IETF Logo Mail Archive

Re: [Dots] DOTS Telemetry: URI Path

<mohamed.boucadair@orange.com> Fri, 31 January 2020 07:41 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66491120059 for <dots@ietfa.amsl.com>; Thu, 30 Jan 2020 23:41:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.687
X-Spam-Level:
X-Spam-Status: No, score=-2.687 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9aba5Nv0i0Y for <dots@ietfa.amsl.com>; Thu, 30 Jan 2020 23:41:11 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9898C12001E for <dots@ietf.org>; Thu, 30 Jan 2020 23:41:10 -0800 (PST)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 4888Kc5w92z1y9y; Fri, 31 Jan 2020 08:41:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1580456468; bh=mpUuFQXz7SiXouenN5sTfWj/o1pSgN3VRkXk63c5So8=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=uZZLvkRtEiRAHUzAH9uv5vlgm6TkubskB4xeb66O/1rfeUay3xgFs6QYtk3fM4DZ+ 0OXrP7+dnVB9aW3ebgKl26uBVi3iAAA9QLQZwU43PELlvR5V/eJgyyE46tO0VY+Ws8 Uf+MnQNZXOxN/QM5lsDjdD0vKWG8/vrqmPtTeje0XRQgXZJGY7yBK/hf5NNDg/CsRQ UyJ53n8UIhzx/6FdkdThfq3s0RaKR9l/JydpNRjuuS8JnFopfrB5GrsQJ/IL+5mZw7 7ATgkP3A9gBlHeWdXymNd5dTPXOHrCBzah9i3m8BfykcHPqFHWMAFCF7YmbPu/Yk1h XLdz76MbLuvww==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.86]) by opfednr05.francetelecom.fr (ESMTP service) with ESMTP id 4888Kc4x4JzyQ5; Fri, 31 Jan 2020 08:41:08 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBMA4.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0468.000; Fri, 31 Jan 2020 08:41:08 +0100
From: mohamed.boucadair@orange.com
To: kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: DOTS Telemetry: URI Path
Thread-Index: AdXSA4rBzLMvgmnTQFWFKSY1yB+Z8QF2A9exAApgW9A=
Date: Fri, 31 Jan 2020 07:41:08 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933031414366@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B93303140D0DC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93303141357C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <70510b36-aac4-db69-c88c-3204894f92c0@nttv6.jp>
In-Reply-To: <70510b36-aac4-db69-c88c-3204894f92c0@nttv6.jp>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933031414366OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Q0KKnmhD59xF8UsgfaIXKqZMYSM>
Subject: Re: [Dots] DOTS Telemetry: URI Path
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 07:41:14 -0000

Hi Kaname,

Please see inline.

Cheers,
Med

De : kaname nishizuka [mailto:kaname@nttv6.jp]
Envoyé : vendredi 31 janvier 2020 03:10
À : BOUCADAIR Mohamed TGI/OLN; dots@ietf.org
Objet : Re: DOTS Telemetry: URI Path

Hi Med,

As per the hackathon report of the last IETF, Server to Client telemetry would require another URI in order to convey asynchronous notification of attack-details from a DOTS server.
https://datatracker.ietf.org/meeting/106/materials/slides-106-dots-dots-telemetry-related-hackathon-activity-report-00
slide 9.
I'd like to hear notions whether that is already taken into account or not.
[Med] I confirm that we have recorded that issue. The approach to be published in -01 can be seen at: https://github.com/boucadair/draft-dots-telemetry/blob/master/draft-ietf-dots-telemetry-01.txt. This approach does not require a new uri: a client that is interested to receive pre-mitigation telemetry will enable an attribute called "server-initiated-telemetry". The server can then send telemetry data to the client using the same uri (/tm).
Of course, this design can be challenged. The plan is to work further on that part in -02.

Second, regarding with machine learning capability of DOTS, we've noticed some costomized feature like a ratio of SYN versus ACK in TCP flag is contributing for precise attack detection (in a feature construction process which is for obtaining contributing features from several metrics).
At the last meeting, we've discussed that conveying normal metric is already done by IPFIX.
But should adding this kind of DDoS dedicated metric be done in IPFIX or DOTS?
[Med]If this is about tweaking the detection machinery, I'm afraid this is not part of DOTS. We need more discussion to understand the use case.

thanks,
Kaname
On 2020/01/29 23:47, mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> wrote:
Hi all,

We are currently in the process of updating the draft. I'm afraid that we will finaly need to go with more operation path URIs. See inline for more details.

