IETF Logo Mail Archive

Re: [Dots] clarification questions from the hackathon

"Jon Shallow" <supjps-ietf@jpshallow.com> Thu, 28 March 2019 17:58 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA95F1202FB for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 10:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJiY-CdOJNp5 for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 10:58:25 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27F661202FA for <dots@ietf.org>; Thu, 28 Mar 2019 10:58:14 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.91) (envelope-from <jon.shallow@jpshallow.com>) id 1h9ZI2-0007Cv-7x; Thu, 28 Mar 2019 17:58:10 +0000
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: "'Konda, Tirumaleswar Reddy'" <TirumaleswarReddy_Konda@mcafee.com>, mohamed.boucadair@orange.com, kaname nishizuka <kaname@nttv6.jp>, dots@ietf.org
References: <108a01d4e588$72f886b0$58e99410$@jpshallow.com> <BYAPR16MB27904C04BA21625D7635237CEA590@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB27904C04BA21625D7635237CEA590@BYAPR16MB2790.namprd16.prod.outlook.com>
Date: Thu, 28 Mar 2019 17:58:07 -0000
Message-ID: <109501d4e58f$cea682d0$6bf38870$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQHt3r5uLxQCm36T4hpiV9AQ3uXfywKMRTmlpdr88ZA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/JkjOyAi3ANH4MzmNQGzwUeAza9U>
Subject: Re: [Dots] clarification questions from the hackathon
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 17:58:31 -0000

Hi there,

See inline Jon1

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> Tirumaleswar Reddy
> Sent: 28 March 2019 17:39
> To: Jon Shallow; mohamed.boucadair@orange.com; kaname nishizuka;
> dots@ietf.org
> Subject: Re: [Dots] clarification questions from the hackathon
> 
> > > > -----Message d'origine-----
> > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname
> > > > nishizuka Envoyé : jeudi 28 mars 2019 11:38 À : dots@ietf.org Objet
> > > > : [Dots] clarification questions from the hackathon
> > > >
> > > > Hi,
> > > >
> > > > I'd like to continue discussion of these topics in the ML.
> > > >
> > > > #1: Questions about signal-control-filtering
> > > >   1. Should a mitigation request create a mitigation before doing a
> > > > PUT + acl-list [{acl-name, activation-type}] against the active
> > > > mitigation, or is a ‘PUT + acl-list [{acl-name, activation-type}]’
> > > > allowed to create a new mitigation?
> > >
> > > [Med] Both are currently allowed in the draft. I don't still a valid
> > > reason to restrict this.
> >
> > [Jon] As per draft
> >    A DOTS client MUST NOT use the filtering control over DOTS signal
> >    channel if no attack (mitigation) is active;
> >
> > [Jon] then needs to be reworded as there is no active mitigation until the
> > PUT is done...
> > I believe that both cases should be supported.
> 
> Agreed.
> 
> > >
> > > >   2. Should the response to a GET (or Observed GET) include the
> > > > acl-list [{acl-name, activation-type}] if the PUT included it?
> > >
> > > [Med] The current spec says "no". That's said, what would be the value
> > > in returning it? Then, why not allowing to return the references to
> > > all ACLs that are enabled during the mitigation time?
> > >
> > [Jon] When observing the mitigation request, if the activation-type is
> > changed externally, the client will then know about the change. Assuming
> > the response got back to the client, this is effectively an ACK to the fact that
> > the ACL change got through.
> 
> Yup,  the GET response should include the acl-list. We will also have to
> discuss if the observed GET should convey the
> counters for the activated filtering rules using DOTS signal channel.

[Jon1] Interesting one - we already have bytes-dropped etc. as an overall return.  Whilst I like the concept of reporting the ACL acl-counters, with a reasonable number of ACLS, there is a good chance of having to split the response over multiple packets - which is supported (RFC7959 and tested during an Interop), but gets very unreliable when the inbound pipe is running full.  If the pipe is not running full, then this information can be obtained over the data channel.

~Jon1
> 
> >
> > Interesting concept about knowing about all the relevant ACLs as returned
> > over the signal channel.  More work for the server to do in determining
> > which ACLs are valid for, say, a specific IP address that is being mitigated.
> > Not entirely convinced of the benefit of this as this generally is available
> > over the data channel.
> >
> > > >   3. Does the response to the PUT (the echoed back response payload
> > > > of the PUT representation
> > > > https://tools.ietf.org/html/rfc7252#section-5.9.1.1 ) include the acl-list (if
> > defined) or not?
> > >
> > > [Med] It doesn't as we don't change the behavior of the base spec.
> > >
> > [Jon] By base spec I assume you mean the signal draft.  However the answer
> > has to be "yes - it is included" if following RFC7252 5.9.1.1 and "The payload
> > returned with the response, if any, is a representation of the action result".
> >
> > Again, it is letting the client know that the PUT actually did get through
> > (assuming the response gets through) prior to doing any GETs.
> 
> Yup, the PUT response should include the acl-list.
> 
> > ~jon
> >
> > > >   4. Is the activation change to the ACL a permanent change to the
> > > > ACL (so a GET on the data channel returns the new type)?
> > >
> > > [Med] Yes. The draft will be updated to make this clearer.
> > >
> > > >   5. Does the activation change to the ACL count as an ACL refresh
> > > > (pending- lifetime update)?
> > >
> > > [Med] Yes. Some text will be added to clarify the refresh point.
> > > That's said, as discussed in the data-channel, the dots client may
> > > need to send a GET after an attack for sync purposes.
> 
> If the pending-lifetime expires when the mitigation is active, the DOTS server
> must not delete the aliases and filtering entries.
> We may want to update DOTS data channel to clarify the above point.
> 
> Cheers,
> -Tiru
> 
> > >
> > > >   6. Is CBOR activation –type comprehension-required or
> > > > comprehension- optional?
> > > >
> > >
> > > [Med] This is a comprehension-required attribute (already discussed in
> > > the draft).
> > >
> > > > Regarding with the 1st point, we got feedbacks from Med and Tiru
> > > > that both should be allowed.
> > > > If ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to create
> > > > a new mitigation, it should be treated as this is a request in "attack-
> time".
> > >
> > > [Med] I confirm.
> > >
> > > >
> > > > (#2: Data Channel Implicit protocol number was addressed clearly by
> > > > Med's
> > > > comment.)
> > > >
> > > > #3: (D)TLS session lifetime
> > > >  From the view point of DOTS server, when to expire the old (D)TLS
> > > > session
> > > is
> > > > implementation specific though, I'd like to hear from experts about
> > > > preferable setting (timer or something else...?)
> > > >
> > >
> > > [Med] For me, this is implementation-specific.
> > >
> > > > thanks,
> > >
> > > [Med] Many thanks for sharing the feedback from the hackathon. Much
> > > appreciated.
> > >
> > > > Kaname
> > > >
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email