Re: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
mohamed.boucadair@orange.com Fri, 03 April 2020 08:24 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82CE63A142F for <dots@ietfa.amsl.com>; Fri, 3 Apr 2020 01:24:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.599
X-Spam-Level:
X-Spam-Status: No, score=-1.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_BTC_ID=0.499, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgPHdE_QERhf for <dots@ietfa.amsl.com>; Fri, 3 Apr 2020 01:24:05 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B07653A1403 for <dots@ietf.org>; Fri, 3 Apr 2020 01:24:04 -0700 (PDT)
Received: from opfedar03.francetelecom.fr (unknown [xx.xx.xx.5]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 48ttJ319t2zFq99; Fri, 3 Apr 2020 10:24:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1585902243; bh=XsR9ZofUSitNV3rUF5ByJdgmqTzKLFr/tnxlC8lHFYQ=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=J9Zoct5hxuaCOj+9H4c93YT9PL1mJKqq2MSNMA6wRUVherJjzU2YswbbpMpuI5Rah gUTdSBNeqf+c/0Q7k7Sgo+UJfH0LIBEJtTGdQovCzpTOeI4rA/32XbATM7JFlc8KhS N0Af1WQIpmh7/LwGV8s7Gut3TVYmgkttqC4/ksI6moZT2q9z5u0bCyd+FU5aLlQaJ8 mAvlvbSRh1rSQciYUiYD+weDX16U1IVW8VeqMjwiwvJskjjobv2+fKsgzMThS3NS42 Y4FchuGJFHbsziZ+tCUk6U4/+GovZ+8wz2UCL+Oo/Pe+M9zycUpmZzneNnS49um9BH 2tQnGVpBruuWA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.38]) by opfedar03.francetelecom.fr (ESMTP service) with ESMTP id 48ttJ305Z0zCqkY; Fri, 3 Apr 2020 10:24:03 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
Thread-Index: AQKpDKSlae91Qx1rveAaG4y93fawwwGS0CN0ActngzYBop/8/AGLlQYiAqtlZCwC5xXv2wJXxJ8rAWqlVlgB+pAcCQK0mLlyAOa0qGymFG2a0IAAsLmggAAwQqA=
Date: Fri, 03 Apr 2020 08:24:02 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303148D71C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <158532456961.24330.9684049527965442282@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93303148203F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0acd01d60458$9df439f0$d9dcadd0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031482353@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0b7501d604f9$40fd53c0$c2f7fb40$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031483683@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0db001d606d0$3f6312b0$be293810$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031489524@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0ed901d6079d$ad34b1e0$079e15a0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303148B373@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <101201d60868$affd91a0$0ff8b4e0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303148D091@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <112b01d60927$b2ae7300$180b5900$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303148D4EE@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93303148D4EE@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/gfX9-NOGuUDZ2e8nGxWbCPmFPag>
Subject: Re: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 08:24:07 -0000
Jon, FWIW, the proposed change on the tree diagram can be seen here: https://github.com/boucadair/draft-dots-telemetry/commit/ea7c2101c4d3f748808c25fa85900fca7bca273b#diff-37c9ec7a9a8498c6dc3829deef79b5e7 Of course, this is a proposal for discussion. Cheers, Med > -----Message d'origine----- > De : Dots [mailto:dots-bounces@ietf.org] De la part de > mohamed.boucadair@orange.com > Envoyé : vendredi 3 avril 2020 07:54 > À : Jon Shallow; Konda, Tirumaleswar Reddy; kaname nishizuka > Cc : dots@ietf.org > Objet : Re: [Dots] New Version Notification for draft-ietf-dots- > telemetry-05.txt > > Hi Jon, > > Moving the discussion to the WG list as this is an important design > change we need to make. > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] > > Envoyé : jeudi 2 avril 2020 21:49 > > À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname > > nishizuka > > Objet : RE: [Dots] New Version Notification for draft-ietf-dots- > > telemetry-05.txt > > > > Stepping back to look at the bigger picture, I think that I would be > > more