IETF Logo Mail Archive

Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 16 January 2019 13:34 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B33F130F3B; Wed, 16 Jan 2019 05:34:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.553
X-Spam-Level:
X-Spam-Status: No, score=-11.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgmJRp74z6nz; Wed, 16 Jan 2019 05:34:14 -0800 (PST)
Received: from MIVWSMAILOUT1.mcafee.com (mivwsmailout1.mcafee.com [161.69.47.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77B66130F72; Wed, 16 Jan 2019 05:34:13 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1547645535; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-Transfer-Encoding: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=v LKOHaGfEGzyRxEFH43u9oq1/5k6XwD/2o/RYrzSOy 8=; b=YoSMETKCUzKexqltRYymAxmU5U7ZiTmkm6gHcGrGTsl3 4XrgoRXPQgfzOvqmkU2+USFxDpNWab4WMDuIgbiFMGO9ESUW5i NH/Uh57ZFtQYGzQQGcW9zcJeXPgA7OGWM6Taffh+VnDsgf14Co wsX47JYqrv/mf6mQ5nb+yifcT+I=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (DNVEXAPP1N06.corpzone.internalzone.com [10.44.48.90]) by MIVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 3ac2_7ecb_f5a572cc_bd0f_43d3_a6e4_f0a9c1bfaf39; Wed, 16 Jan 2019 07:32:15 -0600
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 16 Jan 2019 06:30:04 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Wed, 16 Jan 2019 06:30:04 -0700
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (10.44.176.241) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 16 Jan 2019 06:30:02 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2840.namprd16.prod.outlook.com (20.178.234.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.24; Wed, 16 Jan 2019 13:30:02 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.018; Wed, 16 Jan 2019 13:30:02 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
Thread-Index: AdSth/4V4uJk+YuhSsWU4l/lLLRChwAFrvyw
Date: Wed, 16 Jan 2019 13:30:01 +0000
Message-ID: <BYAPR16MB279064AFE1D99F1455E32466EA820@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA08269@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA08269@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [122.171.119.30]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2840; 6:lWI4YSh6SdyKN2tOLDZ2oUGM8KiARZgqJyloKnm4JqL+eg0pvGHldhvgiLHD9WkS0BblEVBtm8L62qEXpDb9NBg+1DMPab+NBMsjp+HLGdLu485vuSs/3bRZmQWNH1DOZWylnxdB5zy0UJbOHgmVwDMLvH8Pk3NMVD1vrWp/3a8racwawskIY2+2d1yGz5MSkxZNcIJ39Als9DZuPO7xqndQbt7ktZhcg7gw1oV8Aye/p7UBoZBWIU9lbfeWBrpfbZM6a10cK1yubiGORSbpJ+FJN0Kzx8cw5DVU5DwS7jESi9KdN0jfmcn291e7gWne7gfFChBLv2eobdQr2uwxiYm3t9iheaqB+Ld1gTRPhaA8gQyQl+ZOkmy+h085y5dAbUmweuaB9FB8vzPvZdKFDxq1oWI6e2IN4GxgD5BodkZo7pYWsUW9KC7jlsqDKgcUsAuP4iMDzkyQx4D+n1Gl6g==; 5:4D63kbrwIadB5Zv547rhhCCPQJ24HPz3+y9OPQDdjIqOhsQQKMyTtfeZu7jr2MovjGGv6FHKL7cIsDs66iY34PWNVpbVbi9tSfq5NDXXu/AFDx3ZjpcOk9lclLmPkmFCf4ieWC0/puVScFtt5I2TkWwFDMhciyAZqlAZNhVrNsB/ZtjPEUZcc6tlyrOjfyVng6pWJjg4M3taClrfFGn9/Q==; 7:wmB3KyUJGC2QrBS9Dc6yqXS0qQnJg0OUOhQlljYBrqT7P/e0VKfLLaYUJ1qobSMkQYxZzDvhnoAMvDkZnRW8DiGKNTNTm4wzOLCGCIhgVjaPzj0ijJs4s+ORNaMYttiE0CHDGPWow5IKoa2TBLSFxg==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d5d76de9-5391-4d43-ec3a-08d67bb6b82d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2840;
x-ms-traffictypediagnostic: BYAPR16MB2840:
x-microsoft-antispam-prvs: <BYAPR16MB2840D4D014A336465317E5D3EA820@BYAPR16MB2840.namprd16.prod.outlook.com>
