IETF Logo Mail Archive

Re: [Dots] Questions about draft-doron-dots-telemetry-00

Ehud Doron <EhudD@Radware.com> Thu, 17 November 2016 15:04 UTC

Return-Path: <EhudD@Radware.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6777812948E for <dots@ietfa.amsl.com>; Thu, 17 Nov 2016 07:04:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPn0KppDQpsB for <dots@ietfa.amsl.com>; Thu, 17 Nov 2016 07:04:30 -0800 (PST)
Received: from mailout1.radware.com (mailout1.radwarecloud.com [192.115.180.130]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FD4E129583 for <dots@ietf.org>; Thu, 17 Nov 2016 07:04:30 -0800 (PST)
Received: from ILMB1.corp.radware.com ([169.254.1.134]) by ILCAS2.corp.radware.com ([176.200.120.122]) with mapi id 14.03.0210.002; Thu, 17 Nov 2016 17:04:28 +0200
From: Ehud Doron <EhudD@Radware.com>
To: Susan Hares <shares@ndzh.com>, 'Roland Dobbins' <rdobbins@arbor.net>, 'dots' <dots@ietf.org>, "fandreas@cisco.com" <fandreas@cisco.com>
Thread-Topic: [Dots] Questions about draft-doron-dots-telemetry-00
Thread-Index: AdI7wYm473OfPCFJSFe1ONIXj1qG/gCjJvCA///tvYD//O378IAHIDcA//7oJWA=
Date: Thu, 17 Nov 2016 15:04:28 +0000
Message-ID: <E58182C4A35A8E498E553AD3D33FA00101170E43F9@ILMB1.corp.radware.com>
References: <359EC4B99E040048A7131E0F4E113AFC0104EAE8B8@marathon> <E58182C4A35A8E498E553AD3D33FA00101170E0067@ILMB1.corp.radware.com> <14E9BCB6-D522-4877-84E5-4589472B3CEC@arbor.net> <E58182C4A35A8E498E553AD3D33FA00101170E325A@ILMB1.corp.radware.com> <01a301d2405c$e2e541d0$a8afc570$@ndzh.com>
In-Reply-To: <01a301d2405c$e2e541d0$a8afc570$@ndzh.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [176.200.121.200]
x-tm-as-product-ver: SMEX-11.0.0.4179-8.000.1202-22704.007
x-tm-as-result: No--61.226100-0.000000-31
x-tm-as-user-approved-sender: Yes
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/SxhbTmDZUxkuYXgZomkAbv-zylI>
Subject: Re: [Dots] Questions about draft-doron-dots-telemetry-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2016 15:04:33 -0000

Susan

I believe the telemetry needs by DOTS is not relates to "flow based" information, the DOTS telemetry is more "higher" and mainly describes the ongoing attacks and their attributes.

Thanks, Ehud 

-----Original Message-----
From: Susan Hares [mailto:shares@ndzh.com] 
Sent: Thursday, November 17, 2016 12:58 AM
To: Ehud Doron <EhudD@Radware.com>; 'Roland Dobbins' <rdobbins@arbor.net>; 'dots' <dots@ietf.org>; fandreas@cisco.com
Subject: RE: [Dots] Questions about draft-doron-dots-telemetry-00

Ehud:

Can you indicate what additional features the telemetry that you propose for DOTS needs over the telemetry provided by IPFIX? 

Sue 

-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Ehud Doron
Sent: Wednesday, November 16, 2016 11:31 AM
To: Roland Dobbins; dots; fandreas@cisco.com
Cc: Ehud Doron
Subject: Re: [Dots] Questions about draft-doron-dots-telemetry-00

Ronald, Flemming and all

Thanks for your comments. 

I appreciate the standpoints you present in your comments, however I really believe the DOTS WG must also look and consider others views of the
challenges DOTS has with regards to DOTS telemetry.   

No doubt that for the world of DDoS services the "security visibility" is a major concern to both the anti-DoS service providers and consumers. In all cases where the DOTS Client will be implemented in an organizations with a sustainable SOC/NOC teams, the ability to have "customer portal" with visibility into the on-going attacks is a critical part of the service.
Likewise, anti-DoS service providers need visibility into their customers view on the on-going attacks and other sort of views relates to the service and its fulfillments. These are critical parts of the service. 

Getting deeper, having comprehensive telemetry about the ongoing attacks will improve the overall mitigation accomplished, in terms of time to mitigate, accuracy, false-negative, false-positive, and other measures. We must keep in our minds the value gained here.  

I see all these as a major points and really want to get your view on that, as well as the view of others at the WG.

Obviously, I agree with your points that there are many cases where telemetry is with less relevance, mainly since DOTS agents will be integrated in " radically different paradigms, capabilities, and 'worldviews'...." (which for my opinion is the right architecture). Having say all that, we must consider environments where DOTS Client has DoS/DDoS detection and mitigation capabilities and can practically signal valuable telemetry. These are definitely not rear use cases that must be considered as well. 

For my mind, after we will get to a consensus about WG view on the needs for telemetry, we can define the best way to standardize it (in which doc and
how) and also consider the right time to do. Then we can define the baseline set of telemetry we believe are adequate, or the bare minimum, to standardize.  

I am looking forward to continue this discussion with you and the entire the WG.

Please see also my comments inline. 

Best wishes,
Ehud Doron |  Senior Architect, Radware CTO office | M: +972-54-7575503 |
T: +972-72-3917120



-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Roland Dobbins
Sent: Monday, November 14, 2016 11:02 AM
To: dots <dots@ietf.org>
Subject: Re: [Dots] Questions about draft-doron-dots-telemetry-00

On 14 Nov 2016, at 15:14, Ehud Doron wrote:

> Essentially we would like to build a "Telemetry" extension standard to 
> the basic DOTS protocol, and this document would define that.

This may make sense at some future date; initially, since we're dealing with devices/software/systems which have radically different paradigms, capabilities, and 'worldviews', the initial focus of DOTS should be on signaling and status only, as the ins are universal functions which are readily understood by most any type of node/service/application which could participate in DOTS.
[ED] See my view in the body of the mail.

> Keeping the telemetry specification in a separate draft is good 
> approach for future extensibility.

> For this goal, we as the DOTS WG first need to better understand (and 
> agree in the group) what we see as baseline mandatory capabilities 
> other DOTS draft should benefit the DOTS Telemetry.

We've already held extensive discussions on this topic; initially, we need a minimum viable capability to allow signaling and status information to be passed between DOTS participants.
[ED] I was not part of this discussions, sorry for that. For my mind, we need to truly define (or re-define...) the needs for DOTS Telemetry for the actual users (SP, MSSP, Enterprises, carrier and so on) of DOTS, and also the baseline set of this telemetry. 


> (1) Is there an undocumented telemetry use case that needs to be added 
> to the use case WG document?  Section 4.0 suggests that.
>      Yes. We want to DOTS use cases, the existing and maybe new 
> others, to be enriched with Telemetry related items.

This can come at a later state, if the group believes it to be important.

It's sub-optimal to duplicate the work done on IPFIX, I2NSF, I2RS, et. 
al. in DOTS.  By leaving mitigation technique specifics and telemetry specifics to one side, we can concentrate on signaling and status, which is all that's actually required for successful inter- and intra-domain DOTS-enabled DDoS mitigation assistance and provisioning.

[ED] Agree, we shouldn't duplicate any work done at IPFIX, I2NSF.

It's important to get to an initial operating capability with the requisite baseline capability before we expand the scope of DOTS itself, IMHO.

[ED] Agree, we just need to define and get to the mutual understanding about the " baseline capability" in term of telemetry. Mainly for the users and customers of the actual anti-DoS service.
 
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email