IETF Logo Mail Archive

Re: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 28 February 2017 09:14 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E390F12706D for <dots@ietfa.amsl.com>; Tue, 28 Feb 2017 01:14:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.512
X-Spam-Level:
X-Spam-Status: No, score=-14.512 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrC-RKPHf05i for <dots@ietfa.amsl.com>; Tue, 28 Feb 2017 01:14:00 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90E6A126D74 for <dots@ietf.org>; Tue, 28 Feb 2017 01:14:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=49384; q=dns/txt; s=iport; t=1488273240; x=1489482840; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=as+LuLANZz+hWwr2MJAElwHyBZ35GwbJx/+++1CfuO8=; b=a5ZaaI90FWXuxeAaqwbytiUXOJniNwuiAFc0F1o3jqT/zlaWEpg8WxN0 MTen6UdWN3I6VAFU/tFl9FNrMV0sfPdIdPDC4d7/hUEdGmzuIf2MzKyaX R0trSg8LfuEE4A4rlQHWFto2M00kDrwktQs1wm/iZ3Ba+lFcQDxUKjsfH 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AXAQD6PrVY/5JdJa1dGQEBAQEBAQEBAQEBBwEBAQEBgm5iYYEJB41ckWOVNYIKAx8BCoV4AoInPxgBAgEBAQEBAQFiKIRwAQEBAwEBARgTQQQHBQsCAQgRBAEBIQECBAcnCxQJCAEBBAENBQgRiVMIDrJRK4sKAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWGTIRvhDABBgEBBR0HHgoChS0FlW+GMgGKGYgHggSFIIl9iDyKdAEfOIEBVBU+hEwDHRmBSHWHawEOF4EKgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.35,218,1484006400"; d="scan'208,217";a="211843115"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Feb 2017 09:13:46 +0000
Received: from XCH-ALN-017.cisco.com (xch-aln-017.cisco.com [173.36.7.27]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id v1S9DjX3025805 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 28 Feb 2017 09:13:45 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-017.cisco.com (173.36.7.27) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 28 Feb 2017 03:13:45 -0600
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1210.000; Tue, 28 Feb 2017 03:13:45 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: kaname nishizuka <kaname@nttv6.jp>, Ehud Doron <EhudD@Radware.com>, 'dots' <dots@ietf.org>
Thread-Topic: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
Thread-Index: AdKCER/slEaaT/pbTQCa8ffUgEh/YgEvK4mgADZ1NNAALTMmUAGLtzkAAMXdMkA=
Date: Tue, 28 Feb 2017 09:13:45 +0000
Message-ID: <5cbbc9aa610c43c28ae7c501ef8da35b@XCH-RCD-017.cisco.com>
References: <E58182C4A35A8E498E553AD3D33FA001011717E1DF@ILMB1.corp.radware.com> <331a77a5ec074db69cf2bc2715a7645e@XCH-RCD-017.cisco.com> <E58182C4A35A8E498E553AD3D33FA001011718BF03@ILMB1.corp.radware.com> <3bab57f083c346cfb491c29c7ff369dd@XCH-RCD-017.cisco.com> <7dcc6611-18f5-7d89-2386-8e5ee22c94b6@nttv6.jp>
In-Reply-To: <7dcc6611-18f5-7d89-2386-8e5ee22c94b6@nttv6.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.89.55]
Content-Type: multipart/alternative; boundary="_000_5cbbc9aa610c43c28ae7c501ef8da35bXCHRCD017ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ajFJtXjOLHdG4nguL3YbHo4muJo>
Cc: David Aviv <DavidA@Radware.com>
Subject: Re: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 09:14:04 -0000

From: kaname nishizuka [mailto:kaname@nttv6.jp]
Sent: Friday, February 24, 2017 10:17 AM
To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; Ehud Doron <EhudD@Radware.com>; 'dots' <dots@ietf.org>
Cc: David Aviv <DavidA@Radware.com>
Subject: Re: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Hi Tiru,

I'd like to add a comment on lifetime attribute in signal-channel

> 7.       Page 15 Life time attribute: More reasonable to have this attribute in minutes rather than seconds, bigger default can also suggested
> [TR] Changed to minutes

I prefer seconds than minutes because I think granularity of minutes is rough.
If we are to leverage programmable and automated feature of DOTS, lifetime in "seconds" is fine.
Works for me.
Ehud - Any specific reason for suggesting minutes ?
-Tiru



thank you,
Kaname

On 2017/02/16 23:00, Tirumaleswar Reddy (tireddy) wrote:
Hi Ehud,

Please see inline [TR2]

