Re: [Dots] AD review of draft-ietf-dots-requirements-15
"Mortensen, Andrew" <Andrew.Mortensen@netscout.com> Fri, 19 October 2018 16:27 UTC
Return-Path: <prvs=3830b9f79a=andrew.mortensen@netscout.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540AF130FBB for <dots@ietfa.amsl.com>; Fri, 19 Oct 2018 09:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.4
X-Spam-Level:
X-Spam-Status: No, score=-0.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=1.999, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMxLEoo5Rziv for <dots@ietfa.amsl.com>; Fri, 19 Oct 2018 09:27:16 -0700 (PDT)
Received: from mx0a-00196b01.pphosted.com (mx0b-00196b01.pphosted.com [67.231.157.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7D3130FF4 for <dots@ietf.org>; Fri, 19 Oct 2018 09:27:16 -0700 (PDT)
Received: from pps.filterd (m0072399.ppops.net [127.0.0.1]) by mx0b-00196b01.pphosted.com (8.16.0.23/8.16.0.23) with SMTP id w9JGLCtl015661; Fri, 19 Oct 2018 12:27:15 -0400
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0019.outbound.protection.outlook.com [216.32.181.19]) by mx0b-00196b01.pphosted.com with ESMTP id 2n3fgkqqya-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 Oct 2018 12:27:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-netscout-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ftm1gIlOL9FfWCdVwzPNFvuY4Pu4Mg4Kd4OFe/u8gTg=; b=XmI18RM4RvgjslSv/zkZSle9hi5jEHvbNEXcdyciujZzqX9oPtovemMielZzATbdOXU+nIGyhCydG4G2pXyHKnTDdau4OMbnlc+dyJtvZz0ZaA3wA9uPx7xEMF/kECkgNqHtiDBlAw1Yn5uQPiteG35xd6MNZhGLsxuONeiJ9Lc=
Received: from SN2PR01MB2063.prod.exchangelabs.com (10.166.208.138) by SN2PR01MB2093.prod.exchangelabs.com (10.166.208.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1228.24; Fri, 19 Oct 2018 16:27:11 +0000
Received: from SN2PR01MB2063.prod.exchangelabs.com ([fe80::b5f3:abc4:9300:4011]) by SN2PR01MB2063.prod.exchangelabs.com ([fe80::b5f3:abc4:9300:4011%7]) with mapi id 15.20.1228.033; Fri, 19 Oct 2018 16:27:11 +0000
From: "Mortensen, Andrew" <Andrew.Mortensen@netscout.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: dots <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-requirements-15
Thread-Index: AQHUZ8iWEDkU2l/x4EChHAJR6qt9CA==
Date: Fri, 19 Oct 2018 16:27:11 +0000
Message-ID: <42BD8BA0-DA0D-4099-9B0F-FE03A84939BA@netscout.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [216.130.192.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN2PR01MB2093; 6:MkZHle6YeX+LbF+nxttVFog95PN8dzyY9Q0xbsUzZmul8Lo3bnZexlaPJEpvkac96/iFx+sk4UU0lcuyAuMNqt35n+2UeeAb00dFJnC0usLleAV/ZJaNPLKc6lNkEsEdmj12LOUQvyFuHvOyYXJ1NVZXVFGLqHoxMizq7PAg+vzYCts26UmmhQZWssxo+vwSHqRMXpQunNZCslXWN07mDlnZmuBEcrYV5s/BxFxk4RYFC9/sxLhCUoYi+tZgvJlYriJgpr4bC9B8xFcNvcmsSrQdYNzmBObmNYI1B/6XyQYJ2edmJXQTq7F8aIrWwayvH+LqMGnXlx63pQxAYAt+ZR1wEqo9I71DIT1Rg2wDYufqFfXnpj1KF6g0Kqir4bFQLPR3vzi3p5Ew4fU5PwHsCITI4/dHHggFclT4iP+BRH8D5I0zaqqxn3/VZBqAEkG+zLNZ+JgmALKOA5/1Soxnvg==; 5:tW982xxLw54p4PH8/13zJhBm3wNloJqvCCWgzPUsWK3MS+DWgIcOuLnj0M8Y5XabmbPh958JI8uIcdLdMoovNdAaD1ekYJIVR4ucDUVCS77GXZ7WaIKVA8ETioTnLCbTDxPdhtJC3srTTcoCVQBDLQpS2TpaqNwnzJNnvLhmm/Y=; 7:A2G5owf4mnBXD+WbB5qtHRrOwAcA1pBdLptUToX7LQssX3GMScvbgIZ8M7ydm2DBH1YSaMOOBBwgYC0BfBkESwhqSgNSAvgRYNQIiw1+43Hn9LHaNK3ZEJyD/i71QawZbqkcgz1fuoJwlSX83rUiT7H8W9rlayb0hbA51vpPtWrklTfrn3zHZ8aR+fyaEwjpudXNpbvYJRHzuOzR2Nwh3sia+WofUI2eNnATntYSKEshsGr5G20mtE8Fr+N4MvLJ
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a092a776-0b89-4124-76a3-08d635dfb8cf
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:SN2PR01MB2093;
x-ms-traffictypediagnostic: SN2PR01MB2093:
x-netscout-xtra: NETSCOUT to External through ProofPoint
x-microsoft-antispam-prvs: <SN2PR01MB209345B5D98389C9538EF6B7E6F90@SN2PR01MB2093.prod.exchangelabs.com>
x-exchange-antispam-report-test: UriScan:(275740015457677)(166708455590820)(240460790083961)(158342451672863)(20558992708506)(192374486261705)(269456686620040);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231355)(944501410)(52105095)(3002001)(93006095)(93001095)(10201501046)(148016)(149066)(150057)(6041310)(20161123558120)(20161123564045)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:SN2PR01MB2093; BCL:0; PCL:0; RULEID:; SRVR:SN2PR01MB2093;
x-forefront-prvs: 0830866D19
