[Dots] 2-way heartbeats RE: Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

<mohamed.boucadair@orange.com> Wed, 03 July 2019 08:50 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9997A1201DD; Wed, 3 Jul 2019 01:50:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uU-QOaG-a2lV; Wed, 3 Jul 2019 01:50:06 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04AF61201D7; Wed, 3 Jul 2019 01:50:06 -0700 (PDT)
Received: from opfednr04.francetelecom.fr (unknown [xx.xx.xx.68]) by opfednr24.francetelecom.fr (ESMTP service) with ESMTP id 45dvtz6cryz20VX; Wed, 3 Jul 2019 10:50:03 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.76]) by opfednr04.francetelecom.fr (ESMTP service) with ESMTP id 45dvtz4pvhz1xpB; Wed, 3 Jul 2019 10:50:03 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM7E.corporate.adroot.infra.ftgroup ([fe80::54f9:a664:e400:452a%21]) with mapi id 14.03.0439.000; Wed, 3 Jul 2019 10:50:03 +0200
From: <mohamed.boucadair@orange.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Benjamin Kaduk" <kaduk@mit.edu>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Thread-Topic: =?utf-8?B?Mi13YXkgaGVhcnRiZWF0cyBSRTogW0RvdHNdICBNaXJqYSBLw7xobGV3aW5k?= =?utf-8?B?J3MgRGlzY3VzcyBvbiBkcmFmdC1pZXRmLWRvdHMtc2lnbmFsLWNoYW5uZWwt?= =?utf-8?Q?31:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AdUxfEqQgcRLIqPLRvG88uSsmkXW0w==
Date: Wed, 3 Jul 2019 08:50:02 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EAB2B51@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Opi-nEhxXdGXj41zSO0Icip5Z_Y>
Subject: [Dots] =?utf-8?q?2-way_heartbeats_RE=3A___Mirja_K=C3=BChlewind?= =?utf-8?q?=27s_Discuss_on_draft-ietf-dots-signal-channel-31=3A_=28with_DI?= =?utf-8?q?SCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 08:50:08 -0000

Mirja, 

Your initial DISCUSS point was: 

(1) "heartbeat should only be send in one direction (as the
Other end will send an ack)"

We clarified that we need both HBs because there are cases where the DOTS server needs to determine if the incoming link to the DOTS client is saturated (due to an ongoing DDoS attack). It can conclude so because it receives HBs from the client but no replies to its own HBs. The server uses that information to tweak its mitigation strategy (in case a mitigation is already in place). It also can conclude that the client didn't detected an attack.

To which you suggested the following:

(2) "what you described implies that the server should send the ping and client sends the pong. This is fine."

We clarified that pings from the server may be discarded by on path NATs/FWs. The HBs from the client are also meant to maintain a state alive in those functions.

We also reminded that 8085 recommends "to ** independently ** check both directions" for long-lived association. We are adhering to that recommendation. 

Can you please let us know how we can achieve the above with one single HB direction? Thank you.  

Cheers,
Med

> -----Message d'origine-----
> De : Mirja Kuehlewind [mailto:ietf@kuehlewind.net]
> Envoyé : mardi 2 juillet 2019 16:00
> À : BOUCADAIR Mohamed TGI/OLN
> Cc : Konda, Tirumaleswar Reddy; Benjamin Kaduk; draft-ietf-dots-signal-
> channel@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The IESG;
> dots-chairs@ietf.org
> Objet : Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-
> channel-31: (with DISCUSS and COMMENT)
> 
> 
> >
> >>
> >>>
> >>>>
> >>>>> 6) Section 4.7: "the DOTS
> >>>>>  agent sends a heartbeat over the signal channel to maintain its
> half
> >>>>>  of the channel.  The DOTS agent similarly expects a heartbeat from
> >>>>>  its peer DOTS agent"
> >>>>> and
> >>>>> "DOTS servers MAY trigger their heartbeat requests immediately after
> >>>>>  receiving heartbeat probes from peer DOTS clients."
> >>>>> Actually heartbeat should only be send in one direction (as the
> other
> >>>>> end will send an ack) and the protocol should clearly specify which
> >>>>> endpoint is responsible for triggering the ping.
> >>>>
> >>>> I'm not sure I see resolution on this; do the authors still need to
> >> answer why
> >>>> the "pong" reply cannot serve as a reverse-path heartbeat?
> >>>
> >>> If the DOTS client domain is subjected to volumetric DDoS attack and
> the
> >> incoming link is saturated, the pong response from the server will not
> >> reach the client. DOTS server gets traffic from the client but receives
> no
> >> responses to its ping requests indicating the client has not detected
> the
> >> attack or, if an attack mitigation is in progress, it implies the
> applied
> >> DDoS mitigation actions are not yet effective to handle the DDoS attack
> >> volume.
> >>
> >> Yes, I understand what heartbeat are used for. However, what you
> described
> >> implies that the server should send the ping and client sends the pong.
> >> This is fine.
> >
> > [Med] Choosing the other way around may be problematic because of
> NAT/FWs. This is why the heartbeats from the server will fly right after
> the one from the client so that we can use the warm mappings. Having both
> directions allows to accommodate the scenario described by Tiru.
> >
> > As you know, RFC4787 mandates the NAT outbound refresh behavior (packets
> go from the internal side of the NAT to the external side of the NAT to
> refresh the timer value) but not the NAT inbound refresh behavior.
> >
> > The text however seems to imply that both server and client
> >> test their have connection separately and both send pings and pongs.
> That
> >> doesn’t seem to be need.
> >
> > [Med] In addition to the clarification above, we have also added a
> pointer to this part of 8085:
> >
> > ==
> >   A UDP application with a long-lived association between the sender
> >   and receiver, ought to be designed so that the sender periodically
> >   checks that the receiver still wants ("consents") to receive traffic
> >   and need to be designed to stop if there is no explicit confirmation
> >   of this [RFC7675].  Applications that require communications in two
> >   directions to implement protocol functions (such as reliability or
> >   congestion control) will need to independently check both directions
> >                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   of communication, and may have to exchange keep-alive messages to
> >   ^^^^^^^^^^^^^^^^
> >   traverse middleboxes (see Section 3.5).
> > ==
> 
> Yes, you use keep-alive messages here. A ping on one direction and a
> pong/ack as reply in the direction. I’m not we are maybe talking past each
> other… I think the following is sufficient
> 
> 
> Client ping —————>
>             <———— server pong
> 
> 
> While what I read from the document is that you do this:
> 
> Client ping —————>
>             <———— server pong
> 
>             <———— server ping
> Client pong —————>
> 
> If that is not what your are doing you need to clarify this in the
> document.
> 
> If you actually want to have two different ping/pong’s you need to explain
> me why you need both.