Re: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Artyom Gavrichenkov <ximaera@gmail.com> Mon, 07 August 2017 02:04 UTC

In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com>
From: Artyom Gavrichenkov <ximaera@gmail.com>
Date: Mon, 07 Aug 2017 05:03:59 +0300
Message-ID: <CALZ3u+aR8a_JUo=SD4ejgRY9jx7L_cKDh-vR7FakVpVxCBCtpw@mail.gmail.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>
Cc: "Dots@ietf.org" <Dots@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/JUnrsp8HC7eIdp4Eri9lw4hzBPY>
Subject: Re: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi there,

The current DOTS requirements draft goes to great lengths to protect a
DOTS connection from a passive attacker capturing packets on the way
from a client to a server and back (SEC-001, SEC-002, SEC-003,
DATA-002). One can come up with a handful of use cases where it's
important. Enabling a DOTS server to skip the certificate auth in
favour of the simple IP auth obviously violates this requirement.
Moreover, given recent ongoing research attempts on spoofing TCP
connections with either PRNG prediction or simple brute force ([1],
[2]) -- and yes, it's still rather easy to protect a network service
from such attacks, but it's currently not required from a DOTS server
to implement such protection -- I'd further say the IP auth sans
decent encryption is not suitable for a network service like that.

But of course that may be only me.

[1] http://lgms.nl/blog-7
[2] https://security.stackexchange.com/questions/107036/didnt-understood-what-the-purpose-of-the-newly-discovered-tcp-faking-attack

| Artyom Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58
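
The trade-off discussed above, as an added illustration (not code from this thread or from any DOTS implementation; the ConnectionInfo and AuthPolicy names, the policy shapes and the RFC 5737 documentation addresses are all constructed for the example): a small Python model of a DOTS server's client-admission decision with the two options side by side. Under the IP-only policy a connection that merely carries an allowlisted source address is accepted with no proof of identity behind it, which is exactly what the passive-attacker requirements and the TCP-spoofing concern are about. Under the certificate-required policy the same address list still exists, but only to narrow where a proven identity may connect from, so it adds a check rather than replacing one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed model of what a DOTS server knows about an incoming
# connection once the transport is up. The field and policy names are
# assumptions made for this example; they are not DOTS protocol fields.
@dataclass(frozen=True)
class ConnectionInfo:
    src_ip: str                  # source address as observed by the server
    peer_cert_ok: bool           # client certificate verified against the trust store
    peer_cert_id: Optional[str]  # identity read from the verified certificate, if any

@dataclass(frozen=True)
class AuthPolicy:
    require_client_cert: bool
    # certificate identity -> source prefixes it may connect from ("*" = anywhere)
    allowed_clients: Dict[str, List[str]]
    # prefixes accepted with no certificate at all: the "IP whitelist" option
    ip_only_allowlist: List[str]

def _in_any(addr, prefixes: List[str]) -> bool:
    return "*" in prefixes or any(addr in ip_network(p) for p in prefixes)

def client_allowed(conn: ConnectionInfo, policy: AuthPolicy) -> Tuple[bool, str]:
    """Decide whether the server should accept this client; returns (accepted, reason)."""
    addr = ip_address(conn.src_ip)
    # Strong path: a verified certificate proves who the client is; the
    # address list then only narrows where that identity may come from.
    if conn.peer_cert_ok and conn.peer_cert_id in policy.allowed_clients:
        if _in_any(addr, policy.allowed_clients[conn.peer_cert_id]):
            return True, f"certificate {conn.peer_cert_id} accepted from {conn.src_ip}"
        return False, f"certificate {conn.peer_cert_id} not expected from {conn.src_ip}"
    if policy.require_client_cert:
        return False, "no verified client certificate"
    # Weak path: accept on source address alone. Nothing here proves the
    # address is genuine, which is the objection raised in the thread.
    if _in_any(addr, policy.ip_only_allowlist):
        return True, f"accepted on source address alone ({conn.src_ip})"
    return False, "source address not allowlisted"

# Two policies for the same customer network (RFC 5737 documentation prefix).
CERT_REQUIRED = AuthPolicy(True, {"dots-client-1": ["198.51.100.0/24"]}, [])
IP_ONLY = AuthPolicy(False, {}, ["198.51.100.0/24"])

# Constructed connections as the server would see them.
LEGIT = ConnectionInfo("198.51.100.7", True, "dots-client-1")
# Same allowlisted address, but no proof of identity behind it: this is what a
# connection with a forged or hijacked source address looks like to the server.
UNPROVEN = ConnectionInfo("198.51.100.7", False, None)
# Right certificate, but from outside the prefix the operator expects.
OFF_PREFIX = ConnectionInfo("203.0.113.5", True, "dots-client-1")

def compare() -> Dict[str, Dict[str, bool]]:
    """Accept/reject matrix for both policies over the sample connections."""
    conns = {"legit": LEGIT, "unproven": UNPROVEN, "off_prefix": OFF_PREFIX}
    return {
        "ip_only": {n: client_allowed(c, IP_ONLY)[0] for n, c in conns.items()},
        "cert_required": {n: client_allowed(c, CERT_REQUIRED)[0] for n, c in conns.items()},
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Running it shows the difference in one table: the IP-only policy admits both the legitimate client and the unproven connection from the same address, while the certificate-required policy admits only the client that proved its identity, and additionally rejects a genuine certificate arriving from an unexpected prefix. That second rejection is the legitimate role for a source-address list in a DOTS server: a defence-in-depth restriction layered on top of the certificate check, not a substitute for it.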


On Mon, Aug 7, 2017 at 3:52 AM, Xialiang (Frank)
<frank.xialiang@huawei.com> wrote:
> Hi,
>
> I think the direct use of IP whitelist on the DOTS server to authenticate
> and authorize the DOTS client is a simple and effective method, at least in
> some special use cases, like: DOTS client does not support certificate, an
> ISP which detects the spoofed source address, etc.
>
> So, should we support this as an optional way for the DOTS client’s AA and
> add it into the DOTS protocol drafts?
>
> B.R.
>
> Frank