x-forefront-prvs: 091949432C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(39860400002)(136003)(396003)(366004)(346002)(376002)(32952001)(189003)(53434003)(199004)(55784004)(13464003)(105586002)(71190400001)(305945005)(68736007)(7736002)(71200400001)(6116002)(3846002)(66066001)(6306002)(14454004)(72206003)(966005)(9686003)(316002)(99286004)(26005)(6246003)(2171002)(5660300001)(186003)(33656002)(4326008)(106356001)(110136005)(11346002)(53546011)(486006)(81156014)(446003)(97736004)(6436002)(6506007)(2501003)(53936002)(55016002)(80792005)(74316002)(7696005)(229853002)(81166006)(8936002)(2906002)(102836004)(478600001)(14444005)(76176011)(476003)(86362001)(256004)(25786009)(30864003)(78486014)(8676002)(85282002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2840; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PhK2ZohQ42Rb087DUYQYhPB4E5czd2qE+6UgSP9yOIxjo6cGE6N/KAmmHYieDDL54kjZM7ksTibophA8RIsCtjaZxmZesvyb0ZVPSP+gU5mGmGKFOfac/InSKdyglehkQT9caMIl/cw94UvDARqiW+mfmQEldhxXzv6bbJXcdedc65mSdunrWiiuy0N9UePpWe94qZY/rSQ6EigmMn+iBqa17D4xLAondO44ELtU1y2plwNqfXsTiU32Qpzkd7G9p2a4HCE467bUqnlnY7NZJGdR6csMRKKe61b1A9++uvuVKvLxKWjIPntcav58gbw/VQQER+UvLmmh5jlJzOtjQ3XQEUPoNP1csVMUOScQH7ugty+vOyKJb+5odr38KZ4SHty4qE9OKIjBidJwdg5yPFKyKNKRqRu+BfroKTfKDjU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d5d76de9-5391-4d43-ec3a-08d67bb6b82d
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2019 13:30:02.1644 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2840
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6461> : inlines <6994> : streams <1810250> : uri <2780807>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dubXv34-sHjVDE0D7sbZ4p2mgOQ>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 13:34:18 -0000

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of
> mohamed.boucadair@orange.com
> Sent: Wednesday, January 16, 2019 4:11 PM
> To: Benjamin Kaduk <kaduk@mit.edu>; draft-ietf-dots-signal-
> channel@ietf.org
> Cc: dots@ietf.org
> Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
> 
> 
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16
> > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org
> > Cc : dots@ietf.org
> > Objet : AD review of draft-ietf-dots-signal-channel-25
> >
> >
> > Section 4.4
> >
> >    GET:    DOTS clients may use the GET method to subscribe to DOTS
> >            server status messages, or to retrieve the list of its
> >            mitigations maintained by a DOTS server (Section 4.4.2).
> >
> > I'm not really a canonical HTTP expert, but I suspect that using GET
> > to "subscribe" will raise some eyebrows at later stages of review.
> 
> [Med] We are following RFC7641. I would be surprised if this is an issue.
> 
>  Maybe
> > we should just leave it as-is and wait for such review to arrive,
> > though, rather than trying to do something preemptively.
> 
> [Med] Yes.
> 
> >
> > I don't know if this is the proper section to talk about it, but we
> > should probably have some text justifying the use of application-layer
> > acknowledgment as opposed to just using Confirmable CoAP messages.
> 
> [Med] I'm not sure to understand this one. Which "application-layer
> acknowledgment" are you referring to?
> 
> >
> > Section 4.4.1
> >
> > If Figure 5 is going to use actual/example values for cuid and mid,
> > then I'd suggest also using actual/example values for the JSON fields
> > (instead of "integer" and "string" and such).
> 
> [Med] I split the figure into two so that we don't have this problem.
> 
> >
> >    cuid:  Stands for Client Unique Identifier.  A globally unique
> >       identifier that is meant to prevent collisions among DOTS clients,
> >       especially those from the same domain.  It MUST be generated by
> >       DOTS clients.
> >
> > In order to get global uniqueness we either need sufficient randomness
> > or a hierarchical allocation strategy.  Since we recommend a strategy
> > that involves hashing the (public) client certificate, we may also
> > want to note that this value does not need to be unguessable.  If a
> > random allocation is possible, I suggest giving guidance on how many
> > random bits must be used to sufficiently ensure global uniqueness (128
> > might be enough).
> 
> [Med] An attack vector that can be achieved if the cuid is guessable is if a
> misbehaving client from within the client's domain succeeds to be granted
> access by the server and then uses the cuid of another client of the domain
> to delete active mitigation/etc.
