Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 17 January 2019 06:58 UTC
Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6FED126DBF; Wed, 16 Jan 2019 22:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.554
X-Spam-Level:
X-Spam-Status: No, score=-11.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmaWK-B20kNb; Wed, 16 Jan 2019 22:58:14 -0800 (PST)
Received: from MIVWSMAILOUT1.mcafee.com (mivwsmailout1.mcafee.com [161.69.47.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3DA6124B0C; Wed, 16 Jan 2019 22:58:13 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1547708181; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-Transfer-Encoding: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=RPMh86BlQCs3MO608U5w+92FKedk8flannoMAz x9uMY=; b=OX4vlokdC28xp1AaP43v12psNmOD60lhRZ88izr0 FaDYiIIM30G2YiU8q+h/ejh9ywg6cQzmDCsWouTLBCNM1UWDiH ef/560JE+sEqqGFs8skzcW90moPsve3L7YPix7UAGRcFiKd5Qt fY/OPekRSndZ7R7NCpjSBcviX0Rla+w=
Received: from DNVEXAPP1N04.corpzone.internalzone.com (DNVEXAPP1N04.corpzone.internalzone.com [10.44.48.88]) by MIVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 682f_cf02_107b8b0f_ce6a_4c64_b058_29806c39af09; Thu, 17 Jan 2019 00:56:20 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 16 Jan 2019 23:54:04 -0700
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Wed, 16 Jan 2019 23:54:04 -0700
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 16 Jan 2019 23:54:04 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2647.namprd16.prod.outlook.com (20.177.228.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.19; Thu, 17 Jan 2019 06:54:02 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.018; Thu, 17 Jan 2019 06:54:02 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
Thread-Index: AdSth/4V4uJk+YuhSsWU4l/lLLRChwAFrvywABL91YAADwLuEA==
Date: Thu, 17 Jan 2019 06:54:02 +0000
Message-ID: <BYAPR16MB27905389000C0C35DF02CB2AEA830@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA08269@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279064AFE1D99F1455E32466EA820@BYAPR16MB2790.namprd16.prod.outlook.com> <20190116222741.GK91727@kduck.mit.edu>
In-Reply-To: <20190116222741.GK91727@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2647; 6:LrXYoB1d1bEQhxW0z9Ozx1uH1TH2sui/2ZA8T/aZ4ADZBUO/m/g7OkoaLrglx9tS6y5SuPfevmxQ/IYes1jn82XWpK9H+UWemjXAjIkpAt2RTfEGIxHZftwgSEz/ljWz3XLZbp9NLplTaK6gRgzOCqEO7k/tRo8LNMAJKCpUZ8g8CoXg20bI1wHFANYHeRY34XrX2nmd4l9pESGHhd3GMA72T2/IXwP1ikBKaw9IT3c2PTv2qsFE13i9FHPSzpvGJNOsG4moDr2c6Jr1uh1jz3J9Arak43RfJSS6v64rq6lQCEI7syyzD2TNA2ETZrdrOJieONwlb2RvMxKN3hm/uaGzi+kJyXrvZEhtY6UQEra6+ZnVgDfZErCLhVVNGlIHZbgsfX68b8M4397qxfjN31VxO5QDBJVoJY7muWf5T4abwEO/UIBRUhZDIyJIhZiaxz3Q2f68kmysNvBCA4QoQw==; 5:2o0anVTM/kskAWlsXtCOpKej9N6Dn/PuYcZeHlIvtRxKxdQGwO+Dcw+3eYC6b2XzpgnLTwnO0jZf6hdb6MQ2L6FSipqiFotZzsi3sU7WokRikyiz9lBgWP+yDpa/PQdYDyaSTuck8ACOLf+dSX6fvYk35NlxNTjw3hUYjfFkoHFf+2k6p/e65RHuCpu0jy6V418YaWa6jhaCDVZ5ijMZaA==; 7:3PFgnXIsf5BpBRd5Ad/vdRL1TlxHbwDBrec9CN9FMiZRGSp013xio2cPSVJPpZ4exeZog7HyPDZY88qly07k7Sh3bGL1OxxOnTro0OYFBz2N5Uh8bcYt7xMr1hWHp9cAZVf/6i2/ZzX9lfQHRSoAHQ==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 3a9d077d-de3c-47d8-dbbc-08d67c489083
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2647;
x-ms-traffictypediagnostic: BYAPR16MB2647:
x-microsoft-antispam-prvs: <BYAPR16MB264713F81E433142DD10C866EA830@BYAPR16MB2647.namprd16.prod.outlook.com>
x-forefront-prvs: 0920602B08
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(366004)(376002)(396003)(39860400002)(136003)(51914003)(53434003)(189003)(199004)(55784004)(13464003)(32952001)(5660300001)(476003)(446003)(305945005)(74316002)(11346002)(4744004)(72206003)(66066001)(478600001)(71190400001)(71200400001)(966005)(55016002)(105586002)(106356001)(14454004)(68736007)(25786009)(30864003)(256004)(97736004)(14444005)(5024004)(33656002)(4326008)(80792005)(6116002)(3846002)(53936002)(9686003)(486006)(6306002)(2906002)(53946003)(86362001)(6246003)(2171002)(53546011)(6506007)(8676002)(81166006)(81156014)(76176011)(7696005)(7736002)(26005)(102836004)(186003)(6916009)(99286004)(229853002)(6436002)(8936002)(316002)(54906003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2647; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: krndWw59OMOQLA8PlxWev8MAApblCUDMbrZIfnlFwB9yaN7HfMqdpythn9wOzWZawMZ/4cduwwY4W5QorlQbPDNQV0JpcI3QWkH9qJaaiHPF9N6qF6K/rj8ONgwukhg9cZpWjeepjHRxWBLxuEceatID/ReBoyfdqVXOeKCgejpsEWzaaPFjtXpE2zEVKLmEHZ5dNkgwsq5G4hscNWgR2wP2QBHeaC7V7/ubDvmwIRplUKdH/vzM4OfMyemPQaLK3lBly4IYq+qDHZtUbzXLPuvrobZe1lUJUutQe2eVALX9zfAY5Uz+3Nv9cy1D48kBelckMBRPedrYSHKIYScLzrvAAgPgq08u3MEKbuVUSIjNMh/qBl+HhHBihui8cgCXbuOcF07w3trMjPugSRbpmfl/5qBEQXJmAJ0ydPGy+CU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a9d077d-de3c-47d8-dbbc-08d67c489083
