Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

"Meiling Chen" <chenmeiling@chinamobile.com> Tue, 23 July 2019 09:52 UTC

Return-Path: <chenmeiling@chinamobile.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99FE012002F for <dots@ietfa.amsl.com>; Tue, 23 Jul 2019 02:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWuXivIIA4Qn for <dots@ietfa.amsl.com>; Tue, 23 Jul 2019 02:52:04 -0700 (PDT)
Received: from cmccmta1.chinamobile.com (cmccmta1.chinamobile.com [221.176.66.79]) by ietfa.amsl.com (Postfix) with ESMTP id 7D4A212013F for <dots@ietf.org>; Tue, 23 Jul 2019 02:52:03 -0700 (PDT)
Received: from spf.mail.chinamobile.com (unknown[172.16.121.11]) by rmmx-syy-dmz-app01-12001 (RichMail) with SMTP id 2ee15d36d7ef8b1-fcdea; Tue, 23 Jul 2019 17:48:31 +0800 (CST)
X-RM-TRANSID: 2ee15d36d7ef8b1-fcdea
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[10.2.51.70]) by rmsmtp-syy-appsvr06-12006 (RichMail) with SMTP id 2ee65d36d7e38b3-92bdd; Tue, 23 Jul 2019 17:48:30 +0800 (CST)
X-RM-TRANSID: 2ee65d36d7e38b3-92bdd
Date: Tue, 23 Jul 2019 17:48:24 +0800
From: "Meiling Chen" <chenmeiling@chinamobile.com>
To: =?UTF-8?B?S29uZGEsIFRpcnVtYWxlc3dhciBSZWRkeQ==?= <TirumaleswarReddy_Konda@McAfee.com>, kaname <kaname@nttv6.jp>, "tirumal reddy" <kondtir@gmail.com>
Cc: dots <dots@ietf.org>
References: <156233245922.21720.2303446065970922340.idtracker@ietfa.amsl.com>, <CAFpG3gcgpJRyLSoLkOMuUWY8pZrBPDCCz6-sc8A=1KW3GMpm+g@mail.gmail.com>, <9401a258-5a32-b612-450b-10d3452777ac@nttv6.jp>, <DM5PR16MB17054921F8CC3C2C90CB6A4BEAC40@DM5PR16MB1705.namprd16.prod.outlook.com>, <a70c3aad-8b41-3d3c-7cd9-88d681e888b6@nttv6.jp>, <MWHPR16MB171185CA2F151A9A5C9AAB78EAC70@MWHPR16MB1711.namprd16.prod.outlook.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.9.115[cn]
Mime-Version: 1.0
Message-ID: <2019072317482429157346@chinamobile.com>
Content-Type: multipart/alternative; boundary="----=_001_NextPart641445653283_=----"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/jhGj1l_X_y--AjFsO7ed2E0ykqg>
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 09:52:13 -0000

Hi kaname,Exactly, DDoS mitigation system and DDoS detection system (for example, a flow collector) are separately, one scenario of the deployments that the DOTS server is integrated with the flow collector.I'd like to do more discussion,  there exist some VIPs that they don't have their own DDoS detection system, and buy another company's service to prevent attack.on this occasion, attack target can't sense the attack, DDoS detection system is responsible for the role of Dots Client,  then a centralized scheduling platform(if it exists) can act as Dots server.in the draft draft-chen-dots-server-hierarchical-deployment we make some consideration for dots server deployment(welcome reading and comments)Htmlized: https://tools.ietf.org/html/draft-chen-dots-server-hierarchical-deployment-00
Traffic Amount:     4.02k pps  [question] is it means the total packets including attacks and normal traffic? In my draft I named attack-bandwidth.
Threshold:          4.00k pps[question] is threshold setting depending on each attack type?In my draft I named  Target-attack-type-threshold   
Direction:          incoming
Victim IP Address:  x.x.x.x/32[comments]: It would also be helpful to assess the number of all attack ips in distributed attack mode 
Attack Type:        TCP SYN
[comments]:In the draft draft-chen-dots-attack-informations-02 we propose a unify classify method to name the attack type.
Htmlized: https://tools.ietf.org/html/draft-chen-dots-attack-informations-02

From: Konda, Tirumaleswar Reddy
Date: 2019-07-23 15:04
To: kaname nishizuka; tirumal reddy; dots@ietf.org
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
Thanks for the clarification. I don’t think any of the DOTS use cases documents discuss this deployment. DOTS signal channel looks more suitable for these Pre-mitigation DOTS Telemetry Attributes than the DOTS data channel. 
 
