Re: [Dots] draft-fu-dots-ipfix-extension revised into draft-fu-dots-ipfix-tcp-tracking

Roland Dobbins <rdobbins@arbor.net> Thu, 16 March 2017 11:38 UTC

From: Roland Dobbins <rdobbins@arbor.net>
To: "dots@ietf.org" <dots@ietf.org>
Date: Thu, 16 Mar 2017 18:37:35 +0700
Message-ID: <707552ED-22FA-4455-9D9F-95A8670620F1@arbor.net>
In-Reply-To: <20170316110115.8499287.34698.143525@sandvine.com>
References: <F8F4995E43962F4996B280E9678CED0001538042@SZXEMI507-MBX.china.huawei.com> <359EC4B99E040048A7131E0F4E113AFC0104F19267@marathon> <F8F4995E43962F4996B280E9678CED00015389FC@SZXEMI507-MBX.china.huawei.com> <359EC4B99E040048A7131E0F4E113AFC0104F1C5A1@marathon> <F8F4995E43962F4996B280E9678CED0001538F0E@SZXEMI507-MBX.china.huawei.com> <20170316110115.8499287.34698.143525@sandvine.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/exjE912ZTU0qsZMFLYIvOlP_eeA>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>

On 16 Mar 2017, at 18:01, Dave Dolson wrote:

> Clearly these are intended to be collected by stateful devices that do 
> see both directions of traffic, not generic routers.

From draft-fu-dots-ipfix-extension:

'For a network device, such as a router, to detect anomaly TCP traffics, 
it has to understand the semantics of TCP operations, more specifically, 
it has to be able to track TCP connection states.  If a router has 
implemented such ability, it can export characteristics information 
regarding the TCP connections.'

It's pretty clear that the draft authors were in fact explicitly talking 
about generic routers, which is the source of some (but not all) 
previously-expressed objections.

There are also multiple incorrect statements and implied statements in 
the draft, which indicate a lack of awareness of the current state of 
the art in attack detection/classification utilizing existing telemetry 
capabilities.  Furthermore, the amount of state required to try and 
track the things highlighted in the draft is way more than even a 
stateful middlebox could handle for even a relatively small amount of 
traffic.

It's a lot more efficient to export the relevant telemetry to a 
collection/analysis system (which could in fact be an on-board 
power-sucking-alien general-purpose computer) and do this sort of thing 
there.  Trying to do these calculations and maintain this state in the 
data-plane is a non-starter at any kind of speed/scale.

Again, all this is out of scope for DOTS.  It would be more appropriate 
to talk to the appropriate AD and/or submit these to the registry for 
review, as Roman indicated.  It would be even more appropriate to 
implement them and see how well they actually work in practice before 
doing either.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
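
The collector-side approach argued for in the message above, as an added example that is not part of the original message or of either draft: a collector classifies ordinary unidirectional flow records by their cumulative TCP flags, keeping two counters per destination instead of per-connection state on the router. Record keys use IPFIX information element names; the addresses, flow counts and thresholds are constructed assumptions, and unsampled flow export is assumed.

```python
from collections import defaultdict

TCP, SYN, ACK = 6, 0x02, 0x10  # protocol number and TCP flag bits

def constructed_flows():
    """Constructed sample: unidirectional flow records as a router might export."""
    def rec(src, dst, proto, flags):
        return {"sourceIPv4Address": src, "destinationIPv4Address": dst,
                "protocolIdentifier": proto, "tcpControlBits": flags}
    flows = [rec(f"198.51.100.{i % 250 + 1}", "192.0.2.10", TCP, SYN)
             for i in range(200)]                       # SYNs never followed by an ACK
    flows += [rec(f"203.0.113.{i % 250 + 1}", "192.0.2.20", TCP, 0x1B)
              for i in range(150)]                      # SYN|ACK|PSH|FIN: completed sessions
    flows += [rec(f"203.0.113.{i + 1}", "192.0.2.20", TCP, SYN)
              for i in range(5)]                        # ordinary failed attempts
    flows.append(rec("203.0.113.9", "192.0.2.10", 17, 0))  # UDP, ignored
    return flows

def syn_only_counts(flows):
    """Return {destination: (syn_only_flows, tcp_flows)}.

    tcpControlBits is the OR of the flags seen on the flow's packets, so a
    client-to-server flow with SYN set and ACK clear never completed a handshake.
    The collector holds two counters per destination, not per-connection state.
    """
    counts = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["protocolIdentifier"] != TCP:
            continue
        c = counts[f["destinationIPv4Address"]]
        c[1] += 1
        if (f["tcpControlBits"] & (SYN | ACK)) == SYN:
            c[0] += 1
    return {dst: tuple(c) for dst, c in counts.items()}

def suspect_destinations(flows, min_flows=100, min_ratio=0.9):
    """Destinations where nearly all TCP flows are SYN-only (thresholds are assumptions)."""
    return sorted(dst for dst, (syn_only, total) in syn_only_counts(flows).items()
                  if total >= min_flows and syn_only / total >= min_ratio)

if __name__ == "__main__":
    print(syn_only_counts(constructed_flows()))
    print(suspect_destinations(constructed_flows()))
```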