Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sat, 29 June 2019 12:11 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91FAD120108; Sat, 29 Jun 2019 05:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PkTE7nyZyOpM; Sat, 29 Jun 2019 05:11:03 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4276B1200DE; Sat, 29 Jun 2019 05:11:03 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1561809663; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=QZ0PDfH0MFXAEPF9qDezpUNaq6EkRHGOI0hXTz 2lnFQ=; b=BTyRBxOyI7HSyrdz0fmCiUjEU7tza1GfHXdtKVsX OoA1cf8e6CMLBPNtPInbS5f7UdPNw1zBZlzciU5VkN7T342YT2 w2KwNyu+jWAglRpLMW4WNxPzXN1chDQl6ZoQ/LgMeA/umn98Ms CojgixT+f7w3p2MfnfL69gmr/2y2GPY=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 221b_562f_cd36f95b_9507_432a_b691_46d2a41565d8; Sat, 29 Jun 2019 06:01:02 -0600
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 29 Jun 2019 06:10:48 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Sat, 29 Jun 2019 06:10:48 -0600
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 29 Jun 2019 06:10:46 -0600
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB2151.namprd16.prod.outlook.com (52.132.142.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.20; Sat, 29 Jun 2019 12:10:46 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::89e6:d84d:9681:1065%5]) with mapi id 15.20.2008.018; Sat, 29 Jun 2019 12:10:46 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, =?utf-8?B?TWlyamEgS8O8aGxld2luZA==?= <ietf@kuehlewind.net>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, The IESG <iesg@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: =?utf-8?B?W0RvdHNdICBNaXJqYSBLw7xobGV3aW5kJ3MgRGlzY3VzcyBvbiBkcmFmdC1p?= =?utf-8?B?ZXRmLWRvdHMtc2lnbmFsLWNoYW5uZWwtMzE6ICh3aXRoIERJU0NVU1MgYW5k?= =?utf-8?Q?_COMMENT)?=
Thread-Index: AQHVLf/4fK5/Kpc8U06ofujg6QywKaayhBOA
Date: Sat, 29 Jun 2019 12:10:46 +0000
Message-ID: <DM5PR16MB1705ABD7DD4CB93E065006E4EAFF0@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <155672175129.924.6789867477696592350.idtracker@ietfa.amsl.com> <20190628222124.GB10013@kduck.mit.edu>
In-Reply-To: <20190628222124.GB10013@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.8
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 73c3f54c-a9fa-4a88-9087-08d6fc8ad13b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR16MB2151;
x-ms-traffictypediagnostic: DM5PR16MB2151:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DM5PR16MB2151DA51B0F13E9E639A8A41EAFF0@DM5PR16MB2151.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0083A7F08A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(366004)(396003)(39860400002)(136003)(13464003)(199004)(189003)(32952001)(55016002)(6306002)(9686003)(186003)(80792005)(478600001)(7696005)(76176011)(5660300002)(6436002)(71190400001)(71200400001)(4326008)(68736007)(54906003)(224303003)(229853002)(66556008)(256004)(14444005)(7736002)(66446008)(64756008)(33656002)(2906002)(11346002)(446003)(14454004)(66946007)(74316002)(66476007)(81156014)(81166006)(8936002)(73956011)(476003)(305945005)(66574012)(966005)(110136005)(76116006)(25786009)(3846002)(6116002)(86362001)(102836004)(53936002)(52536014)(486006)(72206003)(26005)(99286004)(6246003)(66066001)(316002)(6506007)(53546011)(2171002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB2151; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZqhRzUU3kORuhMRrMQH+TP3fJdkcwD+3sea4HwqtLucIYrjx7qtXp0Gzb1kvpmgsbbtVfJlM/M/IQddeovUZlxnIqjZgE/gNV4LvQhaLb89we461wBCe/XuxeoUjf2LoS9O9zLZUXEXnm3jf4tsRB6vezxVbyRzWtxbLbBYpYjRg0RhYyv/VxW+Yk3Mr+rSYg2NVpHLT3EGhU1GI3S3MdseYUNaiwJEO3c2iCc0gW93zu4L0/HK+A7RugJK9zfNhJbhiL/0lhPX7XXc4xmwOo+hURiTEuB+DRTK95IVavJbUXDXRUsH/V8aO8fQ70MQxqOyaIBegJs5JL80BvnmMqFw2G0nHkDXPKh+O/DF4qriOoAY1fe2We4Tju3HwUh/DQzJGDal8LsCj9tZbxloWoAoulU90g/gyseIylhUMP3Q=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 73c3f54c-a9fa-4a88-9087-08d6fc8ad13b
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2019 12:10:46.4811 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB2151
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.4
X-NAI-Spam-Version: 2.3.0.9418 : core <6579> : inlines <7113> : streams <1825894> : uri <2861734>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Pz964UnsjehOZnhgJ_eHQN6iY9w>
Subject: Re: [Dots] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-?= =?utf-8?q?dots-signal-channel-31=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 12:11:07 -0000