> 
> For this attack vector to happen, the misbehaving client needs to pass
> security validation checks by the server. Therefore, I'm not sure if it is worth
> to add an allocation reco given this perquisite.
> 
> Thoughts?

UUID discussed in https://tools.ietf.org/html/rfc4122 is another way of generating a globally unique identifier.  A compromised DOTS client can sniff the TLS 1.2 handshake, use the client certificate to identify the "cuid" used by another DOTS client. This attack is not possible with TLS 1.3 (TLS handshake is encrypted).

Cheers,
-Tiru

> 
> >
> >                           The output of the cryptographic hash algorithm
> >       is truncated to 16 bytes; truncation is done by stripping off the
> >       final 16 bytes.  The truncated output is base64url encoded.
> >
> > side note: Truncation to 128 bits reduces the collision resistance to
> > 64-bit strength, though this is probably acceptable in this use case.
> >
> >       DOTS servers MUST return 4.09 (Conflict) error code to a DOTS peer
> >       to notify that the 'cuid' is already in-use by another DOTS
> >       client.  Upon receipt of that error code, a new 'cuid' MUST be
> >       generated by the DOTS peer.
> >
> > Is there any way in which this situation could arise during some sort
> > of migration scenario?
> 
> [Med] This can be for example a client which does not follow the "SHOULD"
> for creating the cuid.
> 
> >
> >       Client-domain DOTS gateways MUST handle 'cuid' collision directly
> >       and it is RECOMMENDED that 'cuid' collision is handled directly by
> >       server-domain DOTS gateways.
> >
> > Is a gateway supposed to know if it is "client-side" or "server-side"
> > by explicit configuration or some more automatic method?
> 
> [Med] This can be done by an explicit configuration.
> 
> >
> >    'cuid' and 'mid' MUST NOT appear in the PUT request message body.
> >
> > Do we need to say this given that there's no obvious structure in
> > which to put them?  (That is, is this just a reminder to implementors
> > of a previous version of the draft versus guidance to new
> > implementations?)
> 
> [Med] We used to have those in the message body in previous versions of
> the spec/implementations. Furthermore, there are cases where "mid" is
> allowed to be included in the message body (e.g., PUT response). We
> included this note for implementers because of some behaviors observed
> during past interops.
> 
> >
> >       The prefix list MUST NOT include broadcast, loopback, or multicast
> >       addresses.  These addresses are considered as invalid values.
> > In
> >
> > Does "invalid" mean that the particular address gets ignored or that
> > the entire request is rejected?
> 
> [Med] The expected behavior is covered by this text:
> 
> " ... or contains invalid or unknown parameters, the DOTS server MUST reply
> with 4.00 (Bad Request)."
> 
> >
> >    target-fqdn:   A list of Fully Qualified Domain Names (FQDNs)
> >       identifying resources under attack.  An FQDN is the full name of a
> >       resource, rather than just its hostname.  For example, "venera" is
> >       a hostname, and "venera.isi.edu" is an FQDN [RFC1983].
> >
> > I would suggest referring to draft-ietf-dnsop-terminology-bis rather
> > than trying to reproduce a definition of FQDN.
> >
> 
> [Med] I added an informative reference to draft-ietf-dnsop-terminology-bis.
> 
> > We also may want to note that the DNS view can change depending on the
> > vantage point used to make the observation.
> 
> [Med] Not sure what to do with this one given that the text says:
> 
> "How a name is passed to an underlying name resolution library is
> implementation- and deployment-specific."
> 
> >
> > On page 18 we say that server-domain DOTS gateways "MUST supply [...]
> > 'cdid'", but the previous paragraph says that there SHOULD be a
> > configuration option for whether to insert 'cdid' on such systems.
> > The two requirements are in conflict; which was intended?  (I assume
> > the MUST -- why would it be desired to not have the information
> > available?)
> 
> [Med] This text is about gateways that are instructed to insert the cdid
> parameter. gateways facing a client's domain are in this case.
> 
> I updated the text with "server-domain DOTS gateways instructed to insert
> the 'cdid' parameter MUST supply.."
> 
> >
> > The same paragraph also says that the 'cdid' is "likely to be the same
> > as" the 'cuid', though in addition to the listed reasons the client
> > only has a SHOULD requirement to follow this procedure for generating
> > 'cuid'; it may be worth noting the client's leeway here as well.
> 
> [Med] Yes, this is why we have "likely" in the text.