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(396003)(39850400004)(366004)(136003)(53754006)(51914003)(54164003)(199004)(189003)(57704003)(5660300001)(236005)(186003)(6306002)(25786009)(6486002)(54896002)(8676002)(229853002)(8936002)(4326008)(316002)(102836004)(26005)(476003)(68736007)(2900100001)(486006)(81156014)(81166006)(6436002)(606006)(53936002)(6246003)(14454004)(2616005)(6506007)(2906002)(4744004)(14444005)(256004)(478600001)(86362001)(36756003)(83716004)(71190400001)(72206003)(3846002)(99286004)(6116002)(7736002)(71200400001)(82746002)(2171002)(5250100002)(53546011)(6916009)(106356001)(105586002)(33656002)(6512007)(66066001)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:SN2PR01MB2093; H:SN2PR01MB2063.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: netscout.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 8ATnf0b5DmA/I70egts/KzRy4CW0AV7g5ZTEnnBMXdHOFfN9gZRVPdqHmtBzsObl47z60LYeoWkOW4lK0bF+kgY/Z/2XRLNBwSEpjZ2UVtSv6/AdxgB4S8PuNcs69e6CUZPRj/DognrezbOjwFUDYkaJHBIrPnsDkF3VxfVxFRo5mkfG9jPQNgmJW1s6/J2j3iMuBaGGZniazaXWLR4yKUSivzES1bdOXWwCJPKBcQ9S4imd2Wgppeuvg5ZJIpTK5b+230d7jPwnVcTkRbAiLHSBjt0vuRXIYqWaPZHinw+Tn5n0WFtH8YRurzde13cfACUV3e1CB31uPUVs/AWfdKn/TN6CnONwdyZRdjg5I2g=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_42BD8BA0DA0D40999B0FFE03A84939BAnetscoutcom_"
MIME-Version: 1.0
X-OriginatorOrg: netscout.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a092a776-0b89-4124-76a3-08d635dfb8cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2018 16:27:11.2465 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 54f11205-d4aa-4809-bd36-0b542199c5b2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR01MB2093
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-19_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810190145
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/MXLG9OwLL5LbLTmHiYRwVJLrFI0>
Subject: Re: [Dots] AD review of draft-ietf-dots-requirements-15
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 16:27:29 -0000
Hi Ben. I’ve got a preliminary revision addressing your feedback up on GitHub: Formatted text: <https://raw.githubusercontent.com/amortensen/dots-requirements/mortensen_ad_feedback/draft-ietf-dots-requirements.txt> Diff: <https://github.com/amortensen/dots-requirements/commit/b58ca2609e79a9d230e94d4b174c82135f6f52be#diff-605866c1e67988414cce30d3d5d4d454> The one thing I haven’t yet addressed is what to do with the black/whitelist terminology. It’s used *very* lightly in the requirements draft. I think we could quickly alter the text to use the term “filters” everywhere black/whitelist are used, e.g., DATA-004 becomes “Filter management”. andrew On Oct 16, 2018, at 1:49 PM, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>> wrote: [EXTERNAL EMAIL] I had intended to cc the WG list on this; sorry I missed it at the time. Andrew, do you expect to be able to prepare an update? Thanks, Ben On Mon, Oct 08, 2018 at 09:56:01AM -0500, Benjamin Kaduk wrote: Hi all, Thanks for the fine document, and sorry for the processing delay -- the timing interacted poorly with my travel schedule. I just have some editorial notes that it would be nice to fix before we send this out for broader review; I'll list them section-by-section. Section 1.1 A standardized method to coordinate a real-time response among involved operators will increase the speed and effectiveness of DDoS attack mitigation, and reduce the impact of these attacks. This document describes the required characteristics of protocols that enable attack coordination and mitigation of DDoS attacks. "protocols that enable attack coordination" can be read as if we are generating DDoS attacks, which is probably not the intention. Section 1.2 RFC 8174 has updated BCP 14 boilerplate; proactively changing to use it will save lots of reviewers from pointing this out. Mitigator: An entity, typically a network element, capable of performing mitigation of a detected or reported DDoS attack. The means by which this entity performs these mitigations and how they are requested of it are out of scope. The mitigator and DOTS server receiving a mitigation request are assumed to belong to the same administrative entity. It may be best to avoid an unqualified "out of scope" and be clear about if it's out of scope for this document, for the WG, etc. DOTS signal: A concise authenticated status/control message transmitted over the signal channel between DOTS agents, used to indicate the client's need for mitigation, as well as to convey the status of any requested mitigation. Is the message itself authenticated in addition to the authentication provided by the signal channel? It might be confusing to mention authentication in both places if it's just the channel providing authentication. Also, I would suggest to s/as well as/or/, since (presumably) a single message can do just one or the other. Data channel: A bidirectional, mutually authentication communication channel between two DOTS agents used for