[Dots] AD evaluation of draft-ietf-dots-signal-filter-control-03

Benjamin Kaduk <bkaduk@akamai.com> Wed, 13 May 2020 02:12 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 131053A0CCE; Tue, 12 May 2020 19:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8G_k-gTFBXHU; Tue, 12 May 2020 19:12:33 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0699A3A0CCC; Tue, 12 May 2020 19:12:29 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04D23xV6011953; Wed, 13 May 2020 03:12:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=jan2016.eng; bh=40YunzrUKgVQPQ+78HZMawqMptGEXrDAKdd62fLvKAA=; b=fAQw8LE3DNDMh5YX/JTBwKJB2DidrscXZd3GKUNOHWFp5olHexfb5Od5HGvqxJK9QXAy wNiMB6PGhWzggEXFCGITu/2CdfHGjRpgXGQyVq+Vnhl4K6RIAU0cfx6d8DwuCQM7ix2m LSZHLtABPaH3L9rIALXiI/7x3kgcqYOJnZ5CM2NxsfPHVP2HDV/Iit/LtJm6yZcnF1nm IZweoMR2GUASLl2ZkpwsGwmdmlWbuKoqZxEFmjyVOLnY8rm6t5+w+rTVEfYDLrU9ScK8 NyzBvp83nZsP5KrduMJLuDLp69jjO1ItguvHkgfRHLTTRBlCnVZQgAs594h6MS6/SXHs QA==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 3100wmmx92-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 May 2020 03:12:29 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.0.27/8.16.0.27) with SMTP id 04D22RTr020706; Tue, 12 May 2020 19:12:28 -0700
Received: from prod-mail-relay11.akamai.com ([172.27.118.250]) by prod-mail-ppoint5.akamai.com with ESMTP id 31016d9u9t-2; Tue, 12 May 2020 19:12:24 -0700
Received: from akamai.com (sea-lp9yo.kendall.corp.akamai.com [172.19.16.134]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 9EAE221B83; Wed, 13 May 2020 02:12:23 +0000 (GMT)
Date: Tue, 12 May 2020 19:12:22 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: draft-ietf-dots-signal-filter-control.all@ietf.org, kaduk@mit.edu
Cc: dots@ietf.org
Message-ID: <20200513021222.GY3811@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_08:2020-05-11, 2020-05-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2004280000 definitions=main-2005130017
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_08:2020-05-11, 2020-05-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 priorityscore=1501 lowpriorityscore=0 malwarescore=0 adultscore=0 mlxscore=0 phishscore=0 spamscore=0 suspectscore=0 cotscore=-2147483648 impostorscore=0 mlxlogscore=999 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2005130017
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/TYWdRloLP9Ws06ByAI5bspHNHFQ>
Subject: [Dots] AD evaluation of draft-ietf-dots-signal-filter-control-03
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 02:12:35 -0000

Hi all,

This one is also generally in good shape, with mostly nit-level comments.
(I didn't find it on github, so those are inline.)

I have a nagging suspicion that I'm repeating some comments I made on
the core protocol documents (having forgotten the response and thus why
the change in question should not be made; my apologies in advance for
my poor memory.

Section 1.1

   The DOTS data channel protocol [I-D.ietf-dots-data-channel] is used
   for bulk data exchange between DOTS agents to improve the
   coordination of parties involved in the response to the Distributed

nit: s/the/a/

   the inbound link to the DOTS client domain.  In other words, the DOTS
   client cannot use the DOTS data channel protocol to withdraw the
   accept-list filters when a DDoS attack is in progress.  This assumes
   that this DOTS client is the owner of the filtering rule.

nit: the last sentence feels a little disconnected from the previous
discussion at the moment; I'd suggest adding at the end ", since
otherwise this DOTS client would not be authorized to modify it anyway"
or similar.

Section 1.2

   This specification addresses the problems discussed in Section 1.1 by
   adding the capability of managing filtering rules using the DOTS
   signal channel protocol, which enables a DOTS client to request the
   activation (or deactivation) of filtering rules during a DDoS attack.

nit: the grammar here does not quite match up ("capability of" vs.
"using"); perhaps s/the capability of/a capability for/ (though other
fixes are possible).

   Sample examples are provided in Section 4, in particular:

nit: "sample examples" feels redundant; maybe "some examples" or just
"examples"?

   o  Section 4.1 illustrates how the filter control extension is used
      when conflicts with Access Control List (ACLs) are detected and
      reported by a DOTS server.

nit: s/List/Lists/

Section 3.1

   A filtering rule controlled by the DOTS signal channel is identified
   by its ACL name (Section 7.2 of [I-D.ietf-dots-data-channel]).  Note

The referenced section is just an example; the actual YANG definition is
in Section 4.3 thereof.

   The activation or deactivation of an ACL by the DOTS signal channel
   overrides the 'activation-type' (defined in Section 7.2 of
   [I-D.ietf-dots-data-channel]) a priori conveyed with the filtering
   rules using the DOTS data channel protocol.

Is there a way to "cancel" the signal-channel-made changes and revert to
the previous activation-type?  Or do we just make the client remember
the previous status and manually set that status in such a case?

Section 3.2.1

Why is the acl-name an optional attribute?  What would the
interpretation be if it was not provided?

   intended control of configured filtering rules.  Concretely, the DOTS
   client conveys 'acl-list' attribute with the following sub-attributes
   in the CBOR body of a mitigation request (see the YANG-encoded
   structure in Section 3.2.2.1):

nit: YANG is a data description language, not an encoding; perhaps
"YANG-formatted structure" or just "YANG structure" is better.

   As the attack evolves, DOTS clients can adjust the 'activation-type'
   of an ACL conveyed in a mitigation request or control other filters
   as necessary.  This can be achieved by sending a PUT request with a
   new 'mid' value.

This potentially involves a lot of new 'mid' values if many change are
made using signal-channel filtering control over the course of a given
mitigation.  Is this going to cause a noticeable increase in the amount
of state required at the DOTS server?

   If the DOTS client receives a 5.03 (Service Unavailable) with a
   diagnostic payload indicating a failed ACL update as a response to an
   initial mitigation or a mitigation with adjusted scope, the DOTS
   client MUST immediately send a new request which repeats all the
   parameters as sent in the failed mitigation request but without
   including the ACL attributes.  After the expiry of Max-Age returned

Why does this need to be a MUST-level requirement?  What if the
situation has changed in the interim and the mitigation update is no
longer needed?

   in the 5.03 (Service Unavailable) response, the DOTS client retries
   with a new mitigation request (i.e., a new 'mid') that repeats all
   the parameters as sent in the failed mitigation request.

Perhaps mention "including the ACL update" for clarity?

Section 3.2.2.1

       +--rw acl-list* [acl-name] {control-filtering}?

A question for the YANG doctor, no doubt, but is there a need for a
feature indicator that gates the entire content of a given module (as
opposed to just using module-level granularity to indicate support)?

Section 3.2.2.2

     namespace
        "urn:ietf:params:xml:ns:yang:ietf-dots-signal-control";
     prefix signal-control;

Can we think of anything else that might be in scope in the future for
which "signal-control" would be ambiguous or a name conflict?

       list acl-list {
         key "acl-name";

Seeing this reminds me of a shadow of a memory that list keys are
implicitly mandatory, which seems relevant for an earlier comment.

         [...]
       }
       leaf activation-type {
         type ietf-data:activation-type;
         default "activate-when-mitigating";
         description
           "Sets the activation type of an ACL.";

This structure seems to bind us to having a single activation-type that
applies lto all of the ACLs in the acl-list; furthermore, the global
structure of where we augment means that we can only have one (acl-list,
activation-type) pair within a given mitigation request.  I *believe*
that is consistent with the core signal protocol in terms of what's
expected to be in a single message, but please confirm.

Section 4

(The section heading should probably get the same treatment of "Sample
Examples" as was previously used, and the body text here as well.)

Section 4.1

   Host: {host}:{port}

nit(?): the data-channel doc just uses "example.com" for the host header
field; it's not clear that we need to diverge from that style (applies
throughout).

   The DOTS client can also decide to send a PUT request to deactivate
   the "an-accept-list" ACL, if suspect traffic is received from an
   accept-listed source (2001:db8:1234::/48).  The structure of that PUT
   is the same as the one shown in Figure 5.

   [...]
   Uri-Path: "mid=124"

Just as a sanity-check: this "mid" of 124 is consistent with the note in
Section 3.2.1 that adjusting the 'activation-type' "[...] can be
achieved by sending a PUT request with a new 'mid' value", so the 124
(vs. 123) is intentional and correct.

            "ietf-dots-signal-control:acl-list": [
              {
                "ietf-dots-signal-control:acl-name": "an-accept-list",
                "ietf-dots-signal-control:activation-type": "deactivate"
              }
            ]
           "lifetime": 3600

Shouldn't there be a comma after the ']'?
(Have the examples been run through a JSON validator?)

Section 4.3

   Consider a DOTS client that contacts its DOTS server during 'idle'
   time to install an accept-list that rate-limits all (or a part
   thereof) traffic to be forwarded to 2001:db8:123::/48 as a last
   resort countermeasure whenever required.  It does so by sending, for

nit: I could imagine a little confusion as to whether the action
referenced by "it does so" is the installation of the accept-list (my
belief) or the rate-limiting.  Perhaps "Installing the accpe-list can be
done by sending, [...]"?

   example, a PUT request shown in Figure 9.  The DOTS server installs

nit: either "the PUT request shown" or "a PUT request as shown".

                 "actions": {
                   "forwarding": "accept",
                   "rate-limit": "20.00"

20 bytes per second?  That seems rather small.

   For some reason (e.g., the DOTS server, or the mitigator, is lacking
   a capability or capacity), the DOTS client is still receiving the
   attack traffic which saturates available links.  To soften the

nit: I think s/the attack traffic/attack traffic/ is fine grammar.

Section 5.1

   o  Note to the RFC Editor: Please delete (TBA1-TBA2-TBA3) once the
      CBOR key is assigned from the 1-16383 range.  Please update
      Table 1 accordingly.

IIRC the unallocated values in this range include both values with a
2-byte encoding and with a 3-byte encoding; do we have a reason to
prefer one or the other?  Since we're allocating from an "IETF Review"
range, we get to suggest a value to IANA and it's not immediately clear
to me how much say the DEs have in which value gets used.

Section 6

We may get someone asking "this document uses YANG; why aren't you using
the YANG security considerations template?"  I guess the signal-channel
doc made it through without any particular note in that regard, so maybe
we'll be safe for this one, too.

I'd consider mentioning that with both signal and data channels
available for updating ACL activation status, there is potential for
"skew" wherein an update made in one place is ~immediately overridden by
another update.  Fortunately, there was already some degree of
asynchronicity/external-changes possible, so clients should already be
prepared for this sort of situation and will cope properly by
polling/OBSERVE notification.

We could also consider saying something about how the restriction to
only changing activation status over the signal channel (but not
creating new ACLS entirely) means that if a client hasn't prepared
adequately prior to an attack, it can get stuck in a bad place.  This,
of course, is also not really new with this document, but is a pretty
relevant consideration for its use.

Similarly, a reminder that bad things happen when a DOTS server fails to
maintain namespace separation across clients for ACL names could be in
order (but is not required).

   A compromised DOTS client can use the filtering control capability to
   exacerbate an ongoing attack.  Likewise, such compromised DOTS client
   may abstain from reacting to an ACL conflict notification received

nit: singular/plural mismatch "DOTS client"/"such compromised" (so
either "such a compromised" or "DOTS clients").

Thanks,

Ben