Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

"Zhenghui (Marvin)" <marvin.zhenghui@huawei.com> Fri, 17 March 2017 01:51 UTC


Hi Roland,

Telemetry performance is definitely a concern. We've actually implemented a prototype and hooked it to a domestic ISP's network in China.  I haven't received the performance report from them yet. So, no detailed information to share with you at the moment.

Again, I understand your concern about the scope thing. We will handle it with discretion. 

Best Regards,
Zhenghui (Marvin)


-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Roland Dobbins
Sent: Thursday, March 16, 2017 7:38 PM
To: dots@ietf.org
Subject: Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

On 16 Mar 2017, at 18:01, Dave Dolson wrote:

> Clearly these are intended to be collected by stateful devices that do 
> see both directions of traffic, not generic routers.

From draft-fu-dots-ipfix-extension:

'For a network device, such as a router, to detect anomaly TCP traffics, it has to understand the semantics of TCP operations, more specifically, it has to be able to track TCP connection states.  If a router has implemented such ability, it can export characteristics information regarding the TCP connections.'

It's pretty clear that the draft authors were in fact explicitly talking about generic routers, which is the source of some (but not all) previously-expressed objections.

There are also multiple incorrect statements and implied statements in the draft, which indicate a lack of awareness of the current state of the art in attack detection/classification utilizing existing telemetry capabilities.  Furthermore, the amount of state required to try and track the things highlighted in the draft is way more than even a stateful middlebox could handle for even a relatively small amount of traffic.

It's a lot more efficient to export the relevant telemetry to a collection/analysis system (which could in fact be an on-board power-sucking-alien general-purpose computer) and do this sort of thing there.  Trying to do these calculations and maintain this state in the data-plane is a non-starter at any kind of speed/scale.

Again, all this is out of scope for DOTS.  It would be more appropriate to talk to the appropriate AD and/or submit these to the registry for review, as Roman indicated.  It would be even more appropriate to implement them and see how well they actually work in practice before doing either.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots