IETF Logo Mail Archive

Re: [Dots] draft-ietf-dots-filter-control: acl updates

kaname nishizuka <kaname@nttv6.jp> Fri, 17 May 2019 01:42 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46BF12033B for <dots@ietfa.amsl.com>; Thu, 16 May 2019 18:42:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQQFzLRgWaLB for <dots@ietfa.amsl.com>; Thu, 16 May 2019 18:42:19 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [IPv6:2402:c800:ff06:136::140]) by ietfa.amsl.com (Postfix) with ESMTP id DF265120341 for <dots@ietf.org>; Thu, 16 May 2019 18:42:18 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [192.168.8.15]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id DAF9B25F6BE; Fri, 17 May 2019 10:42:15 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1558057335; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MDZ96lHco+C/ohKzC7++zVpSlUM8AQ38qvHntBppGgw=; b=T03AqfrvS0qDJMr48RIwpfVUA5FPwrdJnxkF86sAjj065HQnpgy4jv3LPJXrNwwHUkGxCH 0D0Dz+ht25STWKbWKDHbdwX6VtBFk1VfcUzReRlrLxnzrrD7Ma6kb7fbvO4G95kopR2O4r Kgk9pmPUyRnwQtKbZI2UQU5Ya5DVPYY=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 9D301763508; Fri, 17 May 2019 10:42:15 +0900 (JST)
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93302EA7DAAF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA7E684@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <01b401d50b2c$f8deb870$ea9c2950$@jpshallow.com> <BYAPR16MB2790B812CB96CAE3AD9E990DEA0A0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7EF08@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279042E222FE4283F29B481EEA0A0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7F0A0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790B54D8F7D30E568FFF227EA0A0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7F1B6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27907B0D4C86DD91DE91D833EA0A0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7F207@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27904AB4A38318DFE9066A51EA0A0@BYAPR16MB2790.namprd16.prod.outlook.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <8eb4385c-5966-24d5-751e-1a72a72b7d5c@nttv6.jp>
Date: Fri, 17 May 2019 10:42:15 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <BYAPR16MB27904AB4A38318DFE9066A51EA0A0@BYAPR16MB2790.namprd16.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------AFBDE60C35D1F513EB009F22"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Vy-aKsR35jMlCvd6BoFdx5W54O0>
Subject: Re: [Dots] draft-ietf-dots-filter-control: acl updates
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2019 01:42:25 -0000

I'm okay with the proposed text because "NOT RECOMMENDED" is covering the issue raised here.
However error code would be 4.22 as Tiru said.

4.22 error is also at the server side, please see https://tools.ietf.org/html/rfc8132
Unprocessable request:  This situation occurs when the payload of a
       FETCH request is determined to be valid (i.e., well-formed and
       supported) but the server is unable to or is incapable of
       processing the request.  The server can return a 4.22
       (Unprocessable Entity) CoAP error.

Regards,
Kaname

On 2019/05/16 22:38, Konda, Tirumaleswar Reddy wrote:
>
> Okay, proposed text looks good to me.
>
> -Tiru
>
> *From:*mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> *Sent:* Thursday, May 16, 2019 6:18 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-ietf@jpshallow.com>; dots@ietf.org
> *Subject:* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Re-,
>
> It can:
>
> During an attack time, DOTS clients may include 'acl-list', 'acl-
>
> name', and 'activation-type' attributes in a mitigation request.
>
> This request may be the initial mitigation request for a given
>
> mitigation scope or a new one overriding an existing request.  In
>
> both cases, a new 'mid' MUST be used.
>
> But in order to avoid delays to start a mitigation because of acl failures, it makes sense to recommend clients to send first the request without ACLs followed by a new one with acl included. We may add the following:
>
> Nevertheless, it is NOT
>
> RECOMMENDED to include ACL attributes in an initial mitigation
>
> request for a given mitigation scope or in a mitigation request
>
> adjusting the mitigation scope.
>
> The server does not care whether a request including acl is an initial request or not; the same processing is followed:
>
>    If, for some reason, the DOTS server
>
> fails to apply the filter update, it MUST respond with 5.03 (Service
>
> Unavailable) error response code and include the failed 'acl-name'
>
> update in the diagnostic payload of the response.  Else, the DOTS
>
> server replies with the appropriate response code defined in
>
> Section 4.4.1 of [I-D.ietf-dots-signal-channel].
