[Dots] Address scope RE: AD evaluation of draft-ietf-dots-signal-call-home-09: Section 3
mohamed.boucadair@orange.com Fri, 16 October 2020 08:19 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBBED3A0DDA; Fri, 16 Oct 2020 01:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHvY_MTgaUuO; Fri, 16 Oct 2020 01:19:53 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB5443A0DD8; Fri, 16 Oct 2020 01:19:52 -0700 (PDT)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id 4CCJwl2NTmz5wwr; Fri, 16 Oct 2020 10:19:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1602836391; bh=RphOd5RP1B7yMmxt4ahlk17cDJzexO60tBPFUeOtapU=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=SvIsbRn6lpMF+gGr4d9bhcjh8KUbXgHtE0bTohSRJQ33cnSfgWSxME2tzgFxt3ZX3 SVBatbh94JCZ7bKAkkuturJn0meE/A4ET0c672dtjIfqg+4LBZ8OZi/wwWt8ZVRvh+ bSK7vXDF7/05SUZHhtEPqpB2RXmrgUYKxLe+x9/2ImkfIYRLPCrEmm9Ge2oiy4gstr /h9usvuwgpRx0vEQ4BZpxjrz9Ocb4WJ9sJ3jmQAFcFklCyv0Tkk44e9Csow8GeQWTQ 6B4B+ButhNb2XgeckzKomu/5l4MRkF+krtkRC6OsxxkyGC6bQnkc6pOLStIhvcnL3V RB2DZ3KprSuLA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.51]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4CCJwl1JmJzCql9; Fri, 16 Oct 2020 10:19:51 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>, "supjps-ietf@jpshallow.com" <supjps-ietf@jpshallow.com>
CC: "draft-ietf-dots-signal-call-home.all@ietf.org" <draft-ietf-dots-signal-call-home.all@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Address scope RE: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 3
Thread-Index: AdajlRxgk1r6PozsQFCcA3RAArLPcA==
Date: Fri, 16 Oct 2020 08:19:50 +0000
Message-ID: <32350_1602836391_5F8957A7_32350_116_1_787AE7BB302AE849A7480A190F8B9330315617CA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/VgQfvyQtmvT_vfSxrnS_WWwFF1M>
Subject: [Dots] Address scope RE: AD evaluation of draft-ietf-dots-signal-call-home-09: Section 3
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 08:19:55 -0000
Hi Jon, Ben, > > A bigger challenge that I see is how the Call Home DOTS client > knows (i.e. > > is configured in a trusted way) which Call Home DOTS server is > > responsible for which set of source addresses that the attacks are > actually coming from. > > True, this seems "easy" if the call home client is the ISP but > pretty hard otherwise. Might be worth mentioning as well... > This is not specific to the call home, but applies for the base spec as well. See for example the discussion in 8811: == The exact mechanism for the DOTS servers to validate that the resources are within the scope of the DOTS client domain is deployment specific. For example, if the DOTS client domain uses Provider-Aggregatable prefixes for its resources and leverages the DDoS mitigation service of the Internet Transit Provider (ITP); the ITP knows the prefixes assigned to the DOTS client domain because they are assigned by the ITP itself. However, if the DDoS Mitigation is offered by a third-party DDoS mitigation service provider; it does not know the resources owned by the DOTS client domain. == or 8782: == DOTS servers MUST verify that requesting DOTS clients are entitled to trigger actions on a given IP prefix. That is, only actions on IP resources that belong to the DOTS client's domain MUST be authorized by a DOTS server. The exact mechanism for the DOTS servers to validate that the target prefixes are within the scope of the DOTS client domain is deployment specific. == Means to avoid maintaining "stale" information would also help (e.g., a network that rehome) or detecting a mismatch between the authorized IP prefix as seen by a client vs. what is seen by the server. These issues can be solved if we extend to data channel to register the IP prefixes "owned" by a domain and update them as soon a change occurs. Of course, the procedure to validate a prefix is in the scope of the domain claiming so would still be required, but unlike the signal channel, this will happen during idle time. Cheers, Med _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Address scope RE: AD evaluation of draft-i… mohamed.boucadair