Re: [Dots] WGLC for draft-dots-use-cases-19

<mohamed.boucadair@orange.com> Tue, 06 August 2019 12:53 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0C47120183 for <dots@ietfa.amsl.com>; Tue, 6 Aug 2019 05:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJP5yf4cmDLU for <dots@ietfa.amsl.com>; Tue, 6 Aug 2019 05:53:19 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 975BC120170 for <dots@ietf.org>; Tue, 6 Aug 2019 05:53:19 -0700 (PDT)
Received: from opfednr07.francetelecom.fr (unknown [xx.xx.xx.71]) by opfednr22.francetelecom.fr (ESMTP service) with ESMTP id 462vgy1sxwz10Rq; Tue, 6 Aug 2019 14:53:18 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.51]) by opfednr07.francetelecom.fr (ESMTP service) with ESMTP id 462vgy0ksJzFpX0; Tue, 6 Aug 2019 14:53:18 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM22.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0468.000; Tue, 6 Aug 2019 14:53:14 +0200
From: <mohamed.boucadair@orange.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Valery Smyslov" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Thread-Topic: [Dots] WGLC for draft-dots-use-cases-19
Thread-Index: AdVMHvzhmt/V33ByRr+d368GCi1ExgABDh/gAAA/2oAAAmsFAAAApBygAAFk76AAAGXy8AAALP6QAAB9ubAAA9IiYAABiL4AAABR/TAAAPXKAA==
Date: Tue, 6 Aug 2019 12:53:14 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B9330312FDE6B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <00b001d54c1f$d57799e0$8066cda0$@smyslov.net> <DM5PR16MB17050571BAD70FACA597FA6CEAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDB17@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170555606E26709FC5C54AA4EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDBC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB17050DF869BABA8B3670DC85EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC3B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB1705E573DE3E7482115B9FE0EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC6C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170551C20908654A0F6428D7EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDDC9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB1705CBD6DF992D7FB9178B29EAD50@DM5PR16MB1705.namprd16.prod.outlook.com>
In-Reply-To: <DM5PR16MB1705CBD6DF992D7FB9178B29EAD50@DM5PR16MB1705.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/QGn__6iKBUDhTFfGNF1YHdjWEPw>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 12:53:22 -0000

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : mardi 6 août 2019 14:31
> À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> Cc : Xialiang (Frank, Network Standard & Patent Dept)
> Objet : RE: [Dots] WGLC for draft-dots-use-cases-19
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>;
> > Sent: Tuesday, August 6, 2019 5:46 PM
> > To: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>;; Valery Smyslov
> > <valery@smyslov.net>;; dots@ietf.org
> > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > <frank.xialiang@huawei.com>;
> > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> >
> >
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : mardi 6 août 2019 13:52
> > > À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > Xialiang (Frank, Network Standard & Patent Dept) Objet : RE: [Dots]
> > > WGLC for draft-dots-use-cases-19
> > >
> > > > -----Original Message-----
> > > > From: mohamed.boucadair@orange.com
> > > > <mohamed.boucadair@orange.com>;
> > > > Sent: Tuesday, August 6, 2019 3:15 PM
> > > > To: Konda, Tirumaleswar Reddy
> > > > <TirumaleswarReddy_Konda@McAfee.com>;; Valery Smyslov
> > > > <valery@smyslov.net>;; dots@ietf.org
> > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > <frank.xialiang@huawei.com>;
> > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > >
> > > >
> > > >
> > > > Re-,
> > > >
> > > > Please see inline.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Message d'origine-----
> > > > > De : Konda, Tirumaleswar Reddy
> > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > Envoyé : mardi 6 août 2019 11:29
> > > > > À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > > > Xialiang (Frank, Network Standard & Patent Dept) Objet : RE:
> > > > > [Dots] WGLC for draft-dots-use-cases-19
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: mohamed.boucadair@orange.com
> > > > > > <mohamed.boucadair@orange.com>;
> > > > > > Sent: Tuesday, August 6, 2019 2:50 PM
> > > > > > To: Konda, Tirumaleswar Reddy
> > > > > > <TirumaleswarReddy_Konda@McAfee.com>;; Valery Smyslov
> > > > > > <valery@smyslov.net>;; dots@ietf.org
> > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > <frank.xialiang@huawei.com>;
> > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > >
> > > > > > This email originated from outside of the organization. Do not
> > > > > > click
> > > > > links or
> > > > > > open attachments unless you recognize the sender and know the
> > > > > > content is safe.
> > > > > >
> > > > > > Re-,
> > > > > >
> > > > > > Please see inline.
> > > > > >
> > > > > > Cheers,
> > > > > > Med
> > > > > >
> > > > > > > -----Message d'origine-----
> > > > > > > De : Konda, Tirumaleswar Reddy
> > > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > Envoyé : mardi 6 août 2019 11:15 À : BOUCADAIR Mohamed
> > > > > > > TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > > > > > Xialiang (Frank, Network Standard & Patent Dept) Objet : RE:
> > > > > > > [Dots] WGLC for draft-dots-use-cases-19
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: mohamed.boucadair@orange.com
> > > > > > > > <mohamed.boucadair@orange.com>;
> > > > > > > > Sent: Tuesday, August 6, 2019 2:00 PM
> > > > > > > > To: Konda, Tirumaleswar Reddy
> > > > > > > > <TirumaleswarReddy_Konda@McAfee.com>;; Valery Smyslov
> > > > > > > > <valery@smyslov.net>;; dots@ietf.org
> > > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > > > <frank.xialiang@huawei.com>;
> > > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > > >
> > > > > > > > This email originated from outside of the organization. Do
> > > > > > > > not click
> > > > > > > links or
> > > > > > > > open attachments unless you recognize the sender and know
> > > > > > > > the content is safe.
> > > > > > > >
> > > > > > > > Re-,
> > > > > > > >
> > > > > > > > Please see inline.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Med
> > > > > > > >
> > > > > > > > > -----Message d'origine----- De : Konda, Tirumaleswar Reddy
> > > > > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > > > Envoyé : mardi 6 août 2019 10:14 À : BOUCADAIR Mohamed
> > > > > > > > > TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > > > > > > > Xialiang (Frank, Network Standard & Patent Dept) Objet :
> RE:
> > > > > > > > > [Dots] WGLC for draft-dots-use-cases-19
> > > > > > > > >
> > > > > > > > > Hi Med,
> > > > > > > > >
> > > > > > > > > No, the orchestrator is not ignoring the mitigation hints.
> > > > > > > >
> > > > > > > > [Med] Why? The text is clear the orchestrator acts as DOTS
> > > server.
> > > > > > > > As
> > > > > > > such, it
> > > > > > > > can ignore/accept hints.
> > > > > > > >
> > > > > > > >  It is sending
> > > > > > > > > filtering rules to block or rate-limit traffic to routers
> > > > > > > > > (last but one line in the new paragraph).
> > > > > > > >
> > > > > > > > [Med] Yes. That filtering rule is that would be applied by
> > > > > > > > the DMS if it
> > > > > > > has
> > > > > > > > sufficient resources.
> > > > > > > >
> > > > > > > >  The adverse impact is legitimate users whose
> > > > > > > > > IP addresses were spoofed
> > > > > > > > > cannot access the services of the target server.
> > > > > > > >
> > > > > > > > [Med] This is a check at the DMS side. This check applies
> > > > > > > > independently
> > > > > > > of **
> > > > > > > > where ** the filters are applied. This is not specific to
> > > > > > > > this NEW
> > > > > text.
> > > > > > >
> > > > > > > If the orchestrator is sending filtering rules to block
> > > > > > > traffic, checks are required to ensure spoofed IP address are
> > > > > > > not conveyed by
> > > > > the
> > > > > > DMS.
> > > > > >
> > > > > > [Med] Yes, but the current text describes the case where the DMS
> > > > > supplies
> > > > > > "its blocked traffic information":
> > > > > >
> > > > > >   the DDoS mitigation system can send mitigation requests
> > > > > >   with additional hints such as its blocked traffic information
> > > > > > to
> > > the
> > > > > >                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > > >   orchestrator.
> > > > > >
> > > > > > So, the DMS has already done that check.
> > > > >
> > > > > The blocked traffic information will include attack traffic from
> > > > > both spoofed and attacker IP addresses.
> > > > >
> > > >
> > > > [Med] If you are saying that there is an issue if the DMS does not
> > > check, you
> > > > are right. But, again, this is not specific to the NEW text. This is
> > > > a
> > > general
> > > > problem (that is outside DOTS, BTW).
> > >
> > > No, DMS will anyway check and try not block legitimate traffic from
> > > users whose IP addresses have been spoofed.
> > >
> >
> > [Med] What I'm saying is that the DMS will then follow the same logic
> when
> > providing the hints to the orchestrator.
> 
> No, the hints should include both spoofed and non-spoofed IP addresses
> used to attack the target.
> 

