Re: [Dots] another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 29 September 2017 04:22 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: kaname nishizuka <kaname@nttv6.jp>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Dots@ietf.org" <Dots@ietf.org>
Date: Fri, 29 Sep 2017 04:22:17 +0000
Message-ID: <DM5PR16MB17880DA8BDE932F1A758E27AEA7E0@DM5PR16MB1788.namprd16.prod.outlook.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2D185@DGGEML502-MBX.china.huawei.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D19B@DGGEML502-MBX.china.huawei.com> <DM5PR16MB17880F012FB44009155ADCA1EAB50@DM5PR16MB1788.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12BB2D39C@DGGEML502-MBX.china.huawei.com> <DM5PR16MB17888218351CF06BDF691F34EAB50@DM5PR16MB1788.namprd16.prod.outlook.com> <2acd7300-6684-1491-4f98-7029d0b7c1b0@nttv6.jp>
In-Reply-To: <2acd7300-6684-1491-4f98-7029d0b7c1b0@nttv6.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/jFrFCmFYYTDwMtdd05_OpcIUhTM>
Subject: Re: [Dots] another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>

The signal channel draft does not mandate certificates for mutual authentication (using an AAA server is only an example deployment). DOTS agents in the same domain can use other mechanisms like TLS-PSK and SPKI. Andrew and I are planning to put up a draft on DOTS provisioning.

-Tiru
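As an added illustration of the SPKI pin-set option mentioned in this reply and described in the 7 August message quoted further down (self-signed certificates or raw public keys authenticated by their Subject Public Key Info fingerprint, with no CA involved), here is a small Go program written for this archive page; it is not code from the thread, the DOTS drafts, or any DOTS implementation. It uses only Go's standard crypto/tls and crypto/x509 packages. The names PinSet, VerifyPeer, PinnedConfig and SelfSigned, and the identities dots-client-1 and dots-client-2, are constructed for the example. A DOTS server that pins the client's SPKI this way still gets mutual authentication and TLS encryption, which is the property the thread is trying to preserve; the callback rejects any peer whose key was not provisioned, regardless of its source IP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint is the SHA-256 of the certificate's SubjectPublicKeyInfo,
// base64-encoded in the RFC 7469 pin style. Pinning the SPKI rather than the
// whole certificate lets a peer re-issue its self-signed certificate and stay
// pinned as long as it keeps the same key pair.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet holds the fingerprints provisioned out of band for the DOTS peers
// this agent is willing to talk to (a constructed type, not a draft term).
type PinSet map[string]bool

// VerifyPeer has the signature tls.Config.VerifyPeerCertificate expects. The
// peer is accepted only if its leaf certificate's SPKI is pinned; no CA chain
// is consulted, which is what lets self-signed certs or raw keys work.
func (p PinSet) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("peer certificate unparsable: %w", err)
	}
	if fp := SPKIFingerprint(leaf); !p[fp] {
		return fmt.Errorf("peer SPKI fingerprint %s is not pinned", fp)
	}
	return nil
}

// PinnedConfig wires the pin set into a tls.Config for either side of the
// signal channel. RequireAnyClientCert makes the server demand a client cert
// without chain-verifying it; InsecureSkipVerify does the same on the client
// side. Both are acceptable here only because VerifyPeer still runs.
func PinnedConfig(own tls.Certificate, pins PinSet, server bool) *tls.Config {
	cfg := &tls.Config{
		Certificates:          []tls.Certificate{own},
		VerifyPeerCertificate: pins.VerifyPeer,
		MinVersion:            tls.VersionTLS12,
	}
	if server {
		cfg.ClientAuth = tls.RequireAnyClientCert
	} else {
		cfg.InsecureSkipVerify = true
	}
	return cfg
}

// SelfSigned generates a fresh P-256 key and self-signed certificate, which
// is what a DOTS agent without a CA would do once at provisioning time.
func SelfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, parsed, nil
}

func main() {
	// Constructed scenario: the server has pinned one client and is then
	// contacted by a second agent it was never provisioned with.
	_, known, err := SelfSigned("dots-client-1")
	if err != nil {
		panic(err)
	}
	_, unknown, err := SelfSigned("dots-client-2")
	if err != nil {
		panic(err)
	}
	pins := PinSet{SPKIFingerprint(known): true}
	fmt.Println("pinned client   ->", pins.VerifyPeer([][]byte{known.Raw}, nil))
	fmt.Println("unpinned client ->", pins.VerifyPeer([][]byte{unknown.Raw}, nil))
}
```

The pin set would be populated at provisioning time from fingerprints exchanged out of band; rotating a peer's key then means adding the new fingerprint before removing the old one, which is the operational cost of this mode compared with a CA.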

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of kaname nishizuka
Sent: Friday, September 29, 2017 6:02 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank) <frank.xialiang@huawei.com>; Dots@ietf.org
Subject: Re: [Dots] another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi Tiru,

In section 9 of the signal-channel draft, an AAA server exists.
Let me clarify the text.

Mutual authentication between a DOTS client and a DOTS gateway MUST use (client) certificates?
Between them (in the same domain), a mutual authentication without certificates (i.e. choices other than EAP-TLS) would be a good option, if it meets the mutual authentication and encryption requirement.

TLS-PSK mode and Subject Public Key Info (SPKI) look good to me.

I hope those options will be discussed in the WG meeting.


On 2017/08/07 19:19, Konda, Tirumaleswar Reddy wrote:
You may want to look into https://tools.ietf.org/html/rfc6959#section-7
<snip>
   Even if every Internet-connected network implements source address
   validation at the ultimate network ingress, and assurances exist that
   intermediate devices are to never modify datagram source addresses,
   source addresses cannot be used as an authentication mechanism.

-Tiru

From: Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
Sent: Monday, August 7, 2017 3:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Dots@ietf.org
Subject: 答复: another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi Tiru,
Thanks for your analysis. It makes sense to me~~

To be accurate, an IP whitelist does not relax the mutual authentication requirement, but it does lose the encryption benefits.

B.R.
Frank

From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
Sent: August 7, 2017 17:51
To: Xialiang (Frank); Dots@ietf.org
Subject: RE: another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?

TLS supports pre-shared key based authentication. The other mechanisms are Subject Public Key Info (SPKI) Fingerprint pin set for mutual authentication (self-signed certificates or raw public keys) without having to deal with a CA.

I don’t think DOTS should relax the mutual authentication and encryption requirements.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Monday, August 7, 2017 6:25 AM
To: Dots@ietf.org
Subject: [Dots] another option://答复: Can DOTS protocol support IP whitelist for DOTS client's AA?

In addition to IP whitelists and certificates, a pre-shared key can also be an option.
Right?

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: August 7, 2017 8:52
To: Dots@ietf.org
Subject: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi,
I think the direct use of an IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, like: the DOTS client does not support certificates, an ISP which detects spoofed source addresses, etc.

So, should we support this as an optional way for the DOTS client’s AA and add it into the DOTS protocol drafts?

B.R.
Frank




_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots