IETF Logo Mail Archive

Re: [Dots] Signal / Data / Alias / Filter Implementation

kaname nishizuka <kaname@nttv6.jp> Thu, 03 August 2017 09:57 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B8FE131CFE for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 02:57:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UXfLoUCq8qzL for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 02:57:17 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 90CCF131D2C for <dots@ietf.org>; Thu, 3 Aug 2017 02:57:17 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id EDE5025F691; Thu, 3 Aug 2017 18:57:14 +0900 (JST)
Received: from SR2-nishizuka.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id DB14B759041; Thu, 3 Aug 2017 18:57:14 +0900 (JST)
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Dobbins, Roland" <rdobbins@arbor.net>, Jon Shallow <supjps-ietf@jpshallow.com>
Cc: "dots@ietf.org" <dots@ietf.org>
References: <035401d30b77$fb3a1da0$f1ae58e0$@jpshallow.com> <628E4313-95D3-42F5-9DDB-00C7B4EBB4D6@arbor.net> <039001d30ba3$7f4290c0$7dc7b240$@jpshallow.com> <B8BBF80E-5A5B-473D-A0B2-B6EFEC21DEBF@arbor.net> <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp> <DM5PR16MB17887F73606FE7D920125FC2EAB10@DM5PR16MB1788.namprd16.prod.outlook.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <a617e322-8067-5927-2272-c32fd3a05b1d@nttv6.jp>
Date: Thu, 03 Aug 2017 18:57:14 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <DM5PR16MB17887F73606FE7D920125FC2EAB10@DM5PR16MB1788.namprd16.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------EA2E36C19ADD4C7DAEBB7C34"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/UQY1kK8lOQ6Vs2X0pKdZJ7bPxOY>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 09:57:20 -0000

Hi Tiru,

I see draft-ietf-dots-data-channel-02 includes appropriate reference to the latest draft-ietf-netmod-acl-model.

thank you,
Kaname


On 2017/08/03 17:06, Konda, Tirumaleswar Reddy wrote:
>
> draft-ietf-dots-data-channel-02 extends the base ACL model defined in draft-ietf-netmod-acl-model to support filtering based on fragments. Filtering rules based on ICMP type and code is supported in latest revision of draft-ietf-netmod-acl-model.
>
> I don’t see a need to update the DOTS data channel draft.
>
> -Tiru
>
> *From:*Dots [mailto:dots-bounces@ietf.org] *On Behalf Of *kaname nishizuka
> *Sent:* Thursday, August 3, 2017 10:51 AM
> *To:* Dobbins, Roland <rdobbins@arbor.net>; Jon Shallow <supjps-ietf@jpshallow.com>
> *Cc:* dots@ietf.org
> *Subject:* Re: [Dots] Signal / Data / Alias / Filter Implementation
>
> Hi Jon,
>
> I'm implementing the DOTS protocol based on current specifications.
> The DOTS protocol can handle source-* information in a mitigation signal request.
> For example, the DOTS server can enable BGP Flowspec from 5-tuple information derived from mitigation request message from DOTS client, that is actually we are planning to add to our software.
> Destination information is used to validate whether the mitigation-scope is really the property of the DOTS client's organization or not.
> So, if the request is only including source-* information, how to validate the request is another problem because it can cause unintended side effect to other customers/services (but could be implementation specific)
>
> * How do we handle specific ICMP types  in a mitigation signal request?
>
> Tiru wrote:
> > Thanks for the review. Fixed comments 1 and 2 in my local copy. To support filtering rules based on ICMP type and code, and filtering based on fragments, the base ACL model defined in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-06 needs to be extended in this draft using augmentation (see https://tools.ietf.org/html/rfc6020#section-4.2.8).
> > I will extend the ACL YANG model in the next revision.
>
> And the latest version of draft-ietf-netmod-acl-model (-11) includes ICMP-ACL (type, code,,)
> I think we should update the draft.
>
> * How do we handle fragmentation in a mitigation signal request?
> fragmentation can be represented as port=0. Is this a sufficient representation?
>
> thanks,
> Kaname
>
>
> On 2017/08/03 3:27, Dobbins, Roland wrote:
>
>     On Aug 2, 2017, at 22:25, Jon Shallow <supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>> wrote:
>
>         In draft-ietf-dots-use-cases-07
>         3.1.6.  End-customer operating a CPE network infrastructure device with
>                an integrated DOTS client
>
>     3.1.6 from idraft-ietf-dots-use-cases-07 in full:
>
>     3.1.6.  End-customer operating a CPE network infrastructure device with
>
>             an integrated DOTS client
>
>        Similar to the above use-case featuring applications or services with
>
>        built-in DDoS attack detection/classification and DOTS client
>
>        capabilities, in this scenario, an end-customer network
>
>        infrastructure CPE device such as a router, layer-3 switch, firewall,
>
>        or load-balance incorporates both the functionality required to
>
>        detect and classify incoming DDoS attacks as well as DOTS client
>
>        functionality.
>
>        The subsequent DOTS communications dialogue and resultant DDoS
>
>        mitigation initiation and termination activities take place in the
>
>        same manner as the use-cases described above.
>
>     -----------------------------------
>
>     Roland Dobbins <rdobbins@arbor.net <mailto:rdobbins@arbor.net>>
>
>
>
>
>     _______________________________________________
>
>     Dots mailing list
>
>     Dots@ietf.org <mailto:Dots@ietf.org>
>
>     https://www.ietf.org/mailman/listinfo/dots
>
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email