Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue

"Jon Shallow" <supjps-ietf@jpshallow.com> Mon, 29 April 2019 09:40 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97E2F1200C3 for <dots@ietfa.amsl.com>; Mon, 29 Apr 2019 02:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jiQYdVSqD5Cr for <dots@ietfa.amsl.com>; Mon, 29 Apr 2019 02:40:38 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 957AA12001B for <dots@ietf.org>; Mon, 29 Apr 2019 02:40:38 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.91) (envelope-from <jon.shallow@jpshallow.com>) id 1hL2m1-0003ar-M3; Mon, 29 Apr 2019 10:40:33 +0100
From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: "'Konda, Tirumaleswar Reddy'" <TirumaleswarReddy_Konda@mcafee.com>, <mohamed.boucadair@orange.com>, "kaname nishizuka" <kaname@nttv6.jp>, <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93302EA649B4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp> <012601d4fb49$3328c000$997a4000$@jpshallow.com> <BYAPR16MB279020119E24ADCB54B339E3EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6591A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27903D8D208FA3AC951FDEE4EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA65AD6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279013E8029BE0294293A333EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6623D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790146175B845622B2EF438EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6649C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27909F467FFE57F380015E94EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA66FEC@OPEXCAUBMA2.c orporate.adroo t.infra.ftgroup> <BYAPR16MB279071FE429E252221521470EA390@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA67156@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790D9396449CF75422C010CEA390@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790D9396449CF75422C010CEA390@BYAPR16MB2790.namprd16.prod.outlook.com>
Date: Mon, 29 Apr 2019 10:40:33 +0100
Message-ID: <03f901d4fe6f$98f00a00$cad01e00$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJQEGP+1iseERi2OTPcLXp1W/83ywIpkhMbAavtnMUChxPz1wD32vTSASwkWbADAaBxcAEHrc8OAf+TrikBMzqEGAE6ytM+AexiOccBac8EEQHsepgcAihEijwBhMPb9KSNgRhw
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ey1RMc_S8n14yXJ1BXl28kS-mFw>
Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2019 09:40:41 -0000

Hi,

See inline,

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
> Sent: 29 April 2019 10:22
> To: mohamed.boucadair@orange.com; Jon Shallow; 'kaname nishizuka';
> dots@ietf.org
> Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> <mohamed.boucadair@orange.com>
> > Sent: Monday, April 29, 2019 2:46 PM
> > To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>;
> > Jon Shallow <supjps-ietf@jpshallow.com>; 'kaname nishizuka'
> > <kaname@nttv6.jp>; dots@ietf.org
> > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> >
> > This email originated from outside of the organization. Do not click links or
> open
> > attachments unless you recognize the sender and know the content is safe.
> >
> > (Focusing on this particular point).
> >
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : lundi 29 avril 2019 10:52
> > > À : BOUCADAIR Mohamed TGI/OLN; Jon Shallow; 'kaname nishizuka';
> > > dots@ietf.org Objet : RE: [Dots]
> > > (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > >
> > > > > >
> > > > > >  ACL-specific stats and mitigation stats will give a clear
> > > > > > > picture of the traffic rate-limited, bad traffic dropped by
> > > > > > > the DDoS mitigation system, and using these stats the DOTS
> > > > > > > client can heuristically determine the amount of legitimate
> > > > > > > traffic dropped because of rate-limit and the impact of the attack
> on its
> > service.
> > > > > >
> > > > > > [Med] The impact can be observed locally (e.g., bad QoS,
> > > > > > inability to
> > > > > access a
> > > > > > service, instable connectivity, etc.). I still don’t see how
> > > > > > sharing the
> > > > > ACL stats
> > > > > > will be helpful here.
> > > > > >
> > > > > > A DOTS client can preinstall the same rate-limit filter with but
> > > > > > with
> > > > > different
> > > > > > policies. It can select the appropriate ACL to
> > > > > > activate/deactivate based on local experience.
> > > > >
> > > > > I don't get how the local experience will help the client pick an
> > > > > alternate mitigation provider who can handle the attack scale.
> > > >
> > > > [Med] Modern CPEs include automated features to assess the
> > > > availability of services such as VoIP, IPTV, etc. The DOTS client
> > > > can be fed with input
> > > from
> > > > these modules and react accordingly.
> >
> > [Med] s/client/server.

Is this correct?

> >
> > >
> > > I meant the target network cannot infer the amount of legitimate
> > > traffic (or infer the number of users) unable to use its service
> > > because of the rate- limit action.
> > >
> >
> > [Med] The amount of traffic is not required to assess the availability of
> > "nominal" services (the example above). What is really important is
> whether
> > some critical services are available. That information can be determined
> without
> > needing the ACL stats.
> 
> I am not referring to "nominal" services or critical resources. For instance,
> consider Netflix is not accessible to a large number
> of users because of the rate-limit action.

The DOTS server will have a limited (only because they have to be previously defined) set of (possibly inactivated) ACLS on the server.  If the "standard" white/black list are unable to bring the inbound pipe back to not being flooded, then a (likely global for the DOTS client's networks) Rate-Limit ACL must be brought in.  Once the Inbound pipe is available, then analysis of the data reaching the DOTs client will show the top users which then need their own limiting (black or rate-limit) ACL set up over the data channel.  At this point the Rate-Limit ACL can removed to see if things are stable again.
[I agree that the CPE may not have this top usage capability]

If Netflix (or similar) has a priority when under attack, then this needs to be added into a White ACL which can be done once the inbound pipe is not flooded (or be a part of the standard white lists)

~jon

> 
> -Tiru
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots