Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 06 February 2020 11:08 UTC
Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73709120918 for <dots@ietfa.amsl.com>; Thu, 6 Feb 2020 03:08:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xxGnrbYPyUZr for <dots@ietfa.amsl.com>; Thu, 6 Feb 2020 03:08:50 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [63.128.21.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DA17120905 for <dots@ietf.org>; Thu, 6 Feb 2020 03:08:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1580987329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xYAxRzpy7LQUhwk3neBTArVCvyGmf3RcnOdRx0V6eHc=; b=P3mdYyrBqW9478qNe2T+BRCt1N1clKyHkHKlIz7eDSHFbkcqszSOC74qWDXoEFPgmOI3Ah YNpwd1Lh7ZgLZr76nrlD3sdhqulMRSgVTjQZwp8w4DwT17/wUjd1JSJwb5ondF6pxlkRLD yekKpdIrr3yZ9+I+DrFkog5gEW7yka8=
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2059.outbound.protection.outlook.com [104.47.36.59]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-10-92qLifzEPeazT5-YoTYcbw-1; Thu, 06 Feb 2020 06:08:42 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1285.namprd16.prod.outlook.com (10.172.118.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.21; Thu, 6 Feb 2020 11:08:40 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::e851:20e8:57bd:fedd]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::e851:20e8:57bd:fedd%12]) with mapi id 15.20.2707.024; Thu, 6 Feb 2020 11:08:40 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: Roman Danyliw <rdd@cert.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "draft-ietf-dots-architecture@ietf.org" <draft-ietf-dots-architecture@ietf.org>
Thread-Topic: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
Thread-Index: AQHV3LC0tvXwmfcRCEKmrHAz1U5ZWKgN4miw
Date: Thu, 06 Feb 2020 11:08:40 +0000
Message-ID: <CY4PR1601MB12541179F49E2CFD70E29CC9EA1D0@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <158096794633.30610.7698585491429934350.idtracker@ietfa.amsl.com>
In-Reply-To: <158096794633.30610.7698585491429934350.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 58fd6e02-d082-4455-fed4-08d7aaf4ebfa
x-ms-traffictypediagnostic: CY4PR1601MB1285:
x-microsoft-antispam-prvs: <CY4PR1601MB128578FFB56DF824531BD591EA1D0@CY4PR1601MB1285.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0305463112
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(366004)(376002)(39860400002)(396003)(136003)(189003)(199004)(32952001)(66476007)(71200400001)(53546011)(33656002)(2906002)(5660300002)(6506007)(76116006)(966005)(478600001)(66556008)(86362001)(66946007)(66446008)(52536014)(26005)(64756008)(186003)(316002)(110136005)(54906003)(55016002)(9686003)(81166006)(7696005)(8676002)(81156014)(8936002)(4326008)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1285; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZjvjB5GXhWcG7F6MJzNasSOe4nMpFuw2HcCszV86Rmrg12loiItegipCV/F9xRNs+WXx01R9Jl6ZoqSNbEB6vWZhrB5Jag4lwQHCCxLMITsv0p6gwI2GvFN/VPG5KoKyKIQhQbTnxVy3IbpIKTucKQ5nYvd8h5x85cFRRhv9SXv8oMlgcShp9m+1l5GGRORbTIqfAPrF349AHwKSdzCuFEzvgdI/ZJWf1EgXptG0jnq6N3+uOaTyDM5p1y3O5y5ltaEleNKPOzPZ5wwDduVBhhaJVbyA4l4DZV1magHqFxbcIvlwsJ37qWOSUzcNY1e7kpjhW+qZ3OdyMS1z8jWQh6JnwT0n2yuurKEBoecLVbcLFEOpARd1EFDRuZzzN3SfopzjlHWVW9PwG64eVUM/CwDrYPRn3a2GuafD/4uDjSDGXvqXDOqjf8FgPlVKwwlT0rKucEmzuZrYIN1d29146zpYeVBMVMKy98RaodBFQZDyIy9OMSI68VQdjKAUwAMbpxMuwzdcOQLM8zG7CDUbrGy5UzMEYmeWXa49IJi6DgcGiuq3DdhxE/XSuf64EaWH5taqHE6nZGd/CKQ8Zu8rr4XIzDwyxtGSdlyVN+SPyj4=
x-ms-exchange-antispam-messagedata: 8n1TAZ5tngEu8i57fZAX2iU9HPWDGRhggFGIrHmh9racwav9AW8gOqrAjP/jestCqBUhLuFX+sz+O6nhoG8LOT2jZ1ZuB4KeLA10hZN4zYNFIAIZZJTWZPpjnso/TX0gNu0BkVLGMcXYozYUsPFFvQ==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 58fd6e02-d082-4455-fed4-08d7aaf4ebfa
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Feb 2020 11:08:40.2522 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tHxEuwWxL+HfMFxfrlnqRebH6F/kpVj4jL/bjYa78mFv90HUQQq0R4qAEMjaHG9/tcTjZ0pn/9ZO6JNQRvvZSEep83eaAK2CvGLyAzH3V9xBc0uXbtnFVuhpDNCI1y0x
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1285
X-MC-Unique: 92qLifzEPeazT5-YoTYcbw-1
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: mcafee.com
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/cJQ46ha4eqGKT3xzJLfhJQsfVrU>
Subject: Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 11:08:55 -0000
Hi Ben, Please see inline > -----Original Message----- > From: Dots <dots-bounces@ietf.org> On Behalf Of Benjamin Kaduk via > Datatracker > Sent: Thursday, February 6, 2020 11:16 AM > To: The IESG <iesg@ietf.org> > Cc: Roman Danyliw <rdd@cert.org>; dots-chairs@ietf.org; > valery@smyslov.net; dots@ietf.org; draft-ietf-dots-architecture@ietf.org > Subject: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-architecture-16: > (with COMMENT) > > CAUTION: External email. Do not click links or open attachments unless you > recognize the sender and know the content is safe. > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dots-architecture-16: Yes > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dots-architecture/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for this well-written document! It's a great high-level summary of > DOTS and I just have some fairly minor comments. > > There might be a bit of mismatch between describing the signal channel > session as associated with "an ephemeral security association" in Section > 3.1 and as "expected to be long-lived" in Section 3.2.4.1. Good catch, removed "ephemeral". > > Section 2.2.3 > > The DOTS gateway MUST perform full stack DOTS session termination and > reorigination between its client