Re: [Dots] AD review of draft-ietf-dots-data-channel-25

<mohamed.boucadair@orange.com> Thu, 28 February 2019 09:29 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0BA130E5B; Thu, 28 Feb 2019 01:29:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDD0WLZUXJel; Thu, 28 Feb 2019 01:29:09 -0800 (PST)
Received: from orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CDB3130E25; Thu, 28 Feb 2019 01:29:09 -0800 (PST)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar25.francetelecom.fr (ESMTP service) with ESMTP id 4496gl51q4z8v1Z; Thu, 28 Feb 2019 10:29:07 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.73]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4496gl4GVWzCqks; Thu, 28 Feb 2019 10:29:07 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM23.corporate.adroot.infra.ftgroup ([fe80::9108:27dc:3496:8db3%21]) with mapi id 14.03.0435.000; Thu, 28 Feb 2019 10:29:07 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "dots@ietf.org" <dots@ietf.org>, "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-data-channel-25
Thread-Index: AQHUxRIUb7c2dDIvj0uWD4RT8wY9CqXgsiOQgAAV9gCAEoE9oIABuMSw
Date: Thu, 28 Feb 2019 09:29:07 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA26902@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <20190213164622.GX56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1F03D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190214191707.GM56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1FCF6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279099DF23F40CF46280EEE2EA600@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA1FEC0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790FF9AA5D6C22037F62B54EA740@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790FF9AA5D6C22037F62B54EA740@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/UJIRQ7a1JzHX3XDl6kU3Wv602kY>
Subject: Re: [Dots] AD review of draft-ietf-dots-data-channel-25
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 09:29:11 -0000

Re-,

I added this note to my local copy: 

   How a DOTS client synchronizes its configuration with the one
   maintained by its DOTS server(s) is implementation-specific.  For
   example, a DOTS client can send a GET message before and/or after each
   configuration change request.

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : mercredi 27 février 2019 07:59
> À : BOUCADAIR Mohamed TGI/OLN; Benjamin Kaduk
> Cc : dots@ietf.org; draft-ietf-dots-data-channel@ietf.org
> Objet : RE: AD review of draft-ietf-dots-data-channel-25
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > Sent: Friday, February 15, 2019 5:53 PM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > Benjamin Kaduk <kaduk@mit.edu>
> > Cc: dots@ietf.org; draft-ietf-dots-data-channel@ietf.org
> > Subject: RE: AD review of draft-ietf-dots-data-channel-25
> >
> > This email originated from outside of the organization. Do not click links
> or
> > open attachments unless you recognize the sender and know the content is
> safe.
> >
> > Hi Tiru,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : vendredi 15 février 2019 12:06 À : BOUCADAIR Mohamed TGI/OLN;
> > > Benjamin Kaduk Cc : dots@ietf.org;
> > > draft-ietf-dots-data-channel@ietf.org
> > > Objet : RE: AD review of draft-ietf-dots-data-channel-25
> > >
> > > I am catching up with the discussion, couple of points:
> > >
> > > 1)
> > >       *  If a network resource (DOTS client) detects a potential DDoS
> > >          attack from a set of IP addresses, the DOTS client informs its
> > >          servicing DOTS gateway of all suspect IP addresses that need to
> > >          be drop- or accept-listed for further investigation.
> > >
> > > Comment> I don't see why suspect IP addresses will be accept-listed ?
> > >                     We may want to remove "or accept-listed" from the
> > > above line.
> > >
> >
> > [Med] Ack.
> >
> > > [Med] The dots client will know if its request is successfully delivered.
> > > When an attack is ongoing, the dots client should not use it data
> > > channel because it is likely to be perturbed.
> > >
> > > Comment> If the HTTP response from the server did not reach the client
> > > because of a volumetric attack saturating the incoming the link, the
> > > DOTS client will not know whether the configuration is successfully
> > > updated or not. After the attack is mitigated, the client will have to
> > > re-establish the TLS session and retrieve the configuration to check
> > > if its last request was successfully applied or not before updating
> > > the configuration.
> > >
> >
> > [Med] Agree. Still, how the client syncs its config with the one maintained
> by
> > the server is implementation-specific. A client can send a GET before
> and/or
> > after a configuration change request, in regular intervals, after attack
> > mitigation, etc.
> 
> Adding a Implementation Note looks useful to me.
> 
> -Tiru
> 
> >
> > > Cheers,
> > > -Tiru