Cheers,
Med

De : Dots [mailto:dots-bounces@ietf.org] De la part de mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>
Envoyé : jeudi 23 janvier 2020 16:41
À : dots@ietf.org<mailto:dots@ietf.org>; 'kaname nishizuka'
Objet : [Dots] DOTS Telemetry: URI Path

Hi all,

In the current version of the telemetry draft, we are using '/telemetry' for telemetry-related operations. Kaname suggested to define three operation suffixes for that. I do think that two are sufficient as indicated below:

         +-------------------------+----------------+
         | Operation               | Operation Path |
         +-------------------------+----------------+
         | Telemetry Setup         | /tm-setup      |
         +-------------------------+----------------+
         | Telemetry               | /tm            |
         +-------------------------+----------------+

A dedicated uri (/tm-setup) will be used for telemetry setup operations (baseline, configuration): see the excerpt below:

  augment /ietf-signal:dots-signal/ietf-signal:message-type:
    +--:(telemetry-setup) {dots-telemetry}?
    |  +--rw telemetry* [cuid tsid]
    |     +--rw cuid                string
    |     +--rw cdid?               string
    |     +--rw tsid                uint32
    |     +--rw telemetry-config
    |     |  +--rw low-percentile?    percentile
    |     |  +--rw mid-percentile?    percentile
    |     |  +--rw high-percentile?   percentile
    |     |  +--rw unit-config* [unit]
    |     |     +--rw unit           unit
    |     |     +--rw unit-status?   Boolean
            ...
    |     +--rw baseline
    |        +--rw total-pipe-capability* [unit]
    |        |  +--rw unit    unit
    |        |  +--rw pipe?   uint64
    |        +--rw total-traffic-normal-baseline* [unit protocol]
    |        |  +--rw unit                 unit
    |        |  +--rw protocol             uint8
    |        |  +--rw low-percentile-g?    yang:gauge64
    |        |  +--rw mid-percentile-g?    yang:gauge64
    |        |  +--rw high-percentile-g?   yang:gauge64
    |        |  +--rw peak-g?              yang:gauge64
    |        +--rw total-connection-capacity* [protocol]
    |           +--rw protocol                     uint8
      ...
[Med] The current updated tree structure is as follows:

  augment /ietf-signal:dots-signal/ietf-signal:message-type:
    +--:(telemetry-setup) {dots-telemetry}?
    |  +--rw telemetry* [cuid tsid]
    |     +--rw cuid                   string
    |     +--rw cdid?                  string
    |     +--rw tsid                   uint32
    |     +--rw telemetry-config
    |     |  +--rw measurement-interval?   interval
    |     |  +--rw measurement-sample?     sample
    |     |  +--rw low-percentile?         percentile
    |     |  +--rw mid-percentile?         percentile
    |     |  +--rw high-percentile?        percentile
    |     |  +--rw unit-config* [unit]
    |     |     +--rw unit           unit
    |     |     +--rw unit-status?   boolean
    |     +--rw total-pipe-capacity* [link-id unit]
    |     |  +--rw link-id    nt:link-id
    |     |  +--rw unit       unit
    |     |  +--rw pipe?      uint64
    |     +--rw baseline
    |        +--rw target-prefix*                   inet:ip-prefix
    |        +--rw target-port-range* [lower-port]
    |        |  +--rw lower-port    inet:port-number
    |        |  +--rw upper-port?   inet:port-number
    |        +--rw target-protocol*                 uint8
    |        +--rw target-fqdn*                     inet:domain-name
    |        +--rw target-uri*                      inet:uri
    |        +--rw total-traffic-normal-baseline* [unit protocol]
    |        |  +--rw unit                 unit
    |        |  +--rw protocol             uint8
    |        |  +--rw low-percentile-g?    yang:gauge64
    |        |  +--rw mid-percentile-g?    yang:gauge64
    |        |  +--rw high-percentile-g?   yang:gauge64
    |        |  +--rw peak-g?              yang:gauge64
    |        +--rw total-connection-capacity* [protocol]
    |           +--rw protocol                     uint8
    |           +--rw connection?                  uint64
    |           +--rw connection-client?           uint64
    |           +--rw embryonic?                   uint64
    |           +--rw embryonic-client?            uint64
    |           +--rw connection-ps?               uint64
    |           +--rw connection-client-ps?        uint64
    |           +--rw request-ps?                  uint64
    |           +--rw request-client-ps?           uint64
    |           +--rw partial-request-ps?          uint64
    |           +--rw partial-request-client-ps?   uint64

The new structure is designed with the following objectives:

·         Allow a multi-homed client domain to signal the capacity of each interconnection link.

·         The normal traffic base line can be provided for the overall domain (an aggregated prefix, or no target-clause included at all) or for specific targets (IP addresses, prefixes)

·         These parameters can be communicated using the same or distinct request. Checks on overlapping targets and links are covered.

