Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

<mohamed.boucadair@orange.com> Fri, 02 August 2019 11:55 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A83B120096 for <dots@ietfa.amsl.com>; Fri, 2 Aug 2019 04:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLnyj0jqLumX for <dots@ietfa.amsl.com>; Fri, 2 Aug 2019 04:55:42 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8772C120033 for <dots@ietf.org>; Fri, 2 Aug 2019 04:55:42 -0700 (PDT)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) by opfednr24.francetelecom.fr (ESMTP service) with ESMTP id 460QbJ4Wttz1yYK; Fri, 2 Aug 2019 13:55:40 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.95]) by opfednr03.francetelecom.fr (ESMTP service) with ESMTP id 460QbJ3lZLzDqB8; Fri, 2 Aug 2019 13:55:40 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM24.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0468.000; Fri, 2 Aug 2019 13:55:40 +0200
From: <mohamed.boucadair@orange.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, H Y <yuuhei.hayashi@gmail.com>
CC: tirumal reddy <kondtir@gmail.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
Thread-Index: AQHVMzOPnOaVrHF+zEGZ3qoxuOmz7qbYNT+AgAGVHKCAAAbagIAAAf6QgAAE3gCAAAhfgP///5jQgA27AICAAD/vgIAAEHlw
Date: Fri, 2 Aug 2019 11:55:39 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B9330312FBBF3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <156233245922.21720.2303446065970922340.idtracker@ietfa.amsl.com> <CAFpG3gcgpJRyLSoLkOMuUWY8pZrBPDCCz6-sc8A=1KW3GMpm+g@mail.gmail.com> <CAA8pjUPY+GDGxNhqDCWsh-6aGnYoOL+A5pGaE=2BaE5j8rY41g@mail.gmail.com> <DM5PR16MB17051F8C7697FE7DAF88AEC4EAC60@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312E739F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB17050D182A4BE8C3B7EFDC3EEAC60@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312E73FA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAA8pjUPe8rf6m2xy2S+JzhTN+xMm_9f3+OaBAsAnY7aV43g11A@mail.gmail.com> <DM5PR16MB17055E4630A2413CB7D212DBEAC60@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FB914@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170543EFE7B366D14F8EE015EAD90@DM5PR16MB1705.namprd16.prod.outlook.com>
In-Reply-To: <DM5PR16MB170543EFE7B366D14F8EE015EAD90@DM5PR16MB1705.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ZgQRV4wBAqm-ZsvQRH-S3gyj9SE>
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 11:55:46 -0000

Re-,

Fully agree. This is why I was referring to "a local knowledge of an attack". 

We may record such "warnings" in the telemetry I-D. 

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : vendredi 2 août 2019 13:11
> À : BOUCADAIR Mohamed TGI/OLN; H Y
> Cc : tirumal reddy; dots@ietf.org
> Objet : RE: [Dots] Fwd: New Version Notification for draft-reddy-dots-
> telemetry-00.txt
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>;
> > Sent: Friday, August 2, 2019 12:36 PM
> > To: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>;; H Y
> > <yuuhei.hayashi@gmail.com>;
> > Cc: tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
> > Subject: RE: [Dots] Fwd: New Version Notification for draft-reddy-dots-
> > telemetry-00.txt
> >
> > This email originated from outside of the organization. Do not click
> links or
> > open attachments unless you recognize the sender and know the content is
> > safe.
> >
> > Hi Tiru,
> >
> > These questions are valid ones when it comes to decide which mitigation
> > actions to apply. Nevertheless, the source information is part of the
> > characterization of an attack at given time. This does not mean that we
> > necessarily rely on it to mitigate, but this is not excluded either.
> 
> The use of this top-talkers attribute and it's use to black-list traffic
> (or mitigation) needs to be clearly articulated. It can potentially
> adversely impact the mitigated resource service
> to spoofed top-taker IP addresses.
> 
> -Tiru
> 
> >
> > The source information can be included in the notification use case
> already
> > described by Kaname in this thread, or if the mitigator is enforcing
> policies
> > based on the source information (because of a local knowledge of an
> attack)
> > but reaches a limit, it can delegate the policy to a L3 orchestrator
> (Yuhei case).
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : mercredi 24 juillet 2019 15:35 À : H Y; BOUCADAIR Mohamed
> > > TGI/OLN Cc : tirumal reddy; dots@ietf.org Objet : RE: [Dots] Fwd: New
> > > Version Notification for draft-reddy-dots- telemetry-00.txt
> > >
> > > Hi Yuhei,
> > >
> > > What is stopping the attacker to frequently change the IP address
> > > (especially with IPv6) ?
> > > What kind of attack traffic is generated by the top talkers and what
> > > happens if the top talkers are spoofed IP addresses (e.g.
> > > amplification
> > > attack) ?
> > >
> > > Cheers,
> > > -Tiru
> > >
> > > > -----Original Message-----
> > > > From: H Y <yuuhei.hayashi@gmail.com>;
> > > > Sent: Wednesday, July 24, 2019 6:57 PM
> > > > To: Mohamed Boucadair <mohamed.boucadair@orange.com>;
> > > > Cc: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>;;
> > > > tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
> > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > draft-reddy-dots- telemetry-00.txt
> > > >
> > > >
> > > >
> > > > Hi Med,
> > > >
> > > > > [Med] Yes. My point is if one has to return a list of top-talkers
> > > > > in
> > > terms of
> > > > pps, another list of top-talkers in terms of second_criteria, or
> > > > other information relying on source-prefix dedicated attributes will
> > > > be needed because this cannot be inferred from the current
> > > > source-prefix
> > > attribute.
> > > > [hayashi] +1. This top-talker information is helpful for the
> > > orchestrator to
> > > > decide which attack traffic should be blocked preferentially in
> network.
> > > The
> > > > criteria information is also needed.
> > > >
> > > > Thanks,
> > > > Yuhei
> > > >
> > > > 2019年7月24日(水) 8:56 <mohamed.boucadair@orange.com>;:
> > > > >
> > > > > Re-,
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Message d'origine-----
> > > > > > De : Konda, Tirumaleswar Reddy
> > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > Envoyé : mercredi 24 juillet 2019 14:45 À : BOUCADAIR Mohamed
> > > > > > TGI/OLN; H Y; tirumal reddy Cc : dots@ietf.org Objet : RE:
> > > > > > [Dots]
> > > > > > Fwd: New Version Notification for draft-reddy-dots-
> > > > > > telemetry-00.txt
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: mohamed.boucadair@orange.com
> > > > <mohamed.boucadair@orange.com>;
> > > > > > > Sent: Wednesday, July 24, 2019 6:02 PM
> > > > > > > To: Konda, Tirumaleswar Reddy
> > > > > > > <TirumaleswarReddy_Konda@McAfee.com>;; H Y
> > > > > > > <yuuhei.hayashi@gmail.com>;; tirumal reddy <kondtir@gmail.com>;
> > > > > > > Cc: dots@ietf.org
> > > > > > > Subject: RE: [Dots] Fwd: New Version Notification for
> > > > > > > draft-reddy-dots- telemetry-00.txt
> > > > > > >
> > > > > > > This email originated from outside of the organization. Do not
> > > > > > > click
> > > > > > links or
> > > > > > > open attachments unless you recognize the sender and know the
> > > > > > > content is safe.
> > > > > > >
> > > > > > > Hi Tiru,
> > > > > > >
> > > > > > > That’s true...but fragmentation is a general issue each time
> > > > > > > we need to supply more telemetry information in the signal
> channel.
> > > > > > > As already
> > > > > > noted in
> > > > > > > the draft, we will need to figure out when it is better to
> > > > > > > provide some telemetry information using data channel.
> > > > > >
> > > > > > Yes, normal traffic baseline attributes can be conveyed in the
> > > > > > DOTS data channel and traffic from top talkers can also be
> > > > > > blocked/rate-limited using the DOTS data channel during peace
> time.
> > > > > >
> > > > > > >
> > > > > > > BTW, "top talker" can already be supplied using source-prefix
> > > attribute.
> > > > > > > Whether top-talker needs to be defined as a separated
> > > > > > > attribute, but structured as a list of source-prefixes is a
> > > > > > > design details (if the WG
> > > > > > agrees to
> > > > > > > include it in the telemetry information).
> > > > > >
> > > > > > Source-prefix is already a list/array.
> > > > >
> > > > > [Med] Yes. My point is if one has to return a list of top-talkers
> > > > > in
> > > terms of
> > > > pps, another list of top-talkers in terms of second_criteria, or
> > > > other information relying on source-prefix dedicated attributes will
> > > > be needed because this cannot be inferred from the current
> > > > source-prefix
> > > attribute.
