IETF Logo Mail Archive

Re: [Dots] Opsdir last call review of draft-ietf-dots-requirements-16

<mohamed.boucadair@orange.com> Mon, 26 November 2018 07:31 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51227128CE4; Sun, 25 Nov 2018 23:31:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NS9LnDhvm0K0; Sun, 25 Nov 2018 23:31:54 -0800 (PST)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8956B130F02; Sun, 25 Nov 2018 23:31:53 -0800 (PST)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar21.francetelecom.fr (ESMTP service) with ESMTP id 433JWq5Mmhz7tT9; Mon, 26 Nov 2018 08:31:51 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.17]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 433JWq4SGvzCqkM; Mon, 26 Nov 2018 08:31:51 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM24.corporate.adroot.infra.ftgroup ([fe80::a1e6:3e6a:1f68:5f7e%18]) with mapi id 14.03.0415.000; Mon, 26 Nov 2018 08:31:51 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Scott Bradner <sob@sobco.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "draft-ietf-dots-requirements.all@ietf.org" <draft-ietf-dots-requirements.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Opsdir last call review of draft-ietf-dots-requirements-16
Thread-Index: AQHUhDUARqA1nFnmP0GlAEiOaOlZnaVhdQAAgAApvsA=
Date: Mon, 26 Nov 2018 07:31:50 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302E04D374@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <154309157569.4300.10419245253211850237@ietfa.amsl.com> <BN6PR16MB1425E843797A597B75D14A38EAD70@BN6PR16MB1425.namprd16.prod.outlook.com>
In-Reply-To: <BN6PR16MB1425E843797A597B75D14A38EAD70@BN6PR16MB1425.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dn1w_mOZ6T5HQy5GTWf-Po65N3U>
Subject: Re: [Dots] Opsdir last call review of draft-ietf-dots-requirements-16
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 07:31:56 -0000

Hi Tiru, all,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Dots [mailto:dots-bounces@ietf.org] De la part de Konda, Tirumaleswar
> Reddy
> Envoyé : lundi 26 novembre 2018 06:16
> À : Scott Bradner; ops-dir@ietf.org
> Cc : draft-ietf-dots-requirements.all@ietf.org; ietf@ietf.org; dots@ietf.org
> Objet : Re: [Dots] Opsdir last call review of draft-ietf-dots-requirements-16
> 
> Hi Scott,
> 
> Thanks for the review, Please see inline
> 
> > -----Original Message-----
> > From: Scott Bradner <sob@sobco.com>
> > Sent: Sunday, November 25, 2018 2:03 AM
> > To: ops-dir@ietf.org
> > Cc: draft-ietf-dots-requirements.all@ietf.org; ietf@ietf.org; dots@ietf.org
> > Subject: Opsdir last call review of draft-ietf-dots-requirements-16
> >
> > This email originated from outside of the organization. Do not click links
> or
> > open attachments unless you recognize the sender and know the content is
> safe.
> >
> > Reviewer: Scott Bradner
> > Review result: Has Nits
> >
> > This is an OPS-DIR review of Distributed Denial of Service (DDoS) Open
> Threat
> > Signaling Requirements (draft-ietf-dots-requirements)
> >
> > This document lists requirements for a protocol to used between providers
> of
> > DDOS mitigation services and users of such services, as such there can be
> no
> > direct operational issues with the document.  I also did not find any
> indirect
> > operational issues.
> >
> > I think the document would benefit from the addition of a section before
> the
> > requirements section that specifically describes the setup assumed by the
> > document. The descriptions before there hint at a presumed setup but a new
> > section that clearly states the setup would be helpful. (the setup appears
> to be
> > one where all network traffic to and from a protected entity flows through
> a
> > DDoS mitigation service provider.  The provider includes one or more DOTS
> > servers.  The protected entity includes one or more DOTS clients that
> > communicate with the DOTS servers)
> 
> The requirements drafts refers to the DOTS architecture draft that discusses
> the architectural relationships, components and concepts used in a DOTS
> deployment.
> 
> >
> > Requirement SIG-005 addresses channel redirection – maybe there needs to be
> > a way that clients can move to a new server on their own if they lose
> hearbeat
> > from the server they were using – that might include a way for a server to
> > provide a list of alternative servers to the clients
> 
> We can update SIG-004 requirement to say the following:
> 
> The DOTS client may be provided with a list of DOTS servers.

[Med] IMHO given that the requirements I-D points to the architecture I-D, we don't need to be redundant:

   The DOTS client may be provided with a list of DOTS servers, each
   associated with one or more IP addresses.  These addresses may or may
   not be of the same address family.  The DOTS client establishes one
   or more sessions by connecting to the provided DOTS server addresses.

But, of course it is not harmful to restate it if it helps the reader.

  If the DOTS
> client considers the signal channel is defunct due to the extended absence of
> DOTS server heartbeat, the DOTS client can establish  a new DOTS signal
> channel with the other DOTS servers in the list.
> 

[Med] Some comments here:
* I would not mix server selection/server migration with server redirection. That is, the proposed text is to be placed somewhere else in the I-D, not under SIG-004.
* I would not describe the behavior (e.g., if xxx, establish a new session) in the Requirements I-D, but focus on the expected functionality if we really need to say something. 
* A DOTS client provisioned with multiple dots server may already have other sessions established. How those sessions are established is policy-based. 
* Establishing a new session should be carefully considered to avoid, e.g., leaking information among servers not belonging to the same domain or oscillate between servers.
 
We can include a generic text such as the following:

  "Additional means to enhance the resilience of DOTS protocols, including when multiple DOTS servers are provisioned to the DOTS clients, SHOULD be considered." 


> -Tiru
> 
> >
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email