Re: [Dots] AD review of draft-ietf-dots-requirements-15
"Mortensen, Andrew" <Andrew.Mortensen@netscout.com> Fri, 19 October 2018 16:27 UTC
Return-Path: <prvs=3830b9f79a=andrew.mortensen@netscout.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540AF130FBB for <dots@ietfa.amsl.com>; Fri, 19 Oct 2018 09:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.4
X-Spam-Level:
X-Spam-Status: No, score=-0.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=1.999, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMxLEoo5Rziv for <dots@ietfa.amsl.com>; Fri, 19 Oct 2018 09:27:16 -0700 (PDT)
Received: from mx0a-00196b01.pphosted.com (mx0b-00196b01.pphosted.com [67.231.157.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7D3130FF4 for <dots@ietf.org>; Fri, 19 Oct 2018 09:27:16 -0700 (PDT)
Received: from pps.filterd (m0072399.ppops.net [127.0.0.1]) by mx0b-00196b01.pphosted.com (8.16.0.23/8.16.0.23) with SMTP id w9JGLCtl015661; Fri, 19 Oct 2018 12:27:15 -0400
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0019.outbound.protection.outlook.com [216.32.181.19]) by mx0b-00196b01.pphosted.com with ESMTP id 2n3fgkqqya-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 Oct 2018 12:27:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-netscout-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ftm1gIlOL9FfWCdVwzPNFvuY4Pu4Mg4Kd4OFe/u8gTg=; b=XmI18RM4RvgjslSv/zkZSle9hi5jEHvbNEXcdyciujZzqX9oPtovemMielZzATbdOXU+nIGyhCydG4G2pXyHKnTDdau4OMbnlc+dyJtvZz0ZaA3wA9uPx7xEMF/kECkgNqHtiDBlAw1Yn5uQPiteG35xd6MNZhGLsxuONeiJ9Lc=
Received: from SN2PR01MB2063.prod.exchangelabs.com (10.166.208.138) by SN2PR01MB2093.prod.exchangelabs.com (10.166.208.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1228.24; Fri, 19 Oct 2018 16:27:11 +0000
Received: from SN2PR01MB2063.prod.exchangelabs.com ([fe80::b5f3:abc4:9300:4011]) by SN2PR01MB2063.prod.exchangelabs.com ([fe80::b5f3:abc4:9300:4011%7]) with mapi id 15.20.1228.033; Fri, 19 Oct 2018 16:27:11 +0000
From: "Mortensen, Andrew" <Andrew.Mortensen@netscout.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: dots <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-requirements-15
Thread-Index: AQHUZ8iWEDkU2l/x4EChHAJR6qt9CA==
Date: Fri, 19 Oct 2018 16:27:11 +0000
Message-ID: <42BD8BA0-DA0D-4099-9B0F-FE03A84939BA@netscout.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [216.130.192.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN2PR01MB2093; 6:MkZHle6YeX+LbF+nxttVFog95PN8dzyY9Q0xbsUzZmul8Lo3bnZexlaPJEpvkac96/iFx+sk4UU0lcuyAuMNqt35n+2UeeAb00dFJnC0usLleAV/ZJaNPLKc6lNkEsEdmj12LOUQvyFuHvOyYXJ1NVZXVFGLqHoxMizq7PAg+vzYCts26UmmhQZWssxo+vwSHqRMXpQunNZCslXWN07mDlnZmuBEcrYV5s/BxFxk4RYFC9/sxLhCUoYi+tZgvJlYriJgpr4bC9B8xFcNvcmsSrQdYNzmBObmNYI1B/6XyQYJ2edmJXQTq7F8aIrWwayvH+LqMGnXlx63pQxAYAt+ZR1wEqo9I71DIT1Rg2wDYufqFfXnpj1KF6g0Kqir4bFQLPR3vzi3p5Ew4fU5PwHsCITI4/dHHggFclT4iP+BRH8D5I0zaqqxn3/VZBqAEkG+zLNZ+JgmALKOA5/1Soxnvg==; 5:tW982xxLw54p4PH8/13zJhBm3wNloJqvCCWgzPUsWK3MS+DWgIcOuLnj0M8Y5XabmbPh958JI8uIcdLdMoovNdAaD1ekYJIVR4ucDUVCS77GXZ7WaIKVA8ETioTnLCbTDxPdhtJC3srTTcoCVQBDLQpS2TpaqNwnzJNnvLhmm/Y=; 7:A2G5owf4mnBXD+WbB5qtHRrOwAcA1pBdLptUToX7LQssX3GMScvbgIZ8M7ydm2DBH1YSaMOOBBwgYC0BfBkESwhqSgNSAvgRYNQIiw1+43Hn9LHaNK3ZEJyD/i71QawZbqkcgz1fuoJwlSX83rUiT7H8W9rlayb0hbA51vpPtWrklTfrn3zHZ8aR+fyaEwjpudXNpbvYJRHzuOzR2Nwh3sia+WofUI2eNnATntYSKEshsGr5G20mtE8Fr+N4MvLJ
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a092a776-0b89-4124-76a3-08d635dfb8cf
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:SN2PR01MB2093;
