[Dots] Comments for draft-hayashi-dots-dms-offload

"Panwei (William)" <william.panwei@huawei.com> Tue, 06 August 2019 03:52 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A250120122 for <dots@ietfa.amsl.com>; Mon, 5 Aug 2019 20:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSauG_I86inK for <dots@ietfa.amsl.com>; Mon, 5 Aug 2019 20:52:34 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE80012011B for <dots@ietf.org>; Mon, 5 Aug 2019 20:52:33 -0700 (PDT)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id BC92540D1631753F1576; Tue, 6 Aug 2019 04:52:30 +0100 (IST)
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 6 Aug 2019 04:52:29 +0100
Received: from NKGEML513-MBS.china.huawei.com ([169.254.2.208]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0439.000; Tue, 6 Aug 2019 11:51:12 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: H Y <yuuhei.hayashi@gmail.com>
CC: dots <dots@ietf.org>
Thread-Topic: Comments for draft-hayashi-dots-dms-offload
Thread-Index: AdVMCgmZ4COkfVoLSrijKGXrfvkNkg==
Date: Tue, 6 Aug 2019 03:51:11 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A6DE3F02A@nkgeml513-mbs.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A6DE3F02Ankgeml513mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/grmUDa4DgshpzIRpB-taH7JjwMk>
Subject: [Dots] Comments for draft-hayashi-dots-dms-offload
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 03:52:37 -0000

Hi Yuhei,

In the IETF 105 meeting, there wasn’t enough time to discuss your draft, so I put my comments here for more discussion.
My comments are all about the ‘Signaling Method and Conveyed Information’ for different Attacks. The following figure is copied from your draft.
  +-------------+-----------------------------------+------------------+
  |             |        Reflection Attack          |  Non-Reflection  |
  |             |                                   |     Attack       |
  +-------------+-----------------------------------+------------------+
 | Out-of-band | Attack Time                                          |
  |     case    | Method : Data Channel                                |
  |             | Info : src_ip, src_port, dst_ip, dst_port, protocol  |
  +-------------+-----------------------------------+------------------+
  |   In-band   | Attack Time                       | Attack Time      |
  |    case     | (Number of reflector is small)    | Method : Signal  |
  |             | Method : Signal Channel with src  |          Channel |
  |             | Info : src_ip, src_port,          | Info : dst_ip,   |
  |             |        dst_ip, protocol           |        dst_port, |
  |             +-----------------------------------+        protocol  |
  |             | Attack Time                       |                  |
  |             | (Number of reflector is enormous) |                  |
  |             | Method : Signal Channel with src  |                  |
  |             | Info : src_port, dst_ip, protocol |                  |
  |             +-----------------------------------+------------------+
  |             | Peace Time                        | Peace Time       |
  |             | Method : Data Channel             | Method : Data    |
  |             | Info : src_port,                  |          Channel |
  |             |        dst_ip, protocol           | Info : dst_ip,   |
  |             |                                   |        dst_port, |
  |             |                                   |        protocol  |
  |             |                                   |                  |
  |             | Attack Time                       | Attack Time      |
  |             | Method : Signal Channel           | Method : Signal  |
  |             |          Control Filtering        |          Channel |
  |             | Info : ACL name                   | Control Filtering|
  |             |                                   | Info : ACL name  |
  |-------------+------------------------------------------------------+

1. For ‘In-band Case’ and ‘Attack Time’, ‘dst_port’ is conveyed for ‘Non-Reflection Attack’ and isn’t for ‘Reflection Attack’, so I infer that maybe a lot of or even all ports will be attacked on ‘Reflection Attack’ so you can’t or don’t need to convey ‘dst_port’. Also I noticed that non source attribute is conveyed on ‘Non-Reflection Attack’. So, different kinds of information are conveyed in different situations, but I didn’t find any references for your conclusions, can you give some references or descriptions to explain how you get the conclusions?
2. For ‘Reflection Attack’, ‘In-band Case’ and ‘Attack Time’, you give two methods based on the number of reflector, what I’m confused is how to distinguish whether the number is small or enormous. I think the comparison is a very subjective thing, different people may have different understanding, so I don’t know whether it’s suitable or common to just say the number is small or enormous.
3. For ‘In-band Case’ and ‘Peace Time’, you want to send the ACLs by Data Channel before the attack, and activate them by Signal Channel during attack. But how do you know the targets and attack sources before the attack, especially the DMS may be in charge of the whole network?

Regards & Thanks!
潘伟 Wei Pan
华为技术有限公司 Huawei Technologies Co., Ltd.