IETF Logo Mail Archive

Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering

"Panwei (William)" <william.panwei@huawei.com> Fri, 23 November 2018 08:24 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 043D9130DFE for <dots@ietfa.amsl.com>; Fri, 23 Nov 2018 00:24:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HirUran_EESo for <dots@ietfa.amsl.com>; Fri, 23 Nov 2018 00:24:54 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D91B130DF4 for <dots@ietf.org>; Fri, 23 Nov 2018 00:24:53 -0800 (PST)
Received: from lhreml703-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id C92AD4826E688 for <dots@ietf.org>; Fri, 23 Nov 2018 08:24:48 +0000 (GMT)
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by lhreml703-cah.china.huawei.com (10.201.108.44) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 23 Nov 2018 08:24:49 +0000
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.171]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0415.000; Fri, 23 Nov 2018 16:24:46 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "dots@ietf.org" <dots@ietf.org>, kaname nishizuka <kaname@nttv6.jp>
Thread-Topic: Suggestions about draft-nishizuka-dots-signal-control-filtering
Thread-Index: AdSDBf0VtkQPWnToQ7CWp4O9gIla1g==
Date: Fri, 23 Nov 2018 08:24:46 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A608D45C7@nkgeml513-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A608D45C7nkgeml513mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dIwE63vW0ncT-kBF4tAMVmtpiEc>
Subject: Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 08:24:57 -0000

Hi Tiru, Med,

Thank you for explaining and reminding me. I just remembered that this terminology has already been described in the requirement draft.
Accept-list: A list of filters indicating sources from which traffic
should always be allowed, regardless of contradictory data gleaned
in a detected attack.

Best Regards
Wei Pan

发件人: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
发送时间: 2018年11月23日 16:07
收件人: mohamed.boucadair@orange.com; Panwei (William) <william.panwei@huawei.com>; kaname nishizuka <kaname@nttv6.jp>
抄送: dots@ietf.org
主题: RE: Suggestions about draft-nishizuka-dots-signal-control-filtering

If accept-listed sources are attacking the target, the DOTS server cannot turn-off the accept-list filtering rules without the consent from the DOTS client. DOTS server can inform the DOTS client of the conflict and/or the DOTS client with DDoS detection capability can identify the attack, and using the signal channel de-activate the accept-list filtering rules.

“accept-list” does not mean only the traffic matching the accept-list will be allowed to reach the target.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>
Sent: Friday, November 23, 2018 12:04 PM
To: Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>; kaname nishizuka <kaname@nttv6.jp<mailto:kaname@nttv6.jp>>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Wei,

Please see inline.

Cheers,
Med

De : Dots [mailto:dots-bounces@ietf.org] De la part de Panwei (William)
Envoyé : vendredi 23 novembre 2018 04:09
À : kaname nishizuka
Cc : dots@ietf.org<mailto:dots@ietf.org>
Objet : [Dots] Suggestions about draft-nishizuka-dots-signal-control-filtering

Hi Kaname,

I have read your draft recently, and I have two suggestions about it.

1.      I’d like to suggest using “whitelist” or “DDoS detection whitelist” instead of “accept-list” in the typical case.

[Med] accept-list means white-list. accept-list is already used in DOTS requirements and data channel. The signal channel will make use of that term too. FWIW, that change is made because of what was reported by hrpc.

A typical case is a DOTS client which configures during peace time
filtering rules using data channel to permit traffic from accept-
listed sources, but during the volumetric DDoS attack the DDoS
mitigator identifies the source addresses/prefixes in the accept-
listed filtering rules are attacking the target. For example, an
attacker can spoof the IP addresses of accept-listed sources to
generate attack traffic or the attacker can compromise the accept-
listed sources and program them to launch DDoS attack.
In this typical case, when you use “accept-list”, it sounds like that only the traffic which match the accept-list can reach the target. I don’t know if you mean so, but if YES, I feel like the extension may not be essentially needed in such case. Because if a DDoS attack occurs in such situation, the attacker must have been included in the accept-list. The DOTS server can get this conclusion as the DOTS client can, so the DOTS server can de-activate the accept-list by its own without DOTS client’s request of filtering rules.
In my opinion, “whitelist” or “DDoS detection whitelist” is more suitable than  “accept-list”. Because it indicates that the traffic which doesn’t match the DDoS whitelist can also reach the target, as long as it passes the detection. And if a DDoS attack happens, the DOTS server can’t know if the attacker is in the whitelist. If DOTS client find that the attacker is included in the DDoS whitelist, it must request the DOTS server to de-activate the whitelist.

