Re: [Dots] clarification questions from the hackathon
<mohamed.boucadair@orange.com> Tue, 02 April 2019 05:15 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98CC4120086 for <dots@ietfa.amsl.com>; Mon, 1 Apr 2019 22:15:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSxJrLtHCGVC for <dots@ietfa.amsl.com>; Mon, 1 Apr 2019 22:14:57 -0700 (PDT)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29A6A12001E for <dots@ietf.org>; Mon, 1 Apr 2019 22:14:57 -0700 (PDT)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar25.francetelecom.fr (ESMTP service) with ESMTP id 44YHTB6kTMz8tKV; Tue, 2 Apr 2019 07:14:54 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.57]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 44YHTB5YXszCqkt; Tue, 2 Apr 2019 07:14:54 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM6D.corporate.adroot.infra.ftgroup ([fe80::4c24:f1ba:2b1:e490%21]) with mapi id 14.03.0439.000; Tue, 2 Apr 2019 07:14:54 +0200
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Jon Shallow <supjps-ietf@jpshallow.com>, kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] clarification questions from the hackathon
Thread-Index: AdTliGx+SHuMyqAwQXGIbxMDIEwnuAAFAkKAALfbG4AABL07wAAAeoKgAAOXWlAAHPOt0A==
Date: Tue, 02 Apr 2019 05:14:54 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA50DA9@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <108a01d4e588$72f886b0$58e99410$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302EA4F27E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA50720@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279064CD877BD1FEF041DE88EA550@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA5092C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790507E1356AA360777DAEDEA550@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790507E1356AA360777DAEDEA550@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/X9fGwC578N2UZ4uyELUIFkDw9e4>
Subject: Re: [Dots] clarification questions from the hackathon
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 05:15:01 -0000
Hi Tiru, I entered a new issue for the ACL stats: https://github.com/boucadair/filter-control/issues/1 Cheers, Med > -----Message d'origine----- > De : Dots [mailto:dots-bounces@ietf.org] De la part de Konda, Tirumaleswar > Reddy > Envoyé : lundi 1 avril 2019 17:27 > À : BOUCADAIR Mohamed TGI/OLN; Jon Shallow; kaname nishizuka; dots@ietf.org > Objet : Re: [Dots] clarification questions from the hackathon > > > > > -----Original Message----- > > From: mohamed.boucadair@orange.com > > <mohamed.boucadair@orange.com> > > Sent: Monday, April 1, 2019 7:32 PM > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; > > Jon Shallow <supjps-ietf@jpshallow.com>; kaname nishizuka > > <kaname@nttv6.jp>; dots@ietf.org > > Subject: RE: [Dots] clarification questions from the hackathon > > > > This email originated from outside of the organization. Do not click links > or > > open attachments unless you recognize the sender and know the content is > > safe. > > > > Hi Tiru, > > > > Please see inline. > > > > Cheers, > > Med > > > > > -----Message d'origine----- > > > De : Konda, Tirumaleswar Reddy > > > [mailto:TirumaleswarReddy_Konda@McAfee.com] > > > Envoyé : lundi 1 avril 2019 15:31 > > > À : BOUCADAIR Mohamed TGI/OLN; Jon Shallow; kaname nishizuka; > > > dots@ietf.org Objet : RE: [Dots] clarification questions from the > > > hackathon > > > > > > Update looks good, couple of points to consider: > > > > > > 1> when the mitigation request is successfully applied, the response > > > 1> must > > > include the acl-* attributes conveyed in the request (as per RFC7252 > > > 5.9.1.1). > > > > [Med] I hesitated to add this one. What is the purpose of returning the > acl-* > > in the response given that 2.01/2.04 are explicit that the type was > > successfully updated. Receiving a response such as the one in Figure 10 of > > the signal channel is straightforward. > > Yup. > > > > > > 2> It looks useful to return the activated ACL statistics, for example > > > 2> If the > > > client activates a rate-limit ACL, the ACL could be applied at the PE > > > router (because the DMS is not capable of handling the attack volume). > > > The rate- limit ACL will rate-limit both legitimate and attack > > > traffic, and the DMS will scrub the rate-limited traffic and drop the > > > attack traffic. The client may want to know the statistics of the > > > traffic dropped because of the rate- limit ACL. > > > > [Med] This one needs more discussion, IMO. I suggest to leave this one open > > for future revisions. > > Sure, please add to github issues for tracking purpose. > > -Tiru > > > > > > > > > -Tiru > > > > > > > -----Original Message----- > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of > > > > mohamed.boucadair@orange.com > > > > Sent: Monday, April 1, 2019 4:43 PM > > > > To: Jon