Re: [Dots] Telemetry draft: Vendor Specific data reduction

Jon Shallow <supjps-ietf@jpshallow.com> Tue, 28 April 2020 15:15 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE6833A172F for <dots@ietfa.amsl.com>; Tue, 28 Apr 2020 08:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CNPsLNFHfLy for <dots@ietfa.amsl.com>; Tue, 28 Apr 2020 08:15:57 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E2A3A1729 for <dots@ietf.org>; Tue, 28 Apr 2020 08:15:43 -0700 (PDT)
Received: from mail2.jpshallow.com ([192.168.0.3] helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.92.3) (envelope-from <jon.shallow@jpshallow.com>) id 1jTRxS-00056v-21; Tue, 28 Apr 2020 16:15:38 +0100
From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: <mohamed.boucadair@orange.com>, <dots@ietf.org>
References: <020a01d61954$64b50320$2e1f0960$@jpshallow.com> <00a301d61d37$219f1990$64dd4cb0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B9330314A0CED@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330314A0CED@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Tue, 28 Apr 2020 16:15:45 +0100
Message-ID: <017201d61d6f$e40b75e0$ac2261a0$@jpshallow.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0173_01D61D78.45D16480"
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQHtT51ggH6aH9X9eXlnZao+3cestAGwV+RpAmslRWWoP1QcgA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/cdv5N5bCposm51B5FBTaP4Zzs4M>
Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 15:16:00 -0000

Hi Med,

 

To give an example for “attack-id” and “attack-name” the DDOS Mitigator that
I work with has several components that identify the same attack

 

Index: 3016

Short-Name: tcpattack_synflood

Descriptive-Name: “TCP Attack - Syn Flood"

 

And in the code I was using the index for “attack-id” and the
Descriptive-Name for the “attack-name” for the recent telemetry Interop with
Kaname.

 

With a multi-vector attack, the descriptive name information was a
substantive part of the telemetry information being passed back to the
client.

 

Similarly, if the DDoS Mitigator was to act as a client to an upstream DOTS
server (which in my case it can), then again there is a lot of information
being relayed that could be reduced with a mapping between” attack-id” and
“attack-name” for a specific vendor “id” being uploaded ahead of time – and
can be refreshed if new attacks are discovered and mitigated.

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of
mohamed.boucadair@orange.com
Sent: 28 April 2020 12:00
To: Jon Shallow; dots@ietf.org
Subject: Re: [Dots] Telemetry draft: Vendor Specific data reduction

 

Hi Jon,

 

Apologies for the delay to follow on this one. 

 

attack-name is more about a description than a name. This field may also be
used to map attack details from distinct vendors because there is no a
global registry (and we don’t want to create one). 

 

Having the ability to retrieve a list prior to an attack is interesting to
consider but the (optional) attribute may still be needed to be included for
new attack types. 

 

Note that the name attribute is also used by a DOTS client to send telemetry
to a DOTS server. 

 

Attack-id is defined as a string because we inspired from existing event
notification formats. Some of these formats allow for an even ID to be
integer or string. 

 

Cheers,

Med

 

De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow
Envoyé : mardi 28 avril 2020 10:29
À : dots@ietf.org
Objet : Re: [Dots] Telemetry draft: Vendor Specific data reduction

 

Hi All,

 

Any thoughts on this data reduction?

 

While it is possible for a Vendor to come up with their own augmented YANG
to cover their vendor specifics, it gets problematic when 2 or more Vendor
specifics need to be understood by a client or a server.

 

Having a “/vendor-mapping” operation path means that vendor mapping of
“attack-id” and “attack-name” can easily be exchanged.

 

If “attack-id” is an integer instead of a string, then “attack-id” could
become a Vendor specific set of enums (they do not need to start from 1)
based on “id”.

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Jon Shallow
Sent: 23 April 2020 10:49
To: dots@ietf.org
Subject: [Dots] Telemetry draft: Vendor Specific data reduction

 

Hi All,

 

When passing telemetry attack information back and forth, there are some
ways that we need to consider on data reduction, thus reducing the
likelihood of having to do Block transfers.

 

My understanding is that there is a one-to-one relationship between
“attack-id” and “attack-name”.

 

My first suggestion is that the client is able to upload to a server, and
the server can download on request, a vendor’s mapping of “attack-id” to
“attack-name” for the specific vendor “id”.  Then, whenever there is
telemetry information ”id” + “attack-id” need to be provided, but much space
can be saved by not having to also include “attack-name”.

 

Second suggestion is that “attack-id” is an integer instead of a string to
again save on space in the telemetry data.

 

Regards

 

Jon