IETF Logo Mail Archive

Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 24 March 2015 13:32 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB6B51A1A1E for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 06:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vg2cYgbPN-aq for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 06:32:18 -0700 (PDT)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA10F1A1B43 for <dots@ietf.org>; Tue, 24 Mar 2015 06:31:47 -0700 (PDT)
Received: by lbcmq2 with SMTP id mq2so30688938lbc.0 for <dots@ietf.org>; Tue, 24 Mar 2015 06:31:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=F4gJruXVHr5cz4z7L++MLBMA3BVFR4Z+HYo43jlADu8=; b=KUV7eadcJWdoKMfC6lH79yUaCA/J4DsioR9qkHHfT3P29Wt2dyTy2STjUxJPvDkOwK i7EJs33a71mULw9LSJ7y3lGiKc2hEdz7sYHr3FS+MWjvFYZn5WsN91mIaMlE3kgjVgAA VLZIPo8A7MeGlU6daAryoe0bXYTL8HPSL9ba0UihJ8/q2UVUpBLJo1BQn/GGVHUfklqs gHedhU29oskTlusQNW3mURxDumOKGQCe/n8GAFwHDQyj1p2j1yT409D9aY4bmvlxDtJ9 ibBGfsleIkbQPdXmRITpYOD24hOjgWHoMF6cCW9HMDM9P9y1wIeotKWvHbOhw35QDGod /w1Q==
MIME-Version: 1.0
X-Received: by 10.152.178.197 with SMTP id da5mr3951897lac.56.1427203906343; Tue, 24 Mar 2015 06:31:46 -0700 (PDT)
Received: by 10.112.167.101 with HTTP; Tue, 24 Mar 2015 06:31:46 -0700 (PDT)
In-Reply-To: <F09C13E1-A644-409A-9AC2-6B83350298B9@arbor.net>
References: <358188D97DBE45F787E97C9E29B1C0A3@takeAsus> <D1360207.B412%nteague@verisign.com> <77FA386512F0D748BC7C02C36EB1106D955C93@szxeml557-mbs.china.huawei.com> <1C9F17D1873AFA47A969C4DD98F98A75153AC9EA@xmb-rcd-x10.cisco.com> <D1364C2B.B4E6%nteague@verisign.com> <0CB8640B8D094438BD4A4793DAD0F3B7@takeAsus> <10B310D1-09A0-4C9F-B01C-F25DFA360981@standardstrack.com> <F09C13E1-A644-409A-9AC2-6B83350298B9@arbor.net>
Date: Tue, 24 Mar 2015 09:31:46 -0400
Message-ID: <CAHbuEH6VUFQWe-WU0a6JLpCviJ=vXZEwMqw=o5CWsn9JCqhpXw@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Andrew Mortensen <amortensen@arbor.net>
Content-Type: multipart/alternative; boundary="001a11340c68dc18ca051208cd56"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/Nj_G_irrW74TuUrVA7qaqadjY6I>
Cc: "dots@ietf.org" <dots@ietf.org>
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 13:32:22 -0000

With no hat on...

On Tue, Mar 24, 2015 at 9:20 AM, Andrew Mortensen <amortensen@arbor.net>
wrote:

>
> > On Mar 24, 2015, at 7:39 AM, Eric Burger <eburger@standardstrack.com>
> wrote:
> >
> > Let me take it from a different perspective. If we could use XML, would
> we not just use IODEF and be done with it? My understanding is we cannot
> pay the XML tax and as such need to go a different route.
>
> This gets to the heart of the matter. In the case of
> draft-teague-threat-signaling-00, it is vital to keep the signaling packet
> size to a minimum. When the link is saturated the signaling element needs
> to be able to communicate protection needs in the most compact and most
> reliably delivered form possible. Small UDP packets stand the best chance
> of getting through, and the smaller the better. (Similarly, the HTTPS
> channel will not be a reliable vehicle for upstream acknowledgment of the
> signaling element’s heartbeat/export during attack.)
>
> > A well-defined data model would be very important for this effort. With
> a well-defined data model, one should be able to easily translate from
> IPFIX or some hyper-compressed binary encoding to XML.
>

I agree that this doesn't need an XML format for the signaling proposed.  I
also think it would be important for the barrier for implementation in
devices be low, meaning use of something that may already be implemented
and kept at signaling level.

For the device types being discussed, how many of them already have IPFIX
implemented?

However, creating relationships with IODEF to embed such content either
through the mechanism to attach a file or packet in RecordData or through a
schema extending IODEF via SCI could work.  I see these efforts as
complimentary in that the proposals in DOTS don't rise to the level of
incidents and the associated analysis, but rather provide data for analysis
that could result in incident/indicator identification.

Thanks,
Kathleen



> Agreed.
>
> andrew
>
>
>
>
> >
> >> On Mar 24, 2015, at 6:57 AM, Takeshi Takahashi <
> takeshi_takahashi@nict.go.jp> wrote:
> >>
> >> Hi,
> >>
> >> Thank you for the replies; I think I got the idea better than before.
> >>
> >>> more pliable for UDP export.  I think we could obviously examine how
> DOTS
> >>> and IODEF etc. may interoperate as we proceed but was beyond the scope
> of
> >>> the initial 00 draft.  This list is a great place to have that
> discussion.
> >>
> >> It would be great if we could have such a discussion.
> >>
> >> Below are comments on why I would like to see the XML representation in
> the drafts.
> >> IODEF is just one spec of many other specs that defines XML-based
> information model; there are lots more that haven't been brought to IETF
> (e.g., stix).
> >> If you do not provide any XML schema (in the appendix of the drafts) on
> this issue, the same kind of work would be taken again in the future from
> the XML-based community.
> >> I think that is a waste.
> >> I know that XML-representation is off the context of these drafts and
> thus authors are not that happy to cope with that, but I believe it is
> worth saying that here :)
> >> It could be that Nik's draft can gain little benefit by defining xml
> schema since it does not need further analytics, but I feel that it is
> useful for Ana's draft since it expects further analysis such as big data
> analysis.
> >>
> >> Thank you.
> >> Take
> >>
> >>
> >> -----Original Message----- From: Teague, Nik
> >> Sent: Tuesday, March 24, 2015 12:20 AM
> >> To: Panos Kampanakis (pkampana) ; Hedanping (Ana) ; Takeshi Takahashi ;
> Roman D. Danyliw ; dots@ietf.org
> >> Cc: tt2@rc5.so-net.ne.jp
> >> Subject: Re: [Dots] FW: Prior discussion about
> draft-fu-ipfix-network-security-00
> >>
> >> Hi,
> >>
> >> On 23/03/2015 22:54, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
> >> wrote:
> >>
> >>> Hello,
> >>>
> >>> It seems to me that the "signaling in order to mitigate DDoS" problem
> has
> >>> been solved already by BGP FlowSpec. I am not sure if defining more
> >>> verbose and detailed communications between network elements would add
> >>> much value, since these devices cannot do more than signalling and
> >>> mitigate.
> >>>
> >>> Panos
> >>
> >> Flowspec is very effective within the bounds of its capabilities - if a
> >> bad actor is hammering my network with an ntp reflection attack or my
> web
> >> server with a whole swathe of large udp packets then I can easily build
> >> filters to handle that - if the bad actor is hitting my web server with
> a
> >> syn flood from a massively random source pool then I have to consider
> rate
> >> limiting as probably my best, but maybe not ideal, option.  If I try and
> >> generate more than 12k flow route filters to push to either my equipment
> >> or my service providers (depending upon whether they support Flowspec)
> >> then things can get a little hairy.  DDoS mitigation CPE and DDoS
> >> mitigation providers exist because the need is there - The DOTS proposal
> >> is that effective signaling is necessary between these elements, not
> >> specifically generic network elements, but actual elements that are
> >> concerned with often complex attacks that a flow route filter is unable
> to
> >> deal with.  If my ingress links are saturated then signaling via a tcp
> >> oriented session can potentially result in more cycles being spent
> trying
> >> to initiate and maintain a session than actual information transferŠ and
> >> if the connection drops then the whole thing has to start again.
> >>
> >> Thanks,
> >>
> >> -Nik
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Dots mailing list
> >> Dots@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dots
> >> _______________________________________________
> >> Dots mailing list
> >> Dots@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dots
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email