Re: [Dots] New Version Notification for draft-francois-ipv6-dots-signal-option-00.txt
Abdelkader Lahmadi <abdelkader.lahmadi@loria.fr> Thu, 24 March 2016 22:12 UTC
Date: Thu, 24 Mar 2016 23:12:47 +0100
From: Abdelkader Lahmadi <abdelkader.lahmadi@loria.fr>
To: Dan Wing <dwing@cisco.com>
Message-ID: <1171392464.13152849.1458857567927.JavaMail.zimbra@loria.fr>
In-Reply-To: <104639888.13150956.1458856266578.JavaMail.zimbra@loria.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/QYfBwcALsg8GVGKekv39ELaAWqo>
Cc: Jérôme François <jerome.francois@inria.fr>, Giovane Moura <giovane.moura@sidn.nl>, dots@ietf.org, "Marco Davids (SIDN)" <marco.davids@sidn.nl>
Subject: Re: [Dots] New Version Notification for draft-francois-ipv6-dots-signal-option-00.txt
Hi,

Thanks for the feedback. Comments inline:

> IPv6 Extensions Headers, themselves, are often rate-limited or dropped entirely, reference
> https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops
> https://tools.ietf.org/html/draft-ietf-v6ops-ipv6-ehs-in-real-world
> http://www.iepg.org/2014-03-02-ietf89/fgont-iepg-ietf89-eh-update.pdf

Thanks for the references, we will go through them and clarify this issue in the draft.

> While there might be agreement to not drop such packets over a link or over an ISP access network, some DOTS deployment models have the DOTS server on the Internet (e.g., cloud-based DDoS mitigation) where such agreements don't (can't) exist.

If the DOTS server (or a Relay) and client are located in the same administrative domain, piggybacking the proposed option in the packets could be done in a straightforward way, while considering that an agreement exists to avoid dropping or rate limiting of IPv6 extension headers. However, yes, it becomes more difficult when the server is on the Internet. Such a deployment model needs more thought. We will clarify and discuss the different deployment models when updating the draft.

> While using v6 for this sort of piggybacked DOTS message is admirable, it is limited to networks where the DOTS client, DOTS server, intervening network, and user traffic (on which to piggyback) are all using IPv6 during the attack.

We mainly consider that IPv6 traffic exists during the attack (it could be any type of IPv6 packets, since the proposed mechanism is opportunistic) to be able to make use of the proposed piggybacking mechanism.

> Finally, such piggybacked messages seem difficult to authenticate.

We are also looking into this issue to make use of an authentication token in the piggybacked option. We will detail and make a proposition to tackle this issue.
Best,

> -d
>
> > Thanks,
> > Jérôme
> >
> > -------- Forwarded Message --------
> > Subject: New Version Notification for draft-francois-ipv6-dots-signal-option-00.txt
> > Date: Mon, 21 Mar 2016 10:55:51 -0700
> > From: internet-drafts@ietf.org
> > To: Jerome Francois <jerome.francois@inria.fr>, Abdelkader Lahmadi <abdelkader.lahmadi@loria.fr>
> >
> > A new version of I-D, draft-francois-ipv6-dots-signal-option-00.txt has been successfully submitted by Jerome Francois and posted to the IETF repository.
> >
> > Name: draft-francois-ipv6-dots-signal-option
> > Revision: 00
> > Title: IPv6 DOTS Signal Option
> > Document date: 2016-03-21
> > Group: Individual Submission
> > Pages: 13
> > URL: https://www.ietf.org/internet-drafts/draft-francois-ipv6-dots-signal-option-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-francois-ipv6-dots-signal-option/
> > Htmlized: https://tools.ietf.org/html/draft-francois-ipv6-dots-signal-option-00
> >
> > Abstract:
> > This document describes a delivery mechanism based on the IPv6 Hop-by-Hop options extension header type to carry a DOTS client signal message over a congested network due to a DDoS attack. The specified mechanism allows the DOTS client signal message to be included using an opportunistic way in outgoing IPv6 packets traveling then through the network to reach a DOTS server or relay.
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
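As an added illustration (not the draft's own option format, which is not on this page): an encoder and parser for an IPv6 Hop-by-Hop Options header that carries the piggybacked DOTS signal as one option TLV per RFC 8200. The RFC 4727 experimental option type 0x1E stands in for the real code point, and a truncated HMAC-SHA256 is one assumed shape for the authentication token the authors say they are considering; the option's "skip if unrecognised" action bits are what lets a non-DOTS node forward the packet, although, as the thread notes, many networks drop extension headers regardless.

```python
import hmac
import hashlib

# Hop-by-Hop Options header (RFC 8200, section 4.3):
#   Next Header (1) | Hdr Ext Len (1, 8-octet units, not counting the first 8) | options...
# Each option is a TLV: Type (1) | Data Len (1) | Data. Pad1 is the single
# byte 0x00; PadN is type 0x01 followed by N-2 zero bytes.
# Assumption: 0x1E (RFC 4727 experimental Hop-by-Hop option type) stands in
# for the DOTS signal option. Its top two bits are 00: a node that does not
# recognise it must skip the option and keep processing the packet.
DOTS_OPT_TYPE = 0x1E
PAD1, PADN = 0x00, 0x01
NEXT_HEADER_UDP = 17
TAG_LEN = 16  # assumed token: HMAC-SHA256 over the signal, truncated

def build_hbh(next_header, signal, key):
    """Encode `signal` plus its authentication token as one option TLV."""
    tag = hmac.new(key, signal, hashlib.sha256).digest()[:TAG_LEN]
    data = signal + tag
    if len(data) > 255:
        raise ValueError("option data exceeds the one-byte length field")
    body = bytes([DOTS_OPT_TYPE, len(data)]) + data
    pad = (-(2 + len(body))) % 8        # header must be a multiple of 8 octets
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body

def parse_hbh(buf, key):
    """Walk the options; return (next_header, signal or None, token_ok).
    Unrecognised options are skipped or rejected per their action bits."""
    next_header, total = buf[0], (buf[1] + 1) * 8
    i, signal, token_ok = 2, None, False
    while i < total:
        opt_type = buf[i]
        if opt_type == PAD1:
            i += 1
            continue
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if opt_type == DOTS_OPT_TYPE and length > TAG_LEN:
            signal, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            expected = hmac.new(key, signal, hashlib.sha256).digest()[:TAG_LEN]
            token_ok = hmac.compare_digest(tag, expected)
        elif opt_type >> 6 != 0b00:
            raise ValueError(f"option 0x{opt_type:02x}: action bits require discard")
        i += 2 + length
    return next_header, signal, token_ok
```

A receiver that does not hold the shared key sees the signal but gets `token_ok == False`, which is the property a relay or server would check before acting on a piggybacked request.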