Re: [Dots] Comments on dots-signal-control-filtering-01
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 21 January 2019 07:37 UTC
Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61E25130F7C for <dots@ietfa.amsl.com>; Sun, 20 Jan 2019 23:37:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.854
X-Spam-Level:
X-Spam-Status: No, score=-8.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEm1ZSTiRM5R for <dots@ietfa.amsl.com>; Sun, 20 Jan 2019 23:37:55 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F29D130F7B for <dots@ietf.org>; Sun, 20 Jan 2019 23:37:55 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1548056253; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=sAOgFt5yIdNNBsv/lUSzhGHcY4cvH2jlY5dXbB u+s3s=; b=JYzxqMAxSJwZQi4vCat2lkykG8uOzDm5sMoNnWlE A2KmeuqYRDi3QbmDSCdz2EaCQ40QAlikb9gYNES90WhKwjRv0D au8xhdzkKwFa8s5LBmvKbgUCRUEQedLtL1WqQXOSXA6bKCkD8W rk2DoKRxS/7uvmfFfbmM7j7dDHAH6hs=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (DNVEXAPP1N05.corpzone.internalzone.com [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6494_200f_b3f10833_bbd4_47ed_bf62_6b8b92b94d90; Mon, 21 Jan 2019 00:37:32 -0700
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 21 Jan 2019 00:37:42 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 21 Jan 2019 00:37:42 -0700
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 21 Jan 2019 00:37:41 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2485.namprd16.prod.outlook.com (20.177.224.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.28; Mon, 21 Jan 2019 07:37:39 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.031; Mon, 21 Jan 2019 07:37:39 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Takahiko Nagata <nagata@lepidum.co.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Comments on dots-signal-control-filtering-01
Thread-Index: AQHUrjQ7qebvBkLi4EG6xztFHqgLVaW0nHgAgAAAoHCAAAQ70IAAA/zAgAAJc2CAAEc+cIAAKT7ggAQpdbA=
Date: Mon, 21 Jan 2019 07:37:39 +0000
Message-ID: <BYAPR16MB279042AEE937ED383E7CC3C2EA9F0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <e508fc49-fe2f-8160-8f0b-cba1868be738@lepidum.co.jp> <787AE7BB302AE849A7480A190F8B93302EA09E84@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED34736AB959C030CD94EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09EC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790AB6791398A387B1B1280EA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA09FB4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27900D89516C1322CBD734BEEA9C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA0A586@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA0A586@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2485; 6:k7PL2dw1PqVP1BrY9kzZ3C3VtMI9q3/FoboSciEY+BuqMgXhX2JS7W709Jz1aDGQvECCn2PUlP/nlVQ5cJFcwKzoMArm01oMkIPwEICFO2aWyI7TK/WYuDboyq073rACNMZJQZ69mzu3BxGUM9z/51c/SyMdMZ8EA6mLzMOQYqCVIbapz0N4/7+/wwVfhNUXfrheSwW+Zy5V4MLmh3TyjaFmMTKNnkusBEMCvJ+JsI8OzTluelA3IT9apb8Q1qOYAG2r6q2L5DPDAtaFtdprYnE4/N8YNNmJxF0iPXlvHHoL/vEXbKRucxikNshP9/ZXxh+8UxGlJVEJHXp2uGDMmkjChGl+sfuunmwO7C8FlhntGrFuEE6uHW4Ml5kB4FjqIoMzTtGLI/uqTPn0cIzt4Yn0pNtoSbSHUNBOVxX/a1elM8SnYaB1gA5Rno+pOm0ZtUxmTF3hzBAAgK7JwwVO4Q==; 5:obCZPonj9noityTaGyCntkgVipi1Ukain7G5lXsWZO0MjYvE31dXVHVXQMJke6RPjY+JC1bVuTuakKGWrCK5WcIRratYTDXYmlK5I/oUgsCOKvX2/xYxAzkUpTks00FocJy/vDyRXHLNcA794NHMA9oRYrneWR6JcrYfF2KF9hl42ZHIm8FD0TGtJ0hblm2cpdO6LogWMUZ9fTvvvQXUcw==; 7:M9ifHyKr1WViZLAm8bKvA0Jtz8JpZObvCcFi4jwBbkvu2TykHn3D8FCJuvukey41MTHcbBsaHlJPx8U2meDD78WFgjldKBUeW1spCwKYqbUKpHD4IESjhiyXlrLoE2vZmWfKQPTOruxWUuTnW9napA==
x-ms-office365-filtering-correlation-id: 6fd507c9-5ae8-4022-dbc4-08d67f735220
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2485;
x-ms-traffictypediagnostic: BYAPR16MB2485:
x-microsoft-antispam-prvs: <BYAPR16MB2485A95FFCA888F75BA9BAAAEA9F0@BYAPR16MB2485.namprd16.prod.outlook.com>
