IETF Logo Mail Archive

Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 08 August 2016 06:46 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED9F127058 for <dots@ietfa.amsl.com>; Sun, 7 Aug 2016 23:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.768
X-Spam-Level:
X-Spam-Status: No, score=-15.768 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id upTjiptxtOFG for <dots@ietfa.amsl.com>; Sun, 7 Aug 2016 23:46:09 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1C57120727 for <dots@ietf.org>; Sun, 7 Aug 2016 23:46:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5753; q=dns/txt; s=iport; t=1470638769; x=1471848369; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=BKQDPLhSSQnGGFIzHkybDIo/KU5YzS16V2kjULZbbSM=; b=KBM4VQ5QQ4IkTRpn7dqmgF52P58e9MSXiJDnmHhUPVnSF9+QcOKj0802 hVSh06pzxamd5fqk88mcscV4/wTd65A9WEokP3UlfTvVHwLsZx5i6PhtM Gh0Yq2GY3V6yx2QNUmz8UjRVJjmxejw90+qzbZw+/lhgcJC+thM4i/BC+ A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BXAgCQKahX/4YNJK1dg0VWfAe5CIF9JIV5AoExOBQBAQEBAQEBXSeEXgEBBAEBATg0CQcHBAIBCBEEAQEBHgkHJwsUCAEIAgQBEgiIIQgOwlYBAQEBAQEBAQEBAQEBAQEBAQEBAQEchiqETYQcAQ2FcQWOGIVdhUQBhhyIZoFyToQNiH2GZIVQg3cBHjaCEhyBTG6FegElIH8BAQE
X-IronPort-AV: E=Sophos;i="5.28,488,1464652800"; d="scan'208";a="137387763"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Aug 2016 06:46:08 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u786k8Hb023518 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Aug 2016 06:46:08 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 8 Aug 2016 01:46:07 -0500
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1210.000; Mon, 8 Aug 2016 01:46:07 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
Thread-Index: AQHR11jVVEDsCwAAOkiBthaVHADSf6ALBdQQgBlqbACAGkrkcA==
Date: Mon, 08 Aug 2016 06:46:07 +0000
Message-ID: <f00f640674e24663ac738f759898bc2e@XCH-RCD-017.cisco.com>
References: <20160706073427.7900.59549.idtracker@ietfa.amsl.com> <50de5af611944788898536433cc1dfbd@XCH-RCD-017.cisco.com> <e5c1665f-4a5b-dc52-602f-66aab2e310d6@nttv6.jp>
In-Reply-To: <e5c1665f-4a5b-dc52-602f-66aab2e310d6@nttv6.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.93.112]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Y9RVgzeBarZoIWr9CFSJ-CdW-58>
Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 06:46:11 -0000

Hi Kaname,

Yes, DOTS data channel should also cover pre-provisioning. As per our discussion at IETF, will remove DOTS channel from this draft, and create a new draft and pick specific sections and JSON attributes from draft-nishizuka-dots-inter-domain-mechanism and include pre-provisioning. 

Please see inline

> -----Original Message-----
> From: kaname nishizuka [mailto:kaname@nttv6.jp]
> Sent: Friday, July 22, 2016 12:22 PM
> To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; dots@ietf.org
> Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots-
> transport-05.txt
> 
> Hi Tiru,
> 
> I have a comment on section 6.  DOTS Data Channel.
> 
>   * Data channel is for bulk data exchanges
>   * Rough Consensus @ Design Team Meeting: Data channel is for pre-
> provisioning

Yup.

> 
> I think we need 2 types of filtering.
> 1. filtering which limit the scope of mitigation
>   * example
>       - if an organization have other sites from which only legitimate traffic in
> coming and is afraid of false positive, the sites should be treated as a
> exception of mitigation with white-list.

Yes, white-list rules can also be created using the DOTS data channel discussed in the draft (see traffic-rate attribute defined in DOTS data channel). 

>       - if a service is working only on port 80, traffic destined to other port can
> be dropped without any consideration.

Yes, the above rule can also be provisioned during peacetime using the DOTS data channel proposed in the draft.

>   * this type of filtering may be installed in pre-provisioning phase (on data
> channel)
>        - can be changed even while it is under attack

What is the use case for changing these type of filters during the attack ?

> 
>   Also there should be a limitation on a request
>   * requests from DOTS clients should be limited

It's an implementation detail, what do you suggest needs to be discussed in this draft ?

>       - request for blocking, rate-limiting, etc.. can be another attack vector if the
> request is spoofed.

DOTS client has to authenticate to the DOTS server, how will DOTS requests be spoofed ?

>       - limitation on possible range of target (=IP addresses/prefixes) should be
> pre-defined per customer basis.
>       - installed in pre-provisioning phase (on data channel)

Agreed.

> 
>   [note]:this filtering is required without regard to protection methods

I did not get the above line, please clarify.

> 
> 2. filtering instruction for mitigation
>   * filtering of traffic is one of protection methods taken by mitigators

Okay.

>   * DOTS client can request filtering of traffic with desired action (blocking,
> rate-limiting...)
>   * instructed while it is under attack (on signaling channel)

DOTS signaling channel does not signal filtering rules, it's the job of DOTS data channel.

> 
> Data model of Filtering Rules described in section 6 (DOTS Data Channel)
> looks like type 2 of filtering.

No, Filtering rules can be provisioned either before or during the attack.
I will update the draft to clarify, currently the draft is only high-lighting the example of black-list rules provisioned during an attack.

-Tiru

> So I think it looks like for signaling channel.
> 
> 
> best regards,
> kaname nishizuka
> 
> 
> On 2016/07/06 9:46, Tirumaleswar Reddy (tireddy) wrote:
> > Added new section https://tools.ietf.org/html/draft-reddy-dots-transport-
> 05#section-8 to discuss about mutual authentication of DOTS Agents &
> authorization of DOTS clients. Comments and suggestions are welcome.
> >
> > Cheers,
> > -Tiru
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Wednesday, July 06, 2016 1:04 PM
> > To: Prashanth Patil (praspati); Dan Wing (dwing); Mike Geller
> > (mgeller); Robert Moskowitz; Mohamed Boucadair; Tirumaleswar Reddy
> > (tireddy)
> > Subject: New Version Notification for
> > draft-reddy-dots-transport-05.txt
> >
> >
> > A new version of I-D, draft-reddy-dots-transport-05.txt has been
> > successfully submitted by Tirumaleswar Reddy and posted to the IETF
> > repository.
> >
> > Name:		draft-reddy-dots-transport
> > Revision:	05
> > Title:		Co-operative DDoS Mitigation
> > Document date:	2016-07-06
> > Group:		Individual Submission
> > Pages:		26
> > URL:            https://www.ietf.org/internet-drafts/draft-reddy-dots-transport-
> 05.txt
> > Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-transport/
> > Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-transport-05
> > Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-dots-transport-05
> >
> > Abstract:
> >     This document specifies a mechanism that a DOTS client can use to
> >     signal that a network is under a Distributed Denial-of-Service (DDoS)
> >     attack to an upstream DOTS server so that appropriate mitigation
> >     actions are undertaken (including, blackhole, drop, rate-limit, or
> >     add to watch list) on the suspect traffic.  The document specifies
> >     both DOTS signal and data channels.  Happy Eyeballs considerations
> >     for the DOTS signal channel are also elaborated.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email