IETF Logo Mail Archive

Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 23 November 2018 08:07 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A446712EB11 for <dots@ietfa.amsl.com>; Fri, 23 Nov 2018 00:07:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.75
X-Spam-Level:
X-Spam-Status: No, score=-5.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQyP4qKF2pON for <dots@ietfa.amsl.com>; Fri, 23 Nov 2018 00:07:24 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4391412D4ED for <dots@ietf.org>; Fri, 23 Nov 2018 00:07:23 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1542960450; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=maLoeEX6I/XiWV+9CLWxZP8+fugJ/N2ivfh+Of v3h9A=; b=Al0nsV6yw1SGJnGNjyDLxX5K0j5naMYEsFYF540P C3bVR5gb3939618sWVUwmIlL3fkcMTjWPwwfcvkNscKrDVLksI 1v3wXXRPfPa+CrUOydy0cfA0bFWB7hivvRaeUN+m08BVgK0nmW Hk8/WThJr5EBFe0t7RdHLqDUehbLnpo=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 37fd_3319_6e0dcfe2_2fb2_4a98_bae6_b6fab744321f; Fri, 23 Nov 2018 02:07:29 -0600
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 23 Nov 2018 01:07:10 -0700
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 23 Nov 2018 01:07:09 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Fri, 23 Nov 2018 01:07:09 -0700
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 23 Nov 2018 01:07:09 -0700
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1698.namprd16.prod.outlook.com (10.172.28.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1361.16; Fri, 23 Nov 2018 08:07:06 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::b8de:7bb:cfa3:22ee]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::b8de:7bb:cfa3:22ee%7]) with mapi id 15.20.1339.031; Fri, 23 Nov 2018 08:07:06 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Panwei (William)" <william.panwei@huawei.com>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Suggestions about draft-nishizuka-dots-signal-control-filtering
Thread-Index: AdSC2Ej8DSdTqLnvSrCjmhwDCo0iGAAGppVQAAH4AWA=
Date: Fri, 23 Nov 2018 08:07:06 +0000
Message-ID: <BN6PR16MB1425B54BBE4A0C328CA52EB5EAD40@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <30E95A901DB42F44BA42D69DB20DFA6A608D444A@nkgeml513-mbx.china.huawei.com> <787AE7BB302AE849A7480A190F8B93302E04C4D0@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302E04C4D0@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.500.52
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1698; 6:mHja1LotcUElQeHmmaOSo4NtyydBclvodMBuPF9ja3lLM124EBT3XSUj0yiMw/t9otgUwl9qQeDYUr4tUJZodZt/n/Dco4njagKNQBr3wxK8+++2kvwpxyV7MP60SuVHAAi8QtqO4xmzzeCyoHi8SJIlTq2D9VXMn6SxGtAasbKg5uvX8kMgBynjkTWYadIeu0USOus+8EJozQKZbeefX6DhI/7wuetHMNNZSHxXdTAcozQnx+IQKyMvWYQgNezhtq77J2PHg1Ah5kdaDMaUaj0MklSx+Pz+Y1G46THH+IhT9iIWVavRCndufiEKiMQ0UZU36kl9fvQJtImtBgm0aaCFdUM0Oln+fxuW97inrQ5gTbRnwWrnXkNP8zoQi0pPnFfupQu0EMndokon974U0TehuFz/1JD0edO3hHD1FnXDx8La+I5xHHOwMKTtoZLW0crAuN+DMTDocykfljQFbA==; 5:3KLqqq+5pf0If3akjfwfhTnEIGbeIPUwcYqGnjruSrWsUXjSO2VtpInyNlJkEMkLiyz+pdRFPOYw5JU3w0H6trobZA8/9gI/ROpXjMSY6yRdA7b0HX1kZ7qlZCNR3kVVlD+CbWCnnjAh1y1/p3pV/EEdatm2gGnaGTqv6q78gp8=; 7:jHzoeqcVgvBS6R4GUh07aX0nd8NqK5af+e2KgpeB3KiywX8ETViv6Jw0TwLm+7VadCAOjXPXvVd5TThuDbIe5UNB+MZwAqVEjRaEUkZYlPLwKHEQF9XmDUCW2mujbwPFfRdTJISB/83YKYRWG7ThvQ==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d4fb4e86-035c-410d-b3e4-08d6511aa8d9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1698;
x-ms-traffictypediagnostic: BN6PR16MB1698:
x-microsoft-antispam-prvs: <BN6PR16MB1698701BF47F47B04B48128BEAD40@BN6PR16MB1698.namprd16.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3231442)(944501410)(4982022)(52105112)(3002001)(148016)(149066)(150057)(6041310)(20161123560045)(20161123558120)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:BN6PR16MB1698; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1698;
x-forefront-prvs: 086597191B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(346002)(366004)(376002)(199004)(189003)(32952001)(97736004)(256004)(14444005)(5024004)(486006)(21615005)(476003)(606006)(6246003)(53936002)(2900100001)(66066001)(102836004)(186003)(71200400001)(71190400001)(99286004)(4326008)(25786009)(72206003)(966005)(2501003)(5660300001)(478600001)(14454004)(68736007)(236005)(9686003)(55016002)(54896002)(86362001)(6306002)(53946003)(790700001)(3846002)(6116002)(229853002)(81156014)(81166006)(8676002)(316002)(8936002)(2906002)(33656002)(110136005)(11346002)(4001150100001)(446003)(105586002)(106356001)(76176011)(26005)(7696005)(80792005)(6506007)(53546011)(74316002)(6436002)(7736002)(85282002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1698; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: efzQ0ibiZPkl2NDJasPM0eR24NRfTmvh6sAFC+qv9QQdR4UTTDEGil6vh6ruxDiHGmFUX2KxP7/hN643x4CzG43NTdriSYevDICOAP5vF8ZMSt8aEXFnzzY5djtjxyW+lPt9pb/HCHKEsiCF6dk0s76vn/NZ/lc2OAeu3i8o7HcGNLuyXXUPDJU56XJ3AQpmkt518P2spTggL3X0eWPO76VPa25YSijK3AyjwC778wUmRvs7UFNwh5f79LJtreE9wXQug4rLAwcqjieS7KNtHOptlZazh+GLKoOjq4QesVs/kRdk9UAETuPN4P4ln+cLcXuB6AQvGA+pQd/1d4Pz1YK7X+3z6EPDXGByrjAMfMA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR16MB1425B54BBE4A0C328CA52EB5EAD40BN6PR16MB1425namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d4fb4e86-035c-410d-b3e4-08d6511aa8d9
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Nov 2018 08:07:06.1780 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1698
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6424> : inlines <6970> : streams <1805081> : uri <2754262>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/YAjoKd6dFKWIRyihKQHMt0fGHhU>
Subject: Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 08:07:28 -0000

