IETF Logo Mail Archive

Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)

<mohamed.boucadair@orange.com> Thu, 21 February 2019 14:40 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D84D112D7F8; Thu, 21 Feb 2019 06:40:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X9lPKxP16sjY; Thu, 21 Feb 2019 06:40:02 -0800 (PST)
Received: from orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9A81279E6; Thu, 21 Feb 2019 06:40:02 -0800 (PST)
Received: from opfednr00.francetelecom.fr (unknown [xx.xx.xx.64]) by opfednr22.francetelecom.fr (ESMTP service) with ESMTP id 444xvg6vpsz10Lp; Thu, 21 Feb 2019 15:39:59 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.86]) by opfednr00.francetelecom.fr (ESMTP service) with ESMTP id 444xvg5N8MzDq7h; Thu, 21 Feb 2019 15:39:59 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBMA4.corporate.adroot.infra.ftgroup ([fe80::4538:d7b0:3c64:8ed3%22]) with mapi id 14.03.0435.000; Thu, 21 Feb 2019 15:39:59 +0100
From: mohamed.boucadair@orange.com
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
CC: "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>
Thread-Topic: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
Thread-Index: AQHUyevO1gebaU+aZ0KlHgwWkSlAwKXqUDqA
Date: Thu, 21 Feb 2019 14:39:58 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA2346F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA23122@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <66BB8E3D-DEB6-43AC-AAEB-B6EB1A248865@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA232A6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net>
In-Reply-To: <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/TvOYWq7xPmW0oCpvmk2F03IrMUI>
Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 14:40:05 -0000

Re-,

My point is that combining RFC8085 and deployments where timers can be controlled/discovered is sufficient to fulfill the requirement. 

Of course, this does not guarantee that bindings are kept active if a NAT/FW assigns timers of less than 15 seconds...which is fair. The requirement does not ask for such guarantee. 

Cheers,
Med

> -----Message d'origine-----
> De : Mirja Kuehlewind (IETF) [mailto:ietf@kuehlewind.net]
> Envoyé : jeudi 21 février 2019 14:46
> À : BOUCADAIR Mohamed TGI/OLN
> Cc : dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The
> IESG; draft-ietf-dots-requirements@ietf.org
> Objet : Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-
> 18: (with DISCUSS and COMMENT)
> 
> Hi Med,
> 
> please see below.
> 
> > Am 21.02.2019 um 13:17 schrieb mohamed.boucadair@orange.com:
> >
> >>>> 2) Also on this text in SIG-004:
> >>>> "The heartbeat interval during active mitigation could be
> >>>>     negotiable, but MUST be frequent enough to maintain any on-path
> >>>>     NAT or Firewall bindings during mitigation.  When TCP is used as
> >>>>     transport, the DOTS signal channel heartbeat messages need to be
> >>>>     frequent enough to maintain the TCP connection state."
> >>>>
> >>>> As Joe commented already, different heartbeats at different layers can
> be
> >>>> used
> >>>> at the same time for different purposes. You can use heartbeats at the
> >>>> application layer to check service availability while e.g. using a
> higher
> >>>> frequent heartbeat at the transport layer to maintain firewall and NAT
> >> state.
> >>>
> >>> [Med] Please note that the text you quoted is about "during active
> >> mitigation". When no attack is ongoing, we do have the following behavior
> >> which covers your comment:
> >>>
> >>>     When DOTS agents are exchanging heartbeats and no
> >>>     mitigation request is active, either agent MAY request changes to
> >>>     the heartbeat rate.  For example, a DOTS server might want to
> >>>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>     reduce heartbeat frequency or cease heartbeat exchanges when an
> >>>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>     active DOTS client has not requested mitigation, in order to
> >>>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>     control load.
> >>>
> >>>> The advantage to such an approach is that there is less application
> layer
> >>>> overhead/load e.g. in scenarios where it might be expensive to wake up
> the
> >>>> application or a server is already highly loaded. Also note that the
> >> time-
> >>>> outs
> >>>> values of NATs and firewalls on the path are usually unknown, therefore
> an
> >>>> application can never rely on heartbeats (no matter at which level) and
> >> must
> >>>> be
> >>>> prepared to try to reconnect on the application layer if the connection
> >>>> fails.
> >>>> Usually, the main reason for using heartbeats to maintain NAT or
> firewall
> >>>> state
> >>>> (vs. reconnect every time) in TCP is if the application is time-
> sensitive
> >> and
> >>>> a
> >>>> full TCP handshake takes too long for the desired service. I'm not sure
> >> that
> >>>> the case for DOTS, however, I understand it may be beneficial to have
> >>>> established state if an attack is on-going.
> >>>
> >>> [Med] This is important to avoid new handshakes when the client has to
> >> request a mitigation.
> >>
> >> This is okay but could be spelled out more explicitly as a requirement,
> >> rather than taking about the details of sending heartbeats.
> >>>
> >>>>
> >>>> For UDP I guess it's more complicated in your case. Time-outs are
> usually
> >>>> very
> >>>> short, however, state is created with the first packet of a flow (as
> there
> >> is
> >>>> no handshake in UDP). As you don't see blocking if state is expired as
> new
> >>>> state is created immediately, it's kind of impossible to measure the
> >>>> configured
> >>>> time-out values. Only if the firewall is under attack it would start
> >> blocking
> >>>> UDP traffic that is has no state for yet. So I understand why it is
> >> desirable
> >>>> to maintain UDP state for you, however, I don't understand how you can
> >> know
> >>>> that your frequency is high enough to actually keep the state open. Note
> >> that
> >>>> TCP time-outs are usually in the order of hours, while UDP time-outs are
> >>>> usually in range of tens of seconds, and might expire even quicker if a
> >>>> system
> >>>> is under attack. If that is a scenario that is important for you, and
> >>>> assuming
> >>>> that not all time-outs values on the path can be known, I guess it would
> >> be
> >>>> recommendable to use TCP instead.
> >>>>
> >>>> In any case this can not be a MUST requirement (as timers are usually
> not
> >>>> known). I would recommend to state something like:
> >>>>
> >>>> "MAY be frequent enough to maintain NAT or firewall state, if timer
> values
> >>>> are
> >>>> known, or if TCP is used, SHOULD use in addition TCP heartbeats  to
> >> maintain
> >>>> the TCP connection state and reconnect immediately if a failure is
> >> detected."
> >>>>
> >>>
> >>> [Med] The original wording is accurate and reflects the requirement of
> the
> >> WG. How this will be enforced is part of the solution/specification space.
> >>
> >> My hold point here is that
> >>
> >> "MUST be frequent enough to maintain any on-path NAT or Firewall bindings
> >> during mitigation.“
> >>
> >> cannot be a MUST requirement as the network time-out values are not known
> by
> >> the endpoints. Therefore it is impossible to fulfill this requirement.
> >
> > [Med] Two comments here:
> > * The requirement can be fulfilled by relying RFC8085 recommendations. This
> is discussed in the spec documents.
> 
> RFC8085 provide recommended value and limits, however, this does not
> guarantee that the proposed values actually match the time-out values as
> deployed on the path.
> 
> > * there are deployments in which timers can be discovered (e.g., PCP
> (RFC6887)).
> 
> This does not work in all cases and the draft does not seem to require the
> usage of anything like this. If a requirement is that the timeout values MUST
> be known in the deployed scenario, then that should be spelled out, however,
> I assume that is not your intention because that would limit deployment
> heavily.
> 
> Mirja
>

v2.23.0 | Report a Bug | By Email