Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
<mohamed.boucadair@orange.com> Thu, 21 February 2019 14:40 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D84D112D7F8; Thu, 21 Feb 2019 06:40:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X9lPKxP16sjY; Thu, 21 Feb 2019 06:40:02 -0800 (PST)
Received: from orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9A81279E6; Thu, 21 Feb 2019 06:40:02 -0800 (PST)
Received: from opfednr00.francetelecom.fr (unknown [xx.xx.xx.64]) by opfednr22.francetelecom.fr (ESMTP service) with ESMTP id 444xvg6vpsz10Lp; Thu, 21 Feb 2019 15:39:59 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.86]) by opfednr00.francetelecom.fr (ESMTP service) with ESMTP id 444xvg5N8MzDq7h; Thu, 21 Feb 2019 15:39:59 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBMA4.corporate.adroot.infra.ftgroup ([fe80::4538:d7b0:3c64:8ed3%22]) with mapi id 14.03.0435.000; Thu, 21 Feb 2019 15:39:59 +0100
From: mohamed.boucadair@orange.com
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
CC: "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>
Thread-Topic: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
Thread-Index: AQHUyevO1gebaU+aZ0KlHgwWkSlAwKXqUDqA
Date: Thu, 21 Feb 2019 14:39:58 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA2346F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA23122@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <66BB8E3D-DEB6-43AC-AAEB-B6EB1A248865@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA232A6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net>
In-Reply-To: <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/TvOYWq7xPmW0oCpvmk2F03IrMUI>
Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 14:40:05 -0000
Re-, My point is that combining RFC8085 and deployments where timers can be controlled/discovered is sufficient to fulfill the requirement. Of course, this does not guarantee that bindings are kept active if a NAT/FW assigns timers of less than 15 seconds...which is fair. The requirement does not ask for such guarantee. Cheers, Med > -----Message d'origine----- > De : Mirja Kuehlewind (IETF) [mailto:ietf@kuehlewind.net] > Envoyé : jeudi 21 février 2019 14:46 > À : BOUCADAIR Mohamed TGI/OLN > Cc : dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The > IESG; draft-ietf-dots-requirements@ietf.org > Objet : Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements- > 18: (with DISCUSS and COMMENT) > > Hi Med, > > please see below. > > > Am 21.02.2019 um 13:17 schrieb mohamed.boucadair@orange.com: > > > >>>> 2) Also on this text in SIG-004: > >>>> "The heartbeat interval during active mitigation could be > >>>> negotiable, but MUST be frequent enough to maintain any on-path > >>>> NAT or Firewall bindings during mitigation. When TCP is used as > >>>> transport, the DOTS signal channel heartbeat messages need to be > >>>> frequent enough to maintain the TCP connection state." > >>>> > >>>> As Joe commented already, different heartbeats at different layers can > be > >>>> used > >>>> at the same time for different purposes. You can use heartbeats at the > >>>> application layer to check service availability while e.g. using a > higher > >>>> frequent heartbeat at the transport layer to maintain firewall and NAT > >> state. > >>> > >>> [Med] Please note that the text you quoted is about "during active > >> mitigation". When no attack is ongoing, we do have the following behavior > >> which covers your comment: > >>> > >>> When DOTS agents are exchanging heartbeats and no > >>> mitigation request is active, either agent MAY request changes to > >>> the heartbeat rate. For example, a DOTS server might want to > >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > >>> reduce heartbeat frequency or cease heartbeat exchanges when an > >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > >>> active DOTS client has not requested mitigation, in order to > >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > >>> control load. > >>> > >>>> The advantage to such an approach is that there is less application > layer > >>>> overhead/load e.g. in scenarios where it might be expensive to wake up > the > >>>> application or a server is already highly loaded. Also note that the > >> time- > >>>> outs > >>>> values of NATs and firewalls on the path are usually unknown, therefore > an > >>>> application can never rely on heartbeats (no matter at which level) and > >> must > >>>> be > >>>> prepared to try to reconnect on the application layer if the connection > >>>> fails. > >>>> Usually, the main reason for using heartbeats to maintain NAT or > firewall > >>>> state > >>>> (vs. reconnect every time) in TCP is if the application is time- > sensitive > >> and > >>>> a > >>>> full TCP handshake takes too long for the desired service. I'm not sure > >> that > >>>> the case for DOTS, however, I understand it may be beneficial to have > >>>> established state if an attack is on-going. > >>> > >>> [Med] This is important to avoid new handshakes when the client has to > >> request a mitigation. > >> > >> This is okay but could be spelled out more explicitly as a requirement, > >> rather than taking about the details of sending heartbeats. > >>> > >>>> > >>>> For UDP I guess it's more complicated in your case. Time-outs are > usually > >>>> very > >>>> short, however, state is created with the first packet of a flow (as > there > >> is > >>>> no handshake in UDP). As you don't see blocking if state is expired as > new > >>>> state is created immediately, it's kind of impossible to measure the > >>>> configured > >>>> time-out values. Only if the firewall is under attack it would start > >> blocking > >>>> UDP traffic that is has no state for yet. So I understand why it is > >> desirable > >>>> to maintain UDP state for you, however, I don't understand how you can > >> know > >>>> that your frequency is high enough to actually keep the state open. Note > >> that > >>>> TCP time-outs are usually in the order of hours, while UDP time-outs are > >>>> usually in range of tens of seconds, and might expire even quicker if a > >>>> system > >>>> is under attack. If that is a scenario that is important for you, and > >>>> assuming > >>>> that not all time-outs values on the path can be known, I guess it would > >> be > >>>> recommendable to use TCP instead. > >>>> > >>>> In any case this can not be a MUST requirement (as timers are usually > not > >>>> known). I would recommend to state something like: > >>>> > >>>> "MAY be frequent enough to maintain NAT or firewall state, if timer > values > >>>> are > >>>> known, or if TCP is used, SHOULD use in addition TCP heartbeats to > >> maintain > >>>> the TCP connection state and reconnect immediately if a failure is > >> detected." > >>>> > >>> > >>> [Med] The original wording is accurate and reflects the requirement of > the > >> WG. How this will be enforced is part of the solution/specification space. > >> > >> My hold point here is that > >> > >> "MUST be frequent enough to maintain any on-path NAT or Firewall bindings > >> during mitigation.“ > >> > >> cannot be a MUST requirement as the network time-out values are not known > by > >> the endpoints. Therefore it is impossible to fulfill this requirement. > > > > [Med] Two comments here: > > * The requirement can be fulfilled by relying RFC8085 recommendations. This > is discussed in the spec documents. > > RFC8085 provide recommended value and limits, however, this does not > guarantee that the proposed values actually match the time-out values as > deployed on the path. > > > * there are deployments in which timers can be discovered (e.g., PCP > (RFC6887)). > > This does not work in all cases and the draft does not seem to require the > usage of anything like this. If a requirement is that the timeout values MUST > be known in the deployed scenario, then that should be spelled out, however, > I assume that is not your intention because that would limit deployment > heavily. > > Mirja >
- [Dots] Mirja Kühlewind's Discuss on draft-ietf-do… Mirja Kühlewind
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Teague, Nik
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)