interested in the detail of a potentially multi-vectored > mutating > > attack, and so question whether having target-protocol as an overall > > restrictive view of all the detail makes sense. It is easier to > > filter out data that I do not want / care about after receiving it. > > The remote peer may not have the same view of what to send v what I > am > > interested in. > > > > [I am concerned about over-filling a packet and having to go into > CoAP > > Block2 mode though which will fail on a saturated link. I have not > > done any sizing of that yet with genuine attack information] > > > > So, for the /tm and /tm-setup stuff do we really need target- > protocol > > and could just have protocol as an optional, but array, entity? > > [Med] It is important to provide details per protocol as this will > help identifying abnormal patterns. > > We could associate 0 to mean "all" protocols but I know this will hurt > many. We can consider the following change: > > OLD > > | +--rw baseline* [id] > | +--rw id uint32 > | +--rw target-prefix* inet:ip- > prefix > | +--rw target-port-range* [lower-port] > | | +--rw lower-port inet:port-number > | | +--rw upper-port? inet:port-number > | +--rw target-protocol* uint8 > | +--rw target-fqdn* inet:domain- > name > | +--rw target-uri* inet:uri > | +--rw total-traffic-normal-baseline* [unit > protocol] > | | +--rw unit unit > | | +--rw protocol uint8 > | | +--rw low-percentile-g? yang:gauge64 > | | +--rw mid-percentile-g? yang:gauge64 > | | +--rw high-percentile-g? yang:gauge64 > | | +--rw peak-g? yang:gauge64 > > NEW: > > | +--:(baseline) > | +--rw baseline* [id] > | +--rw id uint32 > | +--rw target-prefix* inet:ip- > prefix > | +--rw target-port-range* [lower-port] > | | +--rw lower-port inet:port-number > | | +--rw upper-port? inet:port-number > | +--rw target-protocol* uint8 > | +--rw target-fqdn* > inet:domain-name > | +--rw target-uri* inet:uri > | +--rw alias-name* string > | +--rw total-traffic-normal* [unit] > | | +--rw unit unit > | | +--rw low-percentile-g? yang:gauge64 > | | +--rw mid-percentile-g? yang:gauge64 > | | +--rw high-percentile-g? yang:gauge64 > | | +--rw peak-g? yang:gauge64 > | +--rw total-traffic-normal-per-protocol* [unit > protocol] > | | +--rw unit unit > | | +--rw protocol uint8 > | | +--rw low-percentile-g? yang:gauge64 > | | +--rw mid-percentile-g? yang:gauge64 > | | +--rw high-percentile-g? yang:gauge64 > | | +--rw peak-g? yang:gauge64 > > Of course, the protocol must be listed in target-protocol (if > present). > > > > > Then for /mitigate, target-protocol is ignored in deciding what to > > send back, but the use of an optional protocol array can reduce some > > of the packet size. > > > > total-attack-connection / total-connection-capacity will only be > for > > connection based connections - primarily TCP I suspect. > > [Med] Agree. > > However > > (target) ports may be relevant here - a server may be able to > support > > X HTTPS connections, but only Y DNS (TCP) connections - or a load- > > balancer in the path is only capable of handling Z connections - no > > matter what the port is.. So, do we want to introduce optional > ports? > > [Med] These ports have to be listed in target-port-range (if present). > If we include port to the existing list, we can't maintain two entries > for the same protocol but with distinct port. It may be more simple to > make this change: > > OLD: > | +--rw total-connection-capacity* [protocol] > | +--rw protocol uint8 > | +--rw connection? uint64 > | +--rw connection-client? uint64 > | +--rw embryonic? uint64 > | +--rw embryonic-client? uint64 > | +--rw connection-ps? uint64 > | +--rw connection-client-ps? uint64 > | +--rw request-ps? uint64 > | +--rw request-client-ps? uint64 > | +--rw partial-request-ps? uint64 > | +--rw partial-request-client-ps? uint64 > > NEW: > > | +--rw total-connection-capacity* [protocol] > | | +--rw protocol uint8 > | | +--rw connection? uint64 > | | +--rw connection-client? uint64 > | | +--rw embryonic? uint64 > | | +--rw embryonic-client? uint64 > | | +--rw