IETF Logo Mail Archive

Re: [Dots] DOTS telemetry questions

<mohamed.boucadair@orange.com> Fri, 21 February 2020 07:00 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF9AC120033 for <dots@ietfa.amsl.com>; Thu, 20 Feb 2020 23:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBjle6d76Zn0 for <dots@ietfa.amsl.com>; Thu, 20 Feb 2020 23:00:11 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306081200FF for <dots@ietf.org>; Thu, 20 Feb 2020 23:00:11 -0800 (PST)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) by opfednr24.francetelecom.fr (ESMTP service) with ESMTP id 48P2Qc6rF3z1yVc; Fri, 21 Feb 2020 08:00:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1582268409; bh=ddUkHCqRAPyAyXphHoKzegfEQ2kweRX2C5N8l9bubzA=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=TipHcVmxaUbnU5DGf4s3YlkJWmGAgsWWdISlhhsuLQcZo17iDh4J3/pPF68ZFFLCE Mrtz+hhOe0NltUoYjMbvmy/8i7FJfSNVB+kfqLqIaS6qnUPIb0BgS4rEcerazwPMMG VmC4t4dtOXgjVWXRKZJbZx1WDy6crm/+13MhrFuqHYwcpB4VPNsaYtDIAOaqG86vUi HLSgM9bN+F/EIwQC/0fGxM27e6Qbs1Dbumeys5FO2TutrzWcSiyiaE9bybIqkvY+sP iXW3PAQp7tVOJDC9hLlQDVPwb96CGYhLVLAKlKDHYVDP54NeHh6X5w2NS42qkW5USO ET3jsBgpXpwAw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.101]) by opfednr03.francetelecom.fr (ESMTP service) with ESMTP id 48P2Qc61dmzDq7v; Fri, 21 Feb 2020 08:00:08 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM6F.corporate.adroot.infra.ftgroup ([fe80::c489:b768:686a:545b%23]) with mapi id 14.03.0468.000; Fri, 21 Feb 2020 08:00:08 +0100
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: DOTS telemetry questions
Thread-Index: AdXoMF1Myh1CUH9JQYWfs7E2CgsnOAATeuaw
Date: Fri, 21 Feb 2020 07:00:07 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303143DAF8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <188801d5e830$635d97d0$2a18c770$@jpshallow.com>
In-Reply-To: <188801d5e830$635d97d0$2a18c770$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B93303143DAF8OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/jHQUhAIrJBy9KA_Hens58yu2ExA>
Subject: Re: [Dots] DOTS telemetry questions
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 07:00:23 -0000

Hi Jon,

(ccing the WG to track the changes).

Please see inline.

Cheers,
Med

De : Jon Shallow [mailto:supjps-ietf@jpshallow.com]
Envoyé : jeudi 20 février 2020 21:58
À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname nishizuka
Objet : DOTS telemetry questions

Hi Guys,


1)      For example CBOR mappings

     Header: PUT (Code=0.03)
     Uri-Path: ".well-known"
     Uri-Path: "dots"
     Uri-Path: "mitigate"
     Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
     Uri-Path: "mid=123"
     If-Match:
     Content-Format: "application/dots+cbor"

     {
      "ietf-dots-signal-channel:mitigation-scope": {
        "scope": [
          {
            "alias-name": [
               "myserver"
             ],
            "attack-status": "under-attack",
            "ietf-dots-telemetry:total-attack-traffic": [
              {
                "ietf-dots-telemetry:unit": "megabytes-ps",
                "ietf-dots-telemetry:mid-percentile-g": "900"
              }
            ]
          }
        ]
      }
     }

    Figure 33: An Example of Mitigation Efficacy Update with Telemetry
                                Attributes

And yet the mapping table only has (no ietf-dots-telemetry: prefix)

    | total-attack-traffic | list        |32794 | 4 array       | Array  |

I appreciate that ietf-dots-telemetry:total-attack-traffic and total-attack traffic are the same CBOR value (or are they?)
[Med] The same value is used but I didn't check if there are side effects.

Please note that we have this note is section 10:

==
   o  Some of these attributes should be prepended with "ietf-dots-
      telemetry:"
==

but when mapping the CBOR back to JSON the variant of JSON parameter is context (Uri-Path: mitigate or tm) dependent.



2)      why do we not have a "enum megabit-ps" in "typedef unit" in the YANG Module?

[Med]  This can be added to the list as 'units()' are negotiated. *-bytes are more used for aggregates, but let's be consistent and have both bit/bytes in the units.



3)      I think that I have worked out that server-originated-telemetry if set allows telemetry included in the mitigation status rather than only returned using Uri-path: tm - correct?

[Med] I confirm. Note that including pre-mitigation returned using "Uri-path:tm" is controlled by PUT/GET (Section 7.3).



4)      I am confused by "pre-mitigation" which can be transmitted pre any mitigation taking place, or actually during when mitigation is taking place (or so I think) and would simply be better described as "attack-details" - especially with a statement such as



   DOTS agents MUST bind pre-mitigation telemetry data with mitigation

   requests relying upon the target clause.



[Med] That's an option but the current design allows to have the telemetry in // in order to supply more data ** without impacting the placement of a mitigation request ** hence the need to bind both (if any). If telemetry attributes are defined as mandatory (discussed in another thread), this would mean that the server will reject a mitigation that includes such attributes. With the current design, we have a functionality that can be safely enabled independently of the decision that we will make about whether telemetry attributes are mandatory to be supported or not.



Another point we can check to ease correlation between a mitigation request and pre-mitigation telemetry is to signal the "mid" in the telemetry message.



Regards



Jon

v2.23.0 | Report a Bug | By Email