Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 29 April 2019 08:53 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Jon Shallow <supjps-ietf@jpshallow.com>, 'kaname nishizuka' <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
Thread-Index: AdT6ZmI8uG0f606MQBW+/9uvcTWn6QA3ueOAAAD5v4AAAuISAAACLWCwAASh2bAAAFNQMAAALZggAB/gx7AADZnDQAAB9k5gAAGY4eAAh04/QAAA/5ng
Date: Mon, 29 Apr 2019 08:52:02 +0000
Message-ID: <BYAPR16MB279071FE429E252221521470EA390@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA649B4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp> <012601d4fb49$3328c000$997a4000$@jpshallow.com> <BYAPR16MB279020119E24ADCB54B339E3EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6591A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27903D8D208FA3AC951FDEE4EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA65AD6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279013E8029BE0294293A333EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6623D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790146175B845622B2EF438EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6649C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27909F467FFE57F380015E94EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA66FEC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA66FEC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/gn7RawiYZmLFR0YP7VJv8ZQu8R0>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>

> -----Original Message-----
> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: Monday, April 29, 2019 12:07 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-ietf@jpshallow.com>; 'kaname nishizuka' <kaname@nttv6.jp>; dots@ietf.org
> Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> 
> Hi Tiru,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Sent: Friday, April 26, 2019 16:01
> > To: BOUCADAIR Mohamed TGI/OLN; Jon Shallow; 'kaname nishizuka'; dots@ietf.org
> > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > Sent: Friday, April 26, 2019 6:38 PM
> > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-ietf@jpshallow.com>; 'kaname nishizuka' <kaname@nttv6.jp>; dots@ietf.org
> > > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Sent: Friday, April 26, 2019 14:20
> > > > To: BOUCADAIR Mohamed TGI/OLN; Jon Shallow; 'kaname nishizuka'; dots@ietf.org
> > > > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > > >
> > > > > -----Original Message-----
> > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
> > > > > Sent: Friday, April 26, 2019 11:22 AM
> > > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-ietf@jpshallow.com>; 'kaname nishizuka' <kaname@nttv6.jp>; dots@ietf.org
> > > > > Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > > > >
> > > > > Hi Tiru,
> > > > >
> > > > > The question then is: How knowing these stats will help in
> > > > > softening the impact on the "business of the victim" other than
> > > > > observing that traffic is being rate-limited (which is already
> > > > > known to the client)? That information will be made available
> > > > > anyway once the DOTS data channel is functional again.
> > > >
> > > > While the DDoS attack is in progress (it may last for a few weeks), the
> > > > ACL stats can help the client learn the scale of the DDoS attack,
> > > > and can identify alternate mitigation providers capable of
> > > > handling the attack scale.
> > >
> > > [Med] Wouldn't that be inferred from the aggregate stats returned in
> > > the signal channel and local observation?
> >
> > No, the client will not know the amount of traffic dropped by the
> > rate-limit ACL.
> 
> [Med] The ACL will rate limit both attack and legitimate traffic. So, unless
> some "additional" information is made available to the DOTS client, the client
> cannot infer "the scale of the DDoS attack" from those ACL stats.

Based on statistics like the amount of attack traffic dropped by DMS, legitimate traffic received (after scrubbing), amount of traffic rate-limited, the client can infer the possible amount of good traffic rate-limited.

> 
> Things are different for the aggregate stats returned by the signal channel.
> 
> >
> > >
> > > >
> > > > >
> > > > > An example to soften such impacts could be: A DOTS client can
> > > > > manipulate ACLs with different rate-limit policies that it can
> > > > > activate/deactivate based on local available information AND/OR
> > > > > status/aggregate stats received via the signal channel without
> > > > > relying on ACL-specific stats received from the server.
> > > >
> > > > If the server can provide the aggregate stats, it can also provide
> > > > ACL-specific stats.
> > >
> > > [Med] If it can do so, it can do it also for any ACL.
> >
> > The other ACLs to permit white-listed traffic or drop black-listed
> > traffic are not impacting legitimate traffic reaching the target. As
> > you already know, the rate-limit ACL is different: it is dropping good traffic.
> 
> [Med] That's one dimension of the discussion (how to make use of shared
> data). The other dimension is: if the server is able to share ACL-related stats,
> why the functionality should be restricted to specific ACL types or as a
> function of the channel.

As I have previously mentioned, the rate-limit ACL is different from other ACL types, and hence the need for this functionality.
Conveying ACL-related stats for all other ACL types in the response packet over UDP would possibly exceed the path MTU; that's one of the reasons to restrict the functionality to only the rate-limit ACL (or ACLs activated using a mitigation request).

> 
> For example, a rate limit ACL can be programmed to be automatically
> enabled during mitigation (data channel) or explicitly using the signal channel.

I don’t think target networks would typically configure a rate-limit ACL to be automatically enabled during mitigation; it means the target network is ready to lose business just because it was subjected to a DDoS attack, even if the mitigation provider is capable of handling the attack. So your proposed scenario looks less likely.

> Why the stats can only be shared for this ACL in the second case and not for
> the first case?
> 
> >
> > >
> > > > ACL-specific stats and mitigation stats will give a clear
> > > > picture of the traffic rate-limited, bad traffic dropped by the
> > > > DDoS mitigation system, and using these stats the DOTS client can
> > > > heuristically determine the amount of legitimate traffic dropped
> > > > because of rate-limit and the impact of the attack on its service.
> > >
> > > [Med] The impact can be observed locally (e.g., bad QoS, inability
> > > to access a service, unstable connectivity, etc.). I still don’t see
> > > how sharing the ACL stats will be helpful here.
> > >
> > > A DOTS client can preinstall the same rate-limit filter but with
> > > different policies. It can select the appropriate ACL to
> > > activate/deactivate based on local experience.
> >
> > I don't get how the local experience will help the client pick an
> > alternate mitigation provider who can handle the attack scale.
> 
> [Med] Modern CPEs include automated features to assess the availability of
> services such as VoIP, IPTV, etc. The DOTS client can be fed with input from
> these modules and react accordingly.

I meant the target network cannot infer the amount of legitimate traffic (or infer the number of users) unable to use its service because of the rate-limit action.

Cheers
-Tiru

> 
> > Imagine the hot customer
> > calls because its services are not available to legitimate users
> > because of rate-limit action; the client needs to have granular
> > visibility (visibility is a critical criterion in the MITRE ATT&CK
> > framework https://attack.mitre.org/).
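Added illustration of the path-MTU argument made in this message (example code, not part of the thread or the draft): it serializes a mitigation status body that carries either per-ACL counters for every ACL or only for rate-limit ACLs and compares the size against an assumed single-datagram budget. The "acl-type" and "stats" fields, the counter values and the 1024-byte budget are constructed assumptions; "mitigation-scope", "scope", "mid", "bytes-dropped" and "pkts-dropped" follow the signal channel, and compact JSON stands in for the CBOR encoding actually used.

```python
import json

# Assumed payload budget for one DOTS signal channel datagram: IPv6 minimum
# MTU (1280 bytes) minus an allowance for IPv6, UDP, DTLS and CoAP headers.
# This figure is an assumption for the illustration, not a value from the draft.
PAYLOAD_BUDGET = 1024


def make_acl(name, acl_type, index):
    """Build one constructed ACL entry carrying match counters."""
    return {
        "acl-name": name,
        "acl-type": acl_type,  # constructed field: permit, deny or rate-limit
        "stats": {             # constructed counters, not from the draft
            "matched-packets": 10_000 * (index + 1),
            "matched-octets": 1_500_000 * (index + 1),
        },
    }


def build_acl_list(n_permit, n_deny, n_rate_limit):
    """Constructed inventory: many permit/deny ACLs and a few rate-limit ACLs."""
    acls = [make_acl(f"permit-{i}", "permit", i) for i in range(n_permit)]
    acls += [make_acl(f"deny-{i}", "deny", i) for i in range(n_deny)]
    acls += [make_acl(f"rate-limit-{i}", "rate-limit", i) for i in range(n_rate_limit)]
    return acls


def encode_response(acls, rate_limit_only):
    """Serialize a mitigation status body with aggregate stats plus per-ACL
    stats for all ACLs, or only for rate-limit ACLs (compact JSON as a proxy)."""
    selected = [a for a in acls if not rate_limit_only or a["acl-type"] == "rate-limit"]
    scope = {"mid": 123, "bytes-dropped": 123456789, "pkts-dropped": 987654,
             "acl-list": selected}
    body = {"ietf-dots-signal-channel:mitigation-scope": {"scope": [scope]}}
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def fits_in_datagram(acls, rate_limit_only, budget=PAYLOAD_BUDGET):
    """True when the encoded response fits the assumed single-datagram budget."""
    return len(encode_response(acls, rate_limit_only)) <= budget


def max_acls_per_datagram(acls, budget=PAYLOAD_BUDGET):
    """Count how many ACL entries (in inventory order) fit before exceeding the budget."""
    count = 0
    while count < len(acls) and len(encode_response(acls[:count + 1], False)) <= budget:
        count += 1
    return count


if __name__ == "__main__":
    inventory = build_acl_list(n_permit=40, n_deny=40, n_rate_limit=1)
    print("all ACLs:", len(encode_response(inventory, False)), "bytes, fits:",
          fits_in_datagram(inventory, False))
    print("rate-limit only:", len(encode_response(inventory, True)), "bytes, fits:",
          fits_in_datagram(inventory, True), "; entries per datagram:", max_acls_per_datagram(inventory))
```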