Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 07 August 2017 10:19 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Dots@ietf.org" <Dots@ietf.org>
Thread-Topic: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
Date: Mon, 07 Aug 2017 10:19:10 +0000
Message-ID: <DM5PR16MB17888218351CF06BDF691F34EAB50@DM5PR16MB1788.namprd16.prod.outlook.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D19B@DGGEML502-MBX.china.huawei.com> <DM5PR16MB17880F012FB44009155ADCA1EAB50@DM5PR16MB1788.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D39C@DGGEML502-MBX.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BB2D39C@DGGEML502-MBX.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/UmTOZmNMXsSF-jkFYgXoUpTbhNQ>
Subject: Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>

You may want to look into https://tools.ietf.org/html/rfc6959#section-7
<snip>
   Even if every Internet-connected network implements source address
   validation at the ultimate network ingress, and assurances exist that
   intermediate devices are to never modify datagram source addresses,
   source addresses cannot be used as an authentication mechanism.

-Tiru

From: Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
Sent: Monday, August 7, 2017 3:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Dots@ietf.org
Subject: Re: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi Tiru,
Thanks for your analysis. It makes sense to me.

To be accurate, an IP whitelist does not relax the mutual authentication requirement, but it does lose the encryption benefits.

B.R.
Frank

From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
Sent: August 7, 2017 17:51
To: Xialiang (Frank); Dots@ietf.org
Subject: RE: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

TLS supports pre-shared key based authentication. The other mechanism is a Subject Public Key Info (SPKI) fingerprint pin set for mutual authentication (self-signed certificates or raw public keys), without having to deal with a CA.

I don’t think DOTS should relax the mutual authentication and encryption requirements.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Monday, August 7, 2017 6:25 AM
To: Dots@ietf.org
Subject: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

In addition to IP whitelist and certificate, a pre-shared key can also be an option.
Right?

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: August 7, 2017 8:52
To: Dots@ietf.org
Subject: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi,
I think the direct use of an IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, like: a DOTS client that does not support certificates, an ISP that detects spoofed source addresses, etc.

So, should we support this as an optional way for the DOTS client’s AA and add it into the DOTS protocol drafts?

B.R.
Frank
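The SPKI fingerprint pin set that Tiru describes as the alternative to a CA (and to an IP whitelist) is easy to misread as "pin the certificate"; what is pinned is the hash of the SubjectPublicKeyInfo, so a peer is identified by its key and nothing else, and the RFC 6959 point follows naturally: the source address is never consulted. The block below is an added, stand-alone example written for this page; it is not code from the thread, from any DOTS draft, or from any DOTS implementation. It assumes Go's standard crypto/tls over loopback TCP (the real DOTS signal channel runs CoAP over DTLS, which the Go standard library does not provide; the pin logic is the same), self-signed Ed25519 certificates generated on the spot, hex-encoded SHA-256 pins, and hypothetical peer names "dots-server" and "dots-client". Both sides authenticate each other purely by pin set, with no CA, no hostname check and no address check; a rogue client that presents the same name under an unknown key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a throwaway self-signed Ed25519 certificate (assumed here: no CA at all).
func selfSignedCert(name string) (tls.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// spkiPin is hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate. It pins the key,
// not the certificate, so a renewed self-signed cert for the same key keeps its pin.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)), nil
}

// pinVerifier builds a VerifyPeerCertificate callback: the peer's leaf SPKI pin must be in pins.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		pin, err := spkiPin(rawCerts[0])
		if err == nil && !pins[pin] {
			err = fmt.Errorf("peer SPKI pin %s is not in the pin set", pin)
		}
		return err
	}
}

// mutualHandshake runs one TLS 1.3 (Go's default) handshake over loopback TCP in which each side
// authenticates the other purely by SPKI pin. A TLS 1.3 client finishes before the server has
// checked the client certificate, so a rejected client shows up as serverErr, not clientErr.
func mutualHandshake(srv, cli tls.Certificate, srvPins, cliPins map[string]bool) (clientErr, serverErr error) {
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{srv},
		ClientAuth:             tls.RequireAnyClientCert, // demand a cert but skip the CA path...
		VerifyPeerCertificate:  pinVerifier(cliPins),     // ...and authenticate it by pin instead
		SessionTicketsDisabled: true,                      // nothing left to send after the client's Finished
	}
	clientCfg := &tls.Config{
		Certificates:          []tls.Certificate{cli},
		InsecureSkipVerify:    true, // disables only the CA/hostname checks; the pin check still runs
		VerifyPeerCertificate: pinVerifier(srvPins),
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = tls.Server(conn, serverCfg).Handshake()
			conn.Close()
		}
		done <- err
	}()
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if clientErr == nil {
		conn.Close()
	}
	return clientErr, <-done
}

func main() {
	srv, _ := selfSignedCert("dots-server")
	cli, _ := selfSignedCert("dots-client")
	rogue, _ := selfSignedCert("dots-client") // same name, unknown key: identity is the key, not the name
	srvPin, _ := spkiPin(srv.Certificate[0])
	cliPin, _ := spkiPin(cli.Certificate[0])
	fmt.Println(mutualHandshake(srv, cli, map[string]bool{srvPin: true}, map[string]bool{cliPin: true}))   // pinned client
	fmt.Println(mutualHandshake(srv, rogue, map[string]bool{srvPin: true}, map[string]bool{cliPin: true})) // rogue client
}
```

Two points worth checking before copying this pattern: `InsecureSkipVerify` disables only the chain and hostname verification, and Go still calls `VerifyPeerCertificate`, which is what actually authenticates the peer here; leave the callback out and the client accepts anyone. And with TLS 1.3 the client's handshake completes before the server has examined the client certificate, so a client whose pin the server rejects only learns of it on its first read, which is why the server's error is the one to look at for that case (under TLS 1.2 the client would see the alert inside the handshake).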