infrequent but reliable bulk exchange of data not easily or appropriately communicated through the signal channel under attack conditions. This definition left me wondering whether the data channel is supposed to function during attack conditions (i.e., if the attack condition rendered the signal channel unusable for this purpose, so the data channel was created to still work under attack conditions). The rest of the document seems to clarify that the data channel is not expected to be useful during attack conditions, so perhaps this could be clarified here. Blacklist: A list of filters indicating sources from which traffic should be blocked, regardless of traffic content. Whitelist: A list of filters indicating sources from which traffic should always be allowed, regardless of contradictory data gleaned in a detected attack. I note without further comment that there was recently a long thread on ietf@ietf.org<mailto:ietf@ietf.org> about potentially offensive terminology, which included both of these words as examples. Section 2 The DOTS protocol must at a minimum make it possible for a DOTS client to request aid mounting a defense, coordinated by a DOTS server, against a suspected attack, signaling within or between domains as requested by local operators. [...] This sentence has a lot of commas that breaks up the flow trying to read it. It could perhaps be split into two, as % The DOTS protocol must at a minimum make it possible for a DOTS % client to request aid mounting a defense against a suspected attack. % This defense could be coordinated by a DOTS server and include signaling % within or between domains as requested by local operators. [...] clients need to justify withdrawing help requests: the decision is local to the DOTS clients' domain. Multi-homed DOTS clients must be able to select the appropriate DOTS server(s) to which a mitigation request is to be sent. The method for selecting the appropriate DOTS server in a multi-homed environment is out of scope. (same comment about "out of scope"). DOTS protocol implementations face competing operational goals when maintaining this bidirectional communication stream. On the one hand, DOTS must include protections ensuring message confidentiality, integrity and authenticity to keep the protocols from becoming additional vectors for the very attacks it is meant to help fight off. [...] It's probably worth including freshness/replay protection in this list. Section 2.1 GEN-001 Extensibility: Protocols and data models developed as part of DOTS MUST be extensible in order to keep DOTS adaptable to operational and proprietary DDoS defenses. Future extensions MUST be backward compatible. DOTS protocols MUST use a version number system to distinguish protocol revisions. Implementations of older protocol versions SHOULD ignore information added to DOTS messages as part of newer protocol versions. No change specifically needed, but I'll note that using a version number mostly precludes using individual per-feature tags to indicate feature support. It's okay for a WG to be making such a design choice at this point in the process; I'm just pointing out that it is something of a design choice. GEN-002 Resilience and Robustness: The signaling protocol MUST be designed to maximize the probability of signal delivery even under the severely constrained network conditions caused by particular attack traffic. [...] The word choice "particular" makes it sound as if there is a specific attack that the author has in mind, leaving the reader wondering what attack that is. It may be better to just remove the word entirely or give some description of what attack type(s) are relevant. GEN-003 Bulk Data Exchange: Infrequent bulk data exchange between DOTS agents can also significantly augment attack response coordination, permitting such tasks as population of black- or white-listed source addresses; address or prefix group aliasing; exchange of incident reports; and other hinting or configuration supplementing attack response. As the resilience requirements for the DOTS signal channel mandate small signal message size, a separate, secure data channel utilizing a reliable transport protocol MUST be used for bulk data exchange. (This could potentially also clarify if it's expected to be useful during attack conditions.) GEN-004 Mitigation Hinting: DOTS clients may have access to attack details which can be used to inform mitigation techniques. Example attack details might include locally collected fingerprints for an on-going attack, or anticipated or active attack focal points based