From: Ehud Doron [mailto:EhudD@Radware.com]
Sent: Thursday, February 16, 2017 6:43 PM
To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com><mailto:tireddy@cisco.com>; 'dots' <dots@ietf.org><mailto:dots@ietf.org>
Cc: David Aviv <DavidA@Radware.com><mailto:DavidA@Radware.com>
Subject: RE: Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Tiru Hi

Thanks for your response and clarifications.
Please see inline (Followed after [Ehud] )

Thanks,

Ehud Doron |  Senior Architect, Radware CTO office | M: +972-54-7575503 | T: +972-72-3917120



From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
Sent: Tuesday, February 14, 2017 4:53 PM
To: Ehud Doron <EhudD@Radware.com<mailto:EhudD@Radware.com>>; 'dots' <dots@ietf.org<mailto:dots@ietf.org>>
Cc: David Aviv <DavidA@Radware.com<mailto:DavidA@Radware.com>>
Subject: RE: Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Hi Ehud,

Thanks for the detailed review, Please see inline (I will respond to data channel comments in a separate mail)

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Ehud Doron
Sent: Wednesday, February 8, 2017 7:21 PM
To: 'dots' <dots@ietf.org<mailto:dots@ietf.org>>
Cc: David Aviv <DavidA@Radware.com<mailto:DavidA@Radware.com>>
Subject: [Dots] Comments and feedbacks on draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .

Tiru and authors Hi

Attached please find my comments and feedbacks to draft-reddy-dots-signal-channel-07 and draft-reddy-dots-data-channel-03 .


Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel  draft-reddy-dots-signal-channel-07


1.       General comment: For all signals in the draft, need to add means to allow vendor specific attributes as part of all signals transactions

[TR] Yes, will update draft.


2.       General comment: Just for clarity, need to explicitly mention on each figure when it is an example or the actual API

[TR] Done.


3.       Page 3 second paragraph : DOTS should not be limited to "enterprise network" only

[TR] Agreed, fixed.


4.       Page 4 chapter 4: The overall context of the "happy eyeballs" and its relations (or coexistence) to CoAP is not clear.

[TR] Happy eyeballs mechanism is used to reduce connection delay to setup (D)TLS session with the DOTS server. Happy eyeballs mechanism is not related to CoAP.


5.       Page 7 chapter 5.2.1: The need for YANG model cannot be understood from text. What are the needs for YANG models? What is the relation to the JSONs in the other chapters in the draft

[TR] YANG is a data modeling language used to model configuration and state data;  The configuration and state data defined using YANG can be represented in JSON or CBOR or XML. Since CBOR is binary, JSON is used in the draft but only for illustrative purpose.


6.       Page 14 figure 5: The mitigation request attributes are right but not enough. Need to add more telemetry info about the actual attack that it is required to mitigate, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.

[TR] Yes, I plan to update the draft with telemetry info based on outcome of draft-doron-dots-telemetry-00.


7.       Page 15 Life time attribute: More reasonable to have this attribute in minutes rather than seconds, bigger default can also suggested

[TR] Changed to minutes


8.       Page 15 last paragraph: Not sure that target port or target protocol can define a protected entity. IP, FQDN, URI are the only "stand alone" attributes , port and protocol are companion attributes. See also figure 9 .

[TR] Good point, fixed.


9.       Page 15 last paragraph: The mitigation request is not clear, to which identifier the text is related ?   "policy ID" ? I think the best is have another attribute to define the priority of mitigation requests
[TR] policy-id is specific to a DOTS client, DOTS server need not compare the policy-id of one customer with the policy-id of another customer. Policy-ids are only compared b/w multiple mitigation requests from the same DOTS client to determine the priority. DOTS signaling channel runs over UDP, and packets may arrive out-of-order; this was also one of the reasons to introduce policy-id.
[Ehud] Consider to update the text in page 15 with your explanations here, mainly regarding the "per customer uniqueness of DOTS".

[TR2] NEW:
The relative order of two mitigation requests from a DOTS client is determined by comparing their respective policy-id values.


10.   Page 21 table: The return status are right but not enough. Need to add more telemetry info about the actual mitigation going on (how much traffic was mitigated) and the attack that are mitigated, need to consider attributes in draft-doron-dots-telemetry-00 as part of the discussion in the WG.