>
> Cheers,
>
> Med
>
> *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Envoyé :* jeudi 16 mai 2019 14:28
> *À :* BOUCADAIR Mohamed TGI/OLN; Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Failure scenarios to activate/de-active the ACL look rare (or uncommon). Why not let the client convey the mitigation request with the ACL and if the server returns 5.03, based on the diagnostic payload, re-send the mitigation request without the ACL ?
>
> Cheers,
>
> -Tiru
>
> *From:*mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>>
> *Sent:* Thursday, May 16, 2019 5:06 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com <mailto:TirumaleswarReddy_Konda@McAfee.com>>; Jon Shallow <supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>>; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Re-,
>
> Overall, the same behavior as with mitigation without acls will be followed in that case. For example, the client can infer from the diagnostic payload that the server is unavailable and a redirect is provided. Isn’t it?
>
> In case of a failure due to acl update, we can be explicit that the server to return the failed acl update in the 5.03 response. A client which receives a 5.03 with failed acl, should immediately send a new request without acl attributes so that the mitigation starts, and waits Max-Age before retrying with the same acl update.
>
> Cheers,
>
> Med
>
> *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Envoyé :* jeudi 16 mai 2019 12:33
> *À :* BOUCADAIR Mohamed TGI/OLN; Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> What if the server service is really unavailable when the second mitigation request with the ACL is conveyed ?
>
> -Tiru
>
> *From:*mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>>
> *Sent:* Thursday, May 16, 2019 3:12 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com <mailto:TirumaleswarReddy_Konda@McAfee.com>>; Jon Shallow <supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>>; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Re-,
>
> The signal channel spec says the following:
>
> “CoAP 4.xx codes are some sort of invalid requests (client errors).”
>
> and
>
> “The error response code 5.03 (Service Unavailable) is
>
>    returned if the DOTS server has erred or is incapable of performing
>
>    the mitigation.”
>
> The main concern is the unfairness for rejecting a mitigation because of acls. This is problematic for initial requests with acls as rightfully mentioned by Jon.
>
> I do think this is solved with the proposal below. 5.03 will be OK, then.
>
> Cheers,
>
> Med
>
> *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Envoyé :* jeudi 16 mai 2019 11:20
> *À :* BOUCADAIR Mohamed TGI/OLN; Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> No, 4.22 error is also at the server side, please see https://tools.ietf.org/html/rfc8132
>
> Unprocessable request:  This situation occurs when the payload of a
>
>       FETCH request is determined to be valid (i.e., well-formed and
>
>       supported) but the server is unable to or is incapable of
>
>       processing the request.  The server can return a 4.22
>
> (Unprocessable Entity) CoAP error.
>
> Cheers,
>
> -Tiru
>
> *From:*mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>>
> *Sent:* Thursday, May 16, 2019 12:51 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com <mailto:TirumaleswarReddy_Konda@McAfee.com>>; Jon Shallow <supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>>; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Hi Tiru, all,
>
> The error is at the server side, so 4.22 is not appropriate here.
>
> What about recommending against including acl attributes in an initial request or when the client adjusts the mitigation scope? Once a mitigation without acls is successfully placed, the client can then send a new request with the same mitigation scope but with acl attributes. Any failure reported by the server will be then linked to the acl instructions.
>
> 5.03 will be returned if a failure is encountered to process a request with acls.
>
> Cheers,
>
> Med
>
> *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Envoyé :* jeudi 16 mai 2019 06:43
> *À :* Jon Shallow; BOUCADAIR Mohamed TGI/OLN; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> DOTS signal channel protocol does not support handling of partial failures because of the complexity. If the filtering rules cannot be updated, the request should be rejected with appropriate error message (e.g. 4.22 (Unprocessable Entity), https://tools.ietf.org/html/rfc8132 <https://tools.ietf.org/html/rfc8132>)
>
> Cheers,
>
> -Tiru
>
> *From:*Dots <dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>> *On Behalf Of *Jon Shallow
> *Sent:* Wednesday, May 15, 2019 8:16 PM
> *To:* mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Hi Med,
>
> Interesting question – certainly the DOTS signal server should be properly communicating with the DOTS data server, but I guess there can be a failure here.
>
> I think to reject a PUT that is the first mitigation request, but includes an Acl-List with a 5.03 could be unfair – the DOTS client would need to get taught that it needs to send a new PUT (+mid) without the Acl-List if it gets a 5.03 – which could be for a whole host of reasons.
