Re: [Dots] WGLC for use cases draft - until July-1.
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 19 June 2018 13:12 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Daniel Migault <daniel.migault@ericsson.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>
CC: Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>
Date: Tue, 19 Jun 2018 13:05:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Snou2QHiRArLNdlhH1wVux_1Vjw>
Hi Daniel,

My comments and nits:

1) The current scenario describes the case where the DDoS Target is in the enterprise network while the secondary DMS is provided by the upstream ITP. An alternate use case may consider the scenario where the ITP informs the enterprise network it is involved into an ongoing attack or that infected machines have been identified. In this case the DOTS client and DOTS server roles are inverted. The DOTS client is located in the ITP network and the DOTS server is hosted in the enterprise network. The enterprise network is then responsible to perform the DDoS Mitigation. In some case the DDoS Mitigation may be delegated back to the upstream ITP, as described in this section.

Comment> If the DMS in the enterprise network is not capable of detecting outgoing DDoS attack, how will the signaling from the DOTS client in the upstream ITP to the DOTS server in the enterprise network help it to detect and mitigate the outgoing DDoS attack?

2) Once the requesting Enterprise Network is confident that the DDoS attack has either ceased or has fallen to levels of traffic/complexity which they can handle on their own or that it has received a DOTS DDoS Mitigation termination request from a downstream Enterprise Network or DDoS Mitigation Service Provider, the requesting Enterprise Network DOTS client sends a DOTS DDoS Mitigation termination request to the DDoS Mitigation Service Provider.

Comment> In the above line, I don't get "that it has received a DOTS DDoS Mitigation termination request from a downstream Enterprise Network or DDoS Mitigation Service Provider". I think you mean "or notified by the DDoS Mitigation Service Provider that the DDoS attack has stopped".

3) The pre-arrangement typically includes the agreement on the mechanisms used to redirect the traffic to the DDoS Mitigation Service Provider, as well as the mechanism to to re-inject the

>>>>>>>>>>>>>>>>>>>>>>>>>>> Remove "to"

4) o DDoS Mitigation Service: designates a DDoS service provided to a customer and which is scoped to mitigate DDoS attacks. Services usually involve Service Level Agreement (SLA) that have to be met. It is the responsibility of the service provider to instantiate the DDoS Mitigation System to meet these SLAs.

o DDoS Mitigation System (DMS): A system that performs DDoS mitigation. The DDoS Mitigation System may be composed by a cluster of hardware and/or software resources, but could also involve an orchestrator that may take decisions such as outsourcing partial or more of the mitigation to another DDoS Mitigation System.

Nit> For better readability you may want to define "DMS" followed by "DDoS Mitigation Service".

5) DOTS is at risk from three primary attacks: DOTS agent impersonation, traffic injection, and signaling blocking. The DOTS protocol must be designed for minimal data transfer to address the blocking risk.

Comment> A MITM attacker can drop all the DOTS signal channel traffic; designing the DOTS signal channel protocol for minimal data transfer will not address the MITM attack.

6) One consideration could be to minimize the security technologies in use at any one time. The more needed, the greater the risk of failures coming from assumptions on one technology providing protection that it does not in the presence of another technology.

Comment> The DOTS signal and data channels are using TLS for mutual authentication, confidentiality and data integrity. I don't see the need for the above lines.

7) When the DDoS mitigation is finished on the DMS, the orchestrator indicates to the telemetry systems as well as to the network administrator the DDoS mitigation is finished.

Comment> I think you mean the DDoS attack has stopped. You may want to rephrase the line.

8) Upon receiving the DOTS request for DDoS mitigation from the network administrator, the orchestrator coordinates the DDoS mitigation according to a specified strategy. Its status indicates the DDoS mitigation is starting while not effective.

Comment> You may want to clarify the DOTS client will later be notified that the DDoS mitigation is effective.

9) If the network administrator decides to start the mitigation, they order through her web interface a DOTS client to send a request for DDoS mitigation.

Nit> The above line is not clear; who are "they" in the above line?

10) This request is expected to be associated with a context that identifies the DDoS mitigation selected.

Comment> I don't understand the context of the above line.

11) Upon receiving the DOTS request for DDoS mitigation from the network administrator, the orchestrator coordinates the DDoS mitigation according to a specified strategy.

Comment> What is the specified strategy (you may want to give an example)?

12) The status of the DDoS mitigation indicates the orchestrator is in an analyzing phase.

Comment> DOTS signal channel draft does not indicate the mitigation status is in analyzing phase (Please see "Table 2: Values of 'status' Parameter" in the draft).

13) The orchestrator begins collecting various information from various telemetry systems in order to correlate the measurements and provide an analysis of the event.

Comment> The orchestrator would anyway be collecting data from various telemetry systems for correlation.

14) These systems are configured so that when an event or some measurement indicators reach a predefined level to report a DOTS mitigation request to the orchestrator. The DOTS mitigation request may be associated with some element such as specific reporting.

Comment> What do you mean by "some measurement indicators" and "specific reporting" (looks vague to me)?

15) Figure 4 (DDoS Orchestration) includes both internal and external DDoS mitigation systems, but the usage of internal and external DDoS mitigation systems is not discussed in section 3.3.

16) Redirection to the DDoS Mitigation Service Provider typically involves BGP prefix announcement eventually combined with DNS redirection, while re-injection may be performed via tunneling mechanisms such as GRE for example.

Comment> You may want to clarify the scrubbed traffic is re-directed to the Enterprise network via the tunneling mechanism.

17) Of course, such mechanisms needs to be regularly tested and evaluated.

Comment> The above line does not look relevant to this document.

18) Once the requesting Enterprise Network is confident that the DDoS attack has either ceased or has fallen to levels of traffic/complexity which they can handle on their own or that it has received a DOTS DDoS Mitigation termination request from a downstream Enterprise Network or DDoS Mitigation Service Provider, the requesting Enterprise Network DOTS client sends a DOTS DDoS Mitigation termination request to the DDoS Mitigation Service Provider.

Comment> It's not clear how the requesting Enterprise network will learn the DDoS attack has ceased?

-Tiru
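The points raised in comments 5, 8 and 18 above (a silently dropped signal channel, the client learning that mitigation is effective, and deciding when to send a termination request) can be put together as one small client-side decision loop. This is an added example, not code from the email, the use cases draft or any DOTS implementation; the 'status' codes are the values the DOTS signal channel later published in RFC 9132, while the event shapes, heartbeat budget and local capacity threshold are constructed assumptions.

```python
"""Replay of a DOTS client's view of one mitigation: status updates and
heartbeats from the DOTS server, plus local telemetry from the enterprise DMS.
Status codes are RFC 9132 'status' values; everything else is an assumption."""
from typing import List, Optional

ATTACK_MITIGATION_IN_PROGRESS = 1     # RFC 9132 'status' values
ATTACK_SUCCESSFULLY_MITIGATED = 2
ATTACK_STOPPED = 3
ATTACK_EXCEEDED_CAPABILITY = 4

HEARTBEAT_BUDGET_S = 90.0    # assumption: longer silence is treated as signal loss
LOCAL_CAPACITY_PPS = 50_000  # assumption: residual attack rate the local DMS absorbs

# Constructed sample: ("status", t, code) | ("heartbeat", t) | ("telemetry", t, pps)
SAMPLE_EVENTS = [
    ("status", 0, ATTACK_MITIGATION_IN_PROGRESS), ("heartbeat", 30),
    ("telemetry", 40, 900_000), ("heartbeat", 60),
    ("telemetry", 200, 800_000),                  # 140 s of silence before this
    ("status", 220, ATTACK_SUCCESSFULLY_MITIGATED), ("telemetry", 230, 20_000),
]

def run_client(events: List[tuple]) -> List[str]:
    """Process events in time order and return the actions the client takes."""
    actions: List[str] = []
    last_signal_t: Optional[float] = None
    status: Optional[int] = None
    pps = float("inf")          # unknown until local telemetry reports
    terminated = False
    for ev in sorted(events, key=lambda e: e[1]):
        kind, t = ev[0], ev[1]
        lost = last_signal_t is not None and t - last_signal_t > HEARTBEAT_BUDGET_S
        if kind in ("status", "heartbeat"):
            if lost:
                actions.append(f"{t:.0f}s signal restored")
            last_signal_t = t
            if kind == "status":
                status = ev[2]
                if status == ATTACK_MITIGATION_IN_PROGRESS:   # comment 8
                    actions.append(f"{t:.0f}s mitigation effective")
                elif status == ATTACK_EXCEEDED_CAPABILITY:
                    actions.append(f"{t:.0f}s provider exceeded capability, keep request open")
        else:  # local telemetry
            pps = ev[2]
            if lost:
                # Comment 5: a dropped channel (outage or MITM) is detected by the
                # heartbeat budget, not by message size; keep the mitigation up.
                actions.append(f"{t:.0f}s signal loss, keeping mitigation")
                continue
        # Comment 18: terminate on server-reported attack stop, or when the
        # residual attack traffic is within what the enterprise handles alone.
        if not terminated and (status == ATTACK_STOPPED or (
                status in (ATTACK_MITIGATION_IN_PROGRESS, ATTACK_SUCCESSFULLY_MITIGATED)
                and pps <= LOCAL_CAPACITY_PPS)):
            actions.append(f"{t:.0f}s send mitigation termination request")
            terminated = True
    return actions

if __name__ == "__main__":
    print("\n".join(run_client(SAMPLE_EVENTS)))
```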