Re: [Dots] Dots Digest, Vol 45, Issue 3
kaname nishizuka <kaname@nttv6.jp> Mon, 05 November 2018 16:48 UTC
Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF89127133 for <dots@ietfa.amsl.com>; Mon, 5 Nov 2018 08:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvLqJ0D7EXZr for <dots@ietfa.amsl.com>; Mon, 5 Nov 2018 08:47:57 -0800 (PST)
Received: from guri.nttv6.jp (guri.nttv6.jp [IPv6:2402:c800:ff06:136::140]) by ietfa.amsl.com (Postfix) with ESMTP id 0C6A8124408 for <dots@ietf.org>; Mon, 5 Nov 2018 08:47:57 -0800 (PST)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 2A47325F6BD; Tue, 6 Nov 2018 01:47:55 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1541436475; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=y1xrYbvvSCgLkVdCOgF0HJDicZh2ZUc7yBQsjRAF5Lw=; b=cS3sMWiodDGEDovPWzsSZy7gOT0N7ZejGpoK0gyqjClE8YfzO19Rne3CyxcERCNR7+uBUQ AGwwdWzwnopNipj1gT1nYzKiC3teo9IKOzGHZdUPyVzq4c9/CkBeboaF+7DLkT7Ti8rw7D II8HfgZf7jt4BvQilsujk3O09ck6iOc=
Received: from dhcp-9ab0.meeting.ietf.org (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id C70E6763508; Tue, 6 Nov 2018 01:47:54 +0900 (JST)
To: Yuhei Hayashi <hayashi.yuhei@lab.ntt.co.jp>, dots@ietf.org
References: <mailman.84.1541271619.8736.dots@ietf.org> <f3a508b0-1ff0-4d77-2023-2263dd7db78f@lab.ntt.co.jp>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <ae9412d9-4268-43ac-c93e-5433564388dd@nttv6.jp>
Date: Tue, 06 Nov 2018 01:47:54 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <f3a508b0-1ff0-4d77-2023-2263dd7db78f@lab.ntt.co.jp>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results: guri.nttv6.jp; spf=pass smtp.mailfrom=kaname@nttv6.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/XXl9bFZa5npL9cQCcVCYES0nMus>
Subject: Re: [Dots] Dots Digest, Vol 45, Issue 3
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 16:48:01 -0000
Hi Yuhei, I'd advise you to keep the thread of discussions for readability and traceability (don't mix replies in one mail). I can't see you're replying to whom. Then, here is my comment: The proposal of this draft is adding source IP address information in the signal channel. Sometimes source IP address information is important, sometimes not. I'd like to list up the cases source IP address information is useful (or not). # useful protection with source IP address Given source IP addresses of an attack is clear from a vantage point of an ISP: 1. The attack is coming from a few number of specific source IP addresses - call home usecase can be classified here? 2. The attack is coming from a particular group of source IP addresses - there could be some bias in distribution of attack sources of an AMP attack. # the cases a protection with source IP address is not useful 1. source IP addresses are spoofed(randomize) - source IP addresses are time varying 2. widely distributed AMP attack with thousands of amplifying devices - stopping only a few of them is not effective thanks, Kaname On 2018/11/05 11:12, Yuhei Hayashi wrote: > Hi, all > > Thank you for comments and feedback. > >> ** After the telemetry system makes the mitigation request in (1), will the orchestrator block on a response awaiting for action from the network administrator (as the text notes that the 'network administrator' will confirm the request)? > [Yuhei] > It's just my mistake. > I want to express that request (1) or (2) can be selected by the network's policy as below. > > <alt> [triggered by telemetry/monitoring system] > (1)[telemetry system]->[orchestrator]: DOTS Mitigation Request > [triggered by network administrator] > (2)[network admin]->[orchestrator]: DOTS Mitigation Request > >> ** Is there an implicit out-of-band channel between the orchestrator and network admins to enable (2)? > [Yuhei] > Yes. > >> Why does the network admin have to be a DOTS client rather than a function in the orchestrator (out of scope for DOTS)? > [Yuhei] > I referred the current use-case draft, and it describes use case (fig. 4) where network admin has DOTS client functionality. > https://www.ietf.org/id/draft-ietf-dots-use-cases-16.txt > > Hence, I described so, however, I also think it can be a function of orchestrator. > >> ** Will the mitigation status requests back to the telemetry system and network admins in (1) and (2) be the same? > [Yuhei] > Yes. > >> ** Is the traffic examined by the DMS the same as seen by the telemetry systems? > [Yuhei] > Yes. > >> How was the DMS tasked to examine the traffic -- was that an implicit communication channel from the orchestrator >> ** If the orchestrator tasked the routers/switches per (3) to handle the attack traffic, how did the DMS get involved in the mitigation? What's the difference between the attack traffic handled by (3) and the DMS? How is that coordination happening? > [Yuhei] > Töma's opinion is correct for me. >> Actually, the orchestrator doesn't ask for handling the *attack* >> traffic during the step 3. At this point, routers still have no clue >> about what's the attack traffic is (they only know who's the target, >> as reported by the telemetry system), so they just start routing *all* >> of the inbound traffic (including legitimate one) coming towards the >> target IP address or IP prefix, via the DMS. > > After request (3), DMS examines the suspicious traffic redirected by the routers, with information of target IP address or IP prefix reported by DOTS client. > >> This draft is a) [imperfectly] duplicative of existing functionality such as flowspec > [Yuhei] > What I'd like to propose is to use DOTS protocol, not flowspec, in "(4) [DMS]->[orchestrator]: DOTS Mitigation Request". > And I'd like DOTS client to send attacker information at the time to filter attack traffic correctly at "(5) [orchestrator]->[routers/switch]". > > In the current DOTS specification, sending attacker information is out of scope, so I’d like to expand it. > >> and b) in need of further consideration and refinement, IMHO. >> Suggest strongly that additional contributors with relevant technical and operational experience should be involved in re-working this draft from a conceptual level onwards. > [Yuhei] > I'm searching those who has same concepts or requirements that DOTS client send attacker information by signal channel. > > We are looking for more proponents of this draft, and are under discussion with some DOTS folks. > Actually, I received some positive feedback and I believe that this proposal useful for further work of DOTS-WG. > > Thanks, > Yuhei > > > On 2018/11/04 4:00, dots-request@ietf.org wrote: >> Send Dots mailing list submissions to >> dots@ietf.org >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.ietf.org/mailman/listinfo/dots >> or, via email, send a message with subject or body 'help' to >> dots-request@ietf.org >> >> You can reach the person managing the list at >> dots-owner@ietf.org >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Dots digest..." >> >> >> >> Today's Topics: >> >> 1. Workflow question about >> draft-h-dots-mitigation-offload-expansion-00 (Roman Danyliw) >> 2. Re: Workflow question about >> draft-h-dots-mitigation-offload-expansion-00 (T?ma Gavrichenkov) >> 3. Re: Workflow question about >> draft-h-dots-mitigation-offload-expansion-00 (Dobbins, Roland) >> >> >> >> _______________________________________________ >> Dots mailing list >> Dots@ietf.org >> https://www.ietf.org/mailman/listinfo/dots >> > ----------------------------------------- > Nippon Telegraph and Telephone Corporation > Network Service Systems Laboratories > Transport Service Platform Innovation Project > Transport Service Systems Development Project > Yuhei Hayashi > 0422-59-3485 > hayashi.yuhei@lab.ntt.co.jp > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- Re: [Dots] Dots Digest, Vol 45, Issue 3 Yuhei Hayashi
- Re: [Dots] Dots Digest, Vol 45, Issue 3 kaname nishizuka