and server side. The details of how > this is achieved are implementation specific. The DOTS protocol does > not include any special features related to DOTS gateways, and hence > from a DOTS perspective, whenever a DOTS gateway is present, the DOTS > session simply terminates/originates there. > > Does the 'cdid' count as a "special feature"? Yes, removed the last line. > > Section 2.3.1 > > An example is a DOTS gateway at the network client's side, and > another one at the server side. The first gateway can be located at > a CPE to aggregate requests from multiple DOTS clients enabled in an > > nit: "CPE" does not appear as "well known" at https://www.rfc- > editor.org/materials/abbrev.expansion.txt and should be expanded on first > use. Fixed. > > Section 3.2.3 > > We could mention that the recursing gateway (e.g., Cn in Figure 12) must still > be authorized to request mitigation for the resources (also) controlled by > client Cc (though perhaps the closing discussion about there typically being a > SLA among client, recursed, and recursing domain suffices). Good point, updated text as follows: Typically there is a contractual Service Level Agreement (SLA) negotiated among the DOTS client domain, the recursed domain and the recursing domain to meet the privacy requirements of the DOTS client domain and authorization for the recursing domain to request mitigation for the resources controlled by the DOTS client domain. > > Section 3.2.4.1 > > DOTS client to initialize a new DOTS session. This challenge might > in part be mitigated by use of resumption via a PSK in TLS 1.3 > [RFC8446] and DTLS 1.3 [I-D.ietf-tls-dtls13] (session resumption in > TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347]), but keying material must > be available to all DOTS servers sharing the anycast Service Address > in that case. > > "which has operational challenges of its own", perhaps. Sure, updated. > > session may involve diverting traffic to a scrubbing center. If the > DOTS session flaps due to anycast changes as described above, > mitigation may also flap as the DOTS servers sharing the anycast DOTS > service address toggles mitigation on detecting DOTS session loss, > depending on whether the client has configured mitigation on loss of > signal. > > I am not sure if we've mentioned configuring mitigation on loss of signal, yet. > A forward reference to Section 3.3.3 might help. Done. > > Section 3.2.5 > > Network address translators (NATs) are expected to be a common > feature of DOTS deployments. The Middlebox Traversal Guidelines in > [RFC8085] include general NAT considerations for DOTS deployments > when the signal channel is established over UDP. > > nit: the guidelines in 8085 are not specifically about DOTS deployments, so > probably we should say "that are applicable to" DOTS deployments. Fixed. > > Section 3.2.5.1 > > request accurate mitigation scopes. To that aim, the DOTS client can > rely on mechanisms, such as [RFC8512] to retrieve static explicit > mappings. This document does not prescribe the method by which > > nit: no comma. Okay. > > Section 3.3.3 > > The impact of mitigating due to loss of signal in either direction > must be considered carefully before enabling it. Signal loss is not > caused by links congested with attack traffic alone, and as such > mitigation requests triggered by signal channel degradation in either > > nit: I think this could be parsed as "links are congested by attack traffic and > other traffic", whereas we intend to say that "attack traffic is not the only > possible cause of link congestion". Perhaps "Attack traffic congesting links is > not the only reason why signal could be lost" is more clear. Thanks, updated. > > Section 5 > > DOTS is at risk from three primary attack vectors: agent > impersonation, traffic injection and signal blocking. These vectors > > We seem to only partially discuss countermeasures for these attacks in the > rest of the section; one piece that seems noteworthy in its absence is the > requirement (already described in the body text) to authenticate the peer > and perform authorization checks on client requests. Mitigating against > signal blocking is in general hard, but we could consider mentioning again that > the automated mitigation on loss of signal discussed in Section 3.3.3 is an > option, albeit one with risks of its own. Added the following lines: DOTS agents MUST perform mutual authentication to ensure authenticity of each other and DOTS servers MUST verify that the requesting DOTS client is authorized to request mitigation for specific target resources (see Section 2.2.2). An MITM attacker can intercept and drop packets, preventing the DOTS peers from receiving some or all of the DOTS messages, automated mitigation on loss of signal can be used as a countermeasure but with risks discussed in Section 3.3.3. > > Section 8.2 > > One could perhaps argue that RFC 4033 and RFC 6887 should be normative > ("[RFC4033] must be used where [...]", "[RFC6887] may be used to [...]"). Moved. > > There's a stronger case that RFC 4786 should be normative, as we use a BCP > 14 keyword allowing its deployment. Done. Cheers, -Tiru > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-ar… Benjamin Kaduk via Datatracker
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… mohamed.boucadair
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Konda, Tirumaleswar Reddy
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Konda, Tirumaleswar Reddy
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Benjamin Kaduk