Re: [Dots] Tsvart last call review of draft-ietf-dots-data-channel-27

"Konda, Tirumaleswar Reddy" <> Mon, 18 March 2019 05:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9905F127817; Sun, 17 Mar 2019 22:43:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6DDCi4ZmYyg6; Sun, 17 Mar 2019 22:43:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9550F1274A1; Sun, 17 Mar 2019 22:43:49 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s_mcafee; t=1552887607; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:x-originating-ip: x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:authentication-results:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=X 9o43MtygIEW7y+3tfSjROUrkLIZoYy1QFrjFkKrav Q=; b=QlUTlyoiMUP/BwGcOs9LTHL+4YLPnQAa11eFT9F3JoeF IboVYu4BIPA7QbxWtnjN1Ke+mggIFHjD5djrUwv/Qg2BpruH6i UBwvCMZunhou8/sZaUVi4MBSFlnO9sdZ1q+ZNIAC8hfEnNkTpV 8m8L5MHLtI9Ixp55wF9+Ikx2c0E=
Received: from ( []) by with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 75e9_0607_0efe5a17_1ec3_4213_8930_b2ef1629e57f; Sun, 17 Mar 2019 23:40:07 -0600
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 17 Mar 2019 23:42:34 -0600
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Sun, 17 Mar 2019 23:42:34 -0600
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 17 Mar 2019 23:42:33 -0600
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Mon, 18 Mar 2019 05:42:32 +0000
Received: from ([fe80::9c48:452b:e39c:ef39]) by ([fe80::9c48:452b:e39c:ef39%2]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 05:42:32 +0000
From: "Konda, Tirumaleswar Reddy" <>
To: Brian Trammell <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: [Dots] Tsvart last call review of draft-ietf-dots-data-channel-27
Thread-Index: AQHU2+Ll7N28W1ey7UW60/hdaXljoaYQ1O3A
Date: Mon, 18 Mar 2019 05:42:32 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
dlp-product: dlpe-windows
dlp-reaction: no-action
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 802d9130-cbbc-47ba-3c2b-08d6ab648444
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2696;
x-ms-traffictypediagnostic: BYAPR16MB2696:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(376002)(396003)(346002)(366004)(136003)(13464003)(189003)(199004)(32952001)(14444005)(5024004)(256004)(54906003)(316002)(66574012)(110136005)(2501003)(97736004)(80792005)(3846002)(6116002)(8676002)(81156014)(105586002)(106356001)(7736002)(6436002)(229853002)(8936002)(81166006)(74316002)(68736007)(25786009)(305945005)(53936002)(6246003)(66066001)(55016002)(4326008)(6306002)(26005)(9686003)(86362001)(2906002)(186003)(446003)(7696005)(71200400001)(71190400001)(966005)(52536014)(476003)(33656002)(102836004)(99286004)(5660300002)(486006)(53546011)(76176011)(6346003)(6506007)(478600001)(11346002)(72206003)(14454004)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2696;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is );
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WlGejJ3rWJtGjZtqdYZ3nP7Wg3faDzB1RiHYcqHrhPCJujUiLPnullm1P4PS7CV3qrqDNRZmKZ+dhvA0tFrehxyK8R1RVjukNPxn+zoQmP0BQsyM4/r/ekR94kPIWzLoQ7BCNze+jgcW7MnLpFcJ2okjxrgXvQU3dfdhDFmVzh+WgG5+6v7z8etek3BcSg4wpfqQRQNS5Yh0HjftRf2VHugaBVq9IqjJ5pX3kMoPvU8eydugACH9N6/MRWhLok7kvrXi61qcCRrmjFCn43jp7lYiJE+subroDDTXIU+dPA+zxwRD+RXhp16zIYGevyFzLMaxdOOjtf2Ytp+gvWoHNsolRIMIF+XRZyLj2YhA4GTfZHgdGOP0RO32nEldZVSpGU8aKybmzlx9EVyCssKw/H3JrmgP6t0X02O75hElhvs=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 802d9130-cbbc-47ba-3c2b-08d6ab648444
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 05:42:32.1816 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2696
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: : core <6504> : inlines <7035> : streams <1816034> : uri <2814900>
Archived-At: <>
Subject: Re: [Dots] Tsvart last call review of draft-ietf-dots-data-channel-27
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Mar 2019 05:43:53 -0000

> -----Original Message-----
> From: Dots <> On Behalf Of Brian Trammell via
> Datatracker
> Sent: Saturday, March 16, 2019 3:58 PM
> To:
> Cc:;;
> Subject: [Dots] Tsvart last call review of draft-ietf-dots-data-channel-27
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> Reviewer: Brian Trammell
> Review result: Ready with Issues
> This document has been reviewed as part of the transport area review team's
> ongoing effort to review key IETF documents. These comments were written
> primarily for the transport area directors, but are copied to the document's
> authors and WG to allow them to address any issues raised and also to the IETF
> discussion list for information.
> Apologies for missing the last call deadline; however I hope the input is useful.
> This document is basically ready; some issues and questions for the WG below.
> General Considerations, Data Channel Design
> ------------------------------------------------
> On its own this document is okay from a transport considerations standpoint:
> the data channel does not have to operate in a degraded environment (i.e.,. on
> an interface under attack) and makes perfectly reasonable use of RESTCONF.
> The companion signal channel document will require (much) more careful
> attention from the transport directorate.
> Please pay attention to whatever your SECDIR review says anything about the
> use of TLS client authentication (as specified with mutual authentication).
> I suppose the use of mutual auth was inherited from RESTCONF, though?
> I'd be curious to know whether other client authentication schemes were
> considered.

Yes, the TLS protocol profile for DOTS protocols is discussed in 

> The use of cdid as a client rate association token and rate-limiter seems open
> to misconfiguration or misuse. Is there a concept for protecting against this
> beyond log-and-detect?

cdid is generated from the client identity (e.g. hash of the public key in the client certificate), DOTS server can detect if the client 
is frequently changing the 'cdid'.

> Data Model Design
> --------------------
> The target-fqdn element in the alias definition seems prone to cause confusing
> results if used naïvely (indeed the document itself points this out). On the other
> hand, in dynamic service environments it is quite useful for an alias to refer to
> a name as opposed to a set of addresses. Did the working group consider
> including some further context for the resoultion of these into IP addresses (for
> example, by providing a link to a DoT/DoH server to update the resolutions
> periodically)? If not, perhaps some text about doing this out of band would be
> helpful.

Good point. We can add the following text:
DNSSEC must be used to ensure target FQDN resolution is authentic, and DNS privacy protocols (DoT or DoH) must be used to resolve the target FQDN to prevent eavesdroppers 
from possibly identifying the target resources protected by the DDoS mitigation service.


> Thanks, cheers,
> Brian
> _______________________________________________
> Dots mailing list