Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Tue, 05 March 2019 11:31 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD571310BE; Tue, 5 Mar 2019 03:31:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_n83YRjnEPg; Tue, 5 Mar 2019 03:31:40 -0800 (PST)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C576131072; Tue, 5 Mar 2019 03:31:40 -0800 (PST)
Received: from sessfw99-sesbfw99-92.ericsson.net ([192.176.1.92] helo=[10.156.247.140]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1h18II-0003zt-Cb; Tue, 05 Mar 2019 12:31:34 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <BYAPR16MB2790CA5915717C58079425D6EA7E0@BYAPR16MB2790.namprd16.prod.outlook.com>
Date: Tue, 05 Mar 2019 12:31:32 +0100
Cc: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1368787E-C78D-417A-972D-95CF9CA790EB@kuehlewind.net>
References: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA23122@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <66BB8E3D-DEB6-43AC-AAEB-B6EB1A248865@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA232A6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA2346F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790CA5915717C58079425D6EA7E0@BYAPR16MB2790.namprd16.prod.outlook.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1551785500;377a713f;
X-HE-SMSGID: 1h18II-0003zt-Cb
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/e40jfVgPC72T_uuNYRX2E3yBRPk>
Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 11:31:44 -0000
Hi Tiru, thanks, the proposed text works well for me! Mirja > Am 21.02.2019 um 15:58 schrieb Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>: > >> -----Original Message----- >> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> >> Sent: Thursday, February 21, 2019 8:10 PM >> To: Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> >> Cc: dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The IESG >> <iesg@ietf.org>; draft-ietf-dots-requirements@ietf.org >> Subject: RE: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements- >> 18: (with DISCUSS and COMMENT) >> >> This email originated from outside of the organization. Do not click links or >> open attachments unless you recognize the sender and know the content is safe. >> >> Re-, >> >> My point is that combining RFC8085 and deployments where timers can be >> controlled/discovered is sufficient to fulfill the requirement. >> >> Of course, this does not guarantee that bindings are kept active if a NAT/FW >> assigns timers of less than 15 seconds...which is fair. The requirement does not >> ask for such guarantee. > > Agreed, I propose the following update to capture the discussion and addresses the comment: > > Channel Health Monitoring: DOTS agents MUST support exchange of heartbeat messages over the signal channel to monitor channel health. These keepalives serve the purpose to maintain any on-path NAT or Firewall bindings to avoid cryptographic handshake for new mitigation requests. The heartbeat interval during active mitigation could be negotiable based on NAT/Firewall characteristics. Absent information about the NAT/Firewall characteristics, DOTS agent needs to ensure its on-path NAT or Firewall bindings do not expire, by using the keep-alive frequency discussed in Section 3.5 of [RFC8085]. > > Cheers > -Tiru > >> >> Cheers, >> Med >> >>> -----Message d'origine----- >>> De : Mirja Kuehlewind (IETF) [mailto:ietf@kuehlewind.net] Envoyé : >>> jeudi 21 février 2019 14:46 À : BOUCADAIR Mohamed TGI/OLN Cc : >>> dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The >>> IESG; draft-ietf-dots-requirements@ietf.org >>> Objet : Re: [Dots] Mirja Kühlewind's Discuss on >>> draft-ietf-dots-requirements- >>> 18: (with DISCUSS and COMMENT) >>> >>> Hi Med, >>> >>> please see below. >>> >>>> Am 21.02.2019 um 13:17 schrieb mohamed.boucadair@orange.com: >>>> >>>>>>> 2) Also on this text in SIG-004: >>>>>>> "The heartbeat interval during active mitigation could be >>>>>>> negotiable, but MUST be frequent enough to maintain any on-path >>>>>>> NAT or Firewall bindings during mitigation. When TCP is used as >>>>>>> transport, the DOTS signal channel heartbeat messages need to be >>>>>>> frequent enough to maintain the TCP connection state." >>>>>>> >>>>>>> As Joe commented already, different heartbeats at different >>>>>>> layers can >>> be >>>>>>> used >>>>>>> at the same time for different purposes. You can use heartbeats >>>>>>> at the application layer to check service availability while e.g. >>>>>>> using a >>> higher >>>>>>> frequent heartbeat at the transport layer to maintain firewall >>>>>>> and NAT >>>>> state. >>>>>> >>>>>> [Med] Please note that the text you quoted is about "during active >>>>> mitigation". When no attack is ongoing, we do have the following >>>>> behavior which covers your comment: >>>>>> >>>>>> When DOTS agents are exchanging heartbeats and no >>>>>> mitigation request is active, either agent MAY request changes to >>>>>> the heartbeat rate. For example, a