x-forefront-prvs: 0924C6A0D5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(396003)(376002)(366004)(346002)(136003)(199004)(189003)(13464003)(55784004)(32952001)(256004)(14444005)(5024004)(26005)(86362001)(72206003)(8676002)(81156014)(229853002)(74316002)(25786009)(9686003)(6306002)(66066001)(966005)(486006)(53936002)(2906002)(11346002)(476003)(93886005)(478600001)(186003)(14454004)(446003)(76176011)(7696005)(6116002)(316002)(110136005)(80792005)(68736007)(71200400001)(3846002)(99286004)(7736002)(33656002)(6246003)(71190400001)(6506007)(8936002)(53546011)(102836004)(97736004)(81166006)(106356001)(55016002)(305945005)(6436002)(105586002)(2501003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2485; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: vlhpNITjHXgbDzrZMS06eptM1olzTMfvHtin/Ubv5Z9xXRaykBrlowyArkbQUxTEt4Aaw9HK4A8l0vxCB+z9Y6KGFe1ncnH4fbJQxpLfLLC5RibkmZaBu/uLOf+cUdJtoni/Eq+0WnK8yMlZ43otMkyv9Zji9ubYS2eByqGe1zkTG4vM1lZdS1AW3R4RJKTe6rXIRFFg7wtgw1w/LAwXCgBxbtqtW2hL+qaeWP1eHuKBtjh3idQX7R5ULFfqHMQn3zmnVUTUelg2Uyz/b7jJYCZt1q2XT7oBJESs4sJ9zaiA98ogNKouP2aUJCwQp58nAStRiXs8iIZSOo1ZSbPnLtn5fcdMYV9fkQwtZEaukGmmY673beQ6myyU3mJcgblvGySZ/MIL3cxcrilj/F3YJ67XwhTy9LpA2ovZjumeMhE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6fd507c9-5ae8-4022-dbc4-08d67f735220
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2019 07:37:39.4144 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2485
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.5
X-NAI-Spam-Version: 2.3.0.9418 : core <6464> : inlines <6998> : streams <1810703> : uri <2783225>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/L0WHte1nufNdGw4kVyeUHEExiOM>
Subject: Re: [Dots] Comments on dots-signal-control-filtering-01
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jan 2019 07:37:57 -0000
Hi Med, Please see inline > -----Original Message----- > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> > Sent: Friday, January 18, 2019 8:36 PM > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; > Takahiko Nagata <nagata@lepidum.co.jp>; dots@ietf.org > Subject: RE: [Dots] Comments on dots-signal-control-filtering-01 > > This email originated from outside of the organization. Do not click links or > open attachments unless you recognize the sender and know the content is safe. > > Re-, > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Konda, Tirumaleswar Reddy > > [mailto:TirumaleswarReddy_Konda@McAfee.com] > > Envoyé : vendredi 18 janvier 2019 14:54 À : BOUCADAIR Mohamed TGI/OLN; > > Takahiko Nagata; dots@ietf.org Objet : RE: [Dots] Comments on > > dots-signal-control-filtering-01 > > > > Hi Med, > > > > Please see inline > > > > > > > > > > > > > > A Mitigation request with "trigger-mitigation" set to false > > > > > > must only be sent in the peace time and not during the attack time. > > > > > > During the peace time, I don't see the need to > > > > > > activate/de-activate ACLs using DOTS signal channel protocol. > > > > > > > > > > [Med] The point is that the control functionality will be there. > > > > > It is up > > > > to the > > > > > client to decide to use: > > > > > > > > > > * its data channel to alter the acl and then wait for a signal > > > > > channel > > > > notification. > > > > > These notifications may not be set by the client. > > > > > * its signal channel to alter the acl. > > > > > > > > > > With that approach we don't overload the server with extra > > > > > validation on trigger-mitigation to decide about the behavior to > > follow. > > > > > > > > This draft is introduced to alter the ACL using DOTS signal > > > > channel only during mitigation time because data channel does not > > > > work during attack time, and ACL alteration using DOTS signal > > > > channel should not be