connection-ps? uint64 > | | +--rw connection-client-ps? uint64 > | | +--rw request-ps? uint64 > | | +--rw request-client-ps? uint64 > | | +--rw partial-request-ps? uint64 > | | +--rw partial-request-client-ps? uint64 > | +--rw total-connection-capacity-per-port* [protocol > lower-port] > | +--rw protocol uint8 > | +--rw lower-port inet:port- > number > | +--rw connection? uint64 > | +--rw connection-client? uint64 > | +--rw embryonic? uint64 > | +--rw embryonic-client? uint64 > | +--rw connection-ps? uint64 > | +--rw connection-client-ps? uint64 > | +--rw request-ps? uint64 > | +--rw request-client-ps? uint64 > | +--rw partial-request-ps? uint64 > | +--rw partial-request-client-ps? uint64 > > > > > > > NEW: > > > > "Sending a DELETE with no 'tmid' indicates that all 'tmids' must > > be > > > > deactivated." > > > > > > > > I found this (but I prefer your addition for consistency) > > > > A DOTS client that lost the state of its active 'tmids' or has to > > set > > 'tmid' back to zero (e.g., crash or restart) MUST send a GET > > request > > to the DOTS server to retrieve the list of active 'tmid'. The > DOTS > > client may then delete 'tmids' that should not be active anymore. > > > > [Med] Yes. The NEW text will be right after this one. > > > Other minor nits > > > > OLD > > attack-severity: Attack severity. These values are supported: > > Emergency (1), critical (2), and alert (3). > > NEW (case of emergency) > > attack-severity: Attack severity. These values are supported: > > emergency (1), critical (2), and alert (3). > > > > OLD > > tmid: Telemetry Identifier is an identifier for the DOTS pre-or- > > ongoing-mitigation telemetry data represented as an integer. > > This identifier MUST be generated by DOTS clients. 'tsid' > > values > > NEW tsid -> tmid > > tmid: Telemetry Identifier is an identifier for the DOTS pre-or- > > ongoing-mitigation telemetry data represented as an integer. > > This identifier MUST be generated by DOTS clients. 'tmid' > > values > > > > [Med] Fixed. Thanks. > > > Regards > > > > Jon > > > > > > > -----Original Message----- > > > From: mohamed.boucadair@orange.com > > [mailto:mohamed.boucadair@orange.com] > > > Sent: 02 April 2020 19:42 > > > To: Jon Shallow; Konda, Tirumaleswar Reddy; kaname nishizuka > > > Subject: RE: [Dots] New Version Notification for draft-ietf-dots- > > telemetry-05.txt > > > > > > Re-, > > > > > > The same issue applies as well for the baseline component: > > > > > > If we convey multiple protocols in target-prefix and want to > signal > > all total- > > > traffic-normal-baseline + total-traffic-normal-baseline of each > > protocol listed in > > > target-prefix, we will need to have to use an index in addition to > > the unit. > > > Protocol can then become optional. The same apply for total- > > connection- > > > capacity. > > > > > > I need to think about this further. > > > > > > Cheers, > > > Med > > > > > > > -----Message d'origine----- > > > > De : BOUCADAIR Mohamed TGI/OLN > > > > Envoyé : jeudi 2 avril 2020 19:29 > > > > À : 'Jon Shallow'; Konda, Tirumaleswar Reddy; kaname nishizuka > > > > Objet : RE: [Dots] New Version Notification for draft-ietf-dots- > > > > telemetry-05.txt > > > > > > > > Hi Jon, > > > > > > > > Please see inline. > > > > > > > > Cheers, > > > > Med > > > > > > > > > -----Message d'origine----- > > > > > De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] > > > > > Envoyé : mercredi 1 avril 2020 23:01 > > > > > À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; > kaname > > > > > nishizuka > > > > > Objet : RE: [Dots] New Version Notification for draft-ietf- > dots- > > > > > telemetry-05.txt > > > > > > > > > > Hi Med et al, > > > > > > > > > > Other nits (as well as 2 following sections) > > > > > > > > > > OLD: > > > > > > > > > > ongoing-mitigation telemetry data from the DOTS server. > The > > GET > > > > > request specify a 'tmid' (Figure 31) or not (Figure 32). > > > > > > > > > > NEW: > > > > > > > > > > ongoing-mitigation telemetry data from the DOTS server. > The > > GET > > > > > request specifies a 