> > > > >
> > > > > >
> > > > > > >
> > > > > > > Anyway, let's continue collecting candidate telemetry
> > > > > > > information and
> > > > > > then
> > > > > > > make a selection in a second phase.
> > > > > >
> > > > > > Sure.
> > > > > >
> > > > > > Cheers,
> > > > > > -Tiru
> > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Med
> > > > > > >
> > > > > > > > -----Message d'origine-----
> > > > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de
> > > > > > > > Konda, Tirumaleswar Reddy Envoyé : mercredi 24 juillet 2019
> > > > > > > > 14:18 À : H Y; tirumal reddy Cc : dots@ietf.org Objet : Re:
> > > > > > > > [Dots] Fwd: New Version Notification for draft-reddy-dots-
> > > > > > > > telemetry-00.txt
> > > > > > > >
> > > > > > > > Hi Yuhei,
> > > > > > > >
> > > > > > > > Thanks for the support. The problem is fragmentation of the
> > > > > > > > DOTS telemetry message, DOTS Telemetry is sent over the DOTS
> > > > > > > > signal channel using UDP and the message size cannot exceed
> > PMTU.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > -Tiru
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Dots <dots-bounces@ietf.org>; On Behalf Of H Y
> > > > > > > > > Sent: Tuesday, July 23, 2019 5:28 PM
> > > > > > > > > To: tirumal reddy <kondtir@gmail.com>;
> > > > > > > > > Cc: dots@ietf.org
> > > > > > > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > > > > > > draft-reddy-dots- telemetry-00.txt
> > > > > > > > >
> > > > > > > > > This email originated from outside of the organization. Do
> > > > > > > > > not click
> > > > > > > > links or
> > > > > > > > > open attachments unless you recognize the sender and know
> > > > > > > > > the content is safe.
> > > > > > > > >
> > > > > > > > > Hi Tiru,
> > > > > > > > >
> > > > > > > > > I read the draft and I also support this draft.
> > > > > > > > > Sending detail information about attack traffic helps my
> > > > > > > > > dms offload
> > > > > > > > scenario
> > > > > > > > > because the orchestrator can decide what to do based on
> > > > > > > > > the detail information.
> > > > > > > > >
> > > > > > > > > IMO, "top talker" attribute defined in my previous draft
> > > > > > > > > is also
> > > > > > > > feasible to
> > > > > > > > > send and effective to mitigate attack correctly.
> > > > > > > > > https://datatracker.ietf.org/doc/draft-h-dots-mitigation-o
> > > > > > > > > fflo
> > > > > > > > > ad-
> > > > > > > > expansion/
> > > > > > > > > What do you think about including the top talker attribute
> > > > > > > > > to the
> > > > > > > > telemetry?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Yuhei
> > > > > > > > >
> > > > > > > > > 2019年7月5日(金) 9:21 tirumal reddy <kondtir@gmail.com>;:
> > > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > https://tools.ietf.org/html/draft-reddy-dots-telemetry-0
> > > > > > > > > > 0
> > > > > > > > > > aims to
> > > > > > > > enrich
> > > > > > > > > DOTS protocols with various telemetry attributes allowing
> > > > > > > > > optimal DDoS attack mitigation. This document specifies
> > > > > > > > > the normal traffic baseline
> > > > > > > > and
> > > > > > > > > attack traffic telemetry attributes a DOTS client can
> > > > > > > > > convey to its DOTS
> > > > > > > > server
> > > > > > > > > in the mitigation request, the mitigation status telemetry
> > > > > > > > > attributes a
> > > > > > > > DOTS
> > > > > > > > > server can communicate to a DOTS client, and the
> > > > > > > > > mitigation efficacy telemetry attributes a DOTS client can
> > > > > > > > > communicate to
> > > a
> > > > DOTS server.
> > > > > > > > The
> > > > > > > > > telemetry attributes can assist the mitigator to choose
> > > > > > > > > the DDoS
> > > > > > > > mitigation
> > > > > > > > > techniques and perform optimal DDoS attack mitigation.
> > > > > > > > > >
> > > > > > > > > > Comments, suggestions, and questions are more than
> > welcome.
