Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

<mohamed.boucadair@orange.com> Mon, 06 May 2019 14:17 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F1B120052; Mon, 6 May 2019 07:17:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHX6x1pRgRSC; Mon, 6 May 2019 07:17:45 -0700 (PDT)
Received: from orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BDA1120019; Mon, 6 May 2019 07:17:45 -0700 (PDT)
Received: from opfednr01.francetelecom.fr (unknown [xx.xx.xx.65]) by opfednr21.francetelecom.fr (ESMTP service) with ESMTP id 44yPvq33pnz5wCN; Mon, 6 May 2019 16:17:43 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.89]) by opfednr01.francetelecom.fr (ESMTP service) with ESMTP id 44yPvq2HHJzDq7P; Mon, 6 May 2019 16:17:43 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM44.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0439.000; Mon, 6 May 2019 16:17:42 +0200
From: <mohamed.boucadair@orange.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, Liang Xia <frank.xialiang@huawei.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: =?utf-8?B?TWlyamEgS8O8aGxld2luZCdzIERpc2N1c3Mgb24gZHJhZnQtaWV0Zi1kb3Rz?= =?utf-8?Q?-signal-channel-31:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AQHVBBLrtjibErdZ+E+HsN0ik7eR0aZeIPiA
Date: Mon, 6 May 2019 14:17:42 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA6C9E6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155672175129.924.6789867477696592350.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA68C1A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <F5FA219E-0124-43D8-A3FE-EAEDDAB7CA22@kuehlewind.net>
In-Reply-To: <F5FA219E-0124-43D8-A3FE-EAEDDAB7CA22@kuehlewind.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ctvDVfqughBBcitLWDgYcIMuRvM>
Subject: Re: [Dots] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-?= =?utf-8?q?dots-signal-channel-31=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2019 14:17:47 -0000

Hi Mirja, 

Focusing on this particular DISCUSS point. 

A typical case when a connection is done during attack time is redirection. That is, the nominal DOTS server may redirect a DOTS client to another server with 5.03. Connection attempts will need to be established with the new server as fast as possible so that a mitigation request is placed.

Cheers,
Med

> -----Message d'origine-----
> De : Mirja Kuehlewind [mailto:ietf@kuehlewind.net]
> Envoyé : lundi 6 mai 2019 15:52
> À : BOUCADAIR Mohamed TGI/OLN
> Cc : The IESG; draft-ietf-dots-signal-channel@ietf.org; Liang Xia; dots-
> chairs@ietf.org; dots@ietf.org
> Objet : Re: Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31:
> (with DISCUSS and COMMENT)
> 
> >>
> >> ----------------------------------------------------------------------
> >> DISCUSS:
> >> ----------------------------------------------------------------------
> >>
> > ====
> >
> >>
> >> 2) Section 4.3 says:
> >> "In reference to Figure 4, the DOTS client sends two TCP SYNs and two
> >>   DTLS ClientHello messages at the same time over IPv6 and IPv4."
> >> However, RFC8305 explicitly states that connection attempts SHOULD NOT be
> >> made
> >> simultaneously (see sec 5).
> >>
> >
> > [Med] This one is discussed in another thread.
> 
> My discuss point was actually different. Due over network overload, probing
> should NOT be done simultaneously. However, I’ve seen that you now also
> changed the mechanism to only use simultaneous probing when under attack.
> That may be fine, however, it is not fully clear why happy eyeballs would be
> needed at all during an attack as the assumption is that you always have an
> active session (starting before the attack). I would further like to see it
> made even more clear that probing MUST be performed sequentially (as
> described in RFC8305) otherwise.
>