Please see inline

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org>; On Behalf Of Benjamin Kaduk
> Sent: Saturday, June 29, 2019 3:51 AM
> To: Mirja Kühlewind <ietf@kuehlewind.net>;
> Cc: draft-ietf-dots-signal-channel@ietf.org; frank.xialiang@huawei.com;
> dots-chairs@ietf.org; The IESG <iesg@ietf.org>;; dots@ietf.org
> Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-
> channel-31: (with DISCUSS and COMMENT)
> 
> 
> 
> Hi Mirja,
> 
> I wanted to check in with the status of the remaining Discuss points for this
> document.  I tried to go through the previous discussions and have made my
> own analysis of where things stand, so hopefully we can compare notes.
> 
> On Wed, May 01, 2019 at 07:42:31AM -0700, Mirja Kühlewind via Datatracker
> wrote:
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > 1) Port usage (see section 3):
> > The port request for DOTS was reviewed by the port expert team. Some
> > members of the team were concerned about the assignment of a separate
> > port number for DOTS as Coap is used and already has a designated port
> > number. I believe that Coap is used as a transport in the case and
> > DOTS provides a separate service compared to what Coap is usually used
> > for, however, it is not clear why DOTS needs a designated port.
> > Section 3 says that the port can either be preconfigured or
> > dynamically detected, therefore it is not clear why a fixed port is
> > needed (see also section 7.1. of RFC7605). In the port review process
> > the authored argued that a port is needed to differentiate the DOTS
> > service in the network. However, this is not an endorsed usage for
> > port numbers (see section 6.2. of RFC7605). Further, I believe
> > assigning a fixed port might actually add an attack vector for DOTS,
> > either by DDoSing the respective port at the DOTS server, or any attempt
> to block DOTS traffic on the network from the DOTS client to the DOTS server.
> 
> If I understand correctly you were supporting a port allocation, but wanted
> the document to be more clear about its usage and necessity.
> 
> There were some text changes, so that we now have:
> 
>    In some cases, a DOTS client and server may have mutual agreement to
>    use a specific port number, such as by explicit configuration or
>    dynamic discovery [I-D.ietf-dots-server-discovery].  Absent such
>    mutual agreement, the DOTS signal channel MUST run over port number
>    TBD as defined in Section 9.1, for both UDP and TCP.  In order to use
>    a distinct port number (as opposed to TBD), DOTS clients and servers
>    SHOULD support a configurable parameter to supply the port number to
>    use.  The rationale for not using the default port number 5684
>    ((D)TLS CoAP) is to allow for differentiated behaviors in
>    environments where both a DOTS gateway and an IoT gateway (e.g.,
>    Figure 3 of [RFC7452]) are present.
> 
> Does that address your concerns?
> 
> > 2) Section 4.3 says:
> > "In reference to Figure 4, the DOTS client sends two TCP SYNs and two
> >    DTLS ClientHello messages at the same time over IPv6 and IPv4."
> > However, RFC8305 explicitly states that connection attempts SHOULD NOT
> > be made simultaneously (see sec 5).
> >
> > Further Figure 4 shows a different order of request as recommended in
> > the text (text says: "UDP over IPv6, UDP over IPv4, TCP over IPv6, and
> > finally TCP over IPv4"). Also why are the UDP connection attempts
> > repeated? I guess that is meant to be the retransmission of the DTLS
> > Hello? However, usually you should receive the TCP SYNACK before you
> > retransmit or in the best case even before you start the next
> > connection attempt. Therefore that should be not displayed like this in the
> figure or needs further explanation.
> 
> We changed this behavior to be sequential and adhere to 8305 most of the
> time, but allow dropping the connection attempt delay to 100ms during
> (congestive) attacks.
> 
> > 3) Why are these statements SHOULDs and not MUSTs (see section 4.4)?
> >   "DOTS agents SHOULD follow the data transmission guidelines discussed
> >    in Section 3.1.3 of [RFC8085] and control transmission behavior by
> >    not sending more than one UDP datagram per round-trip time (RTT) to
> >    the peer DOTS agent on average."
> > and
> >   "If the DOTS client cannot maintain an RTT estimate, it
> >    SHOULD NOT send more than one Non-confirmable request every 3
> >    seconds"
> > as well as in section 4.4.2.1:
> >   "If the DOTS server cannot maintain an RTT
> >    estimate, it SHOULD NOT send more than one asynchronous notification
> >    every 3 seconds"
> > and again in section 4.4.2.2:
> >  "The frequency of polling the DOTS server to get the
> >    mitigation status SHOULD follow the transmission guidelines in
> >    Section 3.1.3 of [RFC8085].
> 
> These changes made, except for the last one, IIUC.
> 
> > However, most of the communication pattern used by DOTS rely on a
> > request/reply pattern and Coap specifies for this case that only one
> > request can be outstanding at a time (until the reply is received or
> > message is assumed to be
> > lost) (see section 4.7 and 4.2 of RFC7252) which therefore will be
> > used in this case. Only migration updates are send without reply, and
> > here a MUST would be more appropriate.
> >
> > Please also note that if there can only be one request outstanding
> > (before a reply is received) it is also not possible that requests are
> > received out of order (see e.g. 4.4.3: "If UDP is used as transport,
> > CoAP requests may arrive out-of-order.").
> 
> We did get some pointers to cases in which requests may well arrive out of
> order.
> 
> > 4) draft-ietf-core-hop-limit is used in section 10:
> > "The presence of DOTS gateways may lead to infinite forwarding loops,
> >    which is undesirable.  To prevent and detect such loops, this
> >    document uses the Hop-Limit Option."
> > This sounds like it should be required (and normative language should
> > be used) and therefore draft-ietf-core-hop-limit should also be a
> normative reference.
> > Also draft-ietf-core-comi should probably another normative reference.
> 
> hop-limit is now normative, and per Alexey's suggestion the comi usage has
> been described inline.
> 
> > 5)Section 4.5.2: You give recommendations for min and max in a note,
> > however, these values should be specified normatively and in best with a
> MUST.
> 
> It got changed to RECOMMENDED.  (I do see you asked why there was a
> need for a maximum at all, which I don't remember seeing an answer to.)

