IETF Logo Mail Archive

Re: [Dots] Adoption call for draft-reddy-dots-home-network-04

Daniel Migault <daniel.migault@ericsson.com> Mon, 15 April 2019 16:04 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74BDF1203E6; Mon, 15 Apr 2019 09:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1qBMhsRhjGh; Mon, 15 Apr 2019 09:04:23 -0700 (PDT)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20C7E1203DE; Mon, 15 Apr 2019 09:04:20 -0700 (PDT)
Received: by mail-lf1-f42.google.com with SMTP id j20so649173lfh.2; Mon, 15 Apr 2019 09:04:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HyF4XMW2oJvZGvmfg8vkBLtvl4sZbVZlcI49Q77PG2g=; b=IiIl/XPdUkcEKdzhv4jWzTDe9VgrKvVxxb+AbMkCE5Kx83Setr797vQ743jI1p73rl 4D6hE0wPJUKkZoYuotZp2W2BpDJTL1voX69/DuE/dw/UVw/y2v5vQ543CS9vW+2/bU6a 2aRKUCVgP15/HAsjut68RDNBTlnlEdH36h7KLQvQXBdFK3+1XOLu3JOE9x2duwKK8cG5 EYcQ80GTZNXx8I94TCd0ZlxX4QBrKSh9Y88KVDdpj5BmnfWuzIqAlxSub2FPdGYeV/s4 Nhll/qq6piVMe2qEefoAFZf5ltzUs3f/qN2A7LA9xm8JQCNGK6eP33e5DpBCEuDwuvrv /sWQ==
X-Gm-Message-State: APjAAAVH1Znaf6z9rUVbDDAY7chVefAJmCkSsLLSjX7GQw/zwxZSv7HK kyrQ8sGFci36YecOfR3w+h49c5lHiqrzn8jKm38=
X-Google-Smtp-Source: APXvYqxQDeE5uicAag08QlUmbVcaKCC+rHiF831qoW863eUh3jwfaFallAswkV7b4T9CBWqNDD+kfhY0KhzMP94wHvU=
X-Received: by 2002:ac2:50d5:: with SMTP id h21mr7105704lfm.44.1555344258168; Mon, 15 Apr 2019 09:04:18 -0700 (PDT)
MIME-Version: 1.0
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <30E95A901DB42F44BA42D69DB20DFA6A69F3A581@nkgeml513-mbx.china.huawei.com>
In-Reply-To: <30E95A901DB42F44BA42D69DB20DFA6A69F3A581@nkgeml513-mbx.china.huawei.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 15 Apr 2019 12:04:07 -0400
Message-ID: <CADZyTkmtyO25-JiHMicZDUL2F+5RXpnFPsYHmyn67yfHTns5fA@mail.gmail.com>
To: "Panwei (William)" <william.panwei@huawei.com>
Cc: Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="00000000000002fbcd058693ce74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/_9vhWHZ6-fCALz8HAx3wpPm9NFY>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 16:04:26 -0000

I support the adoption of the draft, please see my comments on the current
version. None of them should be considered as preventing the adoption.

Yours,
Daniel

Some random comments:


Section 1:

"""
   Some of the DDoS attacks like spoofed RST or FIN packets, Slowloris,
   and TLS re-negotiation are difficult to detect on the home network
   devices without adversely affecting its performance.  The reason is
   typically home routers have fast path to boost the throughput.  For
   every new TCP/UDP flow, only the first few packets are punted through
   the slow path.  Hence, it is not possible to detect various DDoS
   attacks in the slow path, since the attack payload is sent to the
   target server after the flow is switched to fast path.  Deep packet
   inspection (DPI) of all the packets of a flow would be able to detect
   some of the attacks.  However, a full-fledged DPI to detect these
   type of DDoS attacks is functionally or operationally not possible
   for all the devices attached to the home network owing to the memory
   and CPU limitations of the home routers.  Further, for certain DDoS
   attacks the ability to distinguish legitimate traffic from attacker
   traffic on a per packet basis is complex.  This complexity originates
   from the fact that the packet itself may look "legitimate" and no
   attack signature can be identified.  The anomaly can be identified
   only after detailed statistical analysis.
"""

I understand, the paragraph below as saying that detection at the ISP is
easier than at the homenet level as the ISP aggregates the traffic. This
is correct and I agree with the text. However, if we are going a bit
further, the detection is even easier to the DDoS target. I believe that
the same mechanism could be deployed between a DDoS target, its Cloud
provider major ISPs up to the origin. The example of the Homenet and the
ISP is only one bound but the mechanism can be generalized and actually
help coordination between independent domains.  I believe the draft can
be placed in a larger perspective.


Section 3.1 Procedure:

I am not convinced this is the right approach to switch the roles
between clients and servers. I believe that while the previous dots
signal-channel was foreseeing the relation as asymmetric, we are now
considering DOTS Client and DOTS Server as mostly symmetric. Maybe one
way to see this could be to have a DOTS communication between different
entities, and exchanges can be in both directions. The one initiating
the exchange could be designated as DOTS Initiator, while the receiving
side is the DOTS Responder.

Here is a more concrete example while Client / Server  might be
confusing. When  a server sends an alert when under attach it is designated
as the DOTS Client, while the same client specifying these IP addresses
are detected as belonging to an attacker will be the Server.

It seems also to me that establishment of the (D)TLS channel can be sent
by any other peer, not necessarily the peer sending further
notification/request. Typically the DOTS Client may have set the DOTS
channel protected by (D)TLS, and the DOTS Server may re-use that exact
same channel.

I am also wondering if the support of the extension is agreed or
announced. If so this would ease the negotiation of which peer is able
to handle the requests and be a "Server".


I believe the clarification and comparison with the
"traditional"/"initial" DOTS use cases is useful and needs to stay for
clarification purpose. However, one should make sure also that such
signalling can also be made with a signal dots signalling established in
the initial use cases. Typically, the DOTS client may have set the DOTS
channel and set a DTLS session which could carry the signalling of the
draft.


On Sun, Apr 14, 2019 at 11:06 PM Panwei (William) <william.panwei@huawei.com>
wrote:

> Hi,
>
> I support adoption of this draft.
>
> Best Regards
> Wei Pan
>
> -----Original Message-----
> From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Monday, April 08, 2019 11:29 PM
> To: dots@ietf.org
> Cc: dots-chairs@ietf.org; kaduk@mit.edu
> Subject: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
> Hi all,
>
> the chairs recently received an adoption request for
> draft-reddy-dots-home-network-04.
>
> This message starts a two-week adoption call for
> draft-reddy-dots-home-network-04.
> The call ends up on Tuesday, April the 23rd.
>
> Please send your opinion regarding adoption of this document to the list
> before this date.
> If you think the draft should be adopted, please indicate whether you're
> willing to review it/to work on it. If you think the draft should not be
> adopted, please explain why.
>
> Regards,
> Frank & Valery.
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>

v2.23.0 | Report a Bug | By Email