[Dots] 答复: A general question about the near source mitigation and DOTS call home mechanism:

"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Fri, 12 July 2019 05:55 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 08FE9120052; Thu, 11 Jul 2019 22:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id G9p_dhGVZM-K; Thu, 11 Jul 2019 22:55:51 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C4B120048; Thu, 11 Jul 2019 22:55:51 -0700 (PDT)
Received: from lhreml704-cah.china.huawei.com (unknown []) by Forcepoint Email with ESMTP id 72B8920CEE5FB6A5CAAD; Fri, 12 Jul 2019 06:55:49 +0100 (IST)
Received: from DGGEMM422-HUB.china.huawei.com ( by lhreml704-cah.china.huawei.com ( with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 12 Jul 2019 06:55:46 +0100
Received: from DGGEMM511-MBX.china.huawei.com ([]) by dggemm422-hub.china.huawei.com ([]) with mapi id 14.03.0439.000; Fri, 12 Jul 2019 13:54:18 +0800
From: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
CC: "draft-ietf-dots-signal-call-home.authors@ietf.org" <draft-ietf-dots-signal-call-home.authors@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Thread-Topic: A general question about the near source mitigation and DOTS call home mechanism:
Thread-Index: AdU4YWiV0o6ZgW1PTuq0BxDsS/XflAAD0NKQAAEiEIA=
Date: Fri, 12 Jul 2019 05:54:18 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F13E7C8896@dggemm511-mbx.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F13E7C87BC@dggemm511-mbx.china.huawei.com> <787AE7BB302AE849A7480A190F8B93302EACACA3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EACACA3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F13E7C8896dggemm511mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/hRd3BRTUjXx5roIS2jJ6UXzTny4>
Subject: [Dots] =?utf-8?b?562U5aSNOiBBIGdlbmVyYWwgcXVlc3Rpb24gYWJvdXQg?= =?utf-8?q?the_near_source_mitigation_and_DOTS_call_home_mechanism=3A?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 05:55:54 -0000

Hi Med,
Ok. Thanks for the clarification.

Any suggestions about whether we should add these attack source related information into the base dots signal channel draft? As a contributor, I think it’s friendly for the RFC readers to find all the useful attributes in one draft.


发件人: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
发送时间: 2019年7月12日 13:25
收件人: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>;; dots@ietf.org
抄送: draft-ietf-dots-signal-call-home.authors@ietf.org; dots-chairs@ietf.org
主题: RE: A general question about the near source mitigation and DOTS call home mechanism:

Hi Franck,

The source information can be used in the DOTS signal channel. The I-D says the following:

   This specification extends the mitigation request defined in

   Section 4.4.1 of [I-D.ietf-dots-signal-channel<https://tools.ietf.org/html/draft-ietf-dots-signal-call-home-03#ref-I-D.ietf-dots-signal-channel>;] to convey the

   attacker source prefixes and source port numbers.

     augment /ietf-signal:dots-signal/ietf-signal:message-type


       +--rw source-prefix*     inet:ip-prefix {source-signaling}?

       +--rw source-port-range* [lower-port] {source-signaling}?

       |  +--rw lower-port    inet:port-number

       |  +--rw upper-port?   inet:port-number

       +--rw source-icmp-type-range*

          |                    [lower-type] {source-signaling}?

          +--rw lower-type    uint8

          +--rw upper-type?   uint8

The attributes are optional for the DOTS signal channel:

      This is an optional attribute for the base DOTS signal channel

      operations [I-D.ietf-dots-signal-channel<https://tools.ietf.org/html/draft-ietf-dots-signal-call-home-03#ref-I-D.ietf-dots-signal-channel>;].

while some of them are mandatory for the call home:

   The 'source-prefix' parameter is a mandatory attribute when the


   attack traffic information is signaled by a DOTS client in the Call


   Home scenario (depicted in Figure 2).



De : Xialiang (Frank, Network Standard & Patent Dept) [mailto:frank.xialiang@huawei.com]
Envoyé : vendredi 12 juillet 2019 05:38
À : dots@ietf.org<mailto:dots@ietf.org>
Cc : draft-ietf-dots-signal-call-home.authors@ietf.org<mailto:draft-ietf-dots-signal-call-home.authors@ietf.org>; dots-chairs@ietf.org<mailto:dots-chairs@ietf.org>
Objet : A general question about the near source mitigation and DOTS call home mechanism:

Hi all,
If I am correct, current dots call home draft include 2 main points: 1—dots server create underlay tls connection with dots client due to the dots server is located behind home gateway (more generally, DC gateway, cloud gateway, branch gateway, …); 2—for near source mitigation, dots client should send the attack source information (address, port, …) to dots server for its mitigation.

I am wondering why we cannot use the same attack source information of point 2 in the dots signal channel, which aims for the same goal of near source mitigation? I do see the use cases and requirements for many outbound attacks. And it also means the point 1 and 2 of signal channel call home is not necessary to be combined together always.

And should we consider the update of current signal channel WG draft, or other way?

Your comments?