Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30
<mohamed.boucadair@orange.com> Fri, 15 March 2019 12:26 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBCE131229; Fri, 15 Mar 2019 05:26:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pE-OLvFrrRVM; Fri, 15 Mar 2019 05:26:55 -0700 (PDT)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47CD1130E62; Fri, 15 Mar 2019 05:26:55 -0700 (PDT)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 44LPvx1Zgnz2y5T; Fri, 15 Mar 2019 13:26:53 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.38]) by opfedar05.francetelecom.fr (ESMTP service) with ESMTP id 44LPvx0rgrz2xCC; Fri, 15 Mar 2019 13:26:53 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM5C.corporate.adroot.infra.ftgroup ([fe80::393d:418c:3f1d:991d%21]) with mapi id 14.03.0439.000; Fri, 15 Mar 2019 13:26:53 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-dots-signal-channel.all@ietf.org" <draft-ietf-dots-signal-channel.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-dots-signal-channel-30
Thread-Index: AQHU2xxjRsTGH2X350i3IMDpwuRCCqYMhIbggAAWifA=
Date: Fri, 15 Mar 2019 12:26:52 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA3E789@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155257761487.2625.10003476313108979036@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA3DFC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <72f7b85c-74fb-0f79-8211-50043c2b4b47@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B93302EA3E475@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <f15534d0-4c4e-171e-a092-5947eada76ca@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B93302EA3E6E1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27909890588A3D557F3DDB51EA440@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB27909890588A3D557F3DDB51EA440@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ieeWnSPZEosbvt69JhQnB_ubNQU>
Subject: Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 12:26:58 -0000
Tiru, I'm not sure if this is the case Stephen is referring to, but this falls under the generic considerations: High-level DOTS security considerations are documented in [I-D.ietf-dots-requirements] and [I-D.ietf-dots-architecture]. And then I-D.ietf-dots-requirements: To detect compromised DOTS agents, DOTS operators should carefully monitor and audit DOTS agents to detect misbehavior and to deter misuse, while employing current secure network communications best practices to reduce attack surface. Still, a good strategy for an attack to succeed is to not signal the attack! Cheers, Med > -----Message d'origine----- > De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com] > Envoyé : vendredi 15 mars 2019 11:56 > À : BOUCADAIR Mohamed TGI/OLN; Stephen Farrell; secdir@ietf.org > Cc : draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; > dots@ietf.org > Objet : RE: Secdir last call review of draft-ietf-dots-signal-channel-30 > > Hi Med, > > Stephen is referring to an attack where a compromised DOTS client initiates > mitigation request for a target resource that is attacked and learns the > mitigation efficacy of the DOTS server, informs the mitigation efficacy to > DDoS attacker to change the DDoS attack strategy. > > We can add the following lines to address his comment: > > A compromised DOTS client can collude with a DDoS attacker to send mitigation > request for a target resource, learns the mitigation efficacy from the DOTS > server, and conveys the efficacy to the DDoS attacker to learn the mitigation > capabilities of the DDoS mitigation and to possibly change the DDoS attack > strategy. This attack can be prevented by auditing the behavior of DOTS > clients and authorizing the DOTS client to request mitigation for specific > target resources. > > Cheers, > -Tiru > > > -----Original Message----- > > From: Dots <dots-bounces@ietf.org> On Behalf Of > > mohamed.boucadair@orange.com > > Sent: Friday, March 15, 2019 4:15 PM > > To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; secdir@ietf.org > > Cc: draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; > dots@ietf.org > > Subject: Re: [Dots] Secdir last call review of draft-ietf-dots-signal- > channel-30 > > > > This email originated from outside of the organization. Do not click links > or > > open attachments unless you recognize the sender and know the content is > safe. > > > > Re-, > > > > Please see inline. > > > > Cheers, > > Med > > > > > -----Message d'origine----- > > > De : Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > > > Envoyé : vendredi 15 mars 2019 11:20 > > > À : BOUCADAIR Mohamed TGI/OLN; secdir@ietf.org Cc : > > > draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; > > > dots@ietf.org Objet : Re: Secdir last call review of > > > draft-ietf-dots-signal-channel-30 > > > > > > > > > Hiya, > > > > > > On 15/03/2019 06:47, mohamed.boucadair@orange.com wrote: > > > >> ISTM that all clients can get information about how an attack is > > > >> being seen at other clients, isn't that right? > > > > [Med] No. A client can only get information that is bound to it. > > > Where does the spec say that? I don't recall the term "bound" > > > used that way but may have missed it. > > > > > > > [Med] The specification says: > > > > If a DOTS client is entitled to solicit the DOTS service, the DOTS > > server enables mitigation on behalf of the DOTS client by > > communicating the DOTS client's request to a mitigator (which may be > > colocated with the DOTS server) and relaying the feedback of the > > thus-selected mitigator to the requesting DOTS client. > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ And > > > > 'cuid' is a mandatory Uri-Path parameter for GET requests. > > > > > > > And it still seems a bit hard to enforce. If two clients (one ok, one > > > zombied) ask the same server/network how many packets targetted at > > > 10.0.0/24 were dropped won't they get the same answer? (Assuming both > > > clients are within that /24.) > > > > [Med] Attack status information is bound to a DOTS client as shown in the > > YANG tree module: > > > > +--:(mitigation-scope) > > | +--rw scope* [cuid mid] > > | +--rw cdid? string > > | +--rw cuid string > > | +--rw mid uint32 > > ... > > | +--ro status? iana-signal:status > > ... > > | +--ro bytes-dropped? yang:zero-based-counter64 > > | +--ro bps-dropped? yang:zero-based-counter64 > > | +--ro pkts-dropped? yang:zero-based-counter64 > > | +--ro pps-dropped? yang:zero-based-counter64 > > | +--rw attack-status? iana-signal:attack-status > > > > * If client 1 asked for mitigation for 10.0.0/24, then only that client can > access > > to attack status information. > > * If another client 2 asks for mitigation for the same prefix, the server > applies a > > conflict handling procedure and decides which request to maintain as > active. > > Only one mitigation for a given scope can be maintained. Only that selected > > client can access to the attack status information. > > > > _______________________________________________ > > Dots mailing list > > Dots@ietf.org > > https://www.ietf.org/mailman/listinfo/dots
- [Dots] Secdir last call review of draft-ietf-dots… Stephen Farrell via Datatracker
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Stephen Farrell
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… Stephen Farrell
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Michael Richardson
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair