Re: [Dots] Dots Digest, Vol 45, Issue 3
Yuhei Hayashi <hayashi.yuhei@lab.ntt.co.jp> Mon, 05 November 2018 02:13 UTC
Return-Path: <hayashi.yuhei@lab.ntt.co.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBB2127333 for <dots@ietfa.amsl.com>; Sun, 4 Nov 2018 18:13:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29atf6NAhKgv for <dots@ietfa.amsl.com>; Sun, 4 Nov 2018 18:13:28 -0800 (PST)
Received: from tama500.ecl.ntt.co.jp (tama500.ecl.ntt.co.jp [129.60.39.148]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF73126BED for <dots@ietf.org>; Sun, 4 Nov 2018 18:13:27 -0800 (PST)
Received: from vc1.ecl.ntt.co.jp (vc1.ecl.ntt.co.jp [129.60.86.153]) by tama500.ecl.ntt.co.jp (8.13.8/8.13.8) with ESMTP id wA52DKET031360 for <dots@ietf.org>; Mon, 5 Nov 2018 11:13:20 +0900
Received: from vc1.ecl.ntt.co.jp (localhost [127.0.0.1]) by vc1.ecl.ntt.co.jp (Postfix) with ESMTP id D4C31EA87D2 for <dots@ietf.org>; Mon, 5 Nov 2018 11:13:20 +0900 (JST)
Received: from jcms-pop21.ecl.ntt.co.jp (jcms-pop21.ecl.ntt.co.jp [129.60.87.134]) by vc1.ecl.ntt.co.jp (Postfix) with ESMTP id C7274EA87D0 for <dots@ietf.org>; Mon, 5 Nov 2018 11:13:20 +0900 (JST)
Received: from [IPv6:::1] (unknown [129.60.13.46]) by jcms-pop21.ecl.ntt.co.jp (Postfix) with ESMTPSA id B26D4400904 for <dots@ietf.org>; Mon, 5 Nov 2018 11:13:20 +0900 (JST)
From: Yuhei Hayashi <hayashi.yuhei@lab.ntt.co.jp>
References: <mailman.84.1541271619.8736.dots@ietf.org>
Message-ID: <f3a508b0-1ff0-4d77-2023-2263dd7db78f@lab.ntt.co.jp>
Date: Mon, 05 Nov 2018 11:12:06 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <mailman.84.1541271619.8736.dots@ietf.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CC-Mail-RelayStamp: 1
To: dots@ietf.org
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/_dBTTNaYm0gAo0jZmFPkuTZ45Po>
Subject: Re: [Dots] Dots Digest, Vol 45, Issue 3
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 02:13:31 -0000
Hi, all
Thank you for comments and feedback.
> ** After the telemetry system makes the mitigation request in (1), will the orchestrator block on a response awaiting for action from the network administrator (as the text notes that the 'network administrator' will confirm the request)?
[Yuhei]
It's just my mistake.
I want to express that request (1) or (2) can be selected by the network's policy as below.
<alt> [triggered by telemetry/monitoring system]
(1)[telemetry system]->[orchestrator]: DOTS Mitigation Request
[triggered by network administrator]
(2)[network admin]->[orchestrator]: DOTS Mitigation Request
> ** Is there an implicit out-of-band channel between the orchestrator and network admins to enable (2)?
[Yuhei]
Yes.
> Why does the network admin have to be a DOTS client rather than a function in the orchestrator (out of scope for DOTS)?
[Yuhei]
I referred the current use-case draft, and it describes use case (fig. 4) where network admin has DOTS client functionality.
https://www.ietf.org/id/draft-ietf-dots-use-cases-16.txt
Hence, I described so, however, I also think it can be a function of orchestrator.
> ** Will the mitigation status requests back to the telemetry system and network admins in (1) and (2) be the same?
[Yuhei]
Yes.
> ** Is the traffic examined by the DMS the same as seen by the telemetry systems?
[Yuhei]
Yes.
> How was the DMS tasked to examine the traffic -- was that an implicit communication channel from the orchestrator
> ** If the orchestrator tasked the routers/switches per (3) to handle the attack traffic, how did the DMS get involved in the mitigation? What's the difference between the attack traffic handled by (3) and the DMS? How is that coordination happening?
[Yuhei]
Töma's opinion is correct for me.
> Actually, the orchestrator doesn't ask for handling the *attack*
> traffic during the step 3. At this point, routers still have no clue
> about what's the attack traffic is (they only know who's the target,
> as reported by the telemetry system), so they just start routing *all*
> of the inbound traffic (including legitimate one) coming towards the
> target IP address or IP prefix, via the DMS.
After request (3), DMS examines the suspicious traffic redirected by the routers, with information of target IP address or IP prefix reported by DOTS client.
> This draft is a) [imperfectly] duplicative of existing functionality
> such as flowspec
[Yuhei]
What I'd like to propose is to use DOTS protocol, not flowspec, in "(4) [DMS]->[orchestrator]: DOTS Mitigation Request".
And I'd like DOTS client to send attacker information at the time to filter attack traffic correctly at "(5) [orchestrator]->[routers/switch]".
In the current DOTS specification, sending attacker information is out of scope, so I’d like to expand it.
> and b) in need of further consideration and refinement,
> IMHO.
> Suggest strongly that additional contributors with relevant technical
> and operational experience should be involved in re-working this draft
> from a conceptual level onwards.
[Yuhei]
I'm searching those who has same concepts or requirements that DOTS client send attacker information by signal channel.
We are looking for more proponents of this draft, and are under discussion with some DOTS folks.
Actually, I received some positive feedback and I believe that this proposal useful for further work of DOTS-WG.
Thanks,
Yuhei
On 2018/11/04 4:00, dots-request@ietf.org wrote:
> Send Dots mailing list submissions to
> dots@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.ietf.org/mailman/listinfo/dots
> or, via email, send a message with subject or body 'help' to
> dots-request@ietf.org
>
> You can reach the person managing the list at
> dots-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dots digest..."
>
>
>
> Today's Topics:
>
> 1. Workflow question about
> draft-h-dots-mitigation-offload-expansion-00 (Roman Danyliw)
> 2. Re: Workflow question about
> draft-h-dots-mitigation-offload-expansion-00 (T?ma Gavrichenkov)
> 3. Re: Workflow question about
> draft-h-dots-mitigation-offload-expansion-00 (Dobbins, Roland)
>
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
-----------------------------------------
Nippon Telegraph and Telephone Corporation
Network Service Systems Laboratories
Transport Service Platform Innovation Project
Transport Service Systems Development Project
Yuhei Hayashi
0422-59-3485
hayashi.yuhei@lab.ntt.co.jp
- Re: [Dots] Dots Digest, Vol 45, Issue 3 Yuhei Hayashi
- Re: [Dots] Dots Digest, Vol 45, Issue 3 kaname nishizuka