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2019 06:54:02.1912 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2647
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6462> : inlines <6996> : streams <1810319> : uri <2781180>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/jC8n0HYaywxzZ-TKYuqLwYd83L0>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 06:58:19 -0000
> -----Original Message----- > From: Benjamin Kaduk <kaduk@mit.edu> > Sent: Thursday, January 17, 2019 3:58 AM > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> > Cc: mohamed.boucadair@orange.com; draft-ietf-dots-signal- > channel@ietf.org; dots@ietf.org > Subject: Re: AD review of draft-ietf-dots-signal-channel-25 (2nd Part) > > This email originated from outside of the organization. Do not click links or > open attachments unless you recognize the sender and know the content is > safe. > > On Wed, Jan 16, 2019 at 01:30:01PM +0000, Konda, Tirumaleswar Reddy > wrote: > > > -----Original Message----- > > > From: Dots <dots-bounces@ietf.org> On Behalf Of > > > mohamed.boucadair@orange.com > > > Sent: Wednesday, January 16, 2019 4:11 PM > > > To: Benjamin Kaduk <kaduk@mit.edu>; draft-ietf-dots-signal- > > > channel@ietf.org > > > Cc: dots@ietf.org > > > Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 > > > (2nd Part) > > > > > > > > > > > > Re-, > > > > > > Please see inline. > > > > > > Cheers, > > > Med > > > > > > > -----Message d'origine----- > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16 > > > > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org > > > > Cc : dots@ietf.org > > > > Objet : AD review of draft-ietf-dots-signal-channel-25 > > > > > > > > > > > > Section 4.4 > > > > > > > > GET: DOTS clients may use the GET method to subscribe to DOTS > > > > server status messages, or to retrieve the list of its > > > > mitigations maintained by a DOTS server (Section 4.4.2). > > > > > > > > I'm not really a canonical HTTP expert, but I suspect that using > > > > GET to "subscribe" will raise some eyebrows at later stages of review. > > > > > > [Med] We are following RFC7641. I would be surprised if this is an issue. > > > > > > Maybe > > > > we should just leave it as-is and wait for such review to arrive, > > > > though, rather than trying to do something preemptively. > > > > > > [Med] Yes. > > Sounds good. > > > > > > > > > I don't know if this is the proper section to talk about it, but > > > > we should probably have some text justifying the use of > > > > application-layer acknowledgment as opposed to just using > Confirmable CoAP messages. > > > > > > [Med] I'm not sure to understand this one. Which "application-layer > > > acknowledgment" are you referring to? > > Maybe I was just misreading. Does > > Requests marked by the DOTS client as Non-confirmable messages are > sent at regular intervals until a response is received from the DOTS > server. > > refer to a "response" at the application layer (as opposed to the CoAP layer)? No, the non-confirmable response is returned at the CoAP layer itself. > > > > > > > > > Section 4.4.1 > > > > > > > > If Figure 5 is going to use actual/example values for cuid and > > > > mid, then I'd suggest also using actual/example values for the > > > > JSON fields (instead of "integer" and "string" and such). > > > > > > [Med] I split the figure into two so that we don't have this problem. > > > > > > > > > > > cuid: Stands for Client Unique Identifier. A globally unique > > > > identifier that is meant to prevent collisions among DOTS clients, > > > > especially those from the same domain. It MUST be generated by > > > > DOTS clients. > > > > > > > > In order to get global uniqueness we either need sufficient > > > > randomness or a hierarchical allocation strategy. Since we > > > > recommend a strategy that involves hashing the (public) client > > > > certificate, we may also want to note that this value does not > > > > need to be unguessable. If a random allocation is possible, I > > > > suggest giving guidance on how many random bits must be used to > > > > sufficiently ensure global uniqueness (128 might be