Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

kaname nishizuka <kaname@nttv6.jp> Tue, 23 July 2019 12:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/_oOGnE5H2h9jqv1D2Z2zo8YpbcQ>

Hi Tiru,


On 2019/07/23 16:04, Konda, Tirumaleswar Reddy wrote:
>
> Thanks for the clarification.
>
Welcome :)

> I don’t think any of the DOTS use cases documents discuss this deployment.
>
Also, no for me.

> DOTS signal channel looks more suitable for these Pre-mitigation DOTS Telemetry Attributes than the DOTS data channel.
>
Yes, I agree.

thanks,
Kaname
>
> Cheers,
>
> -Tiru
>
> *From:* kaname nishizuka <kaname@nttv6.jp>
> *Sent:* Monday, July 22, 2019 8:26 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; tirumal reddy <kondtir@gmail.com>; dots@ietf.org
> *Subject:* Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
>
>
> Hi Tiru,
>
> Let me explain it.
> Several transit providers offer a service, such as detection capabilities, to notify clients of potential attacks.
> It is assumed that they have a DDoS mitigation system and a DDoS detection system (for example, a flow collector) separately.
> It is a realistic deployment that the DOTS server is integrated with the flow collector.
>
> When an attack occurs, the DDoS detection system will notice that the customer is under attack; then the pre-mitigation DOTS telemetry (= attack details) can be signaled from the DOTS server to the (associated) DOTS client.
>
> Here is one example of a traffic anomaly detection notification (threshold based), quoted from an actual service.
> Organization:       XXX
> Attack ID:          13227
> Start Time:         2019/06/05 22:52:30 JST+0900
> Level:              1
> Traffic Amount:     4.02k pps
> Threshold:          4.00k pps
> Direction:          incoming
> Victim IP Address:  x.x.x.x/32
> Attack Type:        TCP SYN
>
> It says something like "it seems you're under attack, what will you do? (We can offer some protection)"
>
> regards,
> Kaname
>
> On 2019/07/22 23:11, Konda, Tirumaleswar Reddy wrote:
>
>     Thanks Kaname for the support. I did not get the comment. What type of pre-mitigation DOTS telemetry attributes can be signaled from the DOTS server to the DOTS client?
>
>     And how will the DOTS server know the pre-mitigation DOTS telemetry attributes relevant or associated with a DOTS client?
>
>     Cheers,
>
>     -Tiru
>
>     *From:* Dots <dots-bounces@ietf.org> *On Behalf Of* kaname nishizuka
>     *Sent:* Monday, July 22, 2019 6:44 PM
>     *To:* tirumal reddy <kondtir@gmail.com>; dots@ietf.org
>     *Subject:* Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
>
>
>     I support this draft.
>
>     I'd like to mention the telemetry attributes from a DOTS server to a DOTS client.
>     Currently, several transit ISPs are providing DDoS detection and protection services.
>     In such a service, they send a DDoS detection notification via e-mail when they notice that their customer is under attack.
>     The mail includes telemetry information such as the 4.1.5 Attack Details.
>     This info can be used by the customer's security operators for further decisions on protection strategy.
>     I think it should be covered by the DOTS telemetry specification.
>
>     One suggestion to the draft:
>     Pre-mitigation DOTS Telemetry Attributes can also be signaled from the DOTS server to the DOTS client.
>
>     thanks,
>     Kaname
>
>
>
>     On 2019/07/05 22:20, tirumal reddy wrote:
>
>         Hi all,
>
>         https://tools.ietf.org/html/draft-reddy-dots-telemetry-00 aims to enrich DOTS protocols with various telemetry attributes allowing optimal DDoS attack mitigation. This document specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server.  The telemetry attributes can assist the mitigator to choose the DDoS mitigation techniques and perform optimal DDoS attack mitigation.
>
>         Comments, suggestions, and questions are more than welcome.
>
>
>         Cheers,
>
>         -Tiru
>
>         ---------- Forwarded message ---------
>         From: <internet-drafts@ietf.org>
>         Date: Fri, 5 Jul 2019 at 18:44
>         Subject: New Version Notification for draft-reddy-dots-telemetry-00.txt
>         To: Tirumaleswar Reddy <kondtir@gmail.com>, Ehud Doron <ehudd@radware.com>, Mohamed Boucadair <mohamed.boucadair@orange.com>
>
>
>
>
>         A new version of I-D, draft-reddy-dots-telemetry-00.txt
>         has been successfully submitted by Tirumaleswar Reddy and posted to the
>         IETF repository.
>
>         Name:           draft-reddy-dots-telemetry
>         Revision:       00
>         Title:          Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
>         Document date:  2019-07-05
>         Group:          Individual Submission
>         Pages:          13
>         URL: https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-00.txt
>         Status: https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
>         Htmlized: https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
>         Htmlized: https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry
>
>
>         Abstract:
>            This document aims to enrich DOTS signal channel protocol with
>            various telemetry attributes allowing optimal DDoS attack mitigation.
>            This document specifies the normal traffic baseline and attack
>            traffic telemetry attributes a DOTS client can convey to its DOTS
>            server in the mitigation request, the mitigation status telemetry
>            attributes a DOTS server can communicate to a DOTS client, and the
>            mitigation efficacy telemetry attributes a DOTS client can
>            communicate to a DOTS server.  The telemetry attributes can assist
>            the mitigator to choose the DDoS mitigation techniques and perform
>            optimal DDoS attack mitigation.
>
>
>
>
>         Please note that it may take a couple of minutes from the time of submission
>         until the htmlized version and diff are available at tools.ietf.org.
>
>         The IETF Secretariat
>
>
>
>
>         _______________________________________________
>
>         Dots mailing list
>
>         Dots@ietf.org  <mailto:Dots@ietf.org>
>
>         https://www.ietf.org/mailman/listinfo/dots
>
>
>
>
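As an added illustration, not code from the thread or from the draft: a parser that turns the threshold-based notification quoted in Kaname's message into the kind of structured record a DOTS server co-located with the flow collector could signal to its DOTS client. The sample text mirrors the quoted field layout with placeholder values, and the attribute names in the output are my assumptions, not the draft's YANG names.

```python
import re
from datetime import datetime
# Constructed sample mirroring the field layout quoted in the thread (placeholder values).
SAMPLE_NOTIFICATION = """\
Organization:       XXX
Attack ID:          13227
Start Time:         2019/06/05 22:52:30 JST+0900
Level:              1
Traffic Amount:     4.02k pps
Threshold:          4.00k pps
Direction:          incoming
Victim IP Address:  x.x.x.x/32
Attack Type:        TCP SYN
"""
REQUIRED = {"Attack ID", "Start Time", "Traffic Amount", "Threshold", "Direction", "Victim IP Address", "Attack Type"}
_SI = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}

def parse_rate(text):
    """'4.02k pps' -> (4020, 'pps'); anything else is rejected rather than guessed."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*([kMG]?)\s*(pps|bps)", text.strip())
    if not m:
        raise ValueError(f"unparseable rate: {text!r}")
    return round(float(m[1]) * _SI[m[2]]), m[3]

def parse_notification(text):
    """Split 'Field: value' lines into a dict and insist on the fields we relay."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"notification lacks {sorted(missing)}")
    return fields

def to_pre_mitigation_telemetry(text):
    """Record a DOTS server co-located with the flow collector could push to its client
    (attribute names are illustrative assumptions, not the draft's YANG names)."""
    f = parse_notification(text)
    observed, unit = parse_rate(f["Traffic Amount"])
    threshold, t_unit = parse_rate(f["Threshold"])
    if unit != t_unit:
        raise ValueError(f"unit mismatch: {unit} vs {t_unit}")
    # Drop the zone abbreviation ('JST') so %z can read the numeric offset.
    start = datetime.strptime(re.sub(r" [A-Z]+(?=[+-]\d{4}$)", " ", f["Start Time"]), "%Y/%m/%d %H:%M:%S %z")
    return {"attack-id": int(f["Attack ID"]), "start-time": start.isoformat(),
            "target-prefix": f["Victim IP Address"], "attack-type": f["Attack Type"], "direction": f["Direction"],
            "observed-rate": observed, "threshold": threshold, "unit": unit, "over-threshold": observed > threshold}
```

Malformed rates, mismatched units and missing fields raise instead of producing a half-filled record, so a bad notification is noticed at the server rather than relayed to the client.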