Re: [Dots] WGLC for draft-dots-use-cases-19
<mohamed.boucadair@orange.com> Tue, 06 August 2019 12:53 UTC
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/QGn__6iKBUDhTFfGNF1YHdjWEPw>
Re-,

Please see inline.

Cheers,
Med

> -----Original Message-----
> From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Sent: Tuesday, 6 August 2019 14:31
> To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> Cc: Xialiang (Frank, Network Standard & Patent Dept)
> Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
>
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > Sent: Tuesday, August 6, 2019 5:46 PM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Original Message-----
> > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Sent: Tuesday, 6 August 2019 13:52
> > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > >
> > > > -----Original Message-----
> > > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > > Sent: Tuesday, August 6, 2019 3:15 PM
> > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > >
> > > > Re-,
> > > >
> > > > Please see inline.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Original Message-----
> > > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > Sent: Tuesday, 6 August 2019 11:29
> > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > > > > Sent: Tuesday, August 6, 2019 2:50 PM
> > > > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > >
> > > > > > Re-,
> > > > > >
> > > > > > Please see inline.
> > > > > >
> > > > > > Cheers,
> > > > > > Med
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > Sent: Tuesday, 6 August 2019 11:15
> > > > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > > > > > > Sent: Tuesday, August 6, 2019 2:00 PM
> > > > > > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > > >
> > > > > > > > Re-,
> > > > > > > >
> > > > > > > > Please see inline.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Med
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > > > Sent: Tuesday, 6 August 2019 10:14
> > > > > > > > > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > > > > > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > > > > > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > > > > > > > >
> > > > > > > > > Hi Med,
> > > > > > > > >
> > > > > > > > > No, the orchestrator is not ignoring the mitigation hints.
> > > > > > > >
> > > > > > > > [Med] Why? The text is clear the orchestrator acts as DOTS server. As such, it can ignore/accept hints.
> > > > > > > >
> > > > > > > > > It is sending filtering rules to block or rate-limit traffic to routers (last but one line in the new paragraph).
> > > > > > > >
> > > > > > > > [Med] Yes. That filtering rule is the one that would be applied by the DMS if it has sufficient resources.
> > > > > > > >
> > > > > > > > > The adverse impact is legitimate users whose IP addresses were spoofed cannot access the services of the target server.
> > > > > > > >
> > > > > > > > [Med] This is a check at the DMS side. This check applies independently of ** where ** the filters are applied. This is not specific to this NEW text.
> > > > > > >
> > > > > > > If the orchestrator is sending filtering rules to block traffic, checks are required to ensure spoofed IP addresses are not conveyed by the DMS.
> > > > > >
> > > > > > [Med] Yes, but the current text describes the case where the DMS supplies "its blocked traffic information":
> > > > > >
> > > > > >    the DDoS mitigation system can send mitigation requests
> > > > > >    with additional hints such as its blocked traffic information to the
> > > > > >                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > > >    orchestrator.
> > > > > >
> > > > > > So, the DMS has already done that check.
> > > > >
> > > > > The blocked traffic information will include attack traffic from both spoofed and attacker IP addresses.
> > > >
> > > > [Med] If you are saying that there is an issue if the DMS does not check, you are right. But, again, this is not specific to the NEW text. This is a general problem (that is outside DOTS, BTW).
> > >
> > > No, DMS will anyway check and try not to block legitimate traffic from users whose IP addresses have been spoofed.
> >
> > [Med] What I'm saying is that the DMS will then follow the same logic when providing the hints to the orchestrator.
>
> No, the hints should include both spoofed and non-spoofed IP addresses used to attack the target.

[Med] Why? A DMS may decide to offload only filtering rules it has checked. Even if we assume that the check is at the orchestrator side, this is not a new threat vector.

> > > > > > > If the orchestrator delegates the mitigation to a separate domain (recursive signaling), the attack information provided by DMS can include spoofed IP addresses (so the new mitigator in the separate domain learns the attack traffic is coming from spoofed IP addresses).
> > > > > >
> > > > > > [Med] This is not specific to this case, but applies each time there is recursive signaling.
> > > > >
> > > > > My comment is that using the attack information of spoofed IP addresses to filter traffic would penalize legitimate users, and the text is not clear to me. I suggest adding a line for clarity: DMS may supply both spoofed and attacker IP addresses in the attack information to the orchestrator. The orchestrator will only use the non-spoofed IP addresses to enforce filtering rules on routers.
> > > >
> > > > [Med] I was assuming this is already done by the DMS to generate "its blocked traffic information", but if you prefer the text to be explicit, it will need to be generic: the check is not specific to the NEW text but applies also in the general DMS case (without offloading).
> > >
> > > When DMS generates the attack traffic information it should include both spoofed and attacker IP addresses (tagged with whether the IP address is spoofed or not).
> >
> > [Med] Why should it not check?
>
> It checks and includes both types of IP addresses.

[Med] Why does it have to include both if it has done the check?

> > > If the orchestrator is delegating the mitigation to a separate domain, it can propagate the attack information so the mitigator in the separate domain has knowledge that the attacker is using spoofed IP addresses and the mitigator can optionally use the attack information to determine the mitigation strategy.
> >
> > [Med] The recursive case is not covered in the current text. I don't think we need to elaborate on this further.
>
> I don't understand why the recursive case should be excluded in the current text?

[Med] Because the use-case draft does not cover this: It only covers the case of an orchestrator talking to local routers.

> > > However, if the orchestrator is enforcing filtering rules on routers, it should create the black-list rules based on the non-spoofed attacker IP address and not use the spoofed victim IP addresses.
> >
> > [Med] Agree. Whether the check is done at the orchestrator or by the DMS is not a new concern. The DMS has to proceed with these checks, anyway. I fail to see what is NEW and SPECIFIC to the offload scenario.
>
> In this case the check has to be done by the orchestrator when enforcing black-list rules not to penalize the spoofed victim IP addresses and should be discussed in the new use case.

[Med] This requirement has to be followed by the DMS, anyway. This is not a new issue, Tiru.

> I don't see any other use case in the specification discussing offload scenario with propagating the attack information and I recommend updating the text discussing the above scenarios.

[Med] We don't have a similar text for the DMS case because mitigation is out of scope. I'm expecting to follow the same rationale for the offload.

> Cheers,
> -Tiru
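The check both participants agree must happen somewhere, written here as orchestrator-side logic: router rules are derived only from hints whose source the DMS did not flag as spoofed, so forged victim addresses are never black-listed. This is an added example, not text from the draft or from either participant; the AttackHint shape (with the spoofed tag Tiru proposes), RouterRule, orchestrator_rules and the sample prefixes are all assumed and constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class AttackHint:
    """One entry of the DMS's 'blocked traffic information' (assumed shape)."""
    source: str        # source prefix seen in the attack traffic
    action: str        # what the DMS was applying: "block" or "rate-limit"
    spoofed: bool      # DMS tagged the source as a forged (victim) address
    rate_pps: int = 0  # packets/s budget, only meaningful for "rate-limit"

@dataclass(frozen=True)
class RouterRule:     # filtering rule the orchestrator pushes to a local router
    target: str
    source: str
    action: str
    rate_pps: int = 0

def orchestrator_rules(target: str, hints):
    """Turn DMS hints into router rules, never enforcing on a spoofed source.
    Returns (rules, ignored); `ignored` lists sources the orchestrator declined
    to enforce, which stay available as attack information only."""
    tgt = ip_network(target, strict=False)
    rules, ignored, seen = [], [], set()
    for h in hints:
        try:
            src = ip_network(h.source, strict=False)
        except ValueError:
            ignored.append(h.source)  # malformed hint: the DOTS server may ignore it
            continue
        # No rule from a source flagged as spoofed, an unknown action, or another address family.
        if h.spoofed or h.action not in ("block", "rate-limit") or src.version != tgt.version:
            ignored.append(h.source)
            continue
        key = (str(src), h.action)
        if key in seen:
            continue  # duplicate hint, already covered by an earlier rule
        seen.add(key)
        rate = h.rate_pps if h.action == "rate-limit" else 0
        rules.append(RouterRule(str(tgt), str(src), h.action, rate))
    return rules, ignored

# Constructed sample hints (documentation prefixes) offloaded by an overloaded DMS.
SAMPLE_HINTS = [
    AttackHint("203.0.113.0/24", "block", spoofed=False),
    AttackHint("198.51.100.7", "block", spoofed=True),  # forged victim address
    AttackHint("192.0.2.0/28", "rate-limit", spoofed=False, rate_pps=1000),
    AttackHint("203.0.113.0/24", "block", spoofed=False),  # duplicate hint
    AttackHint("2001:db8::/64", "block", spoofed=False),  # IPv6 source, IPv4 target
    AttackHint("not-an-address", "block", spoofed=False),  # malformed
]

if __name__ == "__main__":
    rules, ignored = orchestrator_rules("192.0.2.200/32", SAMPLE_HINTS)
    print(*rules, "not enforced: %s" % ignored, sep="\n")
```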