[Dots] draft-ietf-dots-filter-control: acl updates
<mohamed.boucadair@orange.com> Tue, 14 May 2019 14:44 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/RINqNP3p811mMciX7uW2Es2tMTI>
Hi all,

The current version of the draft allows including acl attributes in requests with new or existing 'mid's. By "existing mid", we meant an existing request which does not include acl attributes when the request was initially created. For such requests, the activation-type of the same acl can be changed as the attack evolves or even control other ACLs. This is supposed to be covered by this text:

   When acl-* attributes are to be included in a mitigation request with
   an existing 'mid', the DOTS client MUST repeat all the other
   parameters as sent in the original mitigation request (i.e., having
   that 'mid') apart from a possible change to the lifetime parameter
   value.

For example:

   T0: R(mid)
   T1: R(mid, acl1, activation-type=value1)
   T2: R(mid, acl2, activation-type=value2)
   T3: R(mid, acl1, activation-type=value2)
   T4: R(mid)
   ...

Now, if acl attributes are included in a request with a new mid, we need to specify how activation-type (and acl-list in general) can be updated. We do have two options:

(1) Update the draft with this NEW text:

   If 'acl-list', 'acl-name', and 'activation-type' attributes are
   included in the initial mitigation request (that is, a mitigation
   request with a new 'mid'), the DOTS client may update the 'acl-list'
   as an active attack evolves. To do so, the DOTS client MUST repeat
   all the other parameters as sent in the original mitigation request
   apart from a possible change to the 'acl-list' and the lifetime
   parameter values.

And the signal channel spec as follows:

   For a mitigation request to continue beyond the initial negotiated
   lifetime, the DOTS client has to refresh the current mitigation
   request by sending a new PUT request. This PUT request MUST use the
   same 'mid' value, and MUST repeat all the other parameters as sent in
   the original mitigation request apart from a possible change to the
   lifetime parameter value
   or other changes to attributes defined in future extensions.
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For example:

   T0: R(mid, acl1, activation-type=value1)
   T1: R(mid, acl2, activation-type=value2)
   T2: R(mid, acl1, activation-type=value2)
   ...

(2) Require a new mid each time a client has to insert acl attributes.

For example:

   T0: R(mid0)
   T1: R(mid1, acl1, activation-type=value1)
   T2: R(mid2, acl2, activation-type=value2)
   T3: R(mid3, acl1, activation-type=value2)
   ...

Thoughts?

Cheers,
Med
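
Added example, not part of the original message or of the draft: a sketch of the check a DOTS server could run on a refresh PUT under the quoted draft text, option (1) and option (2). The policy names, the dict layout, the sample prefixes and the treatment of the open case under "draft" are assumptions made for illustration.

```python
# Added example. Request dicts and policy names are constructed for illustration.
ALWAYS_MUTABLE = {"lifetime"}  # a refresh may always change the lifetime

def acl_update_allowed(initial, policy):
    """Decide whether a refresh of an existing 'mid' may change 'acl-list'."""
    if policy == "option1":   # proposed NEW text: acl-list may evolve with the attack
        return True
    if policy == "option2":   # every ACL change needs a new 'mid'
        return False
    # "draft": covered only when the initial request carried no acl attributes.
    # Rejecting the other case is an assumption; the thread leaves it open.
    return "acl-list" not in initial

def refresh_violations(initial, update, policy):
    """Return the attributes a refresh PUT changed against the rule in force.

    'initial' is the request that created the 'mid'; 'update' is the new PUT.
    """
    if initial["mid"] != update["mid"]:
        raise ValueError("different 'mid': this is a new request, not a refresh")
    bad = []
    for key in sorted(set(initial) | set(update)):
        if key in ALWAYS_MUTABLE or initial.get(key) == update.get(key):
            continue
        if key == "acl-list" and acl_update_allowed(initial, policy):
            continue
        bad.append(key)
    return bad

# Constructed sample requests following the timelines in the message.
R_PLAIN = {"mid": 123, "target-prefix": ["192.0.2.0/24"], "lifetime": 3600}
R_ACL1 = {**R_PLAIN,
          "acl-list": [{"acl-name": "acl1", "activation-type": "value1"}]}
R_ACL2 = {**R_PLAIN, "lifetime": 7200,
          "acl-list": [{"acl-name": "acl2", "activation-type": "value2"}]}
R_RETARGET = {**R_ACL2, "target-prefix": ["198.51.100.0/24"]}

if __name__ == "__main__":
    for policy in ("draft", "option1", "option2"):
        print(policy,
              refresh_violations(R_PLAIN, R_ACL1, policy),
              refresh_violations(R_ACL1, R_ACL2, policy),
              refresh_violations(R_ACL1, R_RETARGET, policy))
```

Under every policy a changed target is reported, so a refresh cannot be used to silently redirect an existing mitigation.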