Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

"Zhenghui (Marvin)" <marvin.zhenghui@huawei.com> Tue, 14 March 2017 03:37 UTC

From: "Zhenghui (Marvin)" <marvin.zhenghui@huawei.com>
To: Roland Dobbins <rdobbins@arbor.net>, "dots@ietf.org" <dots@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ZTtKOYOmiZbOb2jjcvgWYz324lU>

Thanks Roland, your comment is well received.

The description of 'connection sampling' in the previous draft has been removed. In the new draft, currently we are focusing on the concept of TCP connection tracking.

Best Regards,
Zhenghui (Marvin)

-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Roland Dobbins
Sent: Monday, March 13, 2017 4:42 PM
To: dots@ietf.org
Subject: Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

On 13 Mar 2017, at 14:37, Zhenghui (Marvin) wrote:

> So, we’d like to hear from the WG, is that some pointers can be given 
> on the next step of the draft,

The draft belies a lack of understanding of how current IPFIX capabilities are utilized every day to detect, classify, and traceback DDoS attacks.  It makes factually incorrect statements such as 'not suitable for attack detection', and impractical suggestions such as 'connection sampling' which a) won't work on routers/layer-3 switches of any size and b) are unnecessary.

It is suggested that the authors of the draft gain operational experience using existing IPFIX implementations and IPFIX collection/analysis systems in order to fully understand the utility of IPFIX as presently defined as well as the full range of capabilities of IPFIX collection/analysis systems.  It would also be a good idea for the authors of the draft to understand the division of labor between IPFIX exporters and IPFIX collectors/analyzers, as well as the capabilities and limitations of hardware-based routing/switching platforms.

> We submitted this draft to DOTS because IPFIX WG had been closed

It is entirely possible to re-open the IPFIX WG, if it is deemed useful to do so.  The authors of the draft should contact the appropriate Area Director in order to discuss.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