Nevertheless, this design brings some complexity if a request overlaps with an existing pipe request but a new baseline traffic. We may either go for an additional uri or maintain one single uri but go with the following design (which is my favorite):

  augment /ietf-signal:dots-signal/ietf-signal:message-type:
    +--:(telemetry-setup) {dots-telemetry}?
    |  +--rw telemetry* [cuid tsid]
    |     +--rw cuid                          string
    |     +--rw cdid?                         string
    |     +--rw tsid                          uint32
    |     +--rw (setup-type)?
    |        +--:(telemetry-config)
    |        |  +--rw measurement-interval?   interval
    |        |  +--rw measurement-sample?     sample
    |        |  +--rw low-percentile?         percentile
    |        |  +--rw mid-percentile?         percentile
    |        |  +--rw high-percentile?        percentile
    |        |  +--rw unit-config* [unit]
    |        |     +--rw unit           unit
    |        |     +--rw unit-status?   boolean
    |        +--:(pipe)
    |        |  +--rw total-pipe-capacity* [link-id unit]
    |        |     +--rw link-id    nt:link-id
    |        |     +--rw unit       unit
    |        |     +--rw pipe?      uint64
    |        +--:(baseline)
    |           +--rw baseline
    |              +--rw target-prefix*                   inet:ip-prefix
    |              +--rw target-port-range* [lower-port]
    |              |  +--rw lower-port    inet:port-number
    |              |  +--rw upper-port?   inet:port-number
    |              +--rw target-protocol*                 uint8
    |              +--rw target-fqdn*                     inet:domain-name
    |              +--rw target-uri*                      inet:uri
    |              +--rw total-traffic-normal-baseline* [unit protocol]
    |              |  +--rw unit                 unit
    |              |  +--rw protocol             uint8
    |              |  +--rw low-percentile-g?    yang:gauge64
    |              |  +--rw mid-percentile-g?    yang:gauge64
    |              |  +--rw high-percentile-g?   yang:gauge64
    |              |  +--rw peak-g?              yang:gauge64
    |              +--rw total-connection-capacity* [protocol]
    |                 +--rw protocol                     uint8
    |                 +--rw connection?                  uint64
    |                 +--rw connection-client?           uint64
    |                 +--rw embryonic?                   uint64
    |                 +--rw embryonic-client?            uint64
    |                 +--rw connection-ps?               uint64
    |                 +--rw connection-client-ps?        uint64
    |                 +--rw request-ps?                  uint64
    |                 +--rw request-client-ps?           uint64
    |                 +--rw partial-request-ps?          uint64
Thoughts?

While '/tm' can be used for sharing pre-mitigation telemetry data (an excerpt of the tree is shown below).

    +--:(telemetry) {dots-telemetry}?
       +--rw pre-mitigation* [cuid telemetry-id]
          +--rw cuid                       string
          +--rw cdid?                      string
          +--rw telemetry-id               uint32
          +--rw target
          |  +--rw target-prefix*       inet:ip-prefix
          |  +--rw target-port-range* [lower-port]
          |  |  +--rw lower-port    inet:port-number
          |  |  +--rw upper-port?   inet:port-number
          |  +--rw target-protocol*     uint8
          |  +--rw target-fqdn*         inet:domain-name
          |  +--rw target-uri*          inet:uri
          +--ro total-attack-traffic* [unit protocol]
          |  +--ro unit                 unit
          |  +--ro protocol             uint8
          |  +--ro low-percentile-g?    yang:gauge64
          |  +--ro mid-percentile-g?    yang:gauge64
          |  +--ro high-percentile-g?   yang:gauge64
          |  +--ro peak-g?              yang:gauge64
          +--ro total-traffic* [unit protocol]
          ...
          +--ro attack-detail
             +--ro vendor-id?         uint32
             +--ro attack-id?         string
             +--ro attack-name?       string
             +--ro attack-severity?   attack-severity
             +--ro start-time?        uint64
             +--ro end-time?          uint64
             +--ro source-count
             |  +--ro low-percentile-g?    yang:gauge64
             |  +--ro mid-percentile-g?    yang:gauge64
             |  +--ro high-percentile-g?   yang:gauge64
             |  +--ro peak-g?              yang:gauge64
             +--ro top-talker
                +--ro source-prefix* [source-prefix]
                   +--ro spoofed-status?            boolean
                   +--ro source-prefix              inet:ip-prefix
                ...

Unless there are objections, we will implement this change in the next iteration of the draft.

Cheers,
Med

v2.23.0 | Report a Bug | By Email