IETF Logo Mail Archive

Re: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 14 February 2017 14:58 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24FDA129503 for <dots@ietfa.amsl.com>; Tue, 14 Feb 2017 06:58:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XXp8Cb5RS0a for <dots@ietfa.amsl.com>; Tue, 14 Feb 2017 06:58:37 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2926412962C for <dots@ietf.org>; Tue, 14 Feb 2017 06:58:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33856; q=dns/txt; s=iport; t=1487084317; x=1488293917; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=xWlw3Zcp1XpeySsYxknnFP0uaasOcK4ieWtSYR9Px6k=; b=QKdZbt1fyuJrP6pdJlbZPgMS5lLUyQHdKhOxH39R+1G0kaJtIMoUrT14 NiKQZHAnSxWSi7O0FlPXZnOV9feFzrkvSE4CUzQAH0tJ9KAZ1KadRyJ2S 565r9SGPGmm8maNEnIx5klirFOH2fW4mxJptnsoxoYdo4qs4L9WIrDGdJ c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ASAQAgGqNY/4MNJK1eGQEBAQEBAQEBAQEBBwEBAQEBgm9jYYEJB41akhCVNoIMKoV4AoF7PxgBAgEBAQEBAQFiKIRpAQEBBC1FBxACAQgRBAEBIQECBAcyFAkIAQEEAQ0FCBGJUg6xKotcAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWGTIRvhDABDR0HKIUvBZtyAYZuixyCBIUXiXOTFAEfOIEAURU9hEUdGYFIdQGHYwElgQqBDAEBAQ
X-IronPort-AV: E=Sophos;i="5.35,161,1484006400"; d="scan'208,217";a="180410845"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Feb 2017 14:58:35 +0000
Received: from XCH-ALN-019.cisco.com (xch-aln-019.cisco.com [173.36.7.29]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v1EEwZBu021426 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 14 Feb 2017 14:58:35 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-019.cisco.com (173.36.7.29) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 14 Feb 2017 08:58:34 -0600
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1210.000; Tue, 14 Feb 2017 08:58:34 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Ehud Doron <EhudD@Radware.com>, 'dots' <dots@ietf.org>
Thread-Topic: Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
Thread-Index: AdKCER/slEaaT/pbTQCa8ffUgEh/YgEwQ2SQ
Date: Tue, 14 Feb 2017 14:58:34 +0000
Message-ID: <bfa74e5a63d2430c80bdfd6b0da0c3b8@XCH-RCD-017.cisco.com>
References: <E58182C4A35A8E498E553AD3D33FA001011717E1DF@ILMB1.corp.radware.com>
In-Reply-To: <E58182C4A35A8E498E553AD3D33FA001011717E1DF@ILMB1.corp.radware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.50.47]
Content-Type: multipart/alternative; boundary="_000_bfa74e5a63d2430c80bdfd6b0da0c3b8XCHRCD017ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/RnuYQMb1kkQCjfx2I2YZmHMVZxk>
Cc: David Aviv <DavidA@Radware.com>
Subject: Re: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 14:58:40 -0000

Hi Ehud,

Please see inline for responses to comments on draft-reddy-dots-data-channel-03

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Ehud Doron
Sent: Wednesday, February 8, 2017 7:21 PM
To: 'dots' <dots@ietf.org>
Cc: David Aviv <DavidA@Radware.com>
Subject: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Tiru and authors Hi

Attached please find my comments and feedbacks to draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .


Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel  draft-reddy-dots-signal-channel-07


1.       General comment: For all signals in the draft, need to add means to allow vendor specific attributes as part of all signals transactions


2.       General comment: Just for clarity, need to explicitly mention on each figure when it is an example or the actual API


3.       Page 3 second paragraph : DOTS should not be limited to "enterprise network" only
.

4.       Page 4 chapter 4: The overall context of the "happy eyeballs" and its relations (or coexistence) to CoAP is not clear.


5.       Page 7 chapter 5.2.1: The need for YANG model cannot be understood from text. What are the needs for YANG models? What is the relation to the JSONs in the other chapters in the draft


6.       Page 14 figure 5: The mitigation request attributes are right but not enough. Need to add more telemetry info about the actual attack that it is required to mitigate, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.


