Re: [Dots] Signal / Data / Alias / Filter Implementation
"Jon Shallow" <supjps-ietf@jpshallow.com> Thu, 03 August 2017 07:57 UTC
Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18750126CB6 for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 00:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Level:
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPlZ4ZdhXAR3 for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 00:56:57 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5B1F124234 for <dots@ietf.org>; Thu, 3 Aug 2017 00:56:56 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with smtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from <jon.shallow@jpshallow.com>) id 1ddB03-0000AG-5H for ietf-supjps-dots@ietf.org; Thu, 03 Aug 2017 08:56:55 +0100
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: dots@ietf.org
References: <035401d30b77$fb3a1da0$f1ae58e0$@jpshallow.com> <628E4313-95D3-42F5-9DDB-00C7B4EBB4D6@arbor.net> <039001d30ba3$7f4290c0$7dc7b240$@jpshallow.com> <B8BBF80E-5A5B-473D-A0B2-B6EFEC21DEBF@arbor.net> <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp>
In-Reply-To: <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp>
Date: Thu, 03 Aug 2017 08:56:57 +0100
Message-ID: <040101d30c2e$14440f70$3ccc2e50$@jpshallow.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0402_01D30C36.7609D700"
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQI4Xj59hXHis+FNi2tfJtTtHlSsOQE/0lLFAki09OwCqf5EqgEj+Lm5oWzh0cA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/h9OYbdB9jWlpS7QyP-i7fnB0Fzg>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 07:57:00 -0000
Hi Kaname, So as I read this, you are either extending the ietf-dot-signal definition to include source-* (and icmp, fragmentation and possibly rate-limiting) information or you are using Filters over the data channel (which is what Tiru is referring to). If it is an extension to ietf-dot-signal, then this needs to be formalised for interoperability between different suppliers. Similarly, ietf-dots-data-channel-identifier needs to be extended – but I do think the naming (e.g. target-ip instead of just ip) needs to be consistent between ietf-dot-signal and ietf-dots-data-channel-identifier. “5.3.1” of draft-ietf-dots-signal-channel would also need to reflect the ietf-dot-signal change. “6.” and “10.1.2” of draft-ietf-dots-signal-channel would also need CBOR to be updated with source-* etc. definitions. I am of the firm opinion that destination-ip is REQUIRED and MUST be within the mitigation scope of the DOTS Client to prevent taking out someone else’s IP. This is true for ietf-dot-signal, ietf-dots-data-channel-identifier and ietf-dots-access-control-list. I do not think fragmentation represented as port=0 is sufficient (and is not necessarily intuitive – it could be read as just take out the subsequent packets of a fragmented sequence if the layer 4 header is not there and hence no port). I think it should have its own ietf-dot-signal definition. It is unclear to me the usage of alias in the ietf-dot-signal – is it the DOTS client uses just the alias when requesting mitigation, or if extra parameters are provided (e.g. alias plus target-port-range) are the extra parameters a replacement or in addition to what is in the ietf-dots-data-channel-identifier or are the extra parameters ignored altogether? Regards Jon From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of kaname nishizuka Sent: 03 August 2017 06:21 To: Dobbins, Roland; Jon Shallow Cc: dots@ietf.org Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation Hi Jon, I'm implementing the DOTS protocol based on current specifications. The DOTS protocol can handle source-* information in a mitigation signal request. For example, the DOTS server can enable BGP Flowspec from 5-tuple information derived from mitigation request message from DOTS client, that is actually we are planning to add to our software. Destination information is used to validate whether the mitigation-scope is really the property of the DOTS client's organization or not. So, if the request is only including source-* information, how to validate the request is another problem because it can cause unintended side effect to other customers/services (but could be implementation specific) * How do we handle specific ICMP types in a mitigation signal request? Tiru wrote: > Thanks for the review. Fixed comments 1 and 2 in my local copy. To support filtering rules based on ICMP type and code, and filtering based on fragments, the base ACL model defined in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-06 needs to be extended in this draft using augmentation (see https://tools.ietf.org/html/rfc6020#section-4.2.8). > I will extend the ACL YANG model in the next revision. And the latest version of draft-ietf-netmod-acl-model (-11) includes ICMP-ACL (type, code,,) I think we should update the draft. * How do we handle fragmentation in a mitigation signal request? fragmentation can be represented as port=0. Is this a sufficient representation? thanks, Kaname On 2017/08/03 3:27, Dobbins, Roland wrote: On Aug 2, 2017, at 22:25, Jon Shallow <supjps-ietf@jpshallow.com> wrote: In draft-ietf-dots-use-cases-07 3.1.6. End-customer operating a CPE network infrastructure device with an integrated DOTS client 3.1.6 from idraft-ietf-dots-use-cases-07 in full: 3.1.6. End-customer operating a CPE network infrastructure device with an integrated DOTS client Similar to the above use-case featuring applications or services with built-in DDoS attack detection/classification and DOTS client capabilities, in this scenario, an end-customer network infrastructure CPE device such as a router, layer-3 switch, firewall, or load-balance incorporates both the functionality required to detect and classify incoming DDoS attacks as well as DOTS client functionality. The subsequent DOTS communications dialogue and resultant DDoS mitigation initiation and termination activities take place in the same manner as the use-cases described above. ----------------------------------- Roland Dobbins <rdobbins@arbor.net> _______________________________________________ Dots mailing list Dots@ietf.org https://www.ietf.org/mailman/listinfo/dots
- [Dots] Signal / Data / Alias / Filter Implementat… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Dobbins, Roland
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… kaname nishizuka
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Roland Dobbins
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Jon Shallow
- Re: [Dots] Signal / Data / Alias / Filter Impleme… Konda, Tirumaleswar Reddy