IETF Logo Mail Archive

Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

"Takeshi Takahashi" <takeshi_takahashi@nict.go.jp> Tue, 24 March 2015 12:46 UTC

Return-Path: <takeshi_takahashi@nict.go.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D001A0046 for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 05:46:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.58
X-Spam-Level: *
X-Spam-Status: No, score=1.58 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7vwF2rj9v_qE for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 05:46:34 -0700 (PDT)
Received: from ns1.nict.go.jp (ns1.nict.go.jp [IPv6:2001:df0:232:300::1]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAF1B1A0019 for <dots@ietf.org>; Tue, 24 Mar 2015 05:46:34 -0700 (PDT)
Received: from gw1.nict.go.jp (gw1.nict.go.jp [133.243.18.250]) by ns1.nict.go.jp with ESMTP id t2OCkQoZ023314; Tue, 24 Mar 2015 21:46:26 +0900 (JST)
Received: from takeAsus (ssh.nict.go.jp [133.243.3.49]) by gw1.nict.go.jp with SMTP id t2OCkKWC023300; Tue, 24 Mar 2015 21:46:22 +0900 (JST)
Message-ID: <1B74E9D1ED594F8AA7B10CE1C5A4D969@takeAsus>
From: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, Eric Burger <eburger@standardstrack.com>, dots@ietf.org
References: <358188D97DBE45F787E97C9E29B1C0A3@takeAsus> <D1360207.B412%nteague@verisign.com> <77FA386512F0D748BC7C02C36EB1106D955C93@szxeml557-mbs.china.huawei.com> <1C9F17D1873AFA47A969C4DD98F98A75153AC9EA@xmb-rcd-x10.cisco.com> <D1364C2B.B4E6%nteague@verisign.com> <0CB8640B8D094438BD4A4793DAD0F3B7@takeAsus> <10B310D1-09A0-4C9F-B01C-F25DFA360981@standardstrack.com> <55115149.2070700@htt-consult.com>
In-Reply-To: <55115149.2070700@htt-consult.com>
Date: Tue, 24 Mar 2015 07:46:03 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_034E_01D06606.944BFFF0"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-Virus-Scanned: clamav-milter 0.98.5 at zenith1
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/Rk4UCEz2vzdPdNBhLA1vP_Y9AII>
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 12:46:42 -0000

Hi Eric,

I agree on your comments, but let me remind you that we need a documented schema to use external XML via IODEF/IODEF-SCI.

> Let me take it from a different perspective. If we could use XML, would we not just use IODEF and be done with it? My understanding is we cannot pay the XML tax and as such need to go a different route. 

Yes, I understand the same for the use cases that require prompt and automated actions.
I think this is true, though I haven’t done evaluation by myself. 

> A well-defined data model would be very important for this effort. 

I also agree on this point.

And I believe the outpuf these works will provide specific and practical data model.
I think we could consider how to reuse the output.
One example was IODEF; it can convey XML data if the schema is defined.

> With a well-defined data model, one should be able to easily translate from IPFIX or some hyper-compressed binary encoding to XML.

Yes, but we need a spec that defines a schema in order to list it in the IANA table of IODEF-SCI.
Even more, if these draft defines a schema, that can be used by non-IODEF techniques as well.

I am wondering if there is any negative effects of preparing a schema for the draft except the workload.
I have listened some discussion on XML vs JSON vs... etc. until now, but all of these works should be able to cope with each other regarding information model, I guess.

Kind regards,
Take


From: Robert Moskowitz 
Sent: Tuesday, March 24, 2015 6:58 AM
To: Eric Burger ; dots@ietf.org 
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00




On 03/24/2015 06:39 AM, Eric Burger wrote:

Let me take it from a different perspective. If we could use XML, would we not just use IODEF and be done with it? My understanding is we cannot pay the XML tax and as such need to go a different route.

A well-defined data model would be very important for this effort. With a well-defined data model, one should be able to easily translate from IPFIX or some hyper-compressed binary encoding to XML.
I almost hate to say it, but if we can develop (or there already is) a Binary Encoding Rule(s) for XML to a very compressed format, then we can do the data modeling in XML, but transmit in this BER format.


On Mar 24, 2015, at 6:57 AM, Takeshi Takahashi mailto:takeshi_takahashi@nict.go.jp wrote:

Hi,

Thank you for the replies; I think I got the idea better than before.

more pliable for UDP export.  I think we could obviously examine how DOTS
and IODEF etc. may interoperate as we proceed but was beyond the scope of
the initial 00 draft.  This list is a great place to have that discussion.
It would be great if we could have such a discussion.

Below are comments on why I would like to see the XML representation in the drafts.
IODEF is just one spec of many other specs that defines XML-based information model; there are lots more that haven't been brought to IETF (e.g., stix).
If you do not provide any XML schema (in the appendix of the drafts) on this issue, the same kind of work would be taken again in the future from the XML-based community.
I think that is a waste.
I know that XML-representation is off the context of these drafts and thus authors are not that happy to cope with that, but I believe it is worth saying that here :)
It could be that Nik's draft can gain little benefit by defining xml schema since it does not need further analytics, but I feel that it is useful for Ana's draft since it expects further analysis such as big data analysis.

Thank you.
Take


-----Original Message----- From: Teague, Nik
Sent: Tuesday, March 24, 2015 12:20 AM
To: Panos Kampanakis (pkampana) ; Hedanping (Ana) ; Takeshi Takahashi ; Roman D. Danyliw ; dots@ietf.org
Cc: tt2@rc5.so-net.ne.jp
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

Hi,

On 23/03/2015 22:54, "Panos Kampanakis (pkampana)" mailto:pkampana@cisco.com
wrote:

Hello,

It seems to me that the "signaling in order to mitigate DDoS" problem has
been solved already by BGP FlowSpec. I am not sure if defining more
verbose and detailed communications between network elements would add
much value, since these devices cannot do more than signalling and
mitigate.

Panos
Flowspec is very effective within the bounds of its capabilities - if a
bad actor is hammering my network with an ntp reflection attack or my web
server with a whole swathe of large udp packets then I can easily build
filters to handle that - if the bad actor is hitting my web server with a
syn flood from a massively random source pool then I have to consider rate
limiting as probably my best, but maybe not ideal, option.  If I try and
generate more than 12k flow route filters to push to either my equipment
or my service providers (depending upon whether they support Flowspec)
then things can get a little hairy.  DDoS mitigation CPE and DDoS
mitigation providers exist because the need is there - The DOTS proposal
is that effective signaling is necessary between these elements, not
specifically generic network elements, but actual elements that are
concerned with often complex attacks that a flow route filter is unable to
deal with.  If my ingress links are saturated then signaling via a tcp
oriented session can potentially result in more cycles being spent trying
to initiate and maintain a session than actual information transferŠ and
if the connection drops then the whole thing has to start again.

Thanks,

-Nik




_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots
_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

   

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots




--------------------------------------------------------------------------------
_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email