>
> Could we send back some sort of conflict code (i.e. failure code) in this case to be a bit more flexible?
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>] *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
> *Sent:* 15 May 2019 15:37
> *To:* Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Re-,
>
> The draft does not include any text about the response to a PUT because we assume that we don’t change the base spec.
>
> One related point, we may need to be specific about the behavior of the server, e.g., when it can do the mitigation but fails (for some reason) to apply the filter update. Should we discard the request with 5.03 or should we allow for some flexibility by accepting the mitigation but without the filter update?
>
> Cheers,
>
> Med
>
> *De :*Jon Shallow [mailto:supjps-ietf@jpshallow.com <mailto:supjps-ietf@jpshallow.com>]
> *Envoyé :* mercredi 15 mai 2019 15:52
> *À :* BOUCADAIR Mohamed TGI/OLN; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Hi Med,
>
> I think that covers it.  Now I have access to my emails, it was the PUT that I was thinking about, not the GET.
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>] *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
> *Sent:* 15 May 2019 12:22
> *To:* Jon Shallow; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Re-,
>
> Noted. Thanks.
>
> With regards to your second point, we do have the following in the draft:
>
>    If, during an active mitigation, the 'activation-type' is changed at
>
>    the DOTS server (e.g., as a result of an external action) for an ACL
>
>    bound to a DOTS client, the DOTS server notifies that DOTS client
>
>    with the change by including the corresponding ACL parameters in an
>
>    asynchronous notification (the DOTS client is observing the active
>
>    mitigation) or in a response to a polling request (Section 4.4.2.2 of
>
> [I-D.ietf-dots-signal-channel]).
>
> Do we need to say more?
>
> Cheers,
>
> Med
>
> *De :*Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> *Envoyé :* mercredi 15 mai 2019 11:56
> *À :* BOUCADAIR Mohamed TGI/OLN; kaname nishizuka; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* RE: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Hi Guys,
>
> I concur with (2).
>
> I think that we have the ‘mid’ wrap properly covered (more likely to occur now with lots of ‘tweaks’ to the mitigation when trying out different acl-lists).
>
> With (2) changing the activation-types, it is possible that some packets may not get through, and so an activation-type may be in an unexpected state.  I know  that we encourage regular monitor of the status of a mitigation (by signal channel observing), but  am unable to find as to whether acl-list etc. is returned on signal channel GET response (there are no GET signal channel response examples).  There was discussion about this on the mailing list, but it did not get a final resolution.
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org <mailto:dots-bounces@ietf.org>] *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
> *Sent:* 15 May 2019 09:05
> *To:* kaname nishizuka; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
> *Subject:* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Re-,
>
> Thank you for sharing your thoughts.
>
> -00 allows to use both a new or existing ‘mid’. With (2) taken into account, we need the following change:
>
> OLD:
>
>    A DOTS client may include acl-* attributes in a mitigation request
>
>    having a new or an existing 'mid'.  When acl-* attributes are to be
>
>    included in a mitigation request with an existing 'mid', the DOTS
>
>    client MUST repeat all the other parameters as sent in the original
>
>    mitigation request (i.e., having that 'mid') apart from a possible
>
>    change to the lifetime parameter value.
>
> NEW:
>
>    During an attack time, DOTS clients may include 'acl-list', 'acl-
>
>    name', and 'activation-type' attributes in a mitigation request.
>
>    This request may be the initial mitigation request for a given
>
>    mitigation scope or a new one overriding an existing request.  In
>
>    both case, a new 'mid' MUST be used.
>
>    As the attack evolves, DOTS clients can adjust the 'activation-type'
>
>    of an ACL conveyed in a mitigation request or control other filters
>
>    as necessary. This can be achieved by sending a PUT request with a
>
>    new 'mid' value.
>
> Cheers,
>
> Med
>
> *De :*kaname nishizuka [mailto:kaname@nttv6.jp]
> *Envoyé :* mercredi 15 mai 2019 09:59
> *À :* BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; dots@ietf.org <mailto:dots@ietf.org>
> *Objet :* Re: [Dots] draft-ietf-dots-filter-control: acl updates
>
> Hi Tiru, Med,
>
> I agree with Tiru.
>
> > FWIW, the changes to implement (2) can be seen at:
> >
> > https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
> >
> Could you specify where it is?
> (2) is taken account as the current version of the draft allows to include acl attributes in requests with new ‘mid’s.
>
> regards,
> Kaname
>
> On 2019/05/15 16:28, mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com> wrote:
>
>     Hi Tiru,
>
>     Agree.
>
>     Looking forward to hear  more.
>
>     FWIW, the changes to implement (2) can be seen at:
>
>     https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
>
>     Cheers,
>
>     Med
>
>     *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
>     *Envoyé :* mercredi 15 mai 2019 09:11
>     *À :* BOUCADAIR Mohamed TGI/OLN; dots@ietf.org <mailto:dots@ietf.org>
>     *Objet :* RE: draft-ietf-dots-filter-control: acl updates
>
>     I don’t think approach (1) is a good idea because of out of order delivery of packets. Further, the anti-relay detection technique in DTLS uses sliding windows procedure. An MITM can possibility cache and drop the packets from the client, and replay the cached packets that fall within the sliding window. For instance in the below example, the server could receive packets in the order T0, T4, T1, T2.
>
>     Monotonically increasing ‘mid’ is the only defense against this mechanism, and I don’t think the signal channel draft needs any update.
>
>     Cheers,
>
>     -Tiru
>
>     *From:*Dots <dots-bounces@ietf.org> <mailto:dots-bounces@ietf.org> *On Behalf Of *mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>
>     *Sent:* Tuesday, May 14, 2019 8:14 PM
>     *To:* dots@ietf.org <mailto:dots@ietf.org>
>     *Subject:* [Dots] draft-ietf-dots-filter-control: acl updates
>
>     *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>     Hi all,
>
>     The current version of the draft allows to include acl attributes in requests with new or existing ‘mid’s. By “existing mid’, we meant an existing request which does not include acl attributes when the request was initially created. For such requests, the activation-type of the same acl can be changed as the attack evolve or even control other ACLs. This is supposed to be covered by this text:
>
>     When acl-* attributes are to be
>
>     included in a mitigation request with an existing 'mid', the DOTS
>
>     client MUST repeat all the other parameters as sent in the original
>
>     mitigation request (i.e., having that 'mid') apart from a possible
>
>     change to the lifetime parameter value.
>
>     For example:
>
>     T0: R(mid)
>
>     T1: R(mid, acl1, activation-type=value1)
>
>     T2: R(mid, acl2, activation-type=value2)
>
>     T3: R(mid, acl1, activation-type=value2)
>
>     T4: R(mid)
>
>     ...
>
>     Now, if acl attributes are included in a request with a new mid, we need to specify how activation-type (and acl-list in general) can be updated. We do have two options:
>
>      1. Update the draft with this NEW text:
>
>        If 'acl-list', 'acl-name', and 'activation-type' attributes are
>
>        included in the initial mitigation request (that is, a mitigation
>
>        request with a new 'mid'), the DOTS client may update the
>
>        'acl-list' as an active attack evolves.  To do so, the DOTS
>
>        client MUST repeat all the other parameters as sent in the original
>
>        mitigation request apart from a possible change to the 'acl-list’
>
>        and the lifetime parameter values.
>
>     And the signal channel spec as follows:
>
>        For a mitigation request to continue beyond the initial negotiated
>
>        lifetime, the DOTS client has to refresh the current mitigation
>
>        request by sending a new PUT request..  This PUT request MUST use the
>
>        same 'mid' value, and MUST repeat all the other parameters as sent in
>
>        the original mitigation request apart from a possible change to the
>
>        lifetime parameter value or other changes to attributes defined in future extensions.
>
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>     For example:
>
>     T0: R(mid, acl1, activation-type=value1)
>
>     T1: R(mid, acl2, activation-type=value2)
>
>     T2: R(mid, acl1, activation-type=value2)
>
>     ..
>
>      2. Require a new mid each time a client has to insert acl attributes.
>
>     For example:
>
>     T0: R(mid0)
>
>     T1: R(mid1, acl1, activation-type=value1)
>
>     T2: R(mid2, acl2, activation-type=value2)
>
>     T3: R(mid3, acl1, activation-type=value2)
>
>     ...
>
>     Thoughts?
>
>     Cheers,
>
>     Med
>
>     _______________________________________________
>
>     Dots mailing list
>
>     Dots@ietf.org <mailto:Dots@ietf.org>
>
>     https://www.ietf.org/mailman/listinfo/dots
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email