on other threat intelligence. DOTS clients MAY send mitigation hints derived from attack details to DOTS servers, in the full understanding that the DOTS server MAY ignore mitigation hints. Mitigation hints MAY be transmitted across either signal or data channel. [...] My colleagues on the IESG tend to ask questions when there are multiple options permitted but no discussion of why one might prefer one option or the other. (That is, they prefer a single mandatory option for reasons of protocol simplicity.) Section 2.2 SIG-002 Sub-MTU Message Size: To avoid message fragmentation and the consequently decreased probability of message delivery over a congested link, signaling protocol message size MUST be kept under signaling Path Maximum Transmission Unit (PMTU), including the byte overhead of any encapsulation, transport headers, and transport- or message-level security. DOTS agents SHOULD attempt to learn the PMTU through mechanisms such as Path MTU Discovery [RFC1191] or Packetization Layer Path MTU Discovery [RFC4821]. If the PMTU cannot be discovered, DOTS agents SHOULD assume a PMTU of 1280 bytes. If IPv4 support on legacy or otherwise unusual networks is a consideration and PMTU nit: "the PMTU" is unknown, DOTS implementations MAY rely on a PMTU of 576 bytes, as discussed in [RFC0791] and [RFC1122]. SIG-003 Bidirectionality: To support peer health detection, to maintain an active signal channel, and increase the probability of nit: "to increase" signal delivery during an attack, the signal channel MUST be bidirectional, with client and server transmitting signals to each other at regular intervals, regardless of any client request for mitigation. Unidirectional messages MUST be supported within the bidirectional signal channel to allow for unsolicited message delivery, enabling asynchronous notifications between DOTS agents. This sentence about unidirectional messages left me a bit confused on first read, I think just because of the way it was phrased. It's basically just saying that the signal channel is not necessarily request/reply pairs, but can include oneshot notification messages that don't get an application-level reply (but could still get a transport-level ack), right? I don't have any specific text suggestions here, and it's probably okay to leave it as-is. (I have no particular reason to think that other people get confused in the same ways that I do, after all.) SIG-005 Channel Redirection: In order to increase DOTS operational flexibility and scalability, DOTS servers SHOULD be able to redirect DOTS clients to another DOTS server at any time. DOTS clients MUST NOT assume the redirection target DOTS server shares security state with the redirecting DOTS server. DOTS clients are free to attempt abbreviated security negotiation methods supported by the protocol, such as DTLS session resumption, but MUST be prepared to negotiate new security state with the redirection target DOTS server. When redirection occurs, is it always within the same "authentication domain"? There are perhaps additional complications about authenticating the two servers and the redirection action if they are managed by different entities or the client will be using different credentials with them. SIG-006 Mitigation Requests and Status: Authorized DOTS clients MUST [...] The initial active-but-terminating period is implementation- and deployment- specific, but SHOULD be sufficiently long to absorb latency incurred by route propagation. If the client requests mitigation again before the initial active-but-terminating period Just to check my understanding: this new mitigation request serves only to extend the current termination period, and so the client would have to make yet another mitigation request after mitigation terminates? elapses, the DOTS server MAY exponentially increase the active- but-terminating period up to a maximum of 300 seconds (5 minutes). "exponentially" requires specifying an exponent base -- is the period doubling each request, increasing by a factor of 1.5, ...? After the active-but-terminating period elapses, the DOTS server MUST treat the mitigation as terminated, as the DOTS client is no longer responsible for the mitigation. SIG-008 Mitigation Scope: DOTS clients MUST indicate desired mitigation scope. The scope type will vary depending on the resources requiring mitigation. All DOTS agent implementations MUST support the following required scope types: * IPv4 prefixes in CIDR notation [RFC4632] I don't see why CIDR notation comes into play for the protocol itself; why not just say "IPv4 prefixes" to match the "IPv6 prefixes" below? If there is additional information available narrowing the scope of any requested attack response, such as targeted port range, protocol, or service, DOTS clients SHOULD include that information in client mitigation requests. DOTS clients MAY also include additional attack details. DOTS servers MAY ignore such supplemental information when enabling countermeasures on the mitigator. Is it implicit from this that the signal channel needs to provide some way in which to convey this sort of structured data that makes the semantics clear (as opposed to, say, implementation-defined)? Section 2.3 DATA-002 Data privacy and integrity: Transmissions over the data channel are likely to contain operationally or privacy-sensitive information or instructions from the remote DOTS agent. Theft or modification of data channel transmissions could lead to information leaks or malicious transactions on behalf of the sending agent (see Section 4 below). Consequently data sent over It may be worth mentioning the risk of replay explicitly. the data channel MUST be encrypted and authenticated using current IETF best practices. DOTS servers MUST enable means to prevent Do we need to provide an extensible model or negotiation scheme for the encryption/authentication algorithms, so that implementations can adapt as best practices change? leaking operationally or privacy-sensitive data. Although administrative entities participating in DOTS may detail what data may be revealed to third-party DOTS agents, such considerations are not in scope for this document. DATA-003 Resource Configuration: To help meet the general and signal channel requirements in Section 2.1 and Section 2.2, DOTS server implementations MUST provide an interface to configure resource identifiers, as described in SIG-007. [...] I think this is SIG-008, not SIG-007. Section 2.4 SEC-001 Peer Mutual Authentication: DOTS agents MUST authenticate each other before a DOTS signal or data channel is considered valid. The method of authentication is not specified, but should follow current industry best practices with respect to any cryptographic mechanisms to authenticate the remote peer. Authentication is great. What model is used for making authorization decisions? SEC-002 Message Confidentiality, Integrity and Authenticity: DOTS [...] In order for DOTS protocols to remain secure despite advancements in cryptanalysis and traffic analysis, DOTS agents MUST be able to negotiate the terms and mechanisms of protocol security, subject to the interoperability and signal message size requirements in Section 2.2. I'd probably say "securely negotiate" just to avoid any questions. SEC-004 Authorization: DOTS servers MUST authorize all messages from DOTS clients which pertain to mitigation, configuration, filtering, or status. Are there any message types left (that would not need authorization)? Section 2.5 DM-004 Mitigation Scope Representation: The data model MUST support representation of a requested mitigation's scope. As mitigation scope may be represented in several different ways, per SIG-007 above, the data model MUST be capable of flexible representation of mitigation scope. Is "flexible" intended to encompass a generic extensibility to represent new types of data and new semantics? DM-007 Acceptable Signal Loss Representation: The data model MUST be able to represent the DOTS agent's preference for acceptable signal loss when establishing a signal channel, as described in GEN-002. Is this prefernce expressed as a threshold percentage of packet loss, a timeout for keepalive messages, some other way, or we don't care? Section 4 Impersonation of either DOTS server or DOTS client could have nit: "a DOTS server", "a DOTS client" Blocking communication between DOTS agents has the potential to disrupt the core function of DOTS, which is to request mitigation of active or expected DDoS attacks. The DOTS signal channel is expected to operate over congested inbound links, and, as described in Section 2.2, the signal channel protocol must be designed for minimal data transfer to reduce the incidence of signal blocking. "signal blocking" makes me think of an explicit firewall-like functionality, whereas I think the threat here is more of an accidental dropping of packets due to congestion and network elmeent overload. Hopefully we can get a new rev out quickly and then I can request the IETF Last Call! Thanks to everyone for the good work that went into this document. -Ben
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Mortensen, Andrew