Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking
Roland Dobbins <rdobbins@arbor.net> Thu, 16 March 2017 11:38 UTC
From: Roland Dobbins <rdobbins@arbor.net>
To: "dots@ietf.org" <dots@ietf.org>
Date: Thu, 16 Mar 2017 18:37:35 +0700
Message-ID: <707552ED-22FA-4455-9D9F-95A8670620F1@arbor.net>
In-Reply-To: <20170316110115.8499287.34698.143525@sandvine.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/exjE912ZTU0qsZMFLYIvOlP_eeA>

On 16 Mar 2017, at 18:01, Dave Dolson wrote:

> Clearly these are intended to be collected by stateful devices that do
> see both directions of traffic, not generic routers.

From draft-fu-dots-ipfix-extension:

'For a network device, such as a router, to detect anomaly TCP traffics, it has to understand the semantics of TCP operations, more specifically, it has to be able to track TCP connection states. If a router has implemented such ability, it can export characteristics information regarding the TCP connections.'

It's pretty clear that the draft authors were in fact explicitly talking about generic routers, which is the source of some (but not all) previously-expressed objections.

There are also multiple incorrect statements and implied statements in the draft, which indicate a lack of awareness of the current state of the art in attack detection/classification utilizing existing telemetry capabilities.

Furthermore, the amount of state required to try and track the things highlighted in the draft is way more than even a stateful middlebox could handle for even a relatively small amount of traffic. It's a lot more efficient to export the relevant telemetry to a collection/analysis system (which could in fact be an on-board power-sucking-alien general-purpose computer) and do this sort of thing there. Trying to do these calculations and maintain this state in the data-plane is a non-starter at any kind of speed/scale.

Again, all this is out of scope for DOTS. It would be more appropriate to talk to the appropriate AD and/or submit these to the registry for review, as Roman indicated.

It would be even more appropriate to implement them and see how well they actually work in practice before doing either.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>