[Med] Why? A DMS may decide to offload only filtering rules its checked. 

Even if we assume that the check is at the orchestrator side, this is not a new threat vector. 

> >
> > > >
> > > >
> > > > > >
> > > > > >  If
> > > > > > > the orchestrator delegates the mitigation to a separate domain
> > > > > > > (recursive signaling), the attack information provided by DMS
> > > > > > > can include spoofed IP addresses (so the new mitigator in the
> > > > > > > separate domain learns the attack traffic is coming from
> > > > > > > spoofed IP
> > > addresses).
> > > > > >
> > > > > > [Med] This is not specific to this case, but applies each time
> > > > > > there is
> > > > > recursive
> > > > > > signaling.
> > > > >
> > > > > My comment is to using the attack information of spoofed IP
> > > > > addresses to filter traffic would penalize legitimate users, and
> > > > > the text is not clear me. I suggest adding a line for clarity, DMS
> > > > > may supply both spoofed and attacker IP addresses in the attack
> > > > > information to the orchestrator. The orchestrator will only use
> > > > > the non-spoofed IP addresses to enforce filtering rules on
> routers.
> > > >
> > > > [Med] I was assuming this is already done by the DMS to generate
> > > > "its blocked traffic information", but if you prefer the text to be
> > > > explicit,
> > > it will
> > > > need to be generic:
> > > >
> > > > the check is not specific to the NEW text but applies also in the
> > > general DMS
> > > > case (without offloading).
> > >
> > > When DMS generates the attack traffic information it should include
> > > both spoofed and attacker IP addresses (tagged with whether the IP
> > > address is spoofed or not).
> >
> > [Med] Why it should not check?
> 
> It checks and includes both type of IP addresses.

[Med] Why it has to include both if it has done the check? 

> 
> >
> > If the orchestrator is delegating the mitigation to a
> > > separate domain, it can propagate the attack information so the
> > > mitigator in the separate domain has knowledge that the attacker is
> > > using spoofed IP addresses and the mitigator can optionally use the
> > > attack information to determine the mitigation strategy.
> >
> > [Med] The recursive case is not covered in the current text. I don't
> think we
> > need to elaborate on this further.
> 
> I don't understand why recursive case should be excluded in the current
> text ?

[Med] Because the use-case draft does not cover this: It only covers the case of an orchestrator talking to local routers. 

> 
> >
> >  However If orchestrator is enforcing
> > > filtering rules on routers, it should create the black-list rules
> > > based on the non-spoofed attacker IP address and not use the spoofed
> > > victim IP addresses.
> > >
> >
> > [Med] Agree. Whether the check is done at the orchestrator or by the
> DMS,
> > is not a new concern. The DMS has to proceed with these checks, anyway.
> I
> > fail to see what is NEW and SPECIFIC to the offload scenario.
> 
> In this case the check has to be done by orchestrator when enforcing
> black-list rules not to penalize the spoofed victim IP addresses and
> should be discussed in the new use case.

[Med] This requirement has to be followed by the DMS, anyway. This is not a new issue, Tiru.  

 I don't see any other use case in
> the specification discussing offload scenario with propagating the attack
> information and I recommend updating the text discussing the above
> scenarios.

[Med] We don't have a similar text for the DMS case because mitigation is out of scope. I'm expecting to follow the some rationale for the offload. 

> 
> Cheers,
> -Tiru