IETF Logo Mail Archive

Re: [Dots] AD review of draft-ietf-dots-data-channel-25

<mohamed.boucadair@orange.com> Thu, 28 February 2019 12:30 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22F2130F56; Thu, 28 Feb 2019 04:30:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cHYDaic5a0oP; Thu, 28 Feb 2019 04:30:11 -0800 (PST)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA198130F90; Thu, 28 Feb 2019 04:30:09 -0800 (PST)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) by opfednr21.francetelecom.fr (ESMTP service) with ESMTP id 449Bhc0NBJz5wkY; Thu, 28 Feb 2019 13:30:08 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.48]) by opfednr03.francetelecom.fr (ESMTP service) with ESMTP id 449Bhb6mVwzDq7g; Thu, 28 Feb 2019 13:30:07 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM32.corporate.adroot.infra.ftgroup ([fe80::81c9:5f:b9c5:1241%21]) with mapi id 14.03.0435.000; Thu, 28 Feb 2019 13:30:07 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "dots@ietf.org" <dots@ietf.org>, "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-data-channel-25
Thread-Index: AQHUxRIUo475NEhnvke5Q68IH00fwKXgsiOQgAAV9gCAEoE9oIABvKCAgAAWnNCAABl5QA==
Date: Thu, 28 Feb 2019 12:30:06 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA26A2B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <20190213164622.GX56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1F03D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190214191707.GM56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1FCF6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279099DF23F40CF46280EEE2EA600@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA1FEC0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790FF9AA5D6C22037F62B54EA740@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA26902@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790F8CA2FF82789D36A94CAEA750@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790F8CA2FF82789D36A94CAEA750@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/cTysUaecsM2NeoexNqrKdk7GDgA>
Subject: Re: [Dots] AD review of draft-ietf-dots-data-channel-25
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 12:30:15 -0000

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : jeudi 28 février 2019 12:00
> À : BOUCADAIR Mohamed TGI/OLN; Benjamin Kaduk
> Cc : dots@ietf.org; draft-ietf-dots-data-channel@ietf.org
> Objet : RE: AD review of draft-ietf-dots-data-channel-25
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > Sent: Thursday, February 28, 2019 2:59 PM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > Benjamin Kaduk <kaduk@mit.edu>
> > Cc: dots@ietf.org; draft-ietf-dots-data-channel@ietf.org
> > Subject: RE: AD review of draft-ietf-dots-data-channel-25
> >
> >
> >
> > Re-,
> >
> > I added this note to my local copy:
> >
> >    How a DOTS client synchronizes its configuration with the one
> >    maintained by its DOTS server(s) is implementation-specific.  For
> >    example, a DOTS client can send a GET message before and/or after each
> >    configuration change request.
> 
> The example does not look correct, no need to send GET messages to
> synchronize the configuration during peace time.

[Med] The example was on purpose. We don't specify when and why a client has to check. That is implementation-specific. 

  We need an example to
> discuss the scenario when attack traffic is initiated and client did not
> receive response to the configuration request from the DOTS server.
> I propose the following update:
> For example, a DOTS client can re-establish the disconnected DOTS signal
> channel session after the attack is mitigated and
> sends a GET message before configuration change request.
> 

[Med] I updated the text as follows (we don't need to be exhaustive):

  How a DOTS client synchronizes its configuration with the one
   maintained by its DOTS server(s) is implementation-specific.  For
   example:

   o  a DOTS client can systematically send a GET message before and/or
      after a configuration change request.

   o  a DOTS client can re-establish the disconnected DOTS session after
      an attack is mitigated and sends a GET message before a
      configuration change request.


> Cheers,
> -Tiru
> 
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : mercredi 27 février 2019 07:59 À : BOUCADAIR Mohamed TGI/OLN;
> > > Benjamin Kaduk Cc : dots@ietf.org;
> > > draft-ietf-dots-data-channel@ietf.org
> > > Objet : RE: AD review of draft-ietf-dots-data-channel-25
> > >
> > > > -----Original Message-----
> > > > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > > > Sent: Friday, February 15, 2019 5:53 PM
> > > > To: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>;
> > > > Benjamin Kaduk <kaduk@mit.edu>
> > > > Cc: dots@ietf.org; draft-ietf-dots-data-channel@ietf.org
> > > > Subject: RE: AD review of draft-ietf-dots-data-channel-25
> > > >
> > > > This email originated from outside of the organization. Do not click
> > > > links
> > > or
> > > > open attachments unless you recognize the sender and know the
> > > > content is
> > > safe.
> > > >
> > > > Hi Tiru,
> > > >
> > > > Please see inline.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Message d'origine-----
> > > > > De : Konda, Tirumaleswar Reddy
> > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > Envoyé : vendredi 15 février 2019 12:06 À : BOUCADAIR Mohamed
> > > > > TGI/OLN; Benjamin Kaduk Cc : dots@ietf.org;
> > > > > draft-ietf-dots-data-channel@ietf.org
> > > > > Objet : RE: AD review of draft-ietf-dots-data-channel-25
> > > > >
> > > > > I am catching up with the discussion, couple of points:
> > > > >
> > > > > 1)
> > > > >       *  If a network resource (DOTS client) detects a potential DDoS
> > > > >          attack from a set of IP addresses, the DOTS client informs
> its
> > > > >          servicing DOTS gateway of all suspect IP addresses that need
> to
> > > > >          be drop- or accept-listed for further investigation.
> > > > >
> > > > > Comment> I don't see why suspect IP addresses will be accept-listed ?
> > > > >                     We may want to remove "or accept-listed" from
> > > > > the above line.
> > > > >
> > > >
> > > > [Med] Ack.
> > > >
> > > > > [Med] The dots client will know if its request is successfully
> delivered.
> > > > > When an attack is ongoing, the dots client should not use it data
> > > > > channel because it is likely to be perturbed.
> > > > >
> > > > > Comment> If the HTTP response from the server did not reach the
> > > > > Comment> client
> > > > > because of a volumetric attack saturating the incoming the link,
> > > > > the DOTS client will not know whether the configuration is
> > > > > successfully updated or not. After the attack is mitigated, the
> > > > > client will have to re-establish the TLS session and retrieve the
> > > > > configuration to check if its last request was successfully
> > > > > applied or not before updating the configuration.
> > > > >
> > > >
> > > > [Med] Agree. Still, how the client syncs its config with the one
> > > > maintained
> > > by
> > > > the server is implementation-specific. A client can send a GET
> > > > before
> > > and/or
> > > > after a configuration change request, in regular intervals, after
> > > > attack mitigation, etc.
> > >
> > > Adding a Implementation Note looks useful to me.
> > >
> > > -Tiru
> > >
> > > >
> > > > > Cheers,
> > > > > -Tiru

v2.38.3 | Report a Bug | By Email | System Status