Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 15 March 2019 10:57 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-dots-signal-channel.all@ietf.org" <draft-ietf-dots-signal-channel.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Date: Fri, 15 Mar 2019 10:56:13 +0000
Message-ID: <BYAPR16MB27909890588A3D557F3DDB51EA440@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <155257761487.2625.10003476313108979036@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA3DFC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <72f7b85c-74fb-0f79-8211-50043c2b4b47@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B93302EA3E475@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <f15534d0-4c4e-171e-a092-5947eada76ca@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B93302EA3E6E1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA3E6E1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/iu53X1z7FZ79YaSQGbSydjPjrV8>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>

Hi Med,

Stephen is referring to an attack where a compromised DOTS client initiates a mitigation request for a target resource that is under attack, learns the mitigation efficacy from the DOTS server, and informs the DDoS attacker of the mitigation efficacy so that the attacker can change the DDoS attack strategy.

We can add the following lines to address his comment:

A compromised DOTS client can collude with a DDoS attacker: it sends a mitigation request for a target resource, learns the mitigation efficacy from the DOTS server, and conveys the efficacy to the DDoS attacker, who thereby learns the capabilities of the DDoS mitigation and can possibly change the DDoS attack strategy. This attack can be prevented by auditing the behavior of DOTS clients and authorizing each DOTS client to request mitigation for specific target resources.

Cheers,
-Tiru

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of
> mohamed.boucadair@orange.com
> Sent: Friday, March 15, 2019 4:15 PM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; secdir@ietf.org
> Cc: draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; dots@ietf.org
> Subject: Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Friday, 15 March 2019 11:20
> > To: BOUCADAIR Mohamed TGI/OLN; secdir@ietf.org
> > Cc: draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; dots@ietf.org
> > Subject: Re: Secdir last call review of draft-ietf-dots-signal-channel-30
> >
> >
> > Hiya,
> >
> > On 15/03/2019 06:47, mohamed.boucadair@orange.com wrote:
> > >> ISTM that all clients can get information about how an attack is
> > >> being seen at other clients, isn't that right?
> > > [Med] No. A client can only get information that is bound to it.
> > Where does the spec say that? I don't recall the term "bound"
> > used that way but may have missed it.
> >
> 
> [Med] The specification says:
> 
>    If a DOTS client is entitled to solicit the DOTS service, the DOTS
>    server enables mitigation on behalf of the DOTS client by
>    communicating the DOTS client's request to a mitigator (which may be
>    colocated with the DOTS server) and relaying the feedback of the
>    thus-selected mitigator to the requesting DOTS client.
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ And
> 
>    'cuid' is a mandatory Uri-Path parameter for GET requests.
> 
> 
> > And it still seems a bit hard to enforce. If two clients (one ok, one
> > zombied) ask the same server/network how many packets targeted at
> > 10.0.0/24 were dropped won't they get the same answer? (Assuming both
> > clients are within that /24.)
> 
> [Med] Attack status information is bound to a DOTS client as shown in the
> YANG tree module:
> 
>            +--:(mitigation-scope)
>            |  +--rw scope* [cuid mid]
>            |     +--rw cdid?                   string
>            |     +--rw cuid                    string
>            |     +--rw mid                     uint32
>                 ...
>            |     +--ro status?                 iana-signal:status
>                 ...
>            |     +--ro bytes-dropped?          yang:zero-based-counter64
>            |     +--ro bps-dropped?            yang:zero-based-counter64
>            |     +--ro pkts-dropped?           yang:zero-based-counter64
>            |     +--ro pps-dropped?            yang:zero-based-counter64
>            |     +--rw attack-status?          iana-signal:attack-status
> 
> * If client 1 asked for mitigation for 10.0.0/24, then only that client can access
> the attack status information.
> * If another client 2 asks for mitigation for the same prefix, the server applies a
> conflict handling procedure and decides which request to maintain as active.
> Only one mitigation for a given scope can be maintained. Only that selected
> client can access the attack status information.
> 
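The two points argued in the thread above, Med's (attack-status counters are bound to the requesting client's cuid, and conflict handling keeps a single active mitigation per scope) and Tiru's proposed text (authorize each client for specific target resources), as an added example. This is not code from the draft or from any DOTS implementation: it is a toy in-memory model that leaves out CoAP, CBOR and DTLS entirely. The class and method names (DotsServer, request_mitigation, mitigator_feedback, get_status), the CoAP-style response strings, the authorization policy store and the sample clients and prefixes are all this example's own assumptions, and the rule that the first request wins a conflict is a simplification of the draft's conflict-handling procedure.

```python
"""Toy in-memory model of the DOTS server behaviour argued above.

Added example, not code from the draft or any DOTS implementation. It
omits the real protocol machinery (CoAP, CBOR, DTLS) and models only:
  1. attack-status counters live in a scope keyed by (cuid, mid); a GET
     under a different cuid never sees them;
  2. conflict handling: one active mitigation per target prefix, an
     overlapping second request is refused (this model keeps the first);
  3. the per-client authorization Tiru proposes: a client may request
     mitigation only for target prefixes it has been authorized for.
Names and the CoAP-style response strings are this example's own choices.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CREATED = "2.01 Created"
CONTENT = "2.05 Content"
UNAUTHORIZED = "4.01 Unauthorized"
NOT_FOUND = "4.04 Not Found"
CONFLICT = "4.09 Conflict"


@dataclass
class Scope:
    """One 'scope' list entry: rw keys plus ro mitigator feedback."""
    cuid: str
    mid: int
    target_prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    status: str = "attack-mitigation-in-progress"
    bytes_dropped: int = 0
    pkts_dropped: int = 0


class DotsServer:
    def __init__(self, authorized_targets):
        # cuid -> prefixes the client may request mitigation for
        # (hypothetical policy store backing Tiru's proposed authorization)
        self._authz = {cuid: [ipaddress.ip_network(p) for p in prefixes]
                       for cuid, prefixes in authorized_targets.items()}
        self._scopes = {}  # (cuid, mid) -> Scope

    def _authorized(self, cuid, net):
        # version check first: subnet_of() raises on a v4/v6 mismatch
        return any(a.version == net.version and net.subnet_of(a)
                   for a in self._authz.get(cuid, []))

    def request_mitigation(self, cuid, mid, target_prefix):
        """PUT .../mitigate/cuid=<cuid>/mid=<mid> with one target-prefix."""
        net = ipaddress.ip_network(target_prefix)
        if not self._authorized(cuid, net):
            return UNAUTHORIZED
        # At most one active mitigation per overlapping scope. The draft
        # lets the server decide which request stays active; this model
        # keeps the existing one and refuses the newcomer.
        for key, scope in self._scopes.items():
            if key != (cuid, mid) and scope.target_prefix.overlaps(net):
                return CONFLICT
        self._scopes[(cuid, mid)] = Scope(cuid, mid, net)
        return CREATED

    def mitigator_feedback(self, cuid, mid, pkts_dropped, bytes_dropped):
        """Feedback from the selected mitigator lands only in the scope
        of the client that requested the mitigation."""
        scope = self._scopes[(cuid, mid)]
        scope.pkts_dropped += pkts_dropped
        scope.bytes_dropped += bytes_dropped

    def get_status(self, cuid, mid):
        """GET .../mitigate/cuid=<cuid>/mid=<mid>. 'cuid' is mandatory and
        the lookup is keyed on it, so another client's scope is 4.04."""
        scope = self._scopes.get((cuid, mid))
        if scope is None:
            return NOT_FOUND, None
        return CONTENT, {
            "cuid": scope.cuid, "mid": scope.mid,
            "target-prefix": [str(scope.target_prefix)],
            "status": scope.status,
            "bytes-dropped": scope.bytes_dropped,
            "pkts-dropped": scope.pkts_dropped,
        }


def stephen_scenario():
    """Two clients inside 10.0.0.0/24 (one legitimate, one zombied) plus a
    client authorized elsewhere. Constructed inputs; returns the responses."""
    server = DotsServer({"client-ok": ["10.0.0.0/24"],
                         "client-zombie": ["10.0.0.0/24"],
                         "client-elsewhere": ["192.0.2.0/24"]})
    r_ok = server.request_mitigation("client-ok", 1, "10.0.0.0/24")
    server.mitigator_feedback("client-ok", 1, 5000, 6_400_000)
    r_zombie_put = server.request_mitigation("client-zombie", 7, "10.0.0.0/24")
    r_zombie_get = server.get_status("client-zombie", 1)
    r_elsewhere = server.request_mitigation("client-elsewhere", 1, "10.0.0.0/24")
    return r_ok, r_zombie_put, r_zombie_get, r_elsewhere, server.get_status("client-ok", 1)


if __name__ == "__main__":
    for response in stephen_scenario():
        print(response)
```

In the constructed scenario the zombied client gets 4.09 on its own request for the same prefix and 4.04 when it asks for the legitimate client's mid, so it sees no dropped-packet counters; the client with no authorization for 10.0.0.0/24 is stopped earlier with 4.01. The caveat a deployer should notice is that the zombied client here is itself authorized for 10.0.0.0/24 (it sits inside that prefix), so per-target authorization alone does not stop it from becoming the selected client if it requests first; that is why Tiru's proposed text pairs authorization with auditing DOTS client behavior.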