IETF Logo Mail Archive

Re: [Dots] draft-h-dots-mitigation-offload-expansion-00: Reasons why we want to standardize between DMS and orchestrator using DOTS

Yuhei Hayashi <hayashi.yuhei@lab.ntt.co.jp> Wed, 12 December 2018 10:12 UTC

Return-Path: <hayashi.yuhei@lab.ntt.co.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FC412777C for <dots@ietfa.amsl.com>; Wed, 12 Dec 2018 02:12:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRK3w-X-BExD for <dots@ietfa.amsl.com>; Wed, 12 Dec 2018 02:12:28 -0800 (PST)
Received: from tama500.ecl.ntt.co.jp (tama500.ecl.ntt.co.jp [129.60.39.148]) by ietfa.amsl.com (Postfix) with ESMTP id 46C0812F18C for <dots@ietf.org>; Wed, 12 Dec 2018 02:12:27 -0800 (PST)
Received: from vc2.ecl.ntt.co.jp (vc2.ecl.ntt.co.jp [129.60.86.154]) by tama500.ecl.ntt.co.jp (8.13.8/8.13.8) with ESMTP id wBCACR9V003091 for <dots@ietf.org>; Wed, 12 Dec 2018 19:12:27 +0900
Received: from vc2.ecl.ntt.co.jp (localhost [127.0.0.1]) by vc2.ecl.ntt.co.jp (Postfix) with ESMTP id 74AAE638D99 for <dots@ietf.org>; Wed, 12 Dec 2018 19:12:27 +0900 (JST)
Received: from jcms-pop21.ecl.ntt.co.jp (jcms-pop21.ecl.ntt.co.jp [129.60.87.134]) by vc2.ecl.ntt.co.jp (Postfix) with ESMTP id 69766638D91 for <dots@ietf.org>; Wed, 12 Dec 2018 19:12:27 +0900 (JST)
Received: from [IPv6:::1] (unknown [129.60.13.46]) by jcms-pop21.ecl.ntt.co.jp (Postfix) with ESMTPSA id 65347400A71 for <dots@ietf.org>; Wed, 12 Dec 2018 19:12:27 +0900 (JST)
References: <60792ae9-9e70-bfda-cd2c-a1112c7dbb29@lab.ntt.co.jp> <BN6PR16MB14259B2A1F59C56414853489EAA90@BN6PR16MB1425.namprd16.prod.outlook.com> <71e1c3d0-16a2-c7d2-3ed8-aa4ab303e9f3@lab.ntt.co.jp> <BN6PR16MB14257571D49FBD871E784300EAA50@BN6PR16MB1425.namprd16.prod.outlook.com>
From: Yuhei Hayashi <hayashi.yuhei@lab.ntt.co.jp>
Message-ID: <5c0baa90-1cc2-2fb2-5542-29f37ce9bf32@lab.ntt.co.jp>
Date: Wed, 12 Dec 2018 19:11:13 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <BN6PR16MB14257571D49FBD871E784300EAA50@BN6PR16MB1425.namprd16.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CC-Mail-RelayStamp: 1
To: "dots@ietf.org" <dots@ietf.org>
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Z82bcZ8XhfNsQWTKbzFl64l6hAE>
Subject: Re: [Dots] draft-h-dots-mitigation-offload-expansion-00: Reasons why we want to standardize between DMS and orchestrator using DOTS
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2018 10:12:31 -0000

Hi Tiru,

>> If the DOTS data channel is capable of doing the job, Why do you see the need to extend the signal channel protocol ?
Through this discussion, I get the feeling that it's not necessary to expand signal channel if the data channel can do the job about intra-domain DDoS offload usecase.
I will check whether the data channel can do the job or not through test of the usecase.

>>>From a protocol perspective, do you see any differences b/w "intra-domain" and "inter-domain" DDoS offload use cases ?
>> The new use cases is interesting to signal the attacker information when the mitigation is in progress, and the link b/w the DMS and Orchestrator won't be congested, so DOTS data channel can be used
>> to convey the drop-listed filtering rules.

So far, I consider inter-domain DDoS offload usecase like as below.
- Downstream NW has in-line DMS and upstream NW has Orchestrator.
- When downstream NW is attacked and the DMS is saturated, the downstream NW sends offload request with target and attacker information to the Orchestrator in upstream NW via link b/w the downstream NW and the upstream NW.
- In upstream NW, orchestrator orders routers to block the attack traffic using the target and attacker information.

Based on IETF 103 hackathon report, all of the data-channel communications fail in attack-time.
So I think DOTS data channel can't be used to convey attacker information about the usecase.
https://datatracker.ietf.org/meeting/103/materials/slides-103-dots-interop-report-from-ietf-103-hackathon-00

Thanks,
Yuhei

On 2018/12/10 21:58, Konda, Tirumaleswar Reddy wrote:
>> -----Original Message-----
>> From: Dots <dots-bounces@ietf.org> On Behalf Of Yuhei Hayashi
>> Sent: Monday, December 10, 2018 5:27 PM
>> To: dots@ietf.org
>> Subject: Re: [Dots] draft-h-dots-mitigation-offload-expansion-00: Reasons why
>> we want to standardize between DMS and orchestrator using DOTS
>>
>> This email originated from outside of the organization. Do not click links or
>> open attachments unless you recognize the sender and know the content is safe.
>>
>> Hi Tiru,
>>
>> Thank you for advising!
>> I will consider to use not only expanded signal channel but also data channel to
>> the intra-domain DDoS offload usecase.
> 
> If the DOTS data channel is capable of doing the job, Why do you see the need to extend the signal channel protocol ?
> 
>>
>> I'm considering to add "inter-domain" DDoS offload usecase to my draft.
> 
>>From a protocol perspective, do you see any differences b/w "intra-domain" and "inter-domain" DDoS offload use cases ?
> 
>> I will also consider which channel,expanded signal channel or data channel, is
>> suitable to send attacker information under attack situation.
> 
> The new use cases is interesting to signal the attacker information when the mitigation is in progress, and the link b/w the DMS and Orchestrator won't be congested, so DOTS data channel can be used
> to convey the drop-listed filtering rules.
> 
> Cheers,
> -Tiru
> 
>>
>> Thanks,
>> Yuhei
>>
>> On 2018/12/06 23:20, Konda, Tirumaleswar Reddy wrote:
>>>> -----Original Message-----
>>>> From: Dots <dots-bounces@ietf.org> On Behalf Of Yuhei Hayashi
>>>> Sent: Thursday, November 29, 2018 2:15 PM
>>>> To: dots@ietf.org
>>>> Subject: [Dots] draft-h-dots-mitigation-offload-expansion-00: Reasons
>>>> why we want to standardize between DMS and orchestrator using DOTS
>>>>
>>>> This email originated from outside of the organization. Do not click
>>>> links or open attachments unless you recognize the sender and know the
>> content is safe.
>>>>
>>>> Hi Tiru, Flemming,
>>>>
>>>> Thank you for asking question for my draft
>>>> "draft-h-dots-mitigation-offload- expansion-00" in IETF103.
>>>>
>>>> I'm sorry I'm late for answering the question.
>>>> These questions are similar so I will answer the question in this one thread.
>>>>> Q: (Tiru Reddy) Why the DMS must use DOTS to talk to the orchestrator?
>>>>> Q: (Flemming Andreasen) Is it worthwhile to standardize the
>>>>> communication
>>>> between the DMS with the orchestrator?
>>>> https://datatracker.ietf.org/meeting/103/materials/minutes-103-dots-0
>>>> 0
>>>>
>>>> We want to use various and latest DMS in DDoS Orchestration usecase
>>>> because DDoS attacks evolve day by day.
>>>>
>>>> However, syslog format varies from DMS to DMS.
>>>> There is no standardized IF or API between DMS and Orchestrator, so
>>>> we have to develop IF module on orchestrator for adapting the DMS to the
>> orchestrator.
>>>> I think it is obstacle to use various DMS in DDoS Orchestration usecase.
>>>>
>>>> We are paying attention to DOTS, which is being debated the most as a
>>>> standard for signaling related to DDoS.
>>>
>>> The list of top attackers could be huge, DOTS signal channel is supposed to
>> have small message sizes.
>>> DOTS data channel can be used to managing filters. Why not use DOTS data
>> channel to block the traffic from the top N attackers to the target ?
>>>
>>> Cheers,
>>> -Tiru
>>>
>>>>
>>>> Thanks,
>>>> Yuhei
>>>>
>>>> -----------------------------------------
>>>> Nippon Telegraph and Telephone Corporation
>>>>     Network Service Systems Laboratories
>>>>      Transport Service Platform Innovation Project
>>>>       Transport Service Systems Development Project
>>>>        Yuhei Hayashi
>>>> 0422-59-3485
>>>> hayashi.yuhei@lab.ntt.co.jp
>>>>
>>>> _______________________________________________
>>>> Dots mailing list
>>>> Dots@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dots
>>>
>> -----------------------------------------
>> Nippon Telegraph and Telephone Corporation
>>    Network Service Systems Laboratories
>>     Transport Service Platform Innovation Project
>>      Transport Service Systems Development Project
>>       Yuhei Hayashi
>> 0422-59-3485
>> hayashi.yuhei@lab.ntt.co.jp
>>
>> _______________________________________________
>> Dots mailing list
>> Dots@ietf.org
>> https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
> 
-----------------------------------------
Nippon Telegraph and Telephone Corporation
  Network Service Systems Laboratories
   Transport Service Platform Innovation Project
    Transport Service Systems Development Project
     Yuhei Hayashi
0422-59-3485
hayashi.yuhei@lab.ntt.co.jp

v2.23.0 | Report a Bug | By Email