7.       Page 15 Life time attribute: More reasonable to have this attribute in minutes rather than seconds, bigger default can also suggested


8.       Page 15 last paragraph: Not sure that target port or target protocol can define a protected entity. IP, FQDN, URI are the only "stand alone" attributes , port and protocol are companion attributes. See also figure 9 .


9.       Page 15 last paragraph: The mitigation request is not clear, to which identifier the text is related ?   "policy ID" ? I think the best is have another attribute to define the priority of mitigation requests


10.   Page 21 table: The return status are right but not enough. Need to add more telemetry info about the actual mitigation going on (how much traffic was mitigated) and the attack that are mitigated, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.


11.   Page 15 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.


12.   Page 21 last paragraph: This is very strong point.


13.   Page 25 : Regarding attack status, same point about telemetry.


14.   Page 25 chapter 5.4: I believe it can valuable to add a short high level description about the proposed API flow, same as you did for 5.3 .


15.   Page 27:  The necessity of policy_id here is not clear enough, are the "Signal Channel Session Configuration" define only "single" DOTS session or the entire communication between Client and Server for several DOTS request for mitigation?


16.   Page 27: Not sure about the reason for "at least one of the attributes heartbeat-interval or max-retransmit or ack-timeout or ack-random-factor MUST be present." Also consider to change to "presented".



17.   Page 30 chapter 5.5: Need to specify the overall scenario, in reaction to which signal (or API transaction POST of Mitigation Request , unidirectional notification from Server as describes in page 23 in page 21 ?) the  redirection occurred ?


Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel  draft-reddy-dots-data-channel-03


1.       General comment: For all signal in the draft, need to add means to allow vendor specific attributes as part of all signals transactions

[TR] Agreed, updated draft.



2.       Page 5 second paragraph: Why it is required to configure the DOTS signal channel session ?

[TR] No need to configure DOTS signal channel session, fixed second paragraph.


3.       Page 8 chapter 3.2.1 : Any reason for not including these identifiers in the DOTS signal channel draft ?

[TR] Identifiers created for resources in DOTS data channel are used in DOTS signal channel to request DDOS mitigation. It's the responsibility of DOTS data channel to create aliases for resources (see https://tools.ietf.org/html/draft-ietf-dots-requirements-03#section-2.3). The main reason for DOTS signal channel not creating identifiers is the message size may exceed Path MTU.



4.       Page 9 figure 3 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.

[TR] Yes, it is possible; create different aliases for IP1 TCP port 80 and IP2 UDP port 53.



5.       Page 13 chapter 3.3 : Need to emphasize that filtering rules are relevant for both client server direct communication and through a DOTS gateway. The chapter is a bit confusing.

[TR] Thanks, fixed chapter 3.3.



6.       Page 14 chapter 3.3 : I am missing the white-list installation, is it by using the permit action ?

[TR]  Yes, "permit" action is used for white-list installation; it's defined in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-09



7.       Page 15 figure 8: For DDoS it is highly valuable to have rate limit as an action. Consider adding such action (if already defined need to explain where and how).

[TR] Done, updated draft.


8.       Page 15 figure 8: Need to consider adding priority to an ACL to support cases when several filtering rules are conflicting.

[TR]  We are not doing anything new to ACL, ACL an ordered list of Access List Entries (ACE) based on priority.




9.       Page 15 : The action field cannot be optional attribute.

[TR] As per https://tools.ietf.org/html/draft-ietf-netmod-acl-model-09 if the action field not specified then "deny" is the default action.


10.   Page 16 chapter 3.3.3: Need to add more telemetry info about the actual traffic that was blocked (bps, pps and so on), but as I believe this might be another issue...

[TR] Chapter 3.3.3 only discusses telemetry details of number of matches for the installed filtering rules.

-Tiru

Thanks,

Ehud Doron |  Senior Architect, Radware CTO office | M: +972-54-7575503 | T: +972-72-3917120

v2.23.0 | Report a Bug | By Email