Re: [Dots] draft-ietf-dots-data-channel - ietf-dots-access-control-list extensions

Artyom Gavrichenkov <ximaera@gmail.com> Fri, 04 August 2017 17:02 UTC

Return-Path: <ximaera@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 023DF1323FC for <dots@ietfa.amsl.com>; Fri, 4 Aug 2017 10:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z3jeK21WoQNX for <dots@ietfa.amsl.com>; Fri, 4 Aug 2017 10:02:33 -0700 (PDT)
Received: from mail-pf0-x22f.google.com (mail-pf0-x22f.google.com [IPv6:2607:f8b0:400e:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B1B13239D for <dots@ietf.org>; Fri, 4 Aug 2017 10:02:33 -0700 (PDT)
Received: by mail-pf0-x22f.google.com with SMTP id c28so9357276pfe.3 for <dots@ietf.org>; Fri, 04 Aug 2017 10:02:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TPDf+st8Tdw0MMFdwS0PB8gdrCPNWmcIY/EZTxBjWfU=; b=vfnDWh14aFPjMcPAw/fjS/G2SH3jEPQhL0KDDjWxQSl2vUIgM9jZjLwMMyCc6lNftE Mir/cbDC0PSi3szzQD6QXksYlo+WDr6ECxC5JBfoLTumBxwBCFAcYMu4/aICMngaP8GG G/uIk/i7x1W1rKkGaE3heVJ4LvzNi0pflwm0/cBiGPPqIB7M/ddIb28cOZdrXZdDskka IhTpKzcbTMBjo4Um7FTxW6f2jp+RuFcKuU5TrVFlMbjXtk3yPlqeQyhiDSCJnsQEDQcC lzb49/S8lsoYV2j9PTPH+cARBbLWRe6kGpoTiv+zmkmuVd7f7aA9qwoxcl4U3T72Uc8s oJ8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TPDf+st8Tdw0MMFdwS0PB8gdrCPNWmcIY/EZTxBjWfU=; b=M1M9Trvr0h6wVmAha2xiEy3fnJac694Aje63HWOiQiu/HIlS0Mjz2ObfKkIcuKcQJT Um168zC2HqO+tqt0nZWLXLBTyziFFF0HryMEpLCqVBLf7S/I3B9MTY7PpH2l0KxGkTNp z9T35nQ3OyBBR0zLNK1ccYs/GPvTTFMU3aHgAXVn9CCmU3vD0AOvUKZsGPNH3t248nfy H74rOrtQOBVRaJS7TZZIZjXzEHakrVxj0h6zkrIm/nzISggmR3gCLSa01snwdizrzyo9 PU2f8rRsSHeEXUPUCeFFGehnFZ63Hn45ttnjS4iSir5jlE2++eWzG8UTkTVTJuIUMrA5 GB2w==
X-Gm-Message-State: AIVw113B0uTXc7S8b4/kHlvft1KRGK4kch/zcfvEZy+IjiNzIeCW0Fd3 YYCJ4FJLif1ht2J6d2/vTVeoT5dSRg==
X-Received: by 10.98.61.13 with SMTP id k13mr3127543pfa.75.1501866152515; Fri, 04 Aug 2017 10:02:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.133.150 with HTTP; Fri, 4 Aug 2017 10:02:31 -0700 (PDT)
Received: by 10.100.133.150 with HTTP; Fri, 4 Aug 2017 10:02:31 -0700 (PDT)
In-Reply-To: <063901d30d29$d9e5e9a0$8db1bce0$@jpshallow.com>
References: <063901d30d29$d9e5e9a0$8db1bce0$@jpshallow.com>
From: Artyom Gavrichenkov <ximaera@gmail.com>
Date: Fri, 04 Aug 2017 20:02:31 +0300
Message-ID: <CALZ3u+ZXnUi=S-=hJ49V3H9JZ1PDjSbvswgVE1m8b4JZHe1UPA@mail.gmail.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>
Cc: dots@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c12826c855db90555f07627"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/d6pj-o1gDGIDiltVQXOFnWOCNRc>
Subject: Re: [Dots] draft-ietf-dots-data-channel - ietf-dots-access-control-list extensions
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 17:02:35 -0000

Hi Jon,

Personally, I don't think this is a good idea. Here are my reasons.

Neither a country code nor an AS number (be the latter a current BGP Origin
attribute value, as seen by a mitigator, or simply an entry in a RIR DB)
are present in the network and transport layer header data. Both are often
meant to be taken from some foreign key-value stores of disputable quality.

LIRs often, to say the least, tend to underestimate the importance of
updating their data in their respective RIR databases (see, I'm trying to
put it gently). In turn, those databases are now often considered as
unreliable sources of information sometimes even when it comes to routing
data. With geographic data (which is not used for routing purposes and thus
never gets verified), everything is much, much worse.

There are organisations (MaxMind, IPIP and others) which maintain their
own, proprietary geo databases, in proprietary formats, which are still far
from ideal, but suitable enough for purposes of, say, measuring statistics.
Yet, most of those databases are not good enough for the means of
preventing access because of a high rate of both false positives and false
negatives. Here's a recent case: https://github.com/
docker/for-linux/issues/57#issuecomment-314476406

So as there's no "official" geoblocking method, a proposed extension should
explicitly specify which exactly database should be used. Now it seems to
be better for the user of a DOTS client to implement an access to such
databases (be it MaxMind, RIPE DB, Spamhaus or whatever key-value store a
user chooses) theirselves, while a DOTS server would only see the final
resolution on an IP address or network.

| Artyom Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58


4 авг. 2017 г. 4:59 PM пользователь "Jon Shallow" <supjps-ietf@jpshallow.com>
написал:

> Does it make sense to add to the extensions of
> ietf-dots-access-control-list the ability to black list or possibly white
> list, Country Codes and AS numbers?
>
>
>
> Regards
>
>
>
> Jon
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
>