If accept-listed sources are attacking the target, the DOTS server cannot turn-off the accept-list filtering rules without the consent from the DOTS client. DOTS server can inform the DOTS client of the conflict and/or the DOTS client with DDoS detection capability can identify the attack, and using the signal channel de-activate the accept-list filtering rules.

“accept-list” does not mean only the traffic matching the accept-list will be allowed to reach the target.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
Sent: Friday, November 23, 2018 12:04 PM
To: Panwei (William) <william.panwei@huawei.com>; kaname nishizuka <kaname@nttv6.jp>
Cc: dots@ietf.org
Subject: Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Wei,

Please see inline.

Cheers,
Med

De : Dots [mailto:dots-bounces@ietf.org] De la part de Panwei (William)
Envoyé : vendredi 23 novembre 2018 04:09
À : kaname nishizuka
Cc : dots@ietf.org<mailto:dots@ietf.org>
Objet : [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering

Hi Kaname,

I have read your draft recently, and I have two suggestions about it.

1.      I’d like to suggest using “whitelist” or “DDoS detection whitelist” instead of “accept-list” in the typical case.

[Med] accept-list means white-list. accept-list is already used in DOTS requirements and data channel. The signal channel will make use of that term too. FWIW, that change is made because of what was reported by hrpc.

A typical case is a DOTS client which configures during peace time
filtering rules using data channel to permit traffic from accept-
listed sources, but during the volumetric DDoS attack the DDoS
mitigator identifies the source addresses/prefixes in the accept-
listed filtering rules are attacking the target. For example, an
attacker can spoof the IP addresses of accept-listed sources to
generate attack traffic or the attacker can compromise the accept-
listed sources and program them to launch DDoS attack.
In this typical case, when you use “accept-list”, it sounds like that only the traffic which match the accept-list can reach the target. I don’t know if you mean so, but if YES, I feel like the extension may not be essentially needed in such case. Because if a DDoS attack occurs in such situation, the attacker must have been included in the accept-list. The DOTS server can get this conclusion as the DOTS client can, so the DOTS server can de-activate the accept-list by its own without DOTS client’s request of filtering rules.
In my opinion, “whitelist” or “DDoS detection whitelist” is more suitable than  “accept-list”. Because it indicates that the traffic which doesn’t match the DDoS whitelist can also reach the target, as long as it passes the detection. And if a DDoS attack happens, the DOTS server can’t know if the attacker is in the whitelist. If DOTS client find that the attacker is included in the DDoS whitelist, it must request the DOTS server to de-activate the whitelist.

