IETF Logo Mail Archive

Re: [Dots] Signal / Data / Alias / Filter Implementation

"Jon Shallow" <supjps-ietf@jpshallow.com> Thu, 03 August 2017 07:57 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18750126CB6 for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 00:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Level:
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPlZ4ZdhXAR3 for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 00:56:57 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5B1F124234 for <dots@ietf.org>; Thu, 3 Aug 2017 00:56:56 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with smtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from <jon.shallow@jpshallow.com>) id 1ddB03-0000AG-5H for ietf-supjps-dots@ietf.org; Thu, 03 Aug 2017 08:56:55 +0100
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: dots@ietf.org
References: <035401d30b77$fb3a1da0$f1ae58e0$@jpshallow.com> <628E4313-95D3-42F5-9DDB-00C7B4EBB4D6@arbor.net> <039001d30ba3$7f4290c0$7dc7b240$@jpshallow.com> <B8BBF80E-5A5B-473D-A0B2-B6EFEC21DEBF@arbor.net> <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp>
In-Reply-To: <4a158137-5c92-974e-3e4d-6c46fb3e5a52@nttv6.jp>
Date: Thu, 03 Aug 2017 08:56:57 +0100
Message-ID: <040101d30c2e$14440f70$3ccc2e50$@jpshallow.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0402_01D30C36.7609D700"
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQI4Xj59hXHis+FNi2tfJtTtHlSsOQE/0lLFAki09OwCqf5EqgEj+Lm5oWzh0cA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/h9OYbdB9jWlpS7QyP-i7fnB0Fzg>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 07:57:00 -0000

Hi Kaname,

 

So as I read this, you are either extending the ietf-dot-signal definition to include source-* (and icmp, fragmentation and possibly rate-limiting) information or you are using Filters over the data channel (which is what Tiru is referring to).  If it is an extension to ietf-dot-signal, then this needs to be formalised for interoperability between different suppliers.  Similarly, ietf-dots-data-channel-identifier needs to be extended – but I do think the naming (e.g. target-ip instead of just ip) needs to be consistent between ietf-dot-signal and ietf-dots-data-channel-identifier.  “5.3.1” of draft-ietf-dots-signal-channel would also need to reflect the ietf-dot-signal change. “6.” and “10.1.2” of draft-ietf-dots-signal-channel would also need CBOR to be updated with source-* etc. definitions.

 

I am of the firm opinion that destination-ip is REQUIRED and MUST be within the mitigation scope of the DOTS Client to prevent taking out someone else’s IP.  This is true for ietf-dot-signal, ietf-dots-data-channel-identifier and ietf-dots-access-control-list.

 

I do not think fragmentation represented as port=0 is sufficient (and is not necessarily intuitive – it could be read as just take out the subsequent packets of a fragmented sequence if the layer 4 header is not there and hence no port). I think it should have its own ietf-dot-signal definition.

 

It is unclear to me the usage of alias in the ietf-dot-signal – is it the DOTS client uses just  the alias when requesting mitigation, or if extra parameters are provided (e.g. alias plus target-port-range) are the extra parameters a replacement or in addition to what is in the ietf-dots-data-channel-identifier or are the extra parameters ignored altogether?

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of kaname nishizuka
Sent: 03 August 2017 06:21
To: Dobbins, Roland; Jon Shallow
Cc: dots@ietf.org
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation

 

Hi Jon,

I'm implementing the DOTS protocol based on current specifications.
The DOTS protocol can handle source-* information in a mitigation signal request.
For example, the DOTS server can enable BGP Flowspec from 5-tuple information derived from mitigation request message from DOTS client, that is actually we are planning to add to our software.
Destination information is used to validate whether the mitigation-scope is really the property of the DOTS client's organization or not.
So, if the request is only including source-* information, how to validate the request is another problem because it can cause unintended side effect to other customers/services (but could be implementation specific)

* How do we handle specific ICMP types  in a mitigation signal request?

Tiru wrote:
> Thanks for the review. Fixed comments 1 and 2 in my local copy. To support filtering rules based on ICMP type and code, and filtering based on fragments, the base ACL model defined in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-06 needs to be extended in this draft using augmentation (see https://tools.ietf.org/html/rfc6020#section-4.2.8). 
> I will extend the ACL YANG model in the next revision. 

And the latest version of draft-ietf-netmod-acl-model (-11) includes ICMP-ACL (type, code,,)
I think we should update the draft.

* How do we handle fragmentation in a mitigation signal request?
fragmentation can be represented as port=0. Is this a sufficient representation?

thanks,
Kaname




On 2017/08/03 3:27, Dobbins, Roland wrote:

 

On Aug 2, 2017, at 22:25, Jon Shallow <supjps-ietf@jpshallow.com> wrote:

In draft-ietf-dots-use-cases-07 
3.1.6.  End-customer operating a CPE network infrastructure device with
       an integrated DOTS client

 

3.1.6 from idraft-ietf-dots-use-cases-07 in full:

 

 

3.1.6.  End-customer operating a CPE network infrastructure device with
        an integrated DOTS client
 
   Similar to the above use-case featuring applications or services with
   built-in DDoS attack detection/classification and DOTS client
   capabilities, in this scenario, an end-customer network
   infrastructure CPE device such as a router, layer-3 switch, firewall,
   or load-balance incorporates both the functionality required to
   detect and classify incoming DDoS attacks as well as DOTS client
   functionality.
 
   The subsequent DOTS communications dialogue and resultant DDoS
   mitigation initiation and termination activities take place in the
   same manner as the use-cases described above.
----------------------------------- 
Roland Dobbins <rdobbins@arbor.net>






_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email