Re: [Dots] Reply: Hi, authors. 3 comments:

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 06 March 2019 09:42 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>, kaname nishizuka <kaname@nttv6.jp>, "draft-nishizuka-dots-signal-control-filtering.authors@ietf.org" <draft-nishizuka-dots-signal-control-filtering.authors@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Date: Wed, 06 Mar 2019 09:41:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/UL97hdtXBJnVLgp2aYq5wPeQsmw>
Subject: Re: [Dots] Reply: Hi, authors. 3 comments:
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>

Hi Med,

Please see inline [TR2]

From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Sent: Wednesday, March 6, 2019 1:17 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; kaname nishizuka <kaname@nttv6.jp>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org
Cc: dots@ietf.org
Subject: RE: [Dots] Reply: Hi, authors. 3 comments:


Hi Tiru,

Please see inline.

Cheers,
Med

From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
Sent: Wednesday, 6 March 2019 07:47
To: Xialiang (Frank, Network Standard & Patent Dept); BOUCADAIR Mohamed TGI/OLN; kaname nishizuka; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org
Cc: dots@ietf.org
Subject: RE: [Dots] Reply: Hi, authors. 3 comments:

Hi Kaname,

Please see inline

When a DOTS client notices that a system in its domain is being attacked, it will try to ask a DOTS server in its transit provider (or somewhere in upstream networks) for help.
Sometimes it is hard to get any information from the DOTS server if the upstream is saturated by attack traffic.

[TR] Agreed, but once the DDoS Mitigator starts scrubbing incoming traffic, attack traffic will be dropped and mitigation updates from the DOTS server will reach the DOTS client.
[Med] Agree.

It is a good strategy to enable the ACL (set by data-channel) immediately first via signal-channel. Especially if it is a rate-limit ACL, it will make room for further communication over signal-channel.

[TR] If all of the incoming traffic is rate-limited, both good and bad traffic will be dropped and may not be acceptable.
[Med] Only the traffic matching the ACL will be rate-limited. Of course, that ACL may be defined to cover all the traffic. This scenario is basically as follows:

* Detect suspicious traffic in a client domain
* Send a first mitigation with a wide scope + activate some ACLs. Which ACLs to activate is deployment-specific.
* Later, send a second mitigation request with an adjusted scope.

[TR2] If the DOTS client knows the target resource, why send the mitigation request for wide scope?
If the DOTS client does not know the target resource, how can it adjust the scope in the second mitigation request?
I don’t understand how the rate-limit ACL is useful in this case?

-Tiru

Then, it will send mitigation request to the DOTS server.

[TR] The mitigation request can also enable the ACL (set by data-channel); I don’t get the reason to send the mitigation request again.
[Med] This is required to adjust the scope. A new request is needed.

This kind of procedure is really used by manual operation. Combination of ACL-based filtering and mitigation appliance is cost effective.
The proposed draft (signal-control-filtering) enables automation of it.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org> On Behalf Of Xialiang (Frank, Network Standard & Patent Dept)
Sent: Tuesday, March 5, 2019 4:09 PM
To: mohamed.boucadair@orange.com; kaname nishizuka <kaname@nttv6.jp>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org
Cc: dots@ietf.org
Subject: [Dots] Reply: Hi, authors. 3 comments:


Hi Med,
Thanks for the clarification, we are on the same page now.

B.R.
Frank

From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
Sent: 5 March 2019 18:30
To: kaname nishizuka <kaname@nttv6.jp>; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org
Cc: dots@ietf.org
Subject: RE: [Dots] Hi, authors. 3 comments:

Hi Frank, Kaname,

Please see inline.

Cheers,
Med

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of kaname nishizuka
Sent: Tuesday, 5 March 2019 09:01
To: Xialiang (Frank, Network Standard & Patent Dept); draft-nishizuka-dots-signal-control-filtering.authors@ietf.org
Cc: dots@ietf.org
Subject: Re: [Dots] Hi, authors. 3 comments:

Hi Frank,
On 2019/03/05 15:26, Xialiang (Frank, Network Standard & Patent Dept) wrote:
Hi authors,
I have 3 general comments as below:

1. Can you clarify the DOTS server administrative domain a little bit? What is the goal of defining it?
We'll clarify it and update the draft.


[Med] This is what is called “DOTS server domain” in DOTS drafts. The notion of “administrative domain” is already used/discussed in the arch I-D.



2. Will this document open a door to make signal channel to cover the functions of data channel more and more?

[Med] No. We do already have this text:



   A DOTS client MUST NOT use the filtering control over DOTS signal
   channel if no attack (mitigation) is active; such requests MUST be
   discarded by the DOTS server with 4.00 (Bad Request).  By default,
   ACL-related operations are achieved using the DOTS data channel
   [I-D.ietf-dots-data-channel<https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-04#ref-I-D.ietf-dots-data-channel>] when no attack is ongoing.



The draft focuses only on tweaking the status of **existing** filters.



3. I can accept the situation of changing the accept-list to the “deactivate” status, but is it a common use case we need to change a deny-list to the “immediate” status?
Regarding 2 and 3, I can add one use case to the draft.
When a DOTS client notices that a system in its domain is being attacked, it will try to ask a DOTS server in its transit provider (or somewhere in upstream networks) for help.
Sometimes it is hard to get any information from the DOTS server if the upstream is saturated by attack traffic.
It is a good strategy to enable the ACL (set by data-channel) immediately first via signal-channel. Especially if it is a rate-limit ACL, it will make room for further communication over signal-channel.
Then, it will send mitigation request to the DOTS server.
This kind of procedure is really used by manual operation. Combination of ACL-based filtering and mitigation appliance is cost effective.
The proposed draft (signal-control-filtering) enables automation of it.

regards,
Kaname


Thanks!


B.R.
Frank