allowed during peace time. > > > > If allowed, the client can use both the DOTS data and signal > > > > channels to alter the ACL during peace time and can create > > > > inconsistent > > configuration. > > > > > > [Med] If there is a risk of inconsistent configuration, it won't be > > specific to this > > > case but a generic one. > > > > It's not a generic scenario, the inconsistent configuration is be > > because two protocols are allowed to alter the ACL at the same time. > > [Med] But this is what we are doing in dots-signal-control-filtering. It is true > that when an attack is ongoing, the client will use the signal channel to control > the ACL, still the object is controllable either by signal or data channels. > > > > > > > > > > Why use two protocols to do the same job ? > > > > > > [Med] Because: > > > * the functionality is there and its use will be for free. > > > * the server checks are simplified. No need to do extra checks based > > > on "trigger-mitigation" > > > * the client may not subscribe to notification. Please note that we > > > don't > > have a > > > MUST, but a SHOULD. > > > > Without the notification from the server, How will the client know the > > ACL needs to be altered ? > > [Med] this is covered by this part in the draft: > > If not, the > polling mechanism in Section 4.4.2.2 of > [I-D.ietf-dots-signal-channel] has to be followed by the DOTS client. > > > > If the client detects the white-listed traffic is attacking the target > > by itself, it can use DOTS data channel protocol to alter the ACL. > > [Med] Yes. That would be straightforward, but the client needs to get an update > (either by notification or by polling the server). > > > https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filter > > ing- > > 01#section-1.1 only discusses the scenario where it is useful to alter > > the ACL using signal channel during attack time, Please provide an > > attack scenario where allowing this alternation using signal channel > > is useful during peace time. > > [Med] You seem to miss my point, Tiru. What I'm saying is that there isn't a > significant benefit in asking the server to enforce validation checks based on > the trigger-mitigation. If the server is able to get control when an attack is > ongoing, it will be able to do so when for pre-configured requests, too. You seem to missing the significant benefit, consider a scenario where the DOTS client uses different DOTS servers in the same domain for signal and data channel protocols. These servers could be in different zones, and policy synchronization will not be instantaneous, and will take some time. If the DOTS client uses the same server to alter the ACL during peace time, policy inconsistencies will not arise at all, and the DOTS server system only needs to share the state during attack time and reduces the operational concerns, and the delay incurred to respond to the client. Cheers, -Tiru > > We may provide a guidance for the client to recommend dc for pre-configured > requests, but we should not discard control message when they show up > (either). > > > > > Cheers > > -Tiru
- Re: [Dots] Comments on dots-signal-control-filter… mohamed.boucadair
- [Dots] Comments on dots-signal-control-filtering-… Takahiko Nagata
- Re: [Dots] Comments on dots-signal-control-filter… mohamed.boucadair
- Re: [Dots] Comments on dots-signal-control-filter… Konda, Tirumaleswar Reddy
- Re: [Dots] Comments on dots-signal-control-filter… Konda, Tirumaleswar Reddy
- Re: [Dots] Comments on dots-signal-control-filter… mohamed.boucadair
- Re: [Dots] Comments on dots-signal-control-filter… Konda, Tirumaleswar Reddy
- Re: [Dots] Comments on dots-signal-control-filter… mohamed.boucadair
- Re: [Dots] Comments on dots-signal-control-filter… Konda, Tirumaleswar Reddy