Cheers,
-Tiru
 
From: kaname nishizuka <kaname@nttv6.jp>; 
Sent: Monday, July 22, 2019 8:26 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;; tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
 
CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Hi Tiru,

Let me explain it.
There is a service by several transit providers such as detection capabilities to notify clients of potential attacks.
It is assumed that they have a DDoS mitigation system and a DDoS detection system (for example, a flow collector) separately.
It is a realistic deployment that the DOTS server is integrated with the flow collector.

When an attack occur, the DDoS detection system will notice that the customer is under attack, then the pre-mitigation DOTS telemetry(= attack details) can be signaled from the DOTS server to the (associated) DOTS client.

Here is one of the traffic anomaly detection notification example (threshold basis) quoted from some actual service.
Organization:       XXX
Attack ID:          13227
Start Time:         2019/06/05 22:52:30 JST+0900
Level:              1
Traffic Amount:     4.02k pps
Threshold:          4.00k pps
Direction:          incoming
Victim IP Address:  x.x.x.x/32
Attack Type:        TCP SYN

It says like "it seems you're under attack, what will you do? (We can offer some protection)"

regards,
Kaname

On 2019/07/22 23:11, Konda, Tirumaleswar Reddy wrote:
Thanks Kaname for the support. I did not get the comment. what type of pre-mitigation DOTS telemetry attributes can be signaled from the DOTS server to the DOTS client ?
And How will the DOTS server know the pre-mitigation DOTS telemetry attributes relevant or associated with a DOTS client ? 
 
Cheers,
-Tiru
 
From: Dots <dots-bounces@ietf.org>; On Behalf Of kaname nishizuka
Sent: Monday, July 22, 2019 6:44 PM
To: tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
 
CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


I support this draft.

I'd like to mention about the telemetry attributes from a DOTS server to a DOTS client.
Currently, several transit ISPs are providing DDoS detection and protection services.
In such a service, they send a DDoS detection notification via e-mail when they noticed that their customer is under attack.
The mail includes the telemetry information such as 4.1.5. Attack Details.
This info can be used for further decision of protection strategy by the customer's security operators.
I think it should be covered by the DOTS telemetry specification.

One suggestion to the draft:
Pre-mitigation DOTS Telemetry Attributes can also be signaled from the DOTS server to the DOTS client.

thanks,
Kaname



On 2019/07/05 22:20, tirumal reddy wrote:
Hi all,
 
https://tools.ietf.org/html/draft-reddy-dots-telemetry-00 aims to enrich DOTS protocols with various telemetry attributes allowing optimal DDoS attack mitigation. This document specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server.  The telemetry attributes can assist the mitigator to choose the DDoS mitigation techniques and perform optimal DDoS attack mitigation.

Comments, suggestions, and questions are more than welcome.

Cheers,
-Tiru
 
---------- Forwarded message ---------
From: <internet-drafts@ietf.org>;
Date: Fri, 5 Jul 2019 at 18:44
Subject: New Version Notification for draft-reddy-dots-telemetry-00.txt
To: Tirumaleswar Reddy <kondtir@gmail.com>;, Ehud Doron <ehudd@radware.com>;, Mohamed Boucadair <mohamed.boucadair@orange.com>;



A new version of I-D, draft-reddy-dots-telemetry-00.txt
has been successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.

Name:           draft-reddy-dots-telemetry
Revision:       00
Title:          Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
Document date:  2019-07-05
Group:          Individual Submission
Pages:          13
URL:            https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-00.txt
Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry


Abstract:
   This document aims to enrich DOTS signal channel protocol with
   various telemetry attributes allowing optimal DDoS attack mitigation.
   This document specifies the normal traffic baseline and attack
   traffic telemetry attributes a DOTS client can convey to its DOTS
   server in the mitigation request, the mitigation status telemetry
   attributes a DOTS server can communicate to a DOTS client, and the
   mitigation efficacy telemetry attributes a DOTS client can
   communicate to a DOTS server.  The telemetry attributes can assist
   the mitigator to choose the DDoS mitigation techniques and perform
   optimal DDoS attack mitigation.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



_______________________________________________Dots mailing listDots@ietf.orghttps://www.ietf.org/mailman/listinfo/dots
 


_______________________________________________Dots mailing listDots@ietf.orghttps://www.ietf.org/mailman/listinfo/dots