All the configuration parameters have min, current and max values.

> 
> > 6) Section 4.7: "the DOTS
> >    agent sends a heartbeat over the signal channel to maintain its half
> >    of the channel.  The DOTS agent similarly expects a heartbeat from
> >    its peer DOTS agent"
> > and
> > "DOTS servers MAY trigger their heartbeat requests immediately after
> >    receiving heartbeat probes from peer DOTS clients."
> > Actually heartbeat should only be send in one direction (as the other
> > end will send an ack) and the protocol should clearly specify which
> > endpoint is responsible for triggering the ping.
> 
> I'm not sure I see resolution on this; do the authors still need to answer why
> the "pong" reply cannot serve as a reverse-path heartbeat?

If the DOTS client domain is subjected to volumetric DDoS attack and the incoming link is saturated, the pong response from the server will not reach the client. DOTS server gets traffic from the client but receives no responses to its ping requests indicating the client has not detected the attack or, if an attack mitigation is in progress, it implies the applied DDoS mitigation actions are not yet effective to handle the DDoS attack volume.  

Cheers,
-Tiru

> 
> > 7) sec 7.3:"To avoid DOTS signal message fragmentation and the
> subsequent
> >    decreased probability of message delivery, DOTS agents MUST ensure
> >    that the DTLS record MUST fit within a single datagram."
> > This should be handled by the DTLS record layer and not by DOTS that
> > works on top of DTLS (actually Coap), therefor it seems straight to
> > have a normative requirement here in the DOTS spec. Also note that the
> > calculation provided is not valid for early data (0-RTT) as the hello
> > messages could be transmitted in the same datagram.
> 
> There was some clarifying discussion here; do you still see an issue?
> 
> > 8) Also sec 7.3: "If the path
> >    MTU is not known to the DOTS server, an IP MTU of 1280 bytes SHOULD
> >    be assumed."
> >   Actually this is only true for IPv6. The later note mentions that the
> >   situation is different from IPV4, however, it should probably be made
> clear
> >   from the beginning that 1280 can only be assumed for IPv6.
> 
> Currently we're at a MAY-level limit of 576 bytes when it's known that IPv4
> systems are present.
> 
> > 9) sec 9.6: What's the registration policy for the newly created registries?
> 
> Standards Action, as indicated.
> 
> > 10) The document should more explicitly provide more guidance about
> > when a client should start a session and what should be done (from the
> > client side) if a session is detected as inactive (other than during
> > migration which is discussed a bit in 4.7). Is the assumption to have
> > basically permanently an active session or connect for migration and
> > configuration requests separately at a time?
> 
> I think there was some clarifying text added, but please confirm if you think it
> is sufficient.
> 
> Thanks,
> 
> Ben
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots