kaname, > > > > Yes, DOTS data channel should also cover pre-provisioning. As per our > discussion at IETF, will remove DOTS channel from this draft, and create a new > draft and pick specific sections and JSON attributes from draft-nishizuka-dots- > inter-domain-mechanism and include pre-provisioning. > OK, That's great. > > > Please see inline > > > >> -----Original Message----- > >> From: kaname nishizuka [mailto:kaname@nttv6.jp] > >> Sent: Friday, July 22, 2016 12:22 PM > >> To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; dots@ietf.org > >> Subject: Re: [Dots] FW: New Version Notification for > >> draft-reddy-dots- transport-05.txt > >> > >> Hi Tiru, > >> > >> I have a comment on section 6. DOTS Data Channel. > >> > >> * Data channel is for bulk data exchanges > >> * Rough Consensus @ Design Team Meeting: Data channel is for pre- > >> provisioning > > Yup. > > > >> I think we need 2 types of filtering. > >> 1. filtering which limit the scope of mitigation > >> * example > >> - if an organization have other sites from which only > >> legitimate traffic in coming and is afraid of false positive, the > >> sites should be treated as a exception of mitigation with white-list. > > Yes, white-list rules can also be created using the DOTS data channel > discussed in the draft (see traffic-rate attribute defined in DOTS data channel). > > > >> - if a service is working only on port 80, traffic destined to > >> other port can be dropped without any consideration. > > Yes, the above rule can also be provisioned during peacetime using the > DOTS data channel proposed in the draft. > > > >> * this type of filtering may be installed in pre-provisioning > >> phase (on data > >> channel) > >> - can be changed even while it is under attack > > What is the use case for changing these type of filters during the attack ? > One, human make mistakes. > Two, white-list type of filtering rule could need to be more specific in order to > filter out the attack more precisely. Okay, but it may not be possible to setup and exchange bulk-data using DOTS data channel during a DDOS attack. > > > >> Also there should be a limitation on a request > >> * requests from DOTS clients should be limited > > It's an implementation detail, what do you suggest needs to be discussed in > this draft ? > OK, it's an implementation detail. > I just wanted to point out that the DOTS server should not accept all of the > filtering request from the DOTS client without checking the CIDR block of the > DOTS clients' domain. Yes, the mechanism for enforcement is not in the scope of this doc. DOTS servers can use pre-provisioning as part of the configuration for the customer or can also use dynamic mechanisms like RPKI. It's already covered in the architecture doc (https://tools.ietf.org/html/draft-ietf-dots-architecture-00#section-2.2.2). > > >> - request for blocking, rate-limiting, etc.. can be another > >> attack vector if the request is spoofed. > > DOTS client has to authenticate to the DOTS server, how will DOTS requests > be spoofed ? > As described above, the DOTS client can spoof the prefixes of filtering request > (not the DOTS client's address itself) in order to block traffic not to its domain > but to other organization. > > >> - limitation on possible range of target (=IP > >> addresses/prefixes) should be pre-defined per customer basis. > >> - installed in pre-provisioning phase (on data channel) > >> > > Agreed. > > > >> [note]:this filtering is required without regard to protection > >> methods > > I did not get the above line, please clarify. > It was meant to say that "The range of target (=IP addresses/prefixes) in the > requests from DOTS clients should be checked by DOTS server. It is > independent of the protection methods the DOTS server will take." Got it. Cheers, -Tiru > > > >> 2. filtering instruction for mitigation > >> * filtering of traffic is one of protection methods taken by > >> mitigators > > Okay. > > > >> * DOTS client can request filtering of traffic with desired action > >> (blocking, > >> rate-limiting...) > >> * instructed while it is under attack (on signaling channel) > > DOTS signaling channel does not signal filtering rules, it's the job of DOTS > data channel. > > > >> Data model of Filtering Rules described in section 6 (DOTS Data > >> Channel) looks like type 2 of filtering. > > No, Filtering rules can be provisioned either before or during the attack. > > I will update the draft to clarify, currently the draft is only high-lighting the > example of black-list rules provisioned during an attack. > Okay, I'll see that. > > regards, > kaname > > > -Tiru > > > >> So I think it looks like for signaling channel. > >> > >> > >> best regards, > >> kaname nishizuka > >> > >> > >> On 2016/07/06 9:46, Tirumaleswar Reddy (tireddy) wrote: > >>> Added new section > >>> https://tools.ietf.org/html/draft-reddy-dots-transport- > >> 05#section-8 to discuss about mutual authentication of DOTS Agents & > >> authorization of DOTS clients. Comments and suggestions are welcome. > >>> Cheers, > >>> -Tiru > >>> > >>> -----Original Message----- > >>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > >>> Sent: Wednesday, July 06, 2016 1:04 PM > >>> To: Prashanth Patil (praspati); Dan Wing (dwing); Mike Geller > >>> (mgeller); Robert Moskowitz; Mohamed Boucadair; Tirumaleswar Reddy > >>> (tireddy) > >>> Subject: New Version Notification for > >>> draft-reddy-dots-transport-05.txt > >>> > >>> > >>> A new version of I-D, draft-reddy-dots-transport-05.txt has been > >>> successfully submitted by Tirumaleswar Reddy and posted to the IETF > >>> repository. > >>> > >>> Name: draft-reddy-dots-transport > >>> Revision: 05 > >>> Title: Co-operative DDoS Mitigation > >>> Document date: 2016-07-06 > >>> Group: Individual Submission > >>> Pages: 26 > >>> URL: https://www.ietf.org/internet-drafts/draft-reddy-dots- > transport- > >> 05.txt > >>> Status: https://datatracker.ietf.org/doc/draft-reddy-dots-transport/ > >>> Htmlized: https://tools.ietf.org/html/draft-reddy-dots-transport-05 > >>> Diff: https://www.ietf.org/rfcdiff?url2=draft-reddy-dots-transport-05 > >>> > >>> Abstract: > >>> This document specifies a mechanism that a DOTS client can use to > >>> signal that a network is under a Distributed Denial-of-Service (DDoS) > >>> attack to an upstream DOTS server so that appropriate mitigation > >>> actions are undertaken (including, blackhole, drop, rate-limit, or > >>> add to watch list) on the suspect traffic. The document specifies > >>> both DOTS signal and data channels. Happy Eyeballs considerations > >>> for the DOTS signal channel are also elaborated. > >>> > >>> > >>> > >>> > >>> Please note that it may take a couple of minutes from the time of > >>> submission until the htmlized version and diff are available at > tools.ietf.org. > >>> > >>> The IETF Secretariat > >>> > >>> _______________________________________________ > >>> Dots mailing list > >>> Dots@ietf.org > >>> https://www.ietf.org/mailman/listinfo/dots
- Re: [Dots] FW: New Version Notification for draft… Jérôme François
- [Dots] FW: New Version Notification for draft-red… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… kaname nishizuka
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… kaname nishizuka
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)