IETF Logo Mail Archive

Re: [Dots] WGLC for draft-ietf-dots-multihoming-07

Valery Smyslov <smyslov.ietf@gmail.com> Fri, 19 November 2021 08:51 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A73C3A0CAB; Fri, 19 Nov 2021 00:51:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sBXVnYFcIw5C; Fri, 19 Nov 2021 00:51:01 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1D63A0D1E; Fri, 19 Nov 2021 00:50:57 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id bu18so40375912lfb.0; Fri, 19 Nov 2021 00:50:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:content-language :thread-index; bh=saC2cnqDQo3lDSjhD4u1S97BjogwNZwAvGm6P9+zT/4=; b=EMRgQFUBj+ufER3+SGtERrTIoMdmjmArIQ+4DqM5eWeN8D5d9kqXPKh+zMv1uwfaDz FNuU3jfyv8pdVrL+YRjigiY4hT8r1XQ0Gbk7BzHJKhie9dBr6bhcldE8EkHytrv02gMI 3V+hydV/2BVefcv+bo3iSLjQu9BraMDdsaYiDdlPZ2k328pypbZDd25rpWhCpzg1A495 9CR2dgSdoLSyTBdpR3ix7JFLzFFCDmjmLTrZgK2ECmwAiAjvGMdMxJ2tIpi8MFgGruMc zD4zw/sem5j5FEnfk4fDXyL5eb5o5veY60Nt31FbuH8X3o1nNoHoQbeR2NiMI1OP7dge uR/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:content-language :thread-index; bh=saC2cnqDQo3lDSjhD4u1S97BjogwNZwAvGm6P9+zT/4=; b=AcHzaPv1xZeb/BUWq9PhXMK/llaa3aDqHkFXtRxC4aHo1xdwdZkxjcNyQymmTZZ3yj Nxs5DNdjjbyFHRFmBlgh2QYmxboO1VnCJRod0fyihiJqCwxVrM+EhwD1fjOvqmNPiI3T w7eUbvM0rm+h0TqJWkLgyVcauxU4xeSryXnWVHSRTgz1zmv6ua7JfNyGwpzcCOymVm85 YDLjaLYC+YXKO8NEGroQ8GksP1BxJ56iSHeZLQXS5GI6i45GzBUm43pcknPw9FU0FAlT ZBTmgP02R7xyo6VjqDSJ2lH1GNsSDE/9gwOCRQ+HJEwAXnL/2/rnz32bSiukiOwPy3mx YOTg==
X-Gm-Message-State: AOAM533cLAddYTtoFwJoxtHw+COIKi1xUdGpRfPda573VJHn4aa6FfaE KsLaZQKAmYU3zT+td0hie8FWU3hefmE=
X-Google-Smtp-Source: ABdhPJxrAAQzZkYvU4UGy4aXZj1m9aOGyFY728KqA+IcHYeEc7tPOfDLEDEd/R0LuHDP2tU+VxNeyA==
X-Received: by 2002:a2e:bd08:: with SMTP id n8mr23967933ljq.160.1637311850433; Fri, 19 Nov 2021 00:50:50 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id v19sm231558ljg.8.2021.11.19.00.50.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 Nov 2021 00:50:49 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: mohamed.boucadair@orange.com, 'Valery Smyslov' <valery@smyslov.net>, dots@ietf.org
Cc: dots-chairs@ietf.org, draft-ietf-dots-multihoming@ietf.org
References: <002101d7be93$c890ed10$59b2c730$@smyslov.net> <059501d7ccc8$8ad61390$a0823ab0$@smyslov.net> <29138_1637054139_619376BB_29138_50_1_787AE7BB302AE849A7480A190F8B93303545258E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <29138_1637054139_619376BB_29138_50_1_787AE7BB302AE849A7480A190F8B93303545258E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Fri, 19 Nov 2021 11:50:52 +0300
Message-ID: <174101d7dd22$8f6cd5a0$ae4680e0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQH6belXfbSp5MW82qMwT7ehhypeAAIsV0W/Al6AJjuroQQUoA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ZUE-cPrf6w6CKhpGQCjkPSYjFu4>
Subject: Re: [Dots] WGLC for draft-ietf-dots-multihoming-07
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2021 08:51:06 -0000

HI Med,

please see inline.

