Re: [Dots] Fwd: New Version Notification for draft-fu-dots-ipfix-extension-01.txt

kaname nishizuka <kaname@nttv6.jp> Tue, 12 July 2016 08:58 UTC

To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>
References: <C02846B1344F344EB4FAA6FA7AF481F12AF5BF2B@SZXEMA502-MBS.china.huawei.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <ba65d41c-3d43-2932-1020-7de38d615421@nttv6.jp>
Date: Tue, 12 Jul 2016 17:58:44 +0900
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/gSDH7amBpXqNmduHbW6ZEBi2L_s>
Cc: "Roman D. Danyliw" <rdd@cert.org>, Tobias Gondrom <tobias.gondrom@gondrom.org>
Subject: Re: [Dots] Fwd: New Version Notification for draft-fu-dots-ipfix-extension-01.txt

Hi Frank,

I think the content of the draft has changed dramatically in this revision.
Though I'm not sure that the DOTS WG is the most suitable place to handle the extension of IEs of IPFIX,
I added a comment in reply, especially from an operational viewpoint.

best regards,
kaname nishizuka

On 2016/06/14 18:40, Xialiang (Frank) wrote:
> Hi all,
> We submit a new version of this draft.
> Thanks for the discussion and comments from this WG; we try to clarify the puzzles and explain the real problem we want to solve and the solution in this updated document.
>
> Overall, we want to cover the following points in this version:
>
> 1. This document mainly concerns the attack telemetry information, such as the new telemetry information we need for attack detection, how to use it, etc.;
>
> 2. Current IPFIX and PSAMP standards do not support the detection of some connection-based and Zero-Day DDoS attacks well, which normally are the kinds of low & slow DDoS attack and are not as easy to inspect as flood attacks. In our draft, we analyze this point and clearly propose to use the connection sampling method (which is specified by IPFIX/PSAMP) with some extended new IPFIX IEs to fill the gap;
[clarifying question]
Is the connection sampling method equal to the filtering technique in RFC5475?

> 3. We also try to explain that the connection sampling method and the newly specified IPFIX IEs are very effective for detecting some categories of attack, and are feasible in the aspects of implementation, performance, and deployment;
The main concern regarding this proposal is the performance impact on the sampling process.
How can it select the connections which include an attack vector like slow DoS?
A description of some technique for selecting malicious connections out of a huge number of connections would be needed.

> 4. There are already some good solutions applied in today's networks for DDoS attack detection that run well, but some of them are proprietary and not standardized, and some of them are still not well suited to some kinds of attack. Our proposal will not conflict with them and is more intended to be a functional enhancement of the router/switch, or just another solution choice.
Many operators are using a coarse-to-fine approach.
They are using flow sampling for coarse detection and non-sampling methods like DPI for fine-grained detection.
Non-sampling methods could be more suitable than the newly specified IPFIX IEs to detect some categories of attacks.
Could you describe the technique of connection sampling in detail, which will not affect the performance of routers/switches?

> Any comments from you are warmly welcome!
>
> B.R.
> Frank
>
>
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: June 14, 2016 11:35
> To: limin 00223961; DaCheng Zhang; Futianfu; Dacheng Zhang; Xialiang (Frank)
> Subject: New Version Notification for draft-fu-dots-ipfix-extension-01.txt
>
>
> A new version of I-D, draft-fu-dots-ipfix-extension-01.txt
> has been successfully submitted by Liang Xia and posted to the IETF repository.
>
> Name:		draft-fu-dots-ipfix-extension
> Revision:	01
> Title:		IPFIX IE Extensions for DDoS Attack Detection
> Document date:	2016-06-14
> Group:		Individual Submission
> Pages:		21
> URL:            https://www.ietf.org/internet-drafts/draft-fu-dots-ipfix-extension-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-fu-dots-ipfix-extension/
> Htmlized:       https://tools.ietf.org/html/draft-fu-dots-ipfix-extension-01
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-fu-dots-ipfix-extension-01
>
> Abstract:
>     DDoS Open Threat Signaling (DOTS) Working Group is for developing
>     the standard signaling mechanisms, together with the DDoS related
>     telemetry and threat handling requests and data transmitted by them
>     used in DDoS problem space. Although IP Flow Information Export
>     (IPFIX), Packet Sampling (PSAMP), and Packet Selection methods are
>     useful for network security inspection, there are still some gaps
>     existing to identify some categories of DDoS attacks.  To fill in
>     the gaps, this document describes the connection sampling mechanism
>     and explains why it is needed for detecting DDoS attacks. It also
>     defines several new IPFIX Information Elements (IEs). Then, it
>     presents some examples to show how to use these new IPFIX IEs
>     together with the existing IPFIX IEs to detect specific DDoS attacks.
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
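The coarse-to-fine split discussed above (packet-sampled flow export for coarse detection, an unsampled per-connection view for the low-and-slow case), as an added example that is not part of the draft or of this thread. It uses only standard IPFIX IE names, not the draft's proposed new IEs; the flow records, the 1:1000 sampling rate and the thresholds are constructed for illustration.

```python
from collections import defaultdict

def flow(src, dst, pkts, octets, start_ms, end_ms):
    """One IPFIX-style flow record keyed by standard IE names."""
    return {"sourceIPv4Address": src, "destinationIPv4Address": dst,
            "packetDeltaCount": pkts, "octetDeltaCount": octets,
            "flowStartMilliseconds": start_ms, "flowEndMilliseconds": end_ms}

# Constructed sample: a 5-source flood to .10, a 200-connection low-and-slow
# attack to .20 (30 packets over 5 minutes each), one ordinary fetch to .30.
FLOWS = (
    [flow(f"198.51.100.{i}", "192.0.2.10", 200_000, 12_000_000, 0, 2_000) for i in range(5)]
    + [flow(f"203.0.113.{i}", "192.0.2.20", 30, 1_500, 0, 300_000) for i in range(1, 201)]
    + [flow("192.0.2.100", "192.0.2.30", 40, 50_000, 0, 800)]
)

def coarse_stage(flows, rate=1000):
    """Emulate count-based packet sampling (every `rate`-th packet, as an
    exporter would) and scale the sampled counts back up per destination."""
    estimate = defaultdict(int)
    counter = 0  # running packet index across all flows
    for f in flows:
        n = f["packetDeltaCount"]
        selected = (counter + n) // rate - counter // rate  # packets hit by the sampler
        estimate[f["destinationIPv4Address"]] += selected * rate
        counter += n
    return dict(estimate)

def fine_stage(flows, min_duration_ms=60_000, max_bytes_per_s=100.0):
    """Unsampled, per-connection view: count long-lived, low-rate connections
    per destination, the pattern a packet sampler barely sees."""
    slow = defaultdict(int)
    for f in flows:
        duration_ms = f["flowEndMilliseconds"] - f["flowStartMilliseconds"]
        if (duration_ms >= min_duration_ms
                and f["octetDeltaCount"] * 1000 / duration_ms <= max_bytes_per_s):
            slow[f["destinationIPv4Address"]] += 1
    return dict(slow)

def detect(flows, flood_pkts=100_000, slow_conns=100):
    verdicts = {}
    for dst, pkts in coarse_stage(flows).items():
        if pkts >= flood_pkts:
            verdicts[dst] = "flood"
    for dst, conns in fine_stage(flows).items():
        if conns >= slow_conns:
            verdicts.setdefault(dst, "low-and-slow")
    return verdicts
```

With these inputs the coarse stage estimates the flood correctly but sees only six sampled packets from the 200 slow connections, which is why the second, unsampled stage is needed for that verdict.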