> > > > > > > > > >
> > > > > > > > > > Cheers,
> > > > > > > > > > -Tiru
> > > > > > > > > >
> > > > > > > > > > ---------- Forwarded message ---------
> > > > > > > > > > From: <internet-drafts@ietf.org>;
> > > > > > > > > > Date: Fri, 5 Jul 2019 at 18:44
> > > > > > > > > > Subject: New Version Notification for
> > > > > > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > > > > > > To: Tirumaleswar Reddy <kondtir@gmail.com>;, Ehud Doron
> > > > > > > > > > <ehudd@radware.com>;, Mohamed Boucadair
> > > > > > > > > <mohamed.boucadair@orange.com>;
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > A new version of I-D, draft-reddy-dots-telemetry-00.txt
> > > > > > > > > > has been successfully submitted by Tirumaleswar Reddy
> > > > > > > > > > and posted to the IETF repository.
> > > > > > > > > >
> > > > > > > > > > Name:           draft-reddy-dots-telemetry
> > > > > > > > > > Revision:       00
> > > > > > > > > > Title:          Distributed Denial-of-Service Open
> Threat
> > > > > > Signaling
> > > > > > > > (DOTS)
> > > > > > > > > Telemetry
> > > > > > > > > > Document date:  2019-07-05
> > > > > > > > > > Group:          Individual Submission
> > > > > > > > > > Pages:          13
> > > > > > > > > > URL:            https://www.ietf.org/internet-
> drafts/draft-
> > > reddy-
> > > > > > dots-
> > > > > > > > > telemetry-00.txt
> > > > > > > > > > Status:         https://datatracker.ietf.org/doc/draft-
> > > reddy-dots-
> > > > > > > > telemetry/
> > > > > > > > > > Htmlized:       https://tools.ietf.org/html/draft-reddy-
> > > dots-
> > > > > > > > telemetry-00
> > > > > > > > > > Htmlized:
> https://datatracker.ietf.org/doc/html/draft-
> > > reddy-
> > > > > > > > dots-
> > > > > > > > > telemetry
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Abstract:
> > > > > > > > > >    This document aims to enrich DOTS signal channel
> > > > > > > > > > protocol
> > > with
> > > > > > > > > >    various telemetry attributes allowing optimal DDoS
> > > > > > > > > > attack
> > > > > > > > mitigation.
> > > > > > > > > >    This document specifies the normal traffic baseline
> > > > > > > > > > and
> > > attack
> > > > > > > > > >    traffic telemetry attributes a DOTS client can convey
> > > > > > > > > > to its
> > > > > > DOTS
> > > > > > > > > >    server in the mitigation request, the mitigation
> > > > > > > > > > status
> > > > > > telemetry
> > > > > > > > > >    attributes a DOTS server can communicate to a DOTS
> > > > > > > > > > client, and
> > > > > > the
> > > > > > > > > >    mitigation efficacy telemetry attributes a DOTS
> > > > > > > > > > client
> > > can
> > > > > > > > > >    communicate to a DOTS server.  The telemetry
> > > > > > > > > > attributes can
> > > > > > assist
> > > > > > > > > >    the mitigator to choose the DDoS mitigation
> > > > > > > > > > techniques and
> > > > > > perform
> > > > > > > > > >    optimal DDoS attack mitigation.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Please note that it may take a couple of minutes from
> > > > > > > > > > the time of submission until the htmlized version and
> > > > > > > > > > diff are available at
> > > > > > > > tools.ietf.org.
> > > > > > > > > >
> > > > > > > > > > The IETF Secretariat
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Dots mailing list
> > > > > > > > > > Dots@ietf.org
> > > > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > ----------------------------------
> > > > > > > > > Yuuhei HAYASHI
> > > > > > > > > 08065300884
> > > > > > > > > yuuhei.hayashi@gmail.com
> > > > > > > > > iehuuy_0220@docomo.ne.jp
> > > > > > > > > ----------------------------------
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Dots mailing list
> > > > > > > > > Dots@ietf.org
> > > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > > > _______________________________________________
> > > > > > > > Dots mailing list
> > > > > > > > Dots@ietf.org
> > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > >
> > > >
> > > >
> > > > --
> > > > ----------------------------------
> > > > Yuuhei HAYASHI
> > > > 08065300884
> > > > yuuhei.hayashi@gmail.com
> > > > iehuuy_0220@docomo.ne.jp
> > > > ----------------------------------