> Hi Valery,
> 
> Many thanks for the detailed review.
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > Hi,
> >
> > here is my review of the draft (sorry for delay).
> >
> > [chair hat on]
> >
> > First, I'm a bit confused why this is a Standards Track document.
> > draft explicitly states that it defines no new protocol, it only contains
> > recommendations how applications should deal with multihomed scenarios.
> >
> > Isn't Informational or BCP status more appropriate for this document?
> 
> [Med] Informational is just OK as the intent is to complement the DOTS arch. Fixed.

Good.

> > A related issue - the draft has a normative reference to RFC 8811, which
> > is an Informational RFC and is not listed in the downref registry.
> > If this draft persists as Standards Track document, this should be worked
> > around.
> 
> [Med] 8811 is cited as normative as we built on that reference architecture.

That's OK if you changed intended status to Informational.

> > [chair hat off]
> >
> > Section 4.
> >
> > I might be missing something very obvious, but from my reading of the
> > scenarios I have an impression that only those situations when upstream
> > network providers are also the DDoS mitigation providers are considered.
> > What if you have multiple ISPs and a single independent DDOS mitigation
> > provider?
> 
> [Med] This is a subcase of the ones that are discussed in the draft. Each of multiple ISPs will provision that
> independent DDoS server to the CE. The key assumption is that a DOTS server is unambiguously associated
> with the interconnection link over which it can be used.

Well, what if the independent DOTS server is configured manually, not provisioned by ISPs?
Is it possible (and how) to use it with only subset of ISPs?

>  Or you have several DDOS mitigation providers, and some of them
> > are provided by ISPs and some are independent?
> 
> [Med] This is also allowed in the current draft as we don't make an assumption of the provisioned DOTS
> server's name nor wither the same/distinct one are provisioned over each interconnection link:
> 
>    *  Each of these provisioning domains assigns IP addresses/prefixes
>       to the CPE and provides additional configuration information such
>       as a list of DNS servers, DNS suffixes associated with the
>       network, default gateway address, and DOTS server's name
>                                             ^^^^^^^^^^^^^^^^^^
>       [RFC8973].  These addresses/prefixes are assumed to be Provider-
>       ^^^^^^^^
>       Aggregatable (PA).
> 
> Please let me know if you think that an explicit statement is needed to the draft to further clarify the
> rationale.

I think it's worth to to clarify situation with manually configured independent DOTS servers,
when some of them can be used with only a subset of ISPs. 

> > Section 5.1.
> >
> >    For each provisioning domain, the DOTS client MUST resolve the DOTS
> >    server's name provided by a provisioning domain ([RFC8973]) using the
> >    DNS servers learned from the respective provisioning domain.
> >
> > What if explicit configuration (RFC8973, Section 4, item 1) is used?
> > If this case this recommendation is unnecessary.
> 
> [Med] This text refers to the DOTS server's name, that is also mentioned in (RFC8973, Section 4, item 1):
> 
>           "These may be
>           specified either as a list of IP addresses or the DNS name of
>           a DOTS server."

That's what my concern is. The draft says that you MUST resolve DOTS server's name provided by a PD
using the DNS servers from the same PD. So, what if DOTS server's name was configured manually,
not learned from PD - what DNS server to use to resolve it? Any? Should this be more explicit in the text?

> > Then, it seems to be implied that all network attachments have provided
> > CPE with DOTS servers. In this case how can happen what is described
> > earlier:
> >
> >   This implies that if no appropriate DOTS server is found,
> >    the DOTS client MUST NOT send the mitigation request to any other
> >    available DOTS server.
> >
> > I think that this situation is only possible when some network attachments
> > don't provide CPE with DOTS servers.
> 
> [Med] Agree. This is to echo this part from the introduction:
> 
>    2.  Identify DOTS deployment schemes in a multi-homing context, where
>        DOTS services can be offered by all or a subset of upstream
>                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^
>        providers.
> 
> I added this NEW sentence to the intro text of Section 4:
> 
> "In the following subsections, all or a subset of interconnection links are associated with DOTS servers."

OK.

> > Section 5.1.
> >
> >    DOTS signaling session to a
> >    given DOTS server must be established using the interface from which
> >    the DOTS server was provisioned.
> >
> > What about explicit configuration, when DOTS server IP is not associated
> > with a network interface?
> 
> [Med] An interface can also be indicated when explicit configuration is used. If no such information is
> provided, this means that the address applies for any active interface.

Please, add this clarification.

> As a reminder, RFC8973 says the following:
> 
>    The results of the discovery procedure are a function of the
>                                               ^^^^^^^^^^^^^^^^
>    interface/address family.  Contacting a discovered DOTS server via an
>    ^^^^^^^^^^
>    interface to which it is not bound may exacerbate the delay required
>    to establish a DOTS channel.  Moreover, such behavior may reveal that
>    a DOTS service is enabled by a DOTS client domain and exposes the
>    identity of the DOTS service provider (which can be inferred from the
>    name and the destination IP address) to external networks.
> 
> >
> > Section 5.2.
> >
> >    Each DOTS client SHOULD be provided with policies (e.g., a prefix
> >    filter that will be against DDoS detection alarms) that will trigger
> >    DOTS communications with the DOTS servers.  Such policies will help
> >    the DOTS client to select the appropriate destination DOTS server.
> >
> > It's unclear for me to which scenario this recommendation applies.
> > In Figure 8 each DOTS client may communicate only with a single DOTS
> > server.
> 
> [Med] It applies to both figure 7/8. Clients in Figure 8 may still receive detection alarms on resources that are
> not handled by their peer DOTS server.

It is not clear. Previously the draft says:

   Another deployment approach is to enable many DOTS clients; each of
   them is responsible for handling communications with a specific DOTS
                                                                                                           ^^^^^^^
   server (see Figure 8).

Probably some clarification is needed.

> > Related question - why SHOULD (and not MUST)?.  What if clients are not
> > provided with these policies?
> 
> [Med] SHOULD is used because in Figure 8 some filters may be applied when directing alarms to DOTS clients.

I read the sentence "Each DOTS client SHOULD be provided with policies..."
that under some conditions it's OK to not provide clients with policies (filters) at all,
that's why my question. My understanding, that they MUST be provided
always, but the policies may differ. Am I missing something?

> > Section 5.2.
> >
> >    The CPE MUST select the appropriate source IP address when forwarding
> >    DOTS messages received from an internal DOTS client.  If anycast
> >    addresses are used to reach multiple DOTS servers, the CPE may not be
> >    able to select the appropriate provisioning domain to which the
> >    mitigation request should be forwarded.  As a consequence, the
> >    request may not be forwarded to the appropriate DOTS server.
> >
> > I'm confused. What to do in this case? Using anycast addresses is NOT
> > RECOMMENDED (earlier), but is not prohibited.
> > I believe better recommendations should be given for this case.
> >
> 
> [Med] The risk here is that the mitigation request will be rejected by the DOTS server to which the CPE
> decided to froward the request. If the CPE embeds a DOTS gateways, the situation can be better as it may use
> a sequential mode. I think that NOT RECOMMENDED is appropriate.

So it's just an explanation why using anycast is not recommended?
Then, can you move it closer to the recommendation not to use anycast?

> > Section 5.3.
> >
> >    The use of anycast addresses
> >    to establish DOTS sessions between DOTS clients and DOTS gateways is
> >    not an option.
> >
> > What does "is not an option" mean?
> 
> [Med] It means that it is not a valid technical solution to fulfil the "MUST contact all" requirement, as by
> definition, only one will be selected.
> 
>  MUST NOT be used? Or impossible to use?

"Cannot be used, because <explanation>" ?

> > Section 6.
> >
> >    In particular, if a DOTS client maintains DOTS
> >    associations with specific DOTS servers per interconnection link, the
> >    DOTS client SHOULD NOT leak information specific to a given link to
> >    DOTS servers on different interconnection links that are not
> >    authorized to mitigate attacks for that given link.
> >
> > How this rule can be followed when DOTS clients send requests to all
> > available DOTS servers (with PI scenarios)?
> 
> [Med] In such case, the "information specific to a given link" will point to the target (PI@) that is authorized to
> be revealed to all servers.

OK.

Regards,
Valery.

> > Regards,
> > Valery.
> >
> >
> > > Hi,
> > >
> > > this message starts a two-week working group last call for draft-ietf-
> > dots-multihoming-07.
> > > The WGLC will end on Monday, October 25. Please, review the draft and
> > > send your comments to the mailing list.
> > >
> > > Regards,
> > > Frank & Valery.
> > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> 
> 
> ____________________________________________________________________________________________
> _____________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne
> doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le
> signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles
> d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected
> by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email