enough). > > > > > > [Med] An attack vector that can be achieved if the cuid is guessable > > > is if a misbehaving client from within the client's domain succeeds > > > to be granted access by the server and then uses the cuid of another > > > client of the domain to delete active mitigation/etc. > > > > > > For this attack vector to happen, the misbehaving client needs to > > > pass security validation checks by the server. Therefore, I'm not > > > sure if it is worth to add an allocation reco given this perquisite. > > > > > > Thoughts? > > I don't think we need to have text around 'cuid' allocation, but should > mention the possibility of this spoofing attack by a compromised client, in > the security considerations. > > > UUID discussed in https://tools.ietf.org/html/rfc4122 is another way of > generating a globally unique identifier. A compromised DOTS client can sniff > the TLS 1.2 handshake, use the client certificate to identify the "cuid" used > by another DOTS client. This attack is not possible with TLS 1.3 (TLS > handshake is encrypted). > > For 1.3 the attacker would need to have data from a server in order to see > another client's certificate, yes, which is presumably a harder attack. Yup, will update Security Considerations. > > I don't think a UUID reference would be very valuable here. If cuid collision happens, UUID can be used to generate the cuid. > > > Cheers, > > -Tiru > > > > > > > > > > > > > The output of the cryptographic hash algorithm > > > > is truncated to 16 bytes; truncation is done by stripping off the > > > > final 16 bytes. The truncated output is base64url encoded. > > > > > > > > side note: Truncation to 128 bits reduces the collision resistance > > > > to 64-bit strength, though this is probably acceptable in this use case. > > > > > > > > DOTS servers MUST return 4.09 (Conflict) error code to a DOTS peer > > > > to notify that the 'cuid' is already in-use by another DOTS > > > > client. Upon receipt of that error code, a new 'cuid' MUST be > > > > generated by the DOTS peer. > > > > > > > > Is there any way in which this situation could arise during some > > > > sort of migration scenario? > > > > > > [Med] This can be for example a client which does not follow the > "SHOULD" > > > for creating the cuid. > > Of course. I'm wondering if a legitmiate client that does follow the > "SHOULD" could ever see this error code in the absence of an attack, for > example if the client's network address changes. Yes, I too don't think a legitimate client will see this error code in the absence of an attack. > > > > > > > > > Client-domain DOTS gateways MUST handle 'cuid' collision directly > > > > and it is RECOMMENDED that 'cuid' collision is handled directly by > > > > server-domain DOTS gateways. > > > > > > > > Is a gateway supposed to know if it is "client-side" or "server-side" > > > > by explicit configuration or some more automatic method? > > > > > > [Med] This can be done by an explicit configuration. > > Okay. Let's wait to see if any other reviewers ask for clarifying text that this > can only be known via explicit configuration. > > > > > > > > > 'cuid' and 'mid' MUST NOT appear in the PUT request message body. > > > > > > > > Do we need to say this given that there's no obvious structure in > > > > which to put them? (That is, is this just a reminder to > > > > implementors of a previous version of the draft versus guidance to > > > > new > > > > implementations?) > > > > > > [Med] We used to have those in the message body in previous versions > > > of the spec/implementations. Furthermore, there are cases where > > > "mid" is allowed to be included in the message body (e.g., PUT > > > response). We included this note for implementers because of some > > > behaviors observed during past interops. > > Okay. (I think this is actually one of the things I asked before and you > already answered; sorry for the duplication.) > > > > > > > > > The prefix list MUST NOT include broadcast, loopback, or multicast > > > > addresses. These addresses are considered as invalid values. > > > > In > > > > > > > > Does "invalid" mean that the particular address gets ignored or > > > > that the entire request is rejected? > > > > > > [Med] The expected behavior is covered by this text: > > > > > > " ... or contains invalid or unknown parameters, the DOTS server > > > MUST reply with 4.00 (Bad Request)." > > > > > > > > > > > target-fqdn: A list of Fully Qualified Domain Names (FQDNs) > > > > identifying resources under attack. An FQDN is the full name of a > > > > resource, rather than just its hostname. For example, "venera" is > > > > a hostname, and "venera.isi.edu" is an FQDN [RFC1983]. > > > > > > > > I would suggest referring to draft-ietf-dnsop-terminology-bis > > > > rather than trying to reproduce a definition of FQDN. > > > > > > > > > > [Med] I added an informative reference to draft-ietf-dnsop-terminology- > bis. > > Thanks > > > > > We also may want to note that the DNS view can change depending on > > > > the vantage point used to make the observation. > > > > > > [Med] Not sure what to do with this one given that the text says: > > > > > > "How a name is passed to an underlying name resolution library is > > > implementation- and deployment-specific." > > I was thinking something like "the results returned for resolving a name can > depend on many factors, including when the request was made and the > address of the DNS resolver used -- there is no guarantee that the DOTS > server will resolve a name to the same addresses that the DOTS client does". Good point, will update draft. > > > > > > > > > On page 18 we say that server-domain DOTS gateways "MUST supply > > > > [...] 'cdid'", but the previous paragraph says that there SHOULD > > > > be a configuration option for whether to insert 'cdid' on such systems. > > > > The two requirements are in conflict; which was intended? (I > > > > assume the MUST -- why would it be desired to not have the > > > > information > > > > available?) > > > > > > [Med] This text is about gateways that are instructed to insert the > > > cdid parameter. gateways facing a client's domain are in this case. > > > > > > I updated the text with "server-domain DOTS gateways instructed to > > > insert the 'cdid' parameter MUST supply.." > > Ah, that makes sense -- thanks. > > > > > > > > > The same paragraph also says that the 'cdid' is "likely to be the > > > > same as" the 'cuid', though in addition to the listed reasons the > > > > client only has a SHOULD requirement to follow this procedure for > > > > generating 'cuid'; it may be worth noting the client's leeway here as > well. > > > > > > [Med] Yes, this is why we have "likely" in the text. > > > > > > > > > > > If a DOTS client is provisioned, for example, with distinct > > > > certificates as a function of the peer server-domain DOTS gateway, > > > > distinct 'cdid' values may be supplied by a server-domain DOTS > > > > gateway. The ultimate DOTS server MUST treat those 'cdid' values > > > > as equivalent. > > > > > > > > Is this paragraph trying to say that a client might supply > > > > different certs to different gateways in the same domain > > > > > > [Med] Yes. > > > > > > (e.g., if one such > > > > gateway does not support ecdsa certs)? It was pretty confusing on > > > > the first read, in particular how the ultimate DOTS server would > > > > know that the different 'cdid' values actually correspond to the > > > > same client [domain]. > > > > > > [Med] This is supposed to be provisioned on the server. This is > > > deployment- specific; hence no mention in the draft. > > Ah, thanks for the explanation. I don't have any suggested rewording that > would help clarify -- all I can come up with is to add ", when configured to > know they represent the same client", which is both long and not really > saying anything new. > > > > > > > > > DOTS servers MUST ignore 'cdid' attributes that are directly > > > > supplied by source DOTS clients or client-domain DOTS gateways. > > > > This implies that first server-domain DOTS gateways MUST strip > > > > 'cdid' attributes supplied by DOTS clients. DOTS servers SHOULD > > > > support a configuration parameter to identify DOTS gateways that > > > > are trusted to supply 'cdid' attributes. > > > > > > > > Is there any mechanism (e.g., autodetection) other than this by > > > > which servers/proxies can learn about the topology information > > > > needed to fulfil these requirements? > > > > > > [Med] I'm not aware of such mechanism. > > Okay, thanks. > > > > > > > > > Because of the complexity to handle partial failure cases, this > > > > specification does not allow for including multiple mitigation > > > > requests in the same PUT request. Concretely, a DOTS client MUST > NOT > > > > include multiple 'scope' parameters in the same PUT request. > > > > > > > > "multiple 