Shallow <supjps-ietf@jpshallow.com>; kaname nishizuka > > > > <kaname@nttv6.jp>; dots@ietf.org > > > > Subject: Re: [Dots] clarification questions from the hackathon > > > > > > > > This email originated from outside of the organization. Do not click > > > > links > > > or > > > > open attachments unless you recognize the sender and know the > > > > content is safe. > > > > > > > > Jon, Kaname, all, > > > > > > > > FWIW, a proposal to integrate the interop comments is available at: > > > > https://github.com/boucadair/filter-control/blob/master/wdiff%20draf > > > > t- > > > > nishizuka-dots-signal-control-filtering-05.txt%20draft-nishizuka-dot > > > > s- > > > signal- > > > > control-filtering-06.pdf > > > > > > > > Cheers, > > > > Med > > > > > > > > > > > > > > > > > > > -----Message d'origine----- > > > > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de > > > > > > > > kaname nishizuka Envoyé : jeudi 28 mars 2019 11:38 À : > > > > > > > > dots@ietf.org Objet : [Dots] clarification questions from > > > > > > > > the hackathon > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > I'd like to continue discussion of these topics in the ML. > > > > > > > > > > > > > > > > #1: Questions about signal-control-filtering > > > > > > > > 1. Should a mitigation request create a mitigation before > > > > > > > > doing a PUT > > > > > + > > > > > > > > acl-list [{acl-name, activation-type}] against the active > > > > > > > > mitigation, > > > > > or > > > > > > is a > > > > > > > > ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to > > > > > > > > create a new mitigation? > > > > > > > > > > > > > > [Med] Both are currently allowed in the draft. I don't still a > > > > > > > valid > > > > > reason > > > > > > to > > > > > > > restrict this. > > > > > > > > > > > > [Jon] As per draft > > > > > > A DOTS client MUST NOT use the filtering control over DOTS > signal > > > > > > channel if no attack (mitigation) is active; > > > > > > > > > > > > > > > > [Med] What is meant actually is: > > > > > > > > > > A DOTS client MUST NOT use the filtering control over DOTS signal > > > > > channel in 'idle' time; > > > > > > > > > > Will update the text. > > > > > > > > > > > [Jon] then needs to be reworded as there is no active mitigation > > > > > > until the PUT is done... > > > > > > I believe that both cases should be supported. > > > > > > > > > > > > > > > 2. Should the response to a GET (or Observed GET) include > > > > > > > > the > > > > > > > > acl- > > > > > list > > > > > > > > [{acl-name, activation-type}] if the PUT included it? > > > > > > > > > > > > > > [Med] The current spec says "no". That's said, what would be > > > > > > > the value in returning it? Then, why not allowing to return > > > > > > > the references to all ACLs > > > > > > that > > > > > > > are enabled during the mitigation time? > > > > > > > > > > > > > [Jon] When observing the mitigation request, if the > > > > > > activation-type is changed externally, the client will then know > about > > the change. > > > > > > Assuming > > > > > the > > > > > > response got back to the client, this is effectively an ACK to > > > > > > the fact > > > > > that > > > > > > the ACL change got through. > > > > > > > > > > [Med] The observe case makes sense, indeed. > > > > > > > > > > > > > > > > > Interesting concept about knowing about all the relevant ACLs as > > > > > > returned over the signal channel. More work for the server to > > > > > > do in determining > > > > > which > > > > > > ACLs are valid for, say, a specific IP address that is being > mitigated. > > > > > Not > > > > > > entirely convinced of the benefit of this as this generally is > > > > > > available > > > > > over > > > > > > the data channel. > > > > > > > > > > > > > > > > [Med] I'm not convinced, either. > > > > > > > > > _______________________________________________ > > > > Dots mailing list > > > > Dots@ietf.org > > > > https://www.ietf.org/mailman/listinfo/dots > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] clarification questions from the hackathon kaname nishizuka
- Re: [Dots] clarification questions from the hacka… Olli Vanhoja
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… Jon Shallow
- Re: [Dots] clarification questions from the hacka… Konda, Tirumaleswar Reddy
- Re: [Dots] clarification questions from the hacka… Jon Shallow
- Re: [Dots] clarification questions from the hacka… Konda, Tirumaleswar Reddy
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… kaname nishizuka
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… Jon Shallow
- Re: [Dots] clarification questions from the hacka… Konda, Tirumaleswar Reddy
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair
- Re: [Dots] clarification questions from the hacka… Konda, Tirumaleswar Reddy
- Re: [Dots] clarification questions from the hacka… mohamed.boucadair