Re: [Dots] Opsdir last call review of draft-ietf-dots-signal-filter-control-04
mohamed.boucadair@orange.com Tue, 16 June 2020 15:42 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A2D83A0D9B; Tue, 16 Jun 2020 08:42:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fl-19I-59Hp8; Tue, 16 Jun 2020 08:42:05 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47A383A0D3B; Tue, 16 Jun 2020 08:42:05 -0700 (PDT)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 49mXWH4ztlz2xr5; Tue, 16 Jun 2020 17:42:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1592322123; bh=LmxD1YQdZKlu5+YXm+eQBtq3/z7Mm2dQYCYrQQDAq8g=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=bnVBWBbWTOsIWwgs5jyqUEB1CaHKHlzv+CdVFTEosJymJzU0WqATPz/Oqq6VjyxDW KkoX4eJRZIlBnEHLhUh/v55NICiJK6/+wFv/0qdGyYpm7ZHfhMmEbnLl5MhK+Rr7Rn 1BGAjzuAIL3jk2v7AEezVuZZ7erpDQdW8WEMogjZa4EzvhenJe+rz3/VGC8WTkvo3H APgL6bDmWJmHUQp8orQSpqvdQp1te6y3sV3bcCYw+R3iqoQazweW13VHDDv04CBOzT Toaxs8wv6bx/hrkqVs2Q0xf+UlVDzCLYhbG1IZ23W1ttzbPqLLqo8ZWA6cspwJV0J0 0C2r8geEIq+WA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.70]) by opfedar01.francetelecom.fr (ESMTP service) with ESMTP id 49mXWH3TgSzBrLS; Tue, 16 Jun 2020 17:42:03 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Tim Chown <Tim.Chown@jisc.ac.uk>
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-dots-signal-filter-control.all@ietf.org" <draft-ietf-dots-signal-filter-control.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Opsdir last call review of draft-ietf-dots-signal-filter-control-04
Thread-Index: AQHWQ6ItV3xb5NwsSUGnm/P7ToH/p6jbVZaAgAACojA=
Date: Tue, 16 Jun 2020 15:42:02 +0000
Message-ID: <18279_1592322123_5EE8E84B_18279_81_11_787AE7BB302AE849A7480A190F8B9330314DF1BF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <159223370986.12685.10672338283953567887@ietfa.amsl.com> <11378_1592286685_5EE85DDD_11378_313_1_787AE7BB302AE849A7480A190F8B9330314DEC67@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0006AA12-CF04-49CC-AEED-35D2B5EA6BD0@jisc.ac.uk>
In-Reply-To: <0006AA12-CF04-49CC-AEED-35D2B5EA6BD0@jisc.ac.uk>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/SP8rH8p0gUlOsBhaLiwP7lVasAI>
Subject: Re: [Dots] Opsdir last call review of draft-ietf-dots-signal-filter-control-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 15:42:07 -0000
Re-, Please see inline. Cheers, Med > -----Message d'origine----- > De : Tim Chown [mailto:Tim.Chown@jisc.ac.uk] > Envoyé : mardi 16 juin 2020 16:57 > À : BOUCADAIR Mohamed TGI/OLN > Cc : ops-dir@ietf.org; draft-ietf-dots-signal-filter-control.all@ietf.org; > last-call@ietf.org; dots@ietf.org > Objet : Re: Opsdir last call review of draft-ietf-dots-signal-filter- > control-04 > > Hi, > > Some comments on your comments in line…. > > > On 16 Jun 2020, at 06:51, mohamed.boucadair@orange.com wrote: > > > > Hi Tim, > > > > Thank you for the review. Much appreciated. > > > > A candidate version that takes into account your review is available at: > > > > https://github.com/boucadair/filter-control/blob/master/draft-ietf-dots- > signal-filter-control-05.txt > > [TC] what would be great is a diff to the version I reviewed. > [Med] Here it is: https://github.com/boucadair/filter-control/blob/master/diff-review-Tim-Chown.pdf The changes includes your comments on the proposed new introduction text. > > Please see inline. > > > > Cheers, > > Med > > > >> -----Message d'origine----- > >> De : Tim Chown via Datatracker [mailto:noreply@ietf.org] > >> Envoyé : lundi 15 juin 2020 17:08 > >> À : ops-dir@ietf.org > >> Cc : draft-ietf-dots-signal-filter-control.all@ietf.org; last- > >> call@ietf.org; dots@ietf.org > >> Objet : Opsdir last call review of draft-ietf-dots-signal-filter- > control-04 > >> > >> Reviewer: Tim Chown > >> Review result: Has Nits > >> > >> Hi, > >> > >> I have reviewed this document as part of the Operational directorate's > >> ongoing > >> effort to review all IETF documents being processed by the IESG. These > >> comments were written with the intent of improving the operational > aspects > >> of > >> the IETF drafts. Comments that are not addressed in last call may be > >> included > >> in AD reviews during the IESG review. Document editors and WG chairs > >> should > >> treat these comments just like any other last call comments. > >> > >> This document is one of a set of documents produced by the DDoS Open > Threat > >> Signalling (DOTS) working group, and builds on previously published RFCs > >> (RFC > >> 8782, 8783). It describes a mechanism by which the DOTS signalling > channel > >> defined in RFC 8782 can be used to allow a DOTS client that is under > attack > >> to > >> change the filtering rules and thus the mitigation behaviour being > applied > >> to > >> it via a DOTS server, even when the downstream to it may be saturated. > >> > >> The text is well-written with a good structure and a healthy number of > >> examples. I would asses its current state as Ready with Nits. The new > >> capability seems very useful. > >> > >> General comments: > >> > >> I am not wholly clear about some terms, e.g. “idle time” seems to be > when > >> no > >> mitigation is in place, but does this mean no filtering rules are > active, > >> or no > >> anti-DDoS rules are active? Or are all DOTS rules there for mitigation > >> rather > >> than general protection? > > > > [Med] Idle time refers to when there is no active mitigation. This is > mentioned in Section 1.1: > > > > A typical case is a DOTS client which configures during 'idle' time > > (i.e., no mitigation is active) ... > > > > Filtering can be activated even if no mitigation is active. This is > controlled by the DOTS client by setting "activation-type" to "immediate". > > > > I updated the abstract as follows: > > > > OLD: > > Particularly, this extension allows a DOTS client to activate or de- > > activate existing filtering rules during a DDoS attack. The > > characterization of these filtering rules is supposed to be conveyed > > by a DOTS client during an idle time by means of the DOTS data > > channel protocol. > > > > NEW: > > Particularly, this extension allows a DOTS client to activate or de- > > activate existing filtering rules during a DDoS attack. The > > characterization of these filtering rules is supposed to be conveyed > > by a DOTS client during an idle time (i.e., no mitigation is active) > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > by means of the DOTS data channel protocol. > > [TC] I think the problem (for me) here is I don’t understand how the client > knows whether there is active mitigation; [Med] Mitigations can be initiated by the client or triggered by a signal loss. In both cases, the client is aware whether a mitigation is ongoing. All these details are supposed to be covered in the base specs. That's said, and for the reader's convenience, we have now a sentence that recalls that a client sends a mitigation request. does the client have a state > stable of which filters it has requested the server to activate? [Med] Yes. > > Is there a difference between filters being active, and mitigation being > active? [Med] Yes. Mitigation is said to be active if there is a mitigation request received from the client or when a pre-configured mitigation is triggered upon signal loss. Filters can be active even if no attack is detected. Are all filters mitigation against a current attack? [Med] No. see above. > > >> If I understand correctly, this extension allows new filter rules to be > >> added, > >> such as rate limits, so it’s not just that the signal channel can be > used > >> to > >> control (activate and deactivate) existing filters. > > _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Opsdir last call review of draft-ietf-dots… Tim Chown via Datatracker
- Re: [Dots] Opsdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Opsdir last call review of draft-ietf-… Tim Chown
- Re: [Dots] Opsdir last call review of draft-ietf-… Benjamin Kaduk
- Re: [Dots] Opsdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Opsdir last call review of draft-ietf-… Tim Chown