Re: [Dots] draft-ietf-dots-filter-control: acl updates

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 15 May 2019 07:11 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: draft-ietf-dots-filter-control: acl updates
Thread-Index: AdUKY25JElmJGCHmS8ShhhzPTbwDWQAiEOEw
Date: Wed, 15 May 2019 07:10:44 +0000
Message-ID: <BYAPR16MB279089B075158BFF8C8B2E5FEA090@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA7DAAF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA7DAAF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/emxc-jcCWz1WgHP3SIjS0K6P-FQ>
Subject: Re: [Dots] draft-ietf-dots-filter-control: acl updates

I don’t think approach (1) is a good idea because of out-of-order delivery of packets. Further, the anti-replay detection technique in DTLS uses a sliding window procedure. An MITM can possibly cache and drop the packets from the client, and replay the cached packets that fall within the sliding window. For instance, in the below example, the server could receive packets in the order T0, T4, T1, T2.

Monotonically increasing ‘mid’ is the only defense against this mechanism, and I don’t think the signal channel draft needs any update.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
Sent: Tuesday, May 14, 2019 8:14 PM
To: dots@ietf.org
Subject: [Dots] draft-ietf-dots-filter-control: acl updates

________________________________
Hi all,

The current version of the draft allows acl attributes to be included in requests with new or existing ‘mid’s. By ‘existing mid’, we meant an existing request which did not include acl attributes when the request was initially created. For such requests, the activation-type of the same acl can be changed as the attack evolves, or other ACLs can even be controlled. This is supposed to be covered by this text:

   When acl-* attributes are to be
   included in a mitigation request with an existing 'mid', the DOTS
   client MUST repeat all the other parameters as sent in the original
   mitigation request (i.e., having that 'mid') apart from a possible
   change to the lifetime parameter value.

For example:
T0: R(mid)
T1: R(mid, acl1, activation-type=value1)
T2: R(mid, acl2, activation-type=value2)
T3: R(mid, acl1, activation-type=value2)
T4: R(mid)
...

Now, if acl attributes are included in a request with a new mid, we need to specify how activation-type (and acl-list in general) can be updated. We do have two options:


  1.  Update the draft with this NEW text:

   If 'acl-list', 'acl-name', and 'activation-type' attributes are
   included in the initial mitigation request (that is, a mitigation
   request with a new 'mid'), the DOTS client may update the
   'acl-list' as an active attack evolves.  To do so, the DOTS
   client MUST repeat all the other parameters as sent in the original
   mitigation request apart from a possible change to the 'acl-list'
   and the lifetime parameter values.

   And the signal channel spec as follows:

   For a mitigation request to continue beyond the initial negotiated
   lifetime, the DOTS client has to refresh the current mitigation
   request by sending a new PUT request.  This PUT request MUST use the
   same 'mid' value, and MUST repeat all the other parameters as sent in
   the original mitigation request apart from a possible change to the
   lifetime parameter value or other changes to attributes defined in future extensions.
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For example:
T0: R(mid, acl1, activation-type=value1)
T1: R(mid, acl2, activation-type=value2)
T2: R(mid, acl1, activation-type=value2)
..



  2.  Require a new mid each time a client has to insert acl attributes.

For example:
T0: R(mid0)
T1: R(mid1, acl1, activation-type=value1)
T2: R(mid2, acl2, activation-type=value2)
T3: R(mid3, acl1, activation-type=value2)
...


Thoughts?

Cheers,
Med
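The delayed-replay scenario from the reply above (server receives T0, T4, T1, T2) run against both of Med's options, as an added example that is not part of the thread or of any DOTS implementation. The DTLS side follows the RFC 6347 / RFC 4303 sliding-window anti-replay procedure. The DOTS side is a simplified model with two stated assumptions: each accepted request replaces the server's current acl-list wholesale, and the server rejects a request whose 'mid' is lower than the highest 'mid' it has already accepted (the "monotonically increasing 'mid'" defense Tiru refers to). The activation-type values value1/value2 are the placeholders used in the thread.

```python
"""Delayed-replay simulation for the DOTS 'mid' / acl-list discussion.

Added example; not code from the DOTS drafts. The MITM caches the
client's T1 and T2 records, drops T3, lets T4 through, then replays
T1 and T2. DTLS accepts them because they are inside the window and
were never seen; only the 'mid' policy decides whether they take effect.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 64  # RFC 6347 suggests a window of at least 64 records


class DtlsAntiReplay:
    """Right-edge plus bitmap sliding window (RFC 4303 section 3.4.3)."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.right = -1   # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => seq (right - i) already seen

    def accept(self, seq: int) -> bool:
        if seq > self.right:
            shift = seq - self.right  # advance the right edge
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.window:
            return False  # older than the window: rejected
        if self.bitmap & (1 << offset):
            return False  # exact duplicate: rejected
        self.bitmap |= 1 << offset
        return True       # late but never seen: DTLS accepts it


@dataclass(frozen=True)
class MitigationRequest:
    seq: int  # DTLS record sequence number carrying the request
    mid: int
    acl_list: Tuple[Tuple[str, str], ...] = ()  # (acl-name, activation-type)


class DotsServer:
    """Assumption: acl-list is replaced wholesale; stale 'mid' is rejected."""

    def __init__(self) -> None:
        self.replay = DtlsAntiReplay()
        self.highest_mid = -1
        self.acls: Dict[str, str] = {}
        self.log: List[str] = []

    def receive(self, req: MitigationRequest) -> bool:
        if not self.replay.accept(req.seq):
            self.log.append(f"seq={req.seq}: dropped by DTLS anti-replay")
            return False
        if req.mid < self.highest_mid:
            self.log.append(f"seq={req.seq} mid={req.mid}: stale mid "
                            f"(highest accepted {self.highest_mid}), rejected")
            return False
        self.highest_mid = req.mid
        self.acls = dict(req.acl_list)
        self.log.append(f"seq={req.seq} mid={req.mid}: applied acl-list={self.acls}")
        return True


# Constructed client timeline T0..T4 (same for both options; only mids differ).
ACL_STEPS: List[Tuple[Tuple[str, str], ...]] = [
    (),                                         # T0: plain mitigation request
    (("acl1", "value1"),),                      # T1
    (("acl1", "value1"), ("acl2", "value2")),   # T2
    (("acl1", "value2"), ("acl2", "value2")),   # T3
    (),                                         # T4: client withdraws ACL control
]
MITM_DELIVERY_ORDER = [0, 4, 1, 2]  # Tiru's example; T3 never arrives


def client_sequence(option: int) -> List[MitigationRequest]:
    """Option 1: one 'mid' reused for every update. Option 2: a new 'mid' each time."""
    return [MitigationRequest(seq=t, mid=100 if option == 1 else 100 + t, acl_list=acls)
            for t, acls in enumerate(ACL_STEPS)]


def intended_state(option: int) -> Dict[str, str]:
    """What the client meant the server to hold after T4."""
    return dict(client_sequence(option)[-1].acl_list)


def run(option: int) -> Tuple[Dict[str, str], List[str]]:
    """Deliver the client's requests in the MITM-chosen order; return final acl state and log."""
    reqs = client_sequence(option)
    server = DotsServer()
    for t in MITM_DELIVERY_ORDER:
        server.receive(reqs[t])
    return server.acls, server.log


if __name__ == "__main__":
    for option in (1, 2):
        state, log = run(option)
        print(f"option {option}: final={state} intended={intended_state(option)}")
        for line in log:
            print("   ", line)
```

Under option 1 the server ends up holding T2's acl-list although the client's last request (T4) withdrew ACL control; DTLS let the delayed T1 and T2 through because they were inside the window and not duplicates. Under option 2 the same records carry mids 101 and 102, which are lower than the already-accepted 104, so the server discards them and its state matches the client's intent. Exact re-sends of an already-seen record are still caught by the DTLS window in both cases; the window only fails against originals the MITM held back.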