I’m not object to your case, I just want to make it clear and no misunderstanding.

2. I’d like to suggest adding a guideline or suggestion about using signal channel to control filtering rules.
The purpose of using DOTS signal channel to control filtering rules is trying to help mitigate the DDoS attack when under attack time. This purpose should also be the guideline.
Requests which can help mitigate the attack should be send by the signal channel immediately. Requests which can’t help mitigate the attack should wait for the data channel to be re-established and then be sent by the data channel.
For example, during attack time, de-activating a drop-list (or blacklist) or activating a accept-list (or whitelist) may usually not help mitigate the DDoS attack. So If there is no necessary reason, these two requests should wait for using the data channel.

[Med] Agree. We do have the following in -01:

   A DOTS client relies on the information received from the DOTS server
   and/or local information to the DOTS client domain to trigger a
   filter control request.  Obviously, only filters that are pertinent
   for an ongoing mitigation should be controlled by a DOTS client using
   the DOTS signal channel.

And

   The DOTS client can also decide to send a PUT request to deactivate
   the "an-accept-list" ACL, if suspect traffic is received from an
   accept-listed source (2001:db8:1234::/48).  The structure of that PUT
   is the same as the one shown in Figure 4.


Best Regards
Wei Pan

发件人: Dots [mailto:dots-bounces@ietf.org] 代表 kaname nishizuka
发送时间: 2018年11月21日 9:50
收件人: dots@ietf.org<mailto:dots@ietf.org>
主题: [Dots] Fwd: I-D Action: draft-nishizuka-dots-signal-control-filtering-00.txt

Hi,

Base on the discussion of Bangkok interop: control data channel filtering via signal channel,
we've submitted the new draft for an extension to the DOTS signal channel to control the filtering rules during attack mitigation.

thanks,
Kaname Nishizuka



-------- Forwarded Message --------
Subject:

I-D Action: draft-nishizuka-dots-signal-control-filtering-00.txt

Date:

Tue, 20 Nov 2018 17:42:13 -0800

From:

internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

Reply-To:

internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

To:

i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>



A New Internet-Draft is available from the on-line Internet-Drafts directories.





        Title           : Controlling Filtering Rules Using DOTS Signal Channel

        Authors         : Kaname Nishizuka

                          Takahiko Nagata

                          Tirumaleswar Reddy

                          Mohamed Boucadair

    Filename        : draft-nishizuka-dots-signal-control-filtering-00.txt

    Pages           : 11

    Date            : 2018-11-20



Abstract:

   This document specifies an extension to the DOTS signal channel to

   control the filtering rules during attack mitigation.



   This extension allows a DOTS client to activate or de-activate

   filtering rules during a DDoS attack.  The characterization of these

   filters is supposed to be conveyed by a DOTS client during peace time

   by means of DOTS data channel.



Editorial Note (To be removed by RFC Editor)



   Please update these statements within the document with the RFC

   number to be assigned to this document:



   o  "This version of this YANG module is part of RFC XXXX;"



   o  "RFC XXXX: Controlling Filtering Rules Using DOTS Signal Channel";



   o  reference: RFC XXXX



   o  [RFCXXXX]



   Please update these statements with the RFC number to be assigned to

   the following documents:



   o  "RFC SSSS: Distributed Denial-of-Service Open Threat Signaling

      (DOTS) Signal Channel Specification" (used to be

      [I-D.ietf-dots-signal-channel])



   o  "RFC DDDD: Distributed Denial-of-Service Open Threat Signaling

      (DOTS) Data Channel Specification" (used to be

      [I-D.ietf-dots-data-channel])



   Please update the "revision" date of the YANG module.





The IETF datatracker status page for this draft is:

https://datatracker.ietf.org/doc/draft-nishizuka-dots-signal-control-filtering/



There are also htmlized versions available at:

https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-00

https://datatracker.ietf.org/doc/html/draft-nishizuka-dots-signal-control-filtering-00





Please note that it may take a couple of minutes from the time of submission

until the htmlized version and diff are available at tools.ietf.org.



Internet-Drafts are also available by anonymous FTP at:

ftp://ftp.ietf.org/internet-drafts/



_______________________________________________

I-D-Announce mailing list

I-D-Announce@ietf.org<mailto:I-D-Announce@ietf.org>

https://www.ietf..org/mailman/listinfo/i-d-announce<https://www.ietf.org/mailman/listinfo/i-d-announce>

Internet-Draft directories: http://www.ietf.org/shadow.html

or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

v2.23.0 | Report a Bug | By Email