> 
> >
> >       If a DOTS client is provisioned, for example, with distinct
> >       certificates as a function of the peer server-domain DOTS gateway,
> >       distinct 'cdid' values may be supplied by a server-domain DOTS
> >       gateway.  The ultimate DOTS server MUST treat those 'cdid' values
> >       as equivalent.
> >
> > Is this paragraph trying to say that a client might supply different
> > certs to different gateways in the same domain
> 
> [Med] Yes.
> 
>  (e.g., if one such
> > gateway does not support ecdsa certs)?  It was pretty confusing on the
> > first read, in particular how the ultimate DOTS server would know that
> > the different 'cdid' values actually correspond to the same client
> > [domain].
> 
> [Med] This is supposed to be provisioned on the server. This is deployment-
> specific; hence no mention in the draft.
> 
> >
> >       DOTS servers MUST ignore 'cdid' attributes that are directly
> >       supplied by source DOTS clients or client-domain DOTS gateways.
> >       This implies that first server-domain DOTS gateways MUST strip
> >       'cdid' attributes supplied by DOTS clients.  DOTS servers SHOULD
> >       support a configuration parameter to identify DOTS gateways that
> >       are trusted to supply 'cdid' attributes.
> >
> > Is there any mechanism (e.g., autodetection) other than this by which
> > servers/proxies can learn about the topology information needed to
> > fulfil these requirements?
> 
> [Med] I'm not aware of such mechanism.
> 
> >
> >    Because of the complexity to handle partial failure cases, this
> >    specification does not allow for including multiple mitigation
> >    requests in the same PUT request.  Concretely, a DOTS client MUST NOT
> >    include multiple 'scope' parameters in the same PUT request.
> >
> > "multiple 'scope' parameters" reads like a CBOR object with duplicate
> > keys; is this intended to refer to a multi-valued array?
> 
> [Med] What is intended is that the scope list should include only one entry..
> 
> I can change to "multiple 'scope' clauses"
> 
> >
> >    The DOTS server couples the DOTS signal and data channel sessions
> >    using the DOTS client identity and optionally the 'cdid' parameter
> >
> > This requires the client to use the same certificate to authenticate
> > the signal and data channels to a given server (even when a gateway is
> > in use).  Above, we discussed cases where a client might have multiple
> > certificates available.
> 
> [Med] Actually, the text above applies also if distinct certificates are used.
> Equivalent "client identity" are supposed to be known to the server by an
> out of band means. In all cases, the identity (same or equivalent) is used to
> couple the sessions.
> 
>   Where do we specify the requirement to use the
> > same certificate for signal and data channels?
> 
> [Med] We don't have such requirement in existing DOTS documents.
> 
> >
> >                                                DOTS agents can safely
> >    ignore Vendor-Specific parameters they don't understand.
> >
> > This is not a very useful statemnet if the agent must know that a
> > parameter is vendor-specific in order to safely ignore it.
> 
> [Med] The agent relies on the cbor key value to determine that a parameter
> can be safely ignored or not (comprehension-required). A range of keys is
> reserved for comprehension-optional. An agent checks the range to which
> belong a parameter, and then behaves accordingly.
> 
> >
> >    If the DOTS server does not find the 'mid' parameter value conveyed
> >    in the PUT request in its configuration data, it MAY accept the
> >    mitigation request by sending back a 2.01 (Created) response to the
> >    DOTS client; the DOTS server will consequently try to mitigate the
> >    attack.
> >
> >    If the DOTS server finds the 'mid' parameter value conveyed in the
> >    PUT request in its configuration data bound to that DOTS client, it
> >    MAY update the mitigation request, and a 2.04 (Changed) response is
> >    returned to indicate a successful update of the mitigation request.
> >
> > There are two "MAY"s spread across these two paragraphs; do we want to
> > say anything about in what cases the server might want to have
> > different behavior (i.e., ignore the MAY)?
> >
> 
> [Med] For the first MAY, a typical example is when a rate limit is enforced:
> 
>    Rate-limiting DOTS requests, including those with new 'cuid' values,
>    from the same DOTS client defends against DoS attacks that would
>    result in varying the 'cuid' to exhaust DOTS server resources.  Rate-
>    limit policies SHOULD be enforced on DOTS gateways (if deployed) and
>    DOTS servers
> 
> For the second MAY, the server may have more visibility on the attack and
> then may decide to update accordingly.
> 
> I don't know if it is worth to add examples. Any preference?
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email