Re: [Dots] WGLC for draft-dots-use-cases-19

H Y <yuuhei.hayashi@gmail.com> Tue, 06 August 2019 13:06 UTC

References: <00b001d54c1f$d57799e0$8066cda0$@smyslov.net> <DM5PR16MB17050571BAD70FACA597FA6CEAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDB17@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170555606E26709FC5C54AA4EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDBC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB17050DF869BABA8B3670DC85EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC3B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB1705E573DE3E7482115B9FE0EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC6C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170551C20908654A0F6428D7EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDDC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330312FDDC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: H Y <yuuhei.hayashi@gmail.com>
Date: Tue, 06 Aug 2019 22:06:10 +0900
Message-ID: <CAA8pjUMpZUtd_au+UTcB0N7sS-hySddSD_18Dhn=9kGd=o_7aA@mail.gmail.com>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Cc: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/OGIsNXQqHqYH22l0JxhnsjSEEls>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19

Hi

Please see inline.

On Tue, 6 Aug 2019 at 21:16, <mohamed.boucadair@orange.com> wrote:
>
> Re-,
>
> Please see inline.
>
> Cheers,
> Med
>
> > -----Original Message-----
> > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Sent: Tuesday, 6 August 2019 13:52
> > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com
> > > <mohamed.boucadair@orange.com>
> > > Sent: Tuesday, August 6, 2019 3:15 PM
> > > To: Konda, Tirumaleswar Reddy
> > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > <valery@smyslov.net>; dots@ietf.org
> > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > <frank.xialiang@huawei.com>
> > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > >
> > >
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Sent: Tuesday, 6 August 2019 11:29
> > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > >
> > > > > -----Original Message-----
> > > > > From: mohamed.boucadair@orange.com
> > > > > <mohamed.boucadair@orange.com>
> > > > > Sent: Tuesday, August 6, 2019 2:50 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > > > <valery@smyslov.net>; dots@ietf.org
> > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > <frank.xialiang@huawei.com>
> > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > >
> > > > > This email originated from outside of the organization. Do not click
> > > > > links or open attachments unless you recognize the sender and know the
> > > > > content is safe.
> > > > >
> > > > > Re-,
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > Sent: Tuesday, 6 August 2019 11:15
> > > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: mohamed.boucadair@orange.com
> > > > > > > <mohamed.boucadair@orange.com>
> > > > > > > Sent: Tuesday, August 6, 2019 2:00 PM
> > > > > > > To: Konda, Tirumaleswar Reddy
> > > > > > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > > > > > <valery@smyslov.net>; dots@ietf.org
> > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > > <frank.xialiang@huawei.com>
> > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > >
> > > > > > >
> > > > > > > Re-,
> > > > > > >
> > > > > > > Please see inline.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Med
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > > Sent: Tuesday, 6 August 2019 10:14
> > > > > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > > >
> > > > > > > > Hi Med,
> > > > > > > >
> > > > > > > > No, the orchestrator is not ignoring the mitigation hints.
> > > > > > >
> > > > > > > [Med] Why? The text is clear the orchestrator acts as DOTS server.
> > > > > > > As such, it can ignore/accept hints.
> > > > > > >
> > > > > > > > It is sending filtering rules to block or rate-limit traffic
> > > > > > > > to routers (last but one line in the new paragraph).
> > > > > > >
> > > > > > > [Med] Yes. That filtering rule is what would be applied by the
> > > > > > > DMS if it has sufficient resources.
> > > > > > >
> > > > > > > > The adverse impact is legitimate users whose IP addresses were
> > > > > > > > spoofed cannot access the services of the target server.
> > > > > > >
> > > > > > > [Med] This is a check at the DMS side. This check applies
> > > > > > > independently of **where** the filters are applied. This is not
> > > > > > > specific to this NEW text.
> > > > > >
> > > > > > If the orchestrator is sending filtering rules to block traffic,
> > > > > > checks are required to ensure spoofed IP addresses are not conveyed
> > > > > > by the DMS.
> > > > >
> > > > > [Med] Yes, but the current text describes the case where the DMS
> > > > > supplies "its blocked traffic information":
> > > > >
> > > > >   the DDoS mitigation system can send mitigation requests
> > > > >   with additional hints such as its blocked traffic information to the
> > > > >                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > >   orchestrator.
> > > > >
> > > > > So, the DMS has already done that check.
> > > >
> > > > The blocked traffic information will include attack traffic from both
> > > > spoofed and attacker IP addresses.
> > > >
> > >
> > > [Med] If you are saying that there is an issue if the DMS does not
> > > check, you are right. But, again, this is not specific to the NEW text.
> > > This is a general problem (that is outside DOTS, BTW).
> >
> > No, DMS will anyway check and try not to block legitimate traffic from
> > users whose IP addresses have been spoofed.
> >
>
> [Med] What I'm saying is that the DMS will then follow the same logic when providing the hints to the orchestrator.
>
> > >
> > >
> > > > >
> > > > > > If the orchestrator delegates the mitigation to a separate domain
> > > > > > (recursive signaling), the attack information provided by DMS can
> > > > > > include spoofed IP addresses (so the new mitigator in the separate
> > > > > > domain learns the attack traffic is coming from spoofed IP addresses).
> > > > >
> > > > > [Med] This is not specific to this case, but applies each time there
> > > > > is recursive signaling.
> > > >
> > > > My comment is that using the attack information of spoofed IP addresses
> > > > to filter traffic would penalize legitimate users, and the text is not
> > > > clear to me. I suggest adding a line for clarity: DMS may supply both
> > > > spoofed and attacker IP addresses in the attack information to the
> > > > orchestrator. The orchestrator will only use the non-spoofed IP
> > > > addresses to enforce filtering rules on routers.
> > >
> > > [Med] I was assuming this is already done by the DMS to generate "its
> > > blocked traffic information", but if you prefer the text to be explicit,
> > > it will need to be generic:
> > >
> > > the check is not specific to the NEW text but applies also in the
> > > general DMS case (without offloading).
> >
> > When DMS generates the attack traffic information it should include both
> > spoofed and attacker IP addresses (tagged with whether the IP address is
> > spoofed or not).
>
> [Med] Why should it not check?
>
> > If the orchestrator is delegating the mitigation to a separate domain, it
> > can propagate the attack information so the mitigator in the separate
> > domain has knowledge that the attacker is using spoofed IP addresses and
> > the mitigator can optionally use the attack information to determine the
> > mitigation strategy.
>
> [Med] The recursive case is not covered in the current text. I don't think we need to elaborate on this further.
>
> > However, if the orchestrator is enforcing filtering rules on routers, it
> > should create the black-list rules based on the non-spoofed attacker IP
> > address and not use the spoofed victim IP addresses.
> >
>
> [Med] Agree. Whether the check is done at the orchestrator or by the DMS, is not a new concern. The DMS has to proceed with these checks, anyway. I fail to see what is NEW and SPECIFIC to the offload scenario.
[Yuhei]
The NEW point of the offload scenario is that the DMS has a DOTS client
function in the DDoS orchestration use case, and the orchestrator can take
further actions based on the result of the DMS's detailed analysis.

Thanks,
Yuhei

> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots



-- 
----------------------------------
Yuuhei HAYASHI
08065300884
yuuhei.hayashi@gmail.com
iehuuy_0220@docomo.ne.jp
----------------------------------
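Added example, not part of this thread, of any DOTS draft, or of any DOTS implementation: a small Python model of the check the thread discusses, where an orchestrator that enforces filtering rules on routers builds black-list entries only from non-spoofed attacker addresses. The record format for the blocked-traffic hints, the per-source `spoofed` tag (Tirumaleswar's suggestion), the fallback rate-limit on the target for traffic the DMS could not attribute, and all function names are assumptions made for the illustration; the addresses are RFC 5737 documentation ranges. It contrasts a naive orchestrator that drops every reported source with one that applies the check, so the legitimate user whose address was spoofed is not black-listed.

```python
"""Added example (not from the thread or the DOTS drafts): models the check
where an orchestrator builds router black-list rules only from non-spoofed
attacker sources reported by the DMS.

Everything below is an assumption for illustration: DOTS carries mitigation
requests over CoAP/CBOR, and this model does not implement that encoding."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class AttackEntry:
    """One observed source in the DMS's blocked-traffic information.
    `spoofed` is the tag proposed in the thread: True means the DMS believes
    the source address does not belong to the real sender."""
    source: str
    target: str
    pps: int
    spoofed: bool


@dataclass
class MitigationHints:
    """Hints a DMS (acting as DOTS client) attaches to its mitigation request."""
    target: str
    entries: List[AttackEntry] = field(default_factory=list)


@dataclass(frozen=True)
class FilterRule:
    action: str   # "drop" or "rate-limit"
    source: str   # source prefix the router should match
    target: str


def naive_rules(hints: MitigationHints) -> List[FilterRule]:
    """Turns every blocked source into a drop rule, ignoring the spoofed tag.
    This is the behaviour the thread warns against: a legitimate user whose
    address was spoofed ends up black-listed on the upstream routers."""
    return [FilterRule("drop", f"{e.source}/32", e.target) for e in hints.entries]


def checked_rules(hints: MitigationHints) -> List[FilterRule]:
    """Builds drop rules only from non-spoofed attacker sources (deduplicated).
    Spoofed entries yield no source-based rule; instead the orchestrator falls
    back to a rate-limit on the target for traffic it cannot attribute
    (one possible strategy, assumed here)."""
    rules: List[FilterRule] = []
    seen = set()
    for e in hints.entries:
        if e.spoofed or e.source in seen:
            continue
        seen.add(e.source)
        rules.append(FilterRule("drop", f"{e.source}/32", e.target))
    if any(e.spoofed for e in hints.entries):
        rules.append(FilterRule("rate-limit", "0.0.0.0/0", hints.target))
    return rules


def blocks_source(rules: List[FilterRule], src: str) -> bool:
    """True if any drop rule in `rules` matches the source address `src`."""
    addr = ip_address(src)
    return any(r.action == "drop" and addr in ip_network(r.source) for r in rules)


# Constructed sample: 203.0.113.5 is the real attacker (reported twice),
# 192.0.2.77 is a legitimate user whose address the attacker spoofed.
SAMPLE_HINTS = MitigationHints(
    target="198.51.100.10",
    entries=[
        AttackEntry("203.0.113.5", "198.51.100.10", 50000, spoofed=False),
        AttackEntry("203.0.113.5", "198.51.100.10", 40000, spoofed=False),
        AttackEntry("192.0.2.77", "198.51.100.10", 30000, spoofed=True),
    ],
)

if __name__ == "__main__":
    for name, fn in (("naive", naive_rules), ("checked", checked_rules)):
        rules = fn(SAMPLE_HINTS)
        print(name, [(r.action, r.source) for r in rules],
              "blocks legitimate user:", blocks_source(rules, "192.0.2.77"))
```

Running the block prints both rule sets: the naive orchestrator installs a drop rule for 192.0.2.77, the spoofed legitimate user, while the checked one drops only the attacker's address and rate-limits the rest. The same check belongs in the DMS when it generates its blocked-traffic information, as the thread notes; applying it again at the orchestrator costs nothing and protects against a DMS that forgot.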