Re: [Dots] clarification questions from the hackathon

<mohamed.boucadair@orange.com> Thu, 28 March 2019 13:56 UTC

From: mohamed.boucadair@orange.com
To: Olli Vanhoja <olli@zeit.co>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] clarification questions from the hackathon
Thread-Index: AQHU5VO3CfVXhciSq0+ZqKxGOtsoYqYhDJ7w
Date: Thu, 28 Mar 2019 13:56:42 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA4EDD0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <946bcc8c-2e3e-3b09-b8d1-631475ea0ea0@nttv6.jp> <CABrJZ5EBALYdSXu0L1EXX+31Fsbtq_KKPfPhO8M=SnLfS56GMw@mail.gmail.com>
In-Reply-To: <CABrJZ5EBALYdSXu0L1EXX+31Fsbtq_KKPfPhO8M=SnLfS56GMw@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/kd2PMDL0wXIMaXS0nTBwP5D5-sI>
Subject: Re: [Dots] clarification questions from the hackathon

Hi Olli,

Please see inline. 

Cheers,
Med

> -----Original Message-----
> From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Olli Vanhoja
> Sent: Thursday, 28 March 2019 11:48
> To: kaname nishizuka
> Cc: dots@ietf.org
> Subject: Re: [Dots] clarification questions from the hackathon
> 
> Some additional questions.
> 
> I saw somewhere a probably outdated spec with a versioned URL
> /.well-known/dots/v1/mitigate
> This was however dropped from the draft:
> /.well-known/dots/mitigate
> 
> Why is this? Wouldn't it be a good idea to allow versioning somewhere,
> either in the request path or the request body?

[Med] That change was made to reflect a change in the requirements I-D with regard to versioning. The spec relies on two sets of attributes (comprehension-required, comprehension-optional) to extend the protocol by adding new features instead of bumping the version number.

> 
> Was there any consideration about PKI and/or key distribution? Or
> should implementors and users solve this?
> 

[Med] This is left to deployments. Existing specs only say the following:

   A key challenge to deploying DOTS is the provisioning of DOTS
   clients, including the distribution of keying material to DOTS
   clients to enable the required mutual authentication of DOTS agents.
   Enrollment over Secure Transport (EST) [RFC7030] defines a method of
   certificate enrollment by which domains operating DOTS servers may
   provide DOTS clients with all the necessary cryptographic keying
   material, including a private key and a certificate to authenticate
   themselves.  One deployment option is DOTS clients behave as EST
   clients for certificate enrollment from an EST server provisioned by
   the mitigation provider.  This document does not specify which EST or
   other mechanism the DOTS client uses to achieve initial enrollment.

Having deployment guidelines would be helpful, though.

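The comprehension-required / comprehension-optional split Med describes, shown as an added example that is not code from this thread or from any DOTS implementation: a receiver classifies every CBOR key it does not recognise by the comprehension class of its key range, fails closed (4.00 Bad Request) on an unknown comprehension-required key, and silently skips an unknown comprehension-optional one, so new attributes can be added without a version number in the path or body. The key numbers, key ranges, attribute names, mandatory-key rule and message layout below are a constructed subset chosen for illustration (assumptions), not the actual assignments of the DOTS signal channel specification or its IANA CBOR key registry.

```python
"""Added example (not from the thread or any DOTS implementation): a receiver
that extends its attribute set without a protocol version number, by treating
unknown CBOR keys according to the comprehension class of their key range.
Key numbers, ranges, attribute names and the message layout are a constructed
subset for illustration (assumptions), not the real DOTS assignments."""

from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Assumed key-range split (constructed): an unknown key in a comprehension-required
# range makes the request fail; an unknown key in an optional range is skipped.
COMPREHENSION_REQUIRED_RANGES = [(1, 127), (32768, 49151)]
COMPREHENSION_OPTIONAL_RANGES = [(128, 32767), (49152, 65535)]

# Constructed subset of attributes this (older) receiver understands.
KNOWN_ATTRIBUTES: Dict[int, str] = {
    2: "scope",
    4: "cuid",
    5: "mid",
    6: "target-prefix",
    14: "lifetime",
}
MANDATORY_KEYS = {4, 5}  # constructed rule: every request carries cuid and mid


@dataclass
class ValidationResult:
    code: str                                   # CoAP-style response code
    accepted: List[str] = field(default_factory=list)
    ignored_keys: List[int] = field(default_factory=list)
    reason: str = ""


def is_comprehension_required(key: int) -> bool:
    """Classify a key by range alone, so keys allocated after this receiver was
    written are still handled the way the sender intended."""
    if any(lo <= key <= hi for lo, hi in COMPREHENSION_REQUIRED_RANGES):
        return True
    if any(lo <= key <= hi for lo, hi in COMPREHENSION_OPTIONAL_RANGES):
        return False
    raise ValueError(f"key {key} is outside every allocated range")


def _walk(node: Any, result: ValidationResult) -> Optional[str]:
    """Visit every map in the decoded body (including maps nested in arrays);
    return an error string on the first key that cannot be honoured."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in KNOWN_ATTRIBUTES:
                result.accepted.append(KNOWN_ATTRIBUTES[key])
                err = _walk(value, result)
                if err:
                    return err
                continue
            try:
                required = is_comprehension_required(key)
            except ValueError as exc:
                return str(exc)
            if required:
                # The sender relies on a feature we lack: fail closed instead of
                # mitigating with semantics the sender did not ask for.
                return f"unknown comprehension-required key {key}"
            result.ignored_keys.append(key)  # newer optional feature: skip it
    elif isinstance(node, list):
        for item in node:
            err = _walk(item, result)
            if err:
                return err
    return None


def validate_request(body: Dict[int, Any]) -> ValidationResult:
    """Emulate the receiving side: body is a decoded CBOR map keyed by integers.
    Returns 2.01 with the accepted attribute names, or 4.00 with a reason."""
    missing = MANDATORY_KEYS - set(body)
    if missing:
        return ValidationResult("4.00", reason=f"missing mandatory keys {sorted(missing)}")
    result = ValidationResult("2.01")
    err = _walk(body, result)
    if err:
        return ValidationResult("4.00", reason=err)
    return result


if __name__ == "__main__":
    # Constructed requests: a baseline, one from a newer client using an
    # optional extension (key 300), and one needing a required extension (key 90).
    base = {4: "client-example-cuid", 5: 12, 2: [{6: ["2001:db8::/32"], 14: 3600}]}
    optional_ext = {4: "client-example-cuid", 5: 13, 2: [{6: ["2001:db8::/32"], 300: "opt"}]}
    required_ext = {4: "client-example-cuid", 5: 14, 2: [{6: ["2001:db8::/32"], 90: True}]}
    for name, req in (("base", base), ("optional", optional_ext), ("required", required_ext)):
        print(name, validate_request(req))
```

The point of classifying by range rather than by a known-key table is that the receiver's behaviour on a key it has never seen is still well defined: an older server cannot accidentally honour a request whose required semantics it does not implement, and a newer client learns from the 4.00 that the feature is unsupported, which is the negotiation a version number would otherwise have to carry.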