'scope' parameters" reads like a CBOR object with > > > > duplicate keys; is this intended to refer to a multi-valued array? > > > > > > [Med] What is intended is that the scope list should include only one > entry.. > > > > > > I can change to "multiple 'scope' clauses" > > I'm not sure how different that is. It sounds like you're trying to avoid > "multiple entries in the 'scope' array"? Yes, proposed wording to say "MUST NOT include multiple entries in the 'scope' array" looks better. > > > > > > > > > The DOTS server couples the DOTS signal and data channel sessions > > > > using the DOTS client identity and optionally the 'cdid' > > > > parameter > > > > > > > > This requires the client to use the same certificate to > > > > authenticate the signal and data channels to a given server (even > > > > when a gateway is in use). Above, we discussed cases where a > > > > client might have multiple certificates available. > > > > > > [Med] Actually, the text above applies also if distinct certificates are used. > > > Equivalent "client identity" are supposed to be known to the server > > > by an out of band means. In all cases, the identity (same or > > > equivalent) is used to couple the sessions. > > Hmm. If we are talking anything fancier than just comparing Subject > information from the certificate (which apparently I forgot about when I > wrote the above!), I think we may want to have some text in the document > mentioning the possibility of out of band configuration. Nothing fancy, the two certificates will have the same distinguished name (DN) in the subject field. A CA can issue multiple certificates with the same DN to the DOTS client (or subject). > > > > Where do we specify the requirement to use the > > > > same certificate for signal and data channels? > > > > > > [Med] We don't have such requirement in existing DOTS documents. > > > > > > > > > > > DOTS agents can safely > > > > ignore Vendor-Specific parameters they don't understand. > > > > > > > > This is not a very useful statemnet if the agent must know that a > > > > parameter is vendor-specific in order to safely ignore it. > > > > > > [Med] The agent relies on the cbor key value to determine that a > > > parameter can be safely ignored or not (comprehension-required). A > > > range of keys is reserved for comprehension-optional. An agent > > > checks the range to which belong a parameter, and then behaves > accordingly. > > If we really mean comprehension-optional, maybe we should just say that, > instead of "Vendor-Specific". Yes, will update. > > > > > > > > > If the DOTS server does not find the 'mid' parameter value conveyed > > > > in the PUT request in its configuration data, it MAY accept the > > > > mitigation request by sending back a 2.01 (Created) response to the > > > > DOTS client; the DOTS server will consequently try to mitigate the > > > > attack. > > > > > > > > If the DOTS server finds the 'mid' parameter value conveyed in the > > > > PUT request in its configuration data bound to that DOTS client, it > > > > MAY update the mitigation request, and a 2.04 (Changed) response is > > > > returned to indicate a successful update of the mitigation request. > > > > > > > > There are two "MAY"s spread across these two paragraphs; do we > > > > want to say anything about in what cases the server might want to > > > > have different behavior (i.e., ignore the MAY)? > > > > > > > > > > [Med] For the first MAY, a typical example is when a rate limit is enforced: > > > > > > Rate-limiting DOTS requests, including those with new 'cuid' values, > > > from the same DOTS client defends against DoS attacks that would > > > result in varying the 'cuid' to exhaust DOTS server resources. Rate- > > > limit policies SHOULD be enforced on DOTS gateways (if deployed) and > > > DOTS servers > > > > > > For the second MAY, the server may have more visibility on the > > > attack and then may decide to update accordingly. > > > > > > I don't know if it is worth to add examples. Any preference? > > I would lean towards adding "A server could reject mitigation requests when > it is near capacity or needs to rate-limit a particular client, for example" for > the former, but leaving the latter as-is. But I have no strong preferences > here and am happy to advance the document either way. Sure, will update draft. Cheers, -Tiru > > -Ben
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair