Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue

"Jon Shallow" <supjps-ietf@jpshallow.com> Thu, 25 April 2019 09:28 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C59A12007A for <dots@ietfa.amsl.com>; Thu, 25 Apr 2019 02:28:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.099
X-Spam-Level: ***
X-Spam-Status: No, score=3.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cpiwDePrSXeF for <dots@ietfa.amsl.com>; Thu, 25 Apr 2019 02:28:14 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB9F812006D for <dots@ietf.org>; Thu, 25 Apr 2019 02:28:14 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.91) (envelope-from <jon.shallow@jpshallow.com>) id 1hJafp-0000Gr-O4; Thu, 25 Apr 2019 10:28:09 +0100
From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: "'kaname nishizuka'" <kaname@nttv6.jp>, <mohamed.boucadair@orange.com>, <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93302EA649B4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp>
In-Reply-To: <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp>
Date: Thu, 25 Apr 2019 10:28:07 +0100
Message-ID: <012601d4fb49$3328c000$997a4000$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJQEGP+1iseERi2OTPcLXp1W/83ywIpkhMbpUUkcMA=
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/PNk3HFdPLEactke9u9UntKulsR4>
Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 09:28:17 -0000

Hi there,

The advantage of separating out the counters for the different ACLs is that the DOTS client can then determine what is being effective or not.  However, if (signal) data is able to get from the DOTS server to the DOTS client, then it is likely that the data channel will still be operable and can be used to get these numbers so I still do not think that this should be over the signal channel.

I think that that the GET response (or observe response) bytes-dropped etc. should be the total dropped - i.e. the sum of the ACls and what the DMS is otherwise doing as it refers to the mitigation request.

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of kaname
> nishizuka
> Sent: 25 April 2019 10:00
> To: mohamed.boucadair@orange.com; dots@ietf.org
> Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> 
> Hi Med, all,
> 
> Regarding with the issue, I'm not convinced of the benefit to return the
> activated ACL statistics over signal-channel.
> 
> The idea of this draft is based on this situation (quoted from Jon's
> comment):
> (It is) very unreliable when the inbound pipe is running full.  If the pipe is not
> running full, then this information can be obtained over the data channel.
> 
> ACL stats can be get over the data-channel. I don't see any reason to
> reproduce the same function.
> 
> Further more, I don't think the DOTS server should notify that DOTS client
> with the change by including the corresponding acl-* parameters in an
> asynchronous notification.
> The basic behavior is already written in the draft:
>     This specification does not require any modification to the efficacy
>     update and the withdrawal procedures defined in
>     [I-D.ietf-dots-signal-channel].  In particular, ACL-related clauses
>     are not included in a PUT request used to send an efficacy update and
>     DELETE requests.
> 
> If so, the server need not to store any resource about acl-* per mitigation
> request, which make the function of the signal-filter-control simple enough.
> 
> thanks,
> Kaname
> 
> On 2019/04/24 15:24, mohamed.boucadair@orange.com wrote:
> > Hi all,
> >
> > We do have one pending issue to be resolved for this draft. The issue is
> available at:
> > https://github.com/boucadair/filter-control/issues/1
> >
> > We need your feedback on this.
> >
> > Cheers,
> > Med
> >
> >> -----Message d'origine-----
> >> De : Dots [mailto:dots-bounces@ietf.org] De la part de internet-
> >> drafts@ietf.org
> >> Envoyé : mercredi 24 avril 2019 07:34
> >> À : i-d-announce@ietf.org
> >> Cc : dots@ietf.org
> >> Objet : [Dots] I-D Action: draft-ietf-dots-signal-filter-control-00.txt
> >>
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
> >> directories.
> >> This draft is a work item of the DDoS Open Threat Signaling WG of the
> IETF.
> >>
> >>          Title           : Controlling Filtering Rules Using Distributed
> >> Denial-of-Service Open Threat Signaling (DOTS) Signal Channel
> >>          Authors         : Kaname Nishizuka
> >>                            Mohamed Boucadair
> >>                            Tirumaleswar Reddy
> >>                            Takahiko Nagata
> >> 	Filename        : draft-ietf-dots-signal-filter-control-00.txt
> >> 	Pages           : 23
> >> 	Date            : 2019-04-23
> >>
> >> Abstract:
> >>     This document specifies an extension to the DOTS signal channel so
> >>     that DOTS clients can control their filtering rules when an attack
> >>     mitigation is active.
> >>
> >>     Particularly, this extension allows a DOTS client to activate or de-
> >>     activate existing filtering rules during a DDoS attack.  The
> >>     characterization of these filtering rules is supposed to be conveyed
> >>     by a DOTS client during an idle time by means of the DOTS data
> >>     channel protocol.
> >>
> >> Editorial Note (To be removed by RFC Editor)
> >>
> >>     Please update these statements within the document with the RFC
> >>     number to be assigned to this document:
> >>
> >>     o  "This version of this YANG module is part of RFC XXXX;"
> >>
> >>     o  "RFC XXXX: Controlling Filtering Rules Using Distributed Denial-
> >>        of-Service Open Threat Signaling (DOTS) Signal Channel";
> >>
> >>     o  reference: RFC XXXX
> >>
> >>     o  [RFCXXXX]
> >>
> >>     Please update these statements with the RFC number to be assigned to
> >>     the following documents:
> >>
> >>     o  "RFC SSSS: Distributed Denial-of-Service Open Threat Signaling
> >>        (DOTS) Signal Channel Specification" (used to be
> >>        [I-D.ietf-dots-signal-channel])
> >>
> >>     o  "RFC DDDD: Distributed Denial-of-Service Open Threat Signaling
> >>        (DOTS) Data Channel Specification" (used to be
> >>        [I-D.ietf-dots-data-channel])
> >>
> >>     Please update the "revision" date of the YANG module.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-dots-signal-filter-control/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-dots-signal-filter-control-00
> >> https://datatracker.ietf.org/doc/html/draft-ietf-dots-signal-filter-control-
> >> 00
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >> _______________________________________________
> >> Dots mailing list
> >> Dots@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dots
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots