IETF Logo Mail Archive

Re: [Dots] DOTS telemetry questions

kaname nishizuka <kaname@nttv6.jp> Wed, 11 March 2020 10:30 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE883A1679 for <dots@ietfa.amsl.com>; Wed, 11 Mar 2020 03:30:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mUDst2yFEzx for <dots@ietfa.amsl.com>; Wed, 11 Mar 2020 03:30:31 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 489D33A1677 for <dots@ietf.org>; Wed, 11 Mar 2020 03:30:30 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 724AB25F6B8; Wed, 11 Mar 2020 19:30:29 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1583922629; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=N8vMl+aB5Hdz/3Xn7zzbCk72IpsVFIYKQBotgy2VKmo=; b=CHkPfD1d+WHhUxiaTCbIDn2PG/njctUijEwig+Z/GYtFUlxTkCg3q/Dx9soBl6SJk6bCau 2KtupMgjuFbfgcRrmS2EROQV5DeFVaXoBJxLAJ+5MF3CUbwgwBwSFEfq6bzJV7LFLO0IxO lonKa30Gn+PfGE/tCVpTKSk3j6u+r1g=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 581AA75900F; Wed, 11 Mar 2020 19:30:29 +0900 (JST)
To: Jon Shallow <supjps-ietf@jpshallow.com>, mohamed.boucadair@orange.com, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, dots@ietf.org
References: <188801d5e830$635d97d0$2a18c770$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303143DAF8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup><191b01d5e8a8$886d1e60$99475b20$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303143DE2E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <197301d5e8cd$f31384a0$d93a8de0$@jpshallow.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <559c1aa6-255d-4f1a-c513-87944995774f@nttv6.jp>
Date: Wed, 11 Mar 2020 19:30:28 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <197301d5e8cd$f31384a0$d93a8de0$@jpshallow.com>
Content-Type: multipart/alternative; boundary="------------8347B590A9C0DADAF41070C3"
Content-Language: en-US
Authentication-Results: guri.nttv6.jp; spf=pass smtp.mailfrom=kaname@nttv6.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Pem-Xp_GnwF7L4e9Syq4uukAVPQ>
Subject: Re: [Dots] DOTS telemetry questions
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 10:30:36 -0000

Hi,

With regard to 4)

Proposal: change MUST to SHOULD here.
```
DOTS agents MUST bind pre-mitigation telemetry data with mitigation
    requests relying upon the target clause.
(snip)
  An example illustrating requests correlation by means of 'target-prefix'
    is shown in Figure 22.
```

It is acceptable to relax this bind especially in the case of Figure 22 from operational perspective.
In this case, Pre-mitigation telemetry from the DOTS server to the client can be a hint to the upcoming mitigation request.
But it's not necessary to use the same prefix if an operator of the DOTS client wanted to do so.
Like that, it's not necessary to correlate this pre-mitigation telemetry and the mitigation request from the view point of the DOTS server because acknowledging there is the correlation will not affect the behavior of the DOTS server.

But, It IS necessary to correlate the mitigation request by mid with further telemetry information from DOTS server (maybe namely "post-mitigation" telemetry).

regards,
Kaname

On 2020/02/22 0:45, Jon Shallow wrote:
>
> Hi,
>
> See inline Jon1>
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org] *On Behalf Of *mohamed.boucadair@orange.com
> *Sent:* 21 February 2020 13:32
> *To:* Jon Shallow; Konda, Tirumaleswar Reddy; kaname nishizuka; dots@ietf.org
> *Subject:* Re: [Dots] DOTS telemetry questions
>
> Re-,
>
> Please see inline.
>
> Cheers,
>
> Med
>
> *De :*Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> *Envoyé :* vendredi 21 février 2020 12:18
> *À :* BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname nishizuka; dots@ietf.org
> *Objet :* RE: [Dots] DOTS telemetry questions
>
> Hi Med et al,
>
> See inline Jon>
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org] *On Behalf Of *mohamed.boucadair@orange.com
> *Sent:* 21 February 2020 07:00
> *To:* Jon Shallow; Konda, Tirumaleswar Reddy; kaname nishizuka
> *Cc:* dots@ietf.org
> *Subject:* Re: [Dots] DOTS telemetry questions
>
> Hi Jon,
>
> (ccing the WG to track the changes).
>
> Please see inline.
>
> Cheers,
>
> Med
>
> *De :*Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> *Envoyé :* jeudi 20 février 2020 21:58
> *À :* BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname nishizuka
> *Objet :* DOTS telemetry questions
>
> Hi Guys,
>
> 1)For example CBOR mappings
>
>      Header: PUT (Code=0.03)
>
>      Uri-Path: ".well-known"
>
>      Uri-Path: "dots"
>
>      Uri-Path: "mitigate"
>
>      Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
>
>      Uri-Path: "mid=123"
>
>      If-Match:
>
>      Content-Format: "application/dots+cbor"
>
>      {
>
> "ietf-dots-signal-channel:mitigation-scope": {
>
>         "scope": [
>
>           {
>
> "alias-name": [
>
> "myserver"
>
>              ],
>
> "attack-status": "under-attack",
>
>             "*/ietf-dots-telemetry:total-attack-traffic/*": [
>
>               {
>
> "ietf-dots-telemetry:unit": "megabytes-ps",
>
> "ietf-dots-telemetry:mid-percentile-g": "900"
>
>               }
>
>             ]
>
>           }
>
>         ]
>
>       }
>
>      }
>
>     Figure 33: An Example of Mitigation Efficacy Update with Telemetry
>
> Attributes
>
> And yet the mapping table only has (no ietf-dots-telemetry: prefix)
>
> | total-attack-traffic | list        |32794 | 4 array       | Array  |
>
> I appreciate that ietf-dots-telemetry:total-attack-traffic and total-attack traffic are the same CBOR value (or are they?)
>
> */[Med] The same value is used but I didn’t check if there are side effects. /*
>
> Jon> Need to think this through.  My implementation maps the CBOR into JSON and then works on the JSON to do what is necessary and then converts the JSON response back into CBOR.
>
> */[Med] An issue with namespaces will be the encountered if the conversion is the same for the attribute when it is carried in a “pure” telemetry message or in an existing signal channel message./*
>
> Jon1> Correct – I don’t like the concept of having 2 mapping tables for mapping the CBOR value back into JSON.
>
> Jon> We  have the same naming issues in draft-ietf-dots-signal-filter-control-00 where we do not have the ietf-dots-signal-control: prefix in the JSON examples (Fig 10)
> */[Med] Fig 10 is a “normal” mitigation request. Why should it need to include “ietf-dots-signal-control:” prefix?/*
>
> Jon1> My bad – I was looking at draft-ietf-dots-signal-filter-control-00, not draft-ietf-dots-signal-filter-control-02. However, https://tools.ietf.org/html/draft-ietf-dots-signal-filter-control-02#section-5.1 only defines “activation-type” without the prefix, and acl-list and acl-name have the incorrect prefix: added to, for example, Figure 1.
>
> */Please note that we have this note is section 10:/*
>
> *//*
>
> */==/*
>
>    o  Some of these attributes should be prepended with "ietf-dots-
>
> telemetry:"
>
> */==/*
>
> *//*
>
> but when mapping the CBOR back to JSON the variant of JSON parameter is context (Uri-Path: mitigate or tm) dependent.
>
> 2)why do we not have a “enum megabit-ps” in “typedef unit” in the YANG Module?
> */[Med]  This can be added to the list as ‘units()’ are negotiated. *-bytes are more used for aggregates, but let’s be consistent and have both bit/bytes in the units./*
> Jon> Megabytes works with aggregates, megabits works with pipes.
> */[Med] I added the unit to the module. BTW, in order to easily define new units, I updated the module so that units are defined as identities, not enumerations. The updated mapping table is: https://github.com/boucadair/draft-dots-telemetry/blob/master/mapping-table.txt (or https://github.com/boucadair/draft-dots-telemetry/blob/master/draft-ietf-dots-telemetry-03.txt) /*
> Jon1> Typo in megabite-ps
> Jon1> I am not sure about the usage of identityref. https://tools.ietf.org/html/rfc7951#section-6.8 states that the value is represented as a string (currently the CBOR mapping entry says it is an integer), and furthermore it is likely that the namespace-qualified form is required. This is a huge increase in the number of bytes needed whenever unit (and measurement-interval Etc.) are used.  I think that this is a bad change.*//*
> 3)I think that I have worked out that server-originated-telemetry if set allows telemetry included in the mitigation status rather than only returned using Uri-path: tm – correct?
> */[Med] I confirm. Note that including pre-mitigation returned using “Uri-path:tm” is controlled by PUT/GET (Section 7.3)./*
> Jon> Agreed.
>
> 4)I am confused by “pre-mitigation” which can be transmitted pre any mitigation taking place, or actually during when mitigation is taking place (or so I think) and would simply be better described as “attack-details” – especially with a statement such as
>
>     DOTS agents MUST bind pre-mitigation telemetry data with mitigation
>     requests relying upon the target clause.
> *//*
> */[Med] That’s an option but the current design allows to have the telemetry in // in order to supply more data ** without impacting the placement of a mitigation request ** hence the need to bind both (if any). If telemetry attributes are defined as mandatory (discussed in another thread), this would mean that the server will reject a mitigation that includes such attributes. With the current design, we have a functionality that can be safely enabled independently of the decision that we will make about whether telemetry attributes are mandatory to be supported or not./*
> Jon> My primary point here was the use of the term “pre-mitigation” – this telemetry is also needs during a mitigation and the attack keeps on morphing into something else.
> */[Med] I see your point. We will see if we can find a better term./**//*
> Jon1> Agreed – it is the “pre” that certainly does not work for me.  Something like “attack information” ?
> *//*
> *//*
> */Another point we can check to ease correlation between a mitigation request and pre-mitigation telemetry is to signal the “mid” in the telemetry message./*
> Jon> could be – need to think this through
> */[Med] Let’s think about this one further./*
> Jon1> Sure – this may come out in the wash as we try to implement this stuff.
> Regards
> Jon

v2.23.0 | Report a Bug | By Email