x-ms-traffictypediagnostic: SN2PR01MB2093:
x-netscout-xtra: NETSCOUT to External through ProofPoint
x-microsoft-antispam-prvs: <SN2PR01MB209345B5D98389C9538EF6B7E6F90@SN2PR01MB2093.prod.exchangelabs.com>
x-exchange-antispam-report-test: UriScan:(275740015457677)(166708455590820)(240460790083961)(158342451672863)(20558992708506)(192374486261705)(269456686620040);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231355)(944501410)(52105095)(3002001)(93006095)(93001095)(10201501046)(148016)(149066)(150057)(6041310)(20161123558120)(20161123564045)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:SN2PR01MB2093; BCL:0; PCL:0; RULEID:; SRVR:SN2PR01MB2093;
x-forefront-prvs: 0830866D19
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(396003)(39850400004)(366004)(136003)(53754006)(51914003)(54164003)(199004)(189003)(57704003)(5660300001)(236005)(186003)(6306002)(25786009)(6486002)(54896002)(8676002)(229853002)(8936002)(4326008)(316002)(102836004)(26005)(476003)(68736007)(2900100001)(486006)(81156014)(81166006)(6436002)(606006)(53936002)(6246003)(14454004)(2616005)(6506007)(2906002)(4744004)(14444005)(256004)(478600001)(86362001)(36756003)(83716004)(71190400001)(72206003)(3846002)(99286004)(6116002)(7736002)(71200400001)(82746002)(2171002)(5250100002)(53546011)(6916009)(106356001)(105586002)(33656002)(6512007)(66066001)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:SN2PR01MB2093; H:SN2PR01MB2063.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: netscout.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 8ATnf0b5DmA/I70egts/KzRy4CW0AV7g5ZTEnnBMXdHOFfN9gZRVPdqHmtBzsObl47z60LYeoWkOW4lK0bF+kgY/Z/2XRLNBwSEpjZ2UVtSv6/AdxgB4S8PuNcs69e6CUZPRj/DognrezbOjwFUDYkaJHBIrPnsDkF3VxfVxFRo5mkfG9jPQNgmJW1s6/J2j3iMuBaGGZniazaXWLR4yKUSivzES1bdOXWwCJPKBcQ9S4imd2Wgppeuvg5ZJIpTK5b+230d7jPwnVcTkRbAiLHSBjt0vuRXIYqWaPZHinw+Tn5n0WFtH8YRurzde13cfACUV3e1CB31uPUVs/AWfdKn/TN6CnONwdyZRdjg5I2g=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_42BD8BA0DA0D40999B0FFE03A84939BAnetscoutcom_"
MIME-Version: 1.0
X-OriginatorOrg: netscout.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a092a776-0b89-4124-76a3-08d635dfb8cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2018 16:27:11.2465 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 54f11205-d4aa-4809-bd36-0b542199c5b2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR01MB2093
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-19_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810190145
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/MXLG9OwLL5LbLTmHiYRwVJLrFI0>
Subject: Re: [Dots] AD review of draft-ietf-dots-requirements-15
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 16:27:29 -0000
Hi Ben. I’ve got a preliminary revision addressing your feedback up on GitHub:
Formatted text:
<https://raw.githubusercontent.com/amortensen/dots-requirements/mortensen_ad_feedback/draft-ietf-dots-requirements.txt>
Diff:
<https://github.com/amortensen/dots-requirements/commit/b58ca2609e79a9d230e94d4b174c82135f6f52be#diff-605866c1e67988414cce30d3d5d4d454>
The one thing I haven’t yet addressed is what to do with the black/whitelist terminology. It’s used *very* lightly in the requirements draft. I think we could quickly alter the text to use the term “filters” everywhere black/whitelist are used, e.g., DATA-004 becomes “Filter management”.
andrew
On Oct 16, 2018, at 1:49 PM, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>> wrote:
[EXTERNAL EMAIL]
I had intended to cc the WG list on this; sorry I missed it at the time.
Andrew, do you expect to be able to prepare an update?
Thanks,
Ben
On Mon, Oct 08, 2018 at 09:56:01AM -0500, Benjamin Kaduk wrote:
Hi all,
Thanks for the fine document, and sorry for the processing delay -- the
timing interacted poorly with my travel schedule.
I just have some editorial notes that it would be nice to fix before we send
this out for broader review; I'll list them section-by-section.
Section 1.1
A standardized method to coordinate a real-time response among
involved operators will increase the speed and effectiveness of DDoS
attack mitigation, and reduce the impact of these attacks. This
document describes the required characteristics of protocols that
enable attack coordination and mitigation of DDoS attacks.
"protocols that enable attack coordination" can be read as if we are
generating DDoS attacks, which is probably not the intention.
Section 1.2
RFC 8174 has updated BCP 14 boilerplate; proactively changing to use it
will save lots of reviewers from pointing this out.
Mitigator: An entity, typically a network element, capable of
performing mitigation of a detected or reported DDoS attack. The
means by which this entity performs these mitigations and how they
are requested of it are out of scope. The mitigator and DOTS
server receiving a mitigation request are assumed to belong to the
same administrative entity.
It may be best to avoid an unqualified "out of scope" and be clear about if
it's out of scope for this document, for the WG, etc.
DOTS signal: A concise authenticated status/control message
transmitted over the signal channel between DOTS agents, used to
indicate the client's need for mitigation, as well as to convey
the status of any requested mitigation.
Is the message itself authenticated in addition to the authentication
provided by the signal channel? It might be confusing to mention
authentication in both places if it's just the channel providing
authentication.
Also, I would suggest to s/as well as/or/, since (presumably) a single
message can do just one or the other.
Data channel: A bidirectional, mutually authentication communication
channel between two DOTS agents used for infrequent but reliable
bulk exchange of data not easily or appropriately communicated
through the signal channel under attack conditions.
This definition left me wondering whether the data channel is supposed to
function during attack conditions (i.e., if the attack condition rendered
the signal channel unusable for this purpose, so the data channel was
created to still work under attack conditions). The rest of the document
seems to clarify that the data channel is not expected to be useful during
attack conditions, so perhaps this could be clarified here.
Blacklist: A list of filters indicating sources from which traffic
should be blocked, regardless of traffic content.
Whitelist: A list of filters indicating sources from which traffic
should always be allowed, regardless of contradictory data gleaned
in a detected attack.
I note without further comment that there was recently a long thread on
ietf@ietf.org<mailto:ietf@ietf.org> about potentially offensive terminology, which included both
of these words as examples.
Section 2
The DOTS protocol must at a minimum make it possible for a DOTS
client to request aid mounting a defense, coordinated by a DOTS
server, against a suspected attack, signaling within or between
domains as requested by local operators. [...]
This sentence has a lot of commas that breaks up the flow trying to read
it. It could perhaps be split into two, as
% The DOTS protocol must at a minimum make it possible for a DOTS
% client to request aid mounting a defense against a suspected attack.
% This defense could be coordinated by a DOTS server and include signaling
% within or between domains as requested by local operators.
[...]
clients need to justify withdrawing help requests: the decision is
local to the DOTS clients' domain. Multi-homed DOTS clients must be
able to select the appropriate DOTS server(s) to which a mitigation
request is to be sent. The method for selecting the appropriate DOTS
server in a multi-homed environment is out of scope.
(same comment about "out of scope").
DOTS protocol implementations face competing operational goals when
maintaining this bidirectional communication stream. On the one
hand, DOTS must include protections ensuring message confidentiality,
integrity and authenticity to keep the protocols from becoming
additional vectors for the very attacks it is meant to help fight
off. [...]
It's probably worth including freshness/replay protection in this list.
Section 2.1
GEN-001 Extensibility: Protocols and data models developed as part
of DOTS MUST be extensible in order to keep DOTS adaptable to
operational and proprietary DDoS defenses. Future extensions MUST
be backward compatible. DOTS protocols MUST use a version number
system to distinguish protocol revisions. Implementations of
older protocol versions SHOULD ignore information added to DOTS
messages as part of newer protocol versions.
No change specifically needed, but I'll note that using a version number
mostly precludes using individual per-feature tags to indicate feature
support. It's okay for a WG to be making such a design choice at this
point in the process; I'm just pointing out that it is something of a
design choice.
GEN-002 Resilience and Robustness: The signaling protocol MUST be
designed to maximize the probability of signal delivery even under
the severely constrained network conditions caused by particular
attack traffic. [...]
The word choice "particular" makes it sound as if there is a specific
attack that the author has in mind, leaving the reader wondering what
attack that is. It may be better to just remove the word entirely or give
some description of what attack type(s) are relevant.
GEN-003 Bulk Data Exchange: Infrequent bulk data exchange between
DOTS agents can also significantly augment attack response
coordination, permitting such tasks as population of black- or
white-listed source addresses; address or prefix group aliasing;
exchange of incident reports; and other hinting or configuration
supplementing attack response.
As the resilience requirements for the DOTS signal channel mandate
small signal message size, a separate, secure data channel
utilizing a reliable transport protocol MUST be used for bulk data
exchange.
(This could potentially also clarify if it's expected to be useful during
attack conditions.)
GEN-004 Mitigation Hinting: DOTS clients may have access to attack
details which can be used to inform mitigation techniques.
Example attack details might include locally collected
fingerprints for an on-going attack, or anticipated or active
attack focal points based on other threat intelligence. DOTS
clients MAY send mitigation hints derived from attack details to
DOTS servers, in the full understanding that the DOTS server MAY
ignore mitigation hints. Mitigation hints MAY be transmitted
across either signal or data channel. [...]
My colleagues on the IESG tend to ask questions when there are multiple
options permitted but no discussion of why one might prefer one option or
the other. (That is, they prefer a single mandatory option for reasons of
protocol simplicity.)
Section 2.2
SIG-002 Sub-MTU Message Size: To avoid message fragmentation and the
consequently decreased probability of message delivery over a
congested link, signaling protocol message size MUST be kept under
signaling Path Maximum Transmission Unit (PMTU), including the
byte overhead of any encapsulation, transport headers, and
transport- or message-level security.
DOTS agents SHOULD attempt to learn the PMTU through mechanisms
such as Path MTU Discovery [RFC1191] or Packetization Layer Path
MTU Discovery [RFC4821]. If the PMTU cannot be discovered, DOTS
agents SHOULD assume a PMTU of 1280 bytes. If IPv4 support on
legacy or otherwise unusual networks is a consideration and PMTU
nit: "the PMTU"
is unknown, DOTS implementations MAY rely on a PMTU of 576 bytes,
as discussed in [RFC0791] and [RFC1122].
SIG-003 Bidirectionality: To support peer health detection, to
maintain an active signal channel, and increase the probability of
nit: "to increase"
signal delivery during an attack, the signal channel MUST be
bidirectional, with client and server transmitting signals to each
other at regular intervals, regardless of any client request for
mitigation. Unidirectional messages MUST be supported within the
bidirectional signal channel to allow for unsolicited message
delivery, enabling asynchronous notifications between DOTS agents.
This sentence about unidirectional messages left me a bit confused on first
read, I think just because of the way it was phrased. It's basically just
saying that the signal channel is not necessarily request/reply pairs, but
can include oneshot notification messages that don't get an
application-level reply (but could still get a transport-level ack), right?
I don't have any specific text suggestions here, and it's probably okay to
leave it as-is. (I have no particular reason to think that other people
get confused in the same ways that I do, after all.)
SIG-005 Channel Redirection: In order to increase DOTS operational
flexibility and scalability, DOTS servers SHOULD be able to
redirect DOTS clients to another DOTS server at any time. DOTS
clients MUST NOT assume the redirection target DOTS server shares
security state with the redirecting DOTS server. DOTS clients are
free to attempt abbreviated security negotiation methods supported
by the protocol, such as DTLS session resumption, but MUST be
prepared to negotiate new security state with the redirection
target DOTS server.
When redirection occurs, is it always within the same "authentication
domain"? There are perhaps additional complications about authenticating
the two servers and the redirection action if they are managed by different
entities or the client will be using different credentials with them.
SIG-006 Mitigation Requests and Status: Authorized DOTS clients MUST
[...]
The initial active-but-terminating period is implementation- and
deployment- specific, but SHOULD be sufficiently long to absorb
latency incurred by route propagation. If the client requests
mitigation again before the initial active-but-terminating period
Just to check my understanding: this new mitigation request serves only to
extend the current termination period, and so the client would have to make
yet another mitigation request after mitigation terminates?
elapses, the DOTS server MAY exponentially increase the active-
but-terminating period up to a maximum of 300 seconds (5 minutes).
"exponentially" requires specifying an exponent base -- is the period
doubling each request, increasing by a factor of 1.5, ...?
After the active-but-terminating period elapses, the DOTS server
MUST treat the mitigation as terminated, as the DOTS client is no
longer responsible for the mitigation.
SIG-008 Mitigation Scope: DOTS clients MUST indicate desired
mitigation scope. The scope type will vary depending on the
resources requiring mitigation. All DOTS agent implementations
MUST support the following required scope types:
* IPv4 prefixes in CIDR notation [RFC4632]
I don't see why CIDR notation comes into play for the protocol itself; why
not just say "IPv4 prefixes" to match the "IPv6 prefixes" below?
If there is additional information available narrowing the scope
of any requested attack response, such as targeted port range,
protocol, or service, DOTS clients SHOULD include that information
in client mitigation requests. DOTS clients MAY also include
additional attack details. DOTS servers MAY ignore such
supplemental information when enabling countermeasures on the
mitigator.
Is it implicit from this that the signal channel needs to provide some way
in which to convey this sort of structured data that makes the semantics
clear (as opposed to, say, implementation-defined)?
Section 2.3
DATA-002 Data privacy and integrity: Transmissions over the data
channel are likely to contain operationally or privacy-sensitive
information or instructions from the remote DOTS agent. Theft or
modification of data channel transmissions could lead to
information leaks or malicious transactions on behalf of the
sending agent (see Section 4 below). Consequently data sent over
It may be worth mentioning the risk of replay explicitly.
the data channel MUST be encrypted and authenticated using current
IETF best practices. DOTS servers MUST enable means to prevent
Do we need to provide an extensible model or negotiation scheme for the
encryption/authentication algorithms, so that implementations can adapt as
best practices change?
leaking operationally or privacy-sensitive data. Although
administrative entities participating in DOTS may detail what data
may be revealed to third-party DOTS agents, such considerations
are not in scope for this document.
DATA-003 Resource Configuration: To help meet the general and signal
channel requirements in Section 2.1 and Section 2.2, DOTS server
implementations MUST provide an interface to configure resource
identifiers, as described in SIG-007. [...]
I think this is SIG-008, not SIG-007.
Section 2.4
SEC-001 Peer Mutual Authentication: DOTS agents MUST authenticate
each other before a DOTS signal or data channel is considered
valid. The method of authentication is not specified, but should
follow current industry best practices with respect to any
cryptographic mechanisms to authenticate the remote peer.
Authentication is great. What model is used for making authorization
decisions?
SEC-002 Message Confidentiality, Integrity and Authenticity: DOTS
[...]
In order for DOTS protocols to remain secure despite advancements
in cryptanalysis and traffic analysis, DOTS agents MUST be able to
negotiate the terms and mechanisms of protocol security, subject
to the interoperability and signal message size requirements in
Section 2.2.
I'd probably say "securely negotiate" just to avoid any questions.
SEC-004 Authorization: DOTS servers MUST authorize all messages from
DOTS clients which pertain to mitigation, configuration,
filtering, or status.
Are there any message types left (that would not need authorization)?
Section 2.5
DM-004 Mitigation Scope Representation: The data model MUST support
representation of a requested mitigation's scope. As mitigation
scope may be represented in several different ways, per SIG-007
above, the data model MUST be capable of flexible representation
of mitigation scope.
Is "flexible" intended to encompass a generic extensibility to represent
new types of data and new semantics?
DM-007 Acceptable Signal Loss Representation: The data model MUST be
able to represent the DOTS agent's preference for acceptable
signal loss when establishing a signal channel, as described in
GEN-002.
Is this prefernce expressed as a threshold percentage of packet loss, a
timeout for keepalive messages, some other way, or we don't care?
Section 4
Impersonation of either DOTS server or DOTS client could have
nit: "a DOTS server", "a DOTS client"
Blocking communication between DOTS agents has the potential to
disrupt the core function of DOTS, which is to request mitigation of
active or expected DDoS attacks. The DOTS signal channel is expected
to operate over congested inbound links, and, as described in
Section 2.2, the signal channel protocol must be designed for minimal
data transfer to reduce the incidence of signal blocking.
"signal blocking" makes me think of an explicit firewall-like
functionality, whereas I think the threat here is more of an accidental
dropping of packets due to congestion and network elmeent overload.
Hopefully we can get a new rev out quickly and then I can request the IETF
Last Call!
Thanks to everyone for the good work that went into this document.
-Ben
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Mortensen, Andrew