I’m not object to your case, I just want to make it clear and no misunderstanding.

2. I’d like to suggest adding a guideline or suggestion about using signal channel to control filtering rules.
The purpose of using DOTS signal channel to control filtering rules is trying to help mitigate the DDoS attack when under attack time. This purpose should also be the guideline.
Requests which can help mitigate the attack should be send by the signal channel immediately. Requests which can’t help mitigate the attack should wait for the data channel to be re-established and then be sent by the data channel.
For example, during attack time, de-activating a drop-list (or blacklist) or activating a accept-list (or whitelist) may usually not help mitigate the DDoS attack. So If there is no necessary reason, these two requests should wait for using the data channel.

[Med] Agree. We do have the following in -01:

   A DOTS client relies on the information received from the DOTS server
   and/or local information to the DOTS client domain to trigger a
   filter control request.  Obviously, only filters that are pertinent
   for an ongoing mitigation should be controlled by a DOTS client using
   the DOTS signal channel.

And

   The DOTS client can also decide to send a PUT request to deactivate
   the "an-accept-list" ACL, if suspect traffic is received from an
   accept-listed source (2001:db8:1234::/48).  The structure of that PUT
   is the same as the one shown in Figure 4.


Best Regards
Wei Pan

发件人: Dots [mailto:dots-bounces@ietf.org] 代表 kaname nishizuka
发送时间: 2018年11月21日 9:50
收件人: dots@ietf.org<mailto:dots@ietf.org>
主题: [Dots] Fwd: I-D Action: draft-nishizuka-dots-signal-control-filtering-00.txt

Hi,

Base on the discussion of Bangkok interop: control data channel filtering via signal channel,
we've submitted the new draft for an extension to the DOTS signal channel to control the filtering rules during attack mitigation.

thanks,
Kaname Nishizuka



-------- Forwarded Message --------
Subject:

I-D Action: draft-nishizuka-dots-signal-control-filtering-00.txt

Date:

Tue, 20 Nov 2018 17:42:13 -0800

From:

internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

Reply-To:

internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

To:

i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>



A New Internet-Draft is available from the on-line Internet-Drafts directories.





        Title           : Controlling Filtering Rules Using DOTS Signal Channel

        Authors         : Kaname Nishizuka

                          Takahiko Nagata

                          Tirumaleswar Reddy

                          Mohamed Boucadair

    Filename        : draft-nishizuka-dots-signal-control-filtering-00.txt

    Pages           : 11

    Date            : 2018-11-20



Abstract:

   This document specifies an extension to the DOTS signal channel to

   control the filtering rules during attack mitigation.



   This extension allows a DOTS client to activate or de-activate

   filtering rules during a DDoS attack.  The characterization of these

   filters is supposed to be conveyed by a DOTS client during peace time

   by means of DOTS data channel.



Editorial Note (To be removed by RFC Editor)



   Please update these statements within the document with the RFC

   number to be assigned to this document:



   o  "This version of this YANG module is part of RFC XXXX;"



   o  "RFC XXXX: Controlling Filtering Rules Using DOTS Signal Channel";



   o  reference: RFC XXXX



   o  [RFCXXXX]



   Please update these statements with the RFC number to be assigned to

   the following documents:



   o  "RFC SSSS: Distributed Denial-of-Service Open Threat Signaling

      (DOTS) Signal Channel Specification" (used to be

      [I-D.ietf-dots-signal-channel])



   o  "RFC DDDD: Distributed Denial-of-Service Open Threat Signaling

      (DOTS) Data Channel Specification" (used to be

      [I-D.ietf-dots-data-channel])



   Please update the "revision" date of the YANG module.





The IETF datatracker status page for this draft is:

https://datatracker.ietf.org/doc/draft-nishizuka-dots-signal-control-filtering/



There are also htmlized versions available at:

https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-00

https://datatracker.ietf.org/doc/html/draft-nishizuka-dots-signal-control-filtering-00





Please note that it may take a couple of minutes from the time of submission

until the htmlized version and diff are available at tools.ietf.org.



Internet-Drafts are also available by anonymous FTP at:

ftp://ftp.ietf.org/internet-drafts/



_______________________________________________

I-D-Announce mailing list

I-D-Announce@ietf.org<mailto:I-D-Announce@ietf.org>

https://www.ietf..org/mailman/listinfo/i-d-announce<https://www.ietf.org/mailman/listinfo/i-d-announce>

Internet-Draft directories: http://www.ietf.org/shadow.html

or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

v2.23.0 | Report a Bug | By Email