DOTS server might want to >>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>>> reduce heartbeat frequency or cease heartbeat exchanges when an >>>>>> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>>> active DOTS client has not requested mitigation, in order to >>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>>> control load. >>>>>> >>>>>>> The advantage to such an approach is that there is less >>>>>>> application >>> layer >>>>>>> overhead/load e.g. in scenarios where it might be expensive to >>>>>>> wake up >>> the >>>>>>> application or a server is already highly loaded. Also note that >>>>>>> the >>>>> time- >>>>>>> outs >>>>>>> values of NATs and firewalls on the path are usually unknown, >>>>>>> therefore >>> an >>>>>>> application can never rely on heartbeats (no matter at which >>>>>>> level) and >>>>> must >>>>>>> be >>>>>>> prepared to try to reconnect on the application layer if the >>>>>>> connection fails. >>>>>>> Usually, the main reason for using heartbeats to maintain NAT or >>> firewall >>>>>>> state >>>>>>> (vs. reconnect every time) in TCP is if the application is time- >>> sensitive >>>>> and >>>>>>> a >>>>>>> full TCP handshake takes too long for the desired service. I'm >>>>>>> not sure >>>>> that >>>>>>> the case for DOTS, however, I understand it may be beneficial to >>>>>>> have established state if an attack is on-going. >>>>>> >>>>>> [Med] This is important to avoid new handshakes when the client >>>>>> has to >>>>> request a mitigation. >>>>> >>>>> This is okay but could be spelled out more explicitly as a >>>>> requirement, rather than taking about the details of sending heartbeats. >>>>>> >>>>>>> >>>>>>> For UDP I guess it's more complicated in your case. Time-outs are >>> usually >>>>>>> very >>>>>>> short, however, state is created with the first packet of a flow >>>>>>> (as >>> there >>>>> is >>>>>>> no handshake in UDP). As you don't see blocking if state is >>>>>>> expired as >>> new >>>>>>> state is created immediately, it's kind of impossible to measure >>>>>>> the configured time-out values. Only if the firewall is under >>>>>>> attack it would start >>>>> blocking >>>>>>> UDP traffic that is has no state for yet. So I understand why it >>>>>>> is >>>>> desirable >>>>>>> to maintain UDP state for you, however, I don't understand how >>>>>>> you can >>>>> know >>>>>>> that your frequency is high enough to actually keep the state >>>>>>> open. Note >>>>> that >>>>>>> TCP time-outs are usually in the order of hours, while UDP >>>>>>> time-outs are usually in range of tens of seconds, and might >>>>>>> expire even quicker if a system is under attack. If that is a >>>>>>> scenario that is important for you, and assuming that not all >>>>>>> time-outs values on the path can be known, I guess it would >>>>> be >>>>>>> recommendable to use TCP instead. >>>>>>> >>>>>>> In any case this can not be a MUST requirement (as timers are >>>>>>> usually >>> not >>>>>>> known). I would recommend to state something like: >>>>>>> >>>>>>> "MAY be frequent enough to maintain NAT or firewall state, if >>>>>>> timer >>> values >>>>>>> are >>>>>>> known, or if TCP is used, SHOULD use in addition TCP heartbeats >>>>>>> to >>>>> maintain >>>>>>> the TCP connection state and reconnect immediately if a failure >>>>>>> is >>>>> detected." >>>>>>> >>>>>> >>>>>> [Med] The original wording is accurate and reflects the >>>>>> requirement of >>> the >>>>> WG. How this will be enforced is part of the solution/specification space. >>>>> >>>>> My hold point here is that >>>>> >>>>> "MUST be frequent enough to maintain any on-path NAT or Firewall >>>>> bindings during mitigation.“ >>>>> >>>>> cannot be a MUST requirement as the network time-out values are not >>>>> known >>> by >>>>> the endpoints. Therefore it is impossible to fulfill this requirement. >>>> >>>> [Med] Two comments here: >>>> * The requirement can be fulfilled by relying RFC8085 >>>> recommendations. This >>> is discussed in the spec documents. >>> >>> RFC8085 provide recommended value and limits, however, this does not >>> guarantee that the proposed values actually match the time-out values >>> as deployed on the path. >>> >>>> * there are deployments in which timers can be discovered (e.g., PCP >>> (RFC6887)). >>> >>> This does not work in all cases and the draft does not seem to require >>> the usage of anything like this. If a requirement is that the timeout >>> values MUST be known in the deployed scenario, then that should be >>> spelled out, however, I assume that is not your intention because that >>> would limit deployment heavily. >>> >>> Mirja >>> >
- [Dots] Mirja Kühlewind's Discuss on draft-ietf-do… Mirja Kühlewind
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Teague, Nik
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… mohamed.boucadair
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Konda, Tirumaleswar Reddy
- Re: [Dots] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)