[Dots] AD evaluation of draft-ietf-dots-signal-filter-control-03
Benjamin Kaduk <bkaduk@akamai.com> Wed, 13 May 2020 02:12 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 131053A0CCE; Tue, 12 May 2020 19:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8G_k-gTFBXHU; Tue, 12 May 2020 19:12:33 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0699A3A0CCC; Tue, 12 May 2020 19:12:29 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04D23xV6011953; Wed, 13 May 2020 03:12:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=jan2016.eng; bh=40YunzrUKgVQPQ+78HZMawqMptGEXrDAKdd62fLvKAA=; b=fAQw8LE3DNDMh5YX/JTBwKJB2DidrscXZd3GKUNOHWFp5olHexfb5Od5HGvqxJK9QXAy wNiMB6PGhWzggEXFCGITu/2CdfHGjRpgXGQyVq+Vnhl4K6RIAU0cfx6d8DwuCQM7ix2m LSZHLtABPaH3L9rIALXiI/7x3kgcqYOJnZ5CM2NxsfPHVP2HDV/Iit/LtJm6yZcnF1nm IZweoMR2GUASLl2ZkpwsGwmdmlWbuKoqZxEFmjyVOLnY8rm6t5+w+rTVEfYDLrU9ScK8 NyzBvp83nZsP5KrduMJLuDLp69jjO1ItguvHkgfRHLTTRBlCnVZQgAs594h6MS6/SXHs QA==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 3100wmmx92-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 May 2020 03:12:29 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.0.27/8.16.0.27) with SMTP id 04D22RTr020706; Tue, 12 May 2020 19:12:28 -0700
Received: from prod-mail-relay11.akamai.com ([172.27.118.250]) by prod-mail-ppoint5.akamai.com with ESMTP id 31016d9u9t-2; Tue, 12 May 2020 19:12:24 -0700
Received: from akamai.com (sea-lp9yo.kendall.corp.akamai.com [172.19.16.134]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 9EAE221B83; Wed, 13 May 2020 02:12:23 +0000 (GMT)
Date: Tue, 12 May 2020 19:12:22 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: draft-ietf-dots-signal-filter-control.all@ietf.org, kaduk@mit.edu
Cc: dots@ietf.org
Message-ID: <20200513021222.GY3811@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_08:2020-05-11, 2020-05-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2004280000 definitions=main-2005130017
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_08:2020-05-11, 2020-05-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 priorityscore=1501 lowpriorityscore=0 malwarescore=0 adultscore=0 mlxscore=0 phishscore=0 spamscore=0 suspectscore=0 cotscore=-2147483648 impostorscore=0 mlxlogscore=999 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2005130017
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/TYWdRloLP9Ws06ByAI5bspHNHFQ>
Subject: [Dots] AD evaluation of draft-ietf-dots-signal-filter-control-03
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 02:12:35 -0000
Hi all, This one is also generally in good shape, with mostly nit-level comments. (I didn't find it on github, so those are inline.) I have a nagging suspicion that I'm repeating some comments I made on the core protocol documents (having forgotten the response and thus why the change in question should not be made; my apologies in advance for my poor memory. Section 1.1 The DOTS data channel protocol [I-D.ietf-dots-data-channel] is used for bulk data exchange between DOTS agents to improve the coordination of parties involved in the response to the Distributed nit: s/the/a/ the inbound link to the DOTS client domain. In other words, the DOTS client cannot use the DOTS data channel protocol to withdraw the accept-list filters when a DDoS attack is in progress. This assumes that this DOTS client is the owner of the filtering rule. nit: the last sentence feels a little disconnected from the previous discussion at the moment; I'd suggest adding at the end ", since otherwise this DOTS client would not be authorized to modify it anyway" or similar. Section 1.2 This specification addresses the problems discussed in Section 1.1 by adding the capability of managing filtering rules using the DOTS signal channel protocol, which enables a DOTS client to request the activation (or deactivation) of filtering rules during a DDoS attack. nit: the grammar here does not quite match up ("capability of" vs. "using"); perhaps s/the capability of/a capability for/ (though other fixes are possible). Sample examples are provided in Section 4, in particular: nit: "sample examples" feels redundant; maybe "some examples" or just "examples"? o Section 4.1 illustrates how the filter control extension is used when conflicts with Access Control List (ACLs) are detected and reported by a DOTS server. nit: s/List/Lists/ Section 3.1 A filtering rule controlled by the DOTS signal channel is identified by its ACL name (Section 7.2 of [I-D.ietf-dots-data-channel]). Note The referenced section is just an example; the actual YANG definition is in Section 4.3 thereof. The activation or deactivation of an ACL by the DOTS signal channel overrides the 'activation-type' (defined in Section 7.2 of [I-D.ietf-dots-data-channel]) a priori conveyed with the filtering rules using the DOTS data channel protocol. Is there a way to "cancel" the signal-channel-made changes and revert to the previous activation-type? Or do we just make the client remember the previous status and manually set that status in such a case? Section 3.2.1 Why is the acl-name an optional attribute? What would the interpretation be if it was not provided? intended control of configured filtering rules. Concretely, the DOTS client conveys 'acl-list' attribute with the following sub-attributes in the CBOR body of a mitigation request (see the YANG-encoded structure in Section 3.2.2.1): nit: YANG is a data description language, not an encoding; perhaps "YANG-formatted structure" or just "YANG structure" is better. As the attack evolves, DOTS clients can adjust the 'activation-type' of an ACL conveyed in a mitigation request or control other filters as necessary. This can be achieved by sending a PUT request with a new 'mid' value. This potentially involves a lot of new 'mid' values if many change are made using signal-channel filtering control over the course of a given mitigation. Is this going to cause a noticeable increase in the amount of state required at the DOTS server? If the DOTS client receives a 5.03 (Service Unavailable) with a diagnostic payload indicating a failed ACL update as a response to an initial mitigation or a mitigation with adjusted scope, the DOTS client MUST immediately send a new request which