[TR] Same response as 6; for now will update the draft to convey the following telemetry info from the DOTS server : total dropped byte count, average dropped bytes per second, total dropped packet count and average dropped packets per second. The list is not complete, what kind of telemetry info is required for L7 attacks (e.g. attack at TLS, partial HTTP request, garbage request etc.) and how do we deal with new type of DDOS attacks (Do we keep updating the spec as and when a new DDOS attack is discovered) ?
[Ehud] Agreed with the bytes / packets count drop you proposed. For the Layer 7 telemetries and for DDoS attacks list , I think we should first get to an agreement about the needs for this attributes and then figure out the best way to signal this information. Personally I don't believe we should update the spec for each attack, therefor we need to figure out an efficient means to signal this information.

[TR2] Agreed.


11.   Page 15 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.

[TR] Yes, it's possible; create different aliases for IP1 TCP port 80 and IP 2 UDP port 53 using DOTS data channel and convey the aliases in DOTS signal channel.


12.   Page 21 last paragraph: This is very strong point.

[TR] Thanks.


13.   Page 25 : Regarding attack status, same point about telemetry.

[TR] Same response as above.


14.   Page 25 chapter 5.4: I believe it can valuable to add a short high level description about the proposed API flow, same as you did for 5.3 .

[TR] 5.3 gives background how GET, POST, DELETE and PUT will be used, hence did not see a need to add a high level description in Section 5.4.



15.   Page 27:  The necessity of policy_id here is not clear enough, are the "Signal Channel Session Configuration" define only "single" DOTS session or the entire communication between Client and Server for several DOTS request for mitigation?

[TR]  It's for a single DOTS session between DOTS client and server, a single DOTS session can be used for several DOTS requests and responses.


16.   Page 27: Not sure about the reason for "at least one of the attributes heartbeat-interval or max-retransmit or ack-timeout or ack-random-factor MUST be present." Also consider to change to "presented".


[TR] what is the point in conveying a POST request without any configuration parameters/attributes ?

[Ehud] OK, understood. So I think you need to emphasize that in cases not all attributes are defined, need to use default values. In page 26 you wrote something about "need not be default". Consider to re-write.



[TR2] NEW:

The DOTS agents MUST use the negotiated values for message transmission

parameters and default values for non-negotiated message transmission

parameters.  The signaling channel session configuration is

applicable to a single DOTS signal channel session between the DOTS

agents.

-Tiru



17.   Page 30 chapter 5.5: Need to specify the overall scenario, in reaction to which signal (or API transaction POST of Mitigation Request , unidirectional notification from Server as describes in page 23 in page 21 ?) the  redirection occurred ?

[TR] Both, updated draft.

-Tiru

Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel  draft-reddy-dots-data-channel-03


1.       General comment: For all signal in the draft, need to add means to allow vendor specific attributes as part of all signals transactions



2.       Page 5 second paragraph: Why it is required to configure the DOTS signal channel session ?


3.       Page 8 chapter 3.2.1 : Any reason for not including these identifiers in the DOTS signal channel draft ?


4.       Page 9 figure 3 : Need to find the way to bind the target-ips with target-port-ranges and target-protocols, meaning that the server needs to understand the exact scope of attack, e.g. IP1 TCP port 80, IP2 UDP port 53 and so on so forth.


5.       Page 13 chapter 3.3 : Need to emphasize that filtering rules are relevant for both client server direct communication and through a DOTS gateway. The chapter is a bit confusing.


6.       Page 14 chapter 3.3 : I am missing the white-list installation, is it by using the permit action ?


7.       Page 15 figure 8: For DDoS it is highly valuable to have rate limit as an action. Consider adding such action (if already defined need to explain where and how).


8.       Page 15 figure 8: Need to consider adding priority to an ACL to support cases when several filtering rules are conflicting.



9.       Page 15 : The action field cannot be optional attribute.


10.   Page 16 chapter 3.3.3: Need to add more telemetry info about the actual traffic that was blocked (bps, pps and so on), but as I believe this might be another issue...



Thanks,

Ehud Doron |  Senior Architect, Radware CTO office | M: +972-54-7575503 | T: +972-72-3917120








_______________________________________________

Dots mailing list

Dots@ietf.org<mailto:Dots@ietf.org>

https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email