'tmid' (Figure 31) or not (Figure 32). > > > > > > > > > > > > > [Med] Fixed. > > > > > > > > > > > > > DELETE /tm > > > > > > > > > > Does no tmid= delete all tmids ? > > > > > - In particular after a restart of a client? > > > > > > > > > > > > > [Med] Yes, they should be "deactivated". > > > > > > > > NEW: > > > > "Sending a DELETE with no 'tmid' indicates that all 'tmids' must > > be > > > > deactivated." > > > > > > > > > > > > > > > > .. The below is coming from what the server sends to the > > client > > > > > perspective. I > > > > > > accept that in the client sending to the server having > target- > > > > > protocol and > > > > > > protocol may give rise to some potential confusion... > > > > > > > > > > > > > > [Med] Let's see how to avoid the inconsistency. The YANG module > is > > > > currently reflecting the text we have I draft-ietf-dots- > telemetry- > > > > 04#section-7.1. We need to check that section to see where the > > per- > > > > transport is mentioned and make sure we don't break things. > > > > > > > > For example, if protocol is present in the target, we to avoid > > > > conflicting (and redundant) information to be supplied in the > > > > telemetry data. > > > > > > > > > > > > > > > > > > In terms of protocol, there are still some consistencies > > even if > > > > > you accept the > > > > > > > argument that protocol is already defined in the > mitigation > > > > scope > > > > > (which I am > > > > > > > not happy with). > > > > > > > > > > > > > > 1) target-protocol is optionally set and it is an array > > whereas > > > > > protocol is > > > > > > singular > > > > > > > > > > > > > > 2) protocol is defined mitigation scope augment as per > > > > > > > module: ietf-dots-telemetry > > > > > > > augment /ietf-signal:dots-signal/ietf-signal:message- > > > > type/ietf- > > > > > > signal:mitigation- > > > > > > > scope/ietf-signal:scope: > > > > > > > +--ro total-traffic* [unit protocol] {dots-telemetry}? > > > > > > > | +--ro unit unit > > > > > > > | +--ro protocol uint8 > > > > > > > | +--ro low-percentile-g? yang:gauge64 > > > > > > > | +--ro mid-percentile-g? yang:gauge64 > > > > > > > | +--ro high-percentile-g? yang:gauge64 > > > > > > > | +--ro peak-g? yang:gauge64 > > > > > > > +--rw total-attack-traffic* [unit] {dots-telemetry}? > > > > > > > | +--rw unit unit > > > > > > > | +--rw low-percentile-g? yang:gauge64 > > > > > > > And so there is no consistency between total-traffic and > > total- > > > > > attack-traffic > > > > > > > > [Med] The idea was to have a view of total traffic bound to a > > target > > > > prefix/domain. We should clarify or remove the protocol for this > > one. > > > > Fair enough. > > > > > > > > > > > > > > > > > > 3) For /tm you have > > > > > > > +--:(telemetry) {dots-telemetry}? > > > > > > > +--rw pre-or-ongoing-mitigation* [cuid tmid] > > > > > > > .. > > > > > > > | +--rw target-protocol* uint8 > > > > > > > .. > > > > > > > +--rw total-traffic* [unit protocol] > > > > > > > | +--rw unit unit > > > > > > > | +--rw protocol uint8 > > > > > > > .. > > > > > > > +--rw total-attack-traffic* [unit protocol] > > > > > > > | +--rw unit unit > > > > > > > | +--rw protocol uint8 > > > > > > > > > > > > > > And so could argue here that protocol is not needed > > > > > > > > [Med] but we may have many protocols listed under target- > protocol. > > > > > > > > > > > > > > > > > > 4) If target-protocol is not specified, then it refers to > > any > > > > > protocol. If target- > > > > > > > protocol is not defined in /mitigate, then I have no way > of > > > > > indicating which is a > > > > > > > problematic protocol if protocol is not supported. > > > > > > > > [Med] Good point. This one (and the following one) justifies > that > > we > > > > need to revisit the design. > > > > > > > > We ca group the data by target-protocol and send many tmids if > > many > > > > protocols need to be returned. Protocol can be then optional. > > > > > > > > Would that be better? > > > > > > > > > > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… Jon Shallow