Re: [Dots] AD review of draft-ietf-dots-data-channel-25

<mohamed.boucadair@orange.com> Wed, 27 February 2019 15:42 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24567130FF9; Wed, 27 Feb 2019 07:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKGsTt86jw1D; Wed, 27 Feb 2019 07:42:46 -0800 (PST)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09DA7128CE4; Wed, 27 Feb 2019 07:42:46 -0800 (PST)
Received: from opfednr06.francetelecom.fr (unknown [xx.xx.xx.70]) by opfednr23.francetelecom.fr (ESMTP service) with ESMTP id 448g1J4B5Mz5w6c; Wed, 27 Feb 2019 16:42:44 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.73]) by opfednr06.francetelecom.fr (ESMTP service) with ESMTP id 448g1J3Rq8zDq7V; Wed, 27 Feb 2019 16:42:44 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM23.corporate.adroot.infra.ftgroup ([fe80::9108:27dc:3496:8db3%21]) with mapi id 14.03.0435.000; Wed, 27 Feb 2019 16:42:44 +0100
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-data-channel-25
Thread-Index: AQHUzqsCb7c2dDIvj0uWD4RT8wY9CqXzx9/g
Date: Wed, 27 Feb 2019 15:42:43 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA261BD@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <20190213164622.GX56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1F03D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190214191707.GM56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1FCF6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190227041011.GG53396@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA25FC4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190227144456.GJ53396@kduck.mit.edu>
In-Reply-To: <20190227144456.GJ53396@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/LxthTl9PrfhgIaQehheS8vFPdZI>
Subject: Re: [Dots] AD review of draft-ietf-dots-data-channel-25
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:42:48 -0000

Re-,

I agree. 

Let's add your proposed text to the architecture I-D. 

Cheers,
Med

> -----Message d'origine-----
> De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> Envoyé : mercredi 27 février 2019 15:45
> À : BOUCADAIR Mohamed TGI/OLN
> Cc : draft-ietf-dots-data-channel@ietf.org; dots@ietf.org
> Objet : Re: AD review of draft-ietf-dots-data-channel-25
> 
> On Wed, Feb 27, 2019 at 10:25:36AM +0000, mohamed.boucadair@orange.com wrote:
> > Hi Ben,
> >
> > > >
> > > > [Med] Let's add that text into the architecture I-D.
> > >
> > > Okay.  Tiru had a follow-up about how servers can identify DOTS client's
> > > domains, which is okay but not quite what I was aiming for.  In the text
> > > Tiru quoted, we note that
> > >
> > >    The DOTS server enforces authorization of DOTS clients' signals for
> > >    mitigation.  The mechanism of enforcement is not in scope for this
> > >    document, but is expected to restrict requested mitigation scope to
> > >    addresses, prefixes, and/or services owned by the DOTS client's
> > >    administrative domain, such that a DOTS client from one domain is not
> > >    able to influence the network path to another domain.
> > >
> > > I was hoping to see something like "For a given client (administrative)
> > > domain, the DOTS server needs to be able to determine whether a given
> > > resource is in that domain.  This could take the form of associating a
> set
> > > of IP Prefixes per domain, for example."  But I'm open to being persuaded
> > > that the existing text conveys the same meaning.
> > >
> >
> > [Med] Your proposed wording can be added to the architecture I-D, IMHO.
> >
> > FWIW, we do have this text in the protocol spec:
> >
> >    DOTS servers MUST verify that requesting DOTS clients are entitled to
> >    enforce filtering rules on a given IP prefix.  That is, only
> >    filtering rules on IP resources that belong to the DOTS client's
> >    domain can be authorized by a DOTS server.  The exact mechanism for
> >    the DOTS servers to validate that the target prefixes are within the
> >    scope of the DOTS client's domain is deployment-specific.
> 
> To me that text is just reading that it mandates authorization checks,
> whereas the text in the data-channel document that prompted this comment
> has me thinking that the DOTS server needs an explicit mapping between
> "DOTS client domain" and "this set of IP addresses and/or other
> identifiers", which is a slightly different thing.