repeats all the parameters as sent in the failed mitigation request but without including the ACL attributes. After the expiry of Max-Age returned Why does this need to be a MUST-level requirement? What if the situation has changed in the interim and the mitigation update is no longer needed? in the 5.03 (Service Unavailable) response, the DOTS client retries with a new mitigation request (i.e., a new 'mid') that repeats all the parameters as sent in the failed mitigation request. Perhaps mention "including the ACL update" for clarity? Section 3.2.2.1 +--rw acl-list* [acl-name] {control-filtering}? A question for the YANG doctor, no doubt, but is there a need for a feature indicator that gates the entire content of a given module (as opposed to just using module-level granularity to indicate support)? Section 3.2.2.2 namespace "urn:ietf:params:xml:ns:yang:ietf-dots-signal-control"; prefix signal-control; Can we think of anything else that might be in scope in the future for which "signal-control" would be ambiguous or a name conflict? list acl-list { key "acl-name"; Seeing this reminds me of a shadow of a memory that list keys are implicitly mandatory, which seems relevant for an earlier comment. [...] } leaf activation-type { type ietf-data:activation-type; default "activate-when-mitigating"; description "Sets the activation type of an ACL."; This structure seems to bind us to having a single activation-type that applies lto all of the ACLs in the acl-list; furthermore, the global structure of where we augment means that we can only have one (acl-list, activation-type) pair within a given mitigation request. I *believe* that is consistent with the core signal protocol in terms of what's expected to be in a single message, but please confirm. Section 4 (The section heading should probably get the same treatment of "Sample Examples" as was previously used, and the body text here as well.) Section 4.1 Host: {host}:{port} nit(?): the data-channel doc just uses "example.com" for the host header field; it's not clear that we need to diverge from that style (applies throughout). The DOTS client can also decide to send a PUT request to deactivate the "an-accept-list" ACL, if suspect traffic is received from an accept-listed source (2001:db8:1234::/48). The structure of that PUT is the same as the one shown in Figure 5. [...] Uri-Path: "mid=124" Just as a sanity-check: this "mid" of 124 is consistent with the note in Section 3.2.1 that adjusting the 'activation-type' "[...] can be achieved by sending a PUT request with a new 'mid' value", so the 124 (vs. 123) is intentional and correct. "ietf-dots-signal-control:acl-list": [ { "ietf-dots-signal-control:acl-name": "an-accept-list", "ietf-dots-signal-control:activation-type": "deactivate" } ] "lifetime": 3600 Shouldn't there be a comma after the ']'? (Have the examples been run through a JSON validator?) Section 4.3 Consider a DOTS client that contacts its DOTS server during 'idle' time to install an accept-list that rate-limits all (or a part thereof) traffic to be forwarded to 2001:db8:123::/48 as a last resort countermeasure whenever required. It does so by sending, for nit: I could imagine a little confusion as to whether the action referenced by "it does so" is the installation of the accept-list (my belief) or the rate-limiting. Perhaps "Installing the accpe-list can be done by sending, [...]"? example, a PUT request shown in Figure 9. The DOTS server installs nit: either "the PUT request shown" or "a PUT request as shown". "actions": { "forwarding": "accept", "rate-limit": "20.00" 20 bytes per second? That seems rather small. For some reason (e.g., the DOTS server, or the mitigator, is lacking a capability or capacity), the DOTS client is still receiving the attack traffic which saturates available links. To soften the nit: I think s/the attack traffic/attack traffic/ is fine grammar. Section 5.1 o Note to the RFC Editor: Please delete (TBA1-TBA2-TBA3) once the CBOR key is assigned from the 1-16383 range. Please update Table 1 accordingly. IIRC the unallocated values in this range include both values with a 2-byte encoding and with a 3-byte encoding; do we have a reason to prefer one or the other? Since we're allocating from an "IETF Review" range, we get to suggest a value to IANA and it's not immediately clear to me how much say the DEs have in which value gets used. Section 6 We may get someone asking "this document uses YANG; why aren't you using the YANG security considerations template?" I guess the signal-channel doc made it through without any particular note in that regard, so maybe we'll be safe for this one, too. I'd consider mentioning that with both signal and data channels available for updating ACL activation status, there is potential for "skew" wherein an update made in one place is ~immediately overridden by another update. Fortunately, there was already some degree of asynchronicity/external-changes possible, so clients should already be prepared for this sort of situation and will cope properly by polling/OBSERVE notification. We could also consider saying something about how the restriction to only changing activation status over the signal channel (but not creating new ACLS entirely) means that if a client hasn't prepared adequately prior to an attack, it can get stuck in a bad place. This, of course, is also not really new with this document, but is a pretty relevant consideration for its use. Similarly, a reminder that bad things happen when a DOTS server fails to maintain namespace separation across clients for ACL names could be in order (but is not required). A compromised DOTS client can use the filtering control capability to exacerbate an ongoing attack. Likewise, such compromised DOTS client may abstain from reacting to an ACL conflict notification received nit: singular/plural mismatch "DOTS client"/"such compromised" (so either "such a compromised" or "DOTS clients"). Thanks, Ben
- [Dots] AD evaluation of draft-ietf-dots-signal-fi… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… kaname nishizuka
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… Jon Shallow
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… Benjamin Kaduk