Re: [Dots] Signal / Data / Alias / Filter Implementation
kaname nishizuka <kaname@nttv6.jp> Thu, 03 August 2017 10:17 UTC
Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F029313234A for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 03:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4t1T8sjqM0X for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 03:17:51 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 2D163132342 for <dots@ietf.org>; Thu, 3 Aug 2017 03:17:51 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 9FD7725F691; Thu, 3 Aug 2017 19:17:50 +0900 (JST)
Received: from SR2-nishizuka.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 8A8EC759041; Thu, 3 Aug 2017 19:17:49 +0900 (JST)
To: Jon Shallow <supjps-ietf@jpshallow.com>, dots@ietf.org
References: <035401d30b77$fb3a1da0$f1ae58e0$@jpshallow.com> <628E4313-95D3-42F5-9DDB-00C7B4EBB4D6@arbor.net> <039001d30ba3$7f4290c0$7dc7b240$@jpshallow.com> <B8BBF80E-5A5B-473D-A0B2-B6EFEC21DEBF@arbor.net> <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp> <040101d30c2e$14440f70$3ccc2e50$@jpshallow.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <80a371a0-9968-d259-7fca-0765d10a1a10@nttv6.jp>
Date: Thu, 03 Aug 2017 19:17:48 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <040101d30c2e$14440f70$3ccc2e50$@jpshallow.com>
Content-Type: multipart/alternative; boundary="------------B5EE2EAA512BBF9009C407C2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/V4RovQB6lVTGmD0-Hwp8q881Rw0>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 10:17:54 -0000
Hi Jon, On 2017/08/03 16:56, Jon Shallow wrote: > > Hi Kaname, > > So as I read this, you are either extending the ietf-dot-signal definition to include source-* (and icmp, fragmentation and possibly rate-limiting) information or you are using Filters over the data channel (which is what Tiru is referring to). If it is an extension to ietf-dot-signal, then this needs to be formalised for interoperability between different suppliers. > The latter is my intention. I'll check whether the alias mechanism which couples the data-channel and signal-channel works well. > Similarly, ietf-dots-data-channel-identifier needs to be extended – but I do think the naming (e.g. target-ip instead of just ip) needs to be consistent between ietf-dot-signal and ietf-dots-data-channel-identifier. > +1. a consistency of naming is important for readers. thanks, Kaname > “5.3.1” of draft-ietf-dots-signal-channel would also need to reflect the ietf-dot-signal change. “6.” and “10.1.2” of draft-ietf-dots-signal-channel would also need CBOR to be updated with source-* etc. definitions. > > I am of the firm opinion that destination-ip is REQUIRED and MUST be within the mitigation scope of the DOTS Client to prevent taking out someone else’s IP. This is true for ietf-dot-signal, ietf-dots-data-channel-identifier and ietf-dots-access-control-list. > > I do not think fragmentation represented as port=0 is sufficient (and is not necessarily intuitive – it could be read as just take out the subsequent packets of a fragmented sequence if the layer 4 header is not there and hence no port). I think it should have its own ietf-dot-signal definition. > > It is unclear to me the usage of alias in the ietf-dot-signal – is it the DOTS client uses just the alias when requesting mitigation, or if extra parameters are provided (e.g. alias plus target-port-range) are the extra parameters a replacement or in addition to what is in the ietf-dots-data-channel-identifier or are the extra parameters ignored altogether? > > Regards > > Jon > > *From:*Dots [mailto: dots-bounces@ietf.org] *On Behalf Of *kaname nishizuka > *Sent:* 03 August 2017 06:21 > *To:* Dobbins, Roland; Jon Shallow > *Cc:* dots@ietf.org > *Subject:* Re: [Dots] Signal / Data / Alias / Filter Implementation > > Hi Jon, > > I'm implementing the DOTS protocol based on current specifications. > The DOTS protocol can handle source-* information in a mitigation signal request. > For example, the DOTS server can enable BGP Flowspec from 5-tuple information derived from mitigation request message from DOTS client, that is actually we are planning to add to our software. > Destination information is used to validate whether the mitigation-scope is really the property of the DOTS client's organization or not. > So, if the request is only including source-* information, how to validate the request is another problem because it can cause unintended side effect to other customers/services (but could be implementation specific) > > * How do we handle specific ICMP types in a mitigation signal request? > > Tiru wrote: > > Thanks for the review. Fixed comments 1 and 2 in my local copy. To support filtering rules based on ICMP type and code, and filtering based on fragments, the base ACL model defined in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-06 needs to be extended in this draft using augmentation (see https://tools.ietf.org/html/rfc6020#section-4.2.8). > > I will extend the ACL YANG model in the next revision. > > And the latest version of draft-ietf-netmod-acl-model (-11) includes ICMP-ACL (type, code,,) > I think we should update the draft. > > * How do we handle fragmentation in a mitigation signal request? > fragmentation can be represented as port=0. Is this a sufficient representation? > > thanks, > Kaname > > > On 2017/08/03 3:27, Dobbins, Roland wrote: > > On Aug 2, 2017, at 22:25, Jon Shallow <supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>> wrote: > > In draft-ietf-dots-use-cases-07 > 3.1.6. End-customer operating a CPE network infrastructure device with > an integrated DOTS client > > 3.1.6 from idraft-ietf-dots-use-cases-07 in full: > > 3.1.6. End-customer operating a CPE network infrastructure device with > > an integrated DOTS client > > Similar to the above use-case featuring applications or services with > > built-in DDoS attack detection/classification and DOTS client > > capabilities, in this scenario, an end-customer network > > infrastructure CPE device such as a router, layer-3 switch, firewall, > > or load-balance incorporates both the functionality required to > > detect and classify incoming DDoS attacks as well as DOTS client > > functionality. > > The subsequent DOTS communications dialogue and resultant DDoS > > mitigation initiation and termination activities take place in the > > same manner as the use-cases described above. > > ----------------------------------- > > Roland Dobbins <rdobbins@arbor.net <mailto:rdobbins@arbor.net>> > > > > > _______________________________________________ > > Dots mailing list > > Dots@ietf.org <mailto:Dots@ietf.org> > > https://www.ietf.org/mailman/listinfo/dots > > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] Signal / Data / Alias / Filter Implementat… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Dobbins, Roland
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy