Re: [Dots] feedback on draft-ietf-dots-requirements
"Mortensen, Andrew" <amortensen@arbor.net> Mon, 20 February 2017 18:30 UTC
Return-Path: <amortensen@arbor.net>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D42D126BF7 for <dots@ietfa.amsl.com>; Mon, 20 Feb 2017 10:30:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.788
X-Spam-Level:
X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CU8DEmfJrlmK for <dots@ietfa.amsl.com>; Mon, 20 Feb 2017 10:30:36 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0090.outbound.protection.outlook.com [104.47.42.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 701AF1294B6 for <dots@ietf.org>; Mon, 20 Feb 2017 10:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-arbor-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=OsaP6pZQb5/w9yaMVxb/jDlUCThaRHEny+pgUml/CUs=; b=fMwd+BRntA927LQkQ12opmmTmjoLNZ6jmKq2HjPYRKnO4BzeQYqb5KO95goVXjCecTP2M2b4zqBAFmjvM49qtMoOQS/+EQujRQ1zSu2uuwNL/KByZVDco4cq35BpX60JhcrpPZGAtTzN4jJ0/Dad1ZJhY/xNd46yE4B3mz8A0i8=
Received: from MWHPR0101MB3118.prod.exchangelabs.com (10.174.167.145) by MWHPR0101MB3120.prod.exchangelabs.com (10.174.168.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.13; Mon, 20 Feb 2017 18:30:34 +0000
Received: from MWHPR0101MB3118.prod.exchangelabs.com ([10.174.167.145]) by MWHPR0101MB3118.prod.exchangelabs.com ([10.174.167.145]) with mapi id 15.01.0919.015; Mon, 20 Feb 2017 18:30:34 +0000
From: "Mortensen, Andrew" <amortensen@arbor.net>
To: Dave Dolson <ddolson@sandvine.com>
Thread-Topic: feedback on draft-ietf-dots-requirements
Thread-Index: AdJCw56N3It0vvnJSvSfOG8E2IPZ9BI48yMA
Date: Mon, 20 Feb 2017 18:30:33 +0000
Message-ID: <C94EC833-D04D-49A7-A13B-392ACB52BF45@arbor.net>
References: <E8355113905631478EFF04F5AA706E9831186C30@wtl-exchp-2.sandvine.com>
In-Reply-To: <E8355113905631478EFF04F5AA706E9831186C30@wtl-exchp-2.sandvine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=amortensen@arbor.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [76.206.40.10]
x-ms-office365-filtering-correlation-id: d661fdb0-504e-41bb-fe74-08d459be8edb
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:MWHPR0101MB3120;
x-microsoft-exchange-diagnostics: 1; MWHPR0101MB3120; 7:glq57aAjRyl+vv7I7IwnD1t0L7GefuTxOcb3q6nr47GoO9HWMzHoG8eYucD+DbRu/JnnpgX8N6fIwoT55ZB63kDJQ48/LxKIJbSt2u0VN++mmNSz4FAtM+T1+p/ozC9i5/PtB2tkYQoOjOV+pBJt1PqSS/oIK68DSOKWR4436ac+SMrIfuQcnBg7//q1cERfwega/TqfqUCh/guAgAOjrZ2EAAHm6dopdKWaPWBp5mN7CnFXcDmTSY/QzskCuvGVp+T3vAgnVzaEsJEILKOMX2HXm7iXl+EirR6RU6b1ZorvEMKgGw6w+9CAx3VLZVXYmSpxD2S1UaRGAwrwZFyymw==
x-microsoft-antispam-prvs: <MWHPR0101MB31200530B260BA38D835C76FD15E0@MWHPR0101MB3120.prod.exchangelabs.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123555025)(20161123564025)(20161123562025)(20161123560025)(20161123558025)(6072148); SRVR:MWHPR0101MB3120; BCL:0; PCL:0; RULEID:; SRVR:MWHPR0101MB3120;
x-forefront-prvs: 02243C58C6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(189002)(199003)(377454003)(57704003)(24454002)(81166006)(8936002)(25786008)(68736007)(86362001)(77096006)(6436002)(6486002)(36756003)(8676002)(6506006)(6916009)(81156014)(122556002)(3660700001)(3280700002)(2906002)(229853002)(82746002)(54356999)(50986999)(76176999)(2950100002)(102836003)(6116002)(38730400002)(110136004)(4326007)(3846002)(230783001)(6246003)(105586002)(83716003)(2900100001)(106356001)(101416001)(97736004)(189998001)(92566002)(7736002)(99286003)(53936002)(236005)(33656002)(5660300001)(54896002)(6512007)(66066001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR0101MB3120; H:MWHPR0101MB3118.prod.exchangelabs.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: arbor.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C94EC833D04D49A7A13B392ACB52BF45arbornet_"
MIME-Version: 1.0
X-OriginatorOrg: arbor.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2017 18:30:33.6349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 54f11205-d4aa-4809-bd36-0b542199c5b2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR0101MB3120
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/l1AnemQ8rNqnpU6RyYjwxvoV0RM>
Cc: "dots@ietf.org" <dots@ietf.org>
Subject: Re: [Dots] feedback on draft-ietf-dots-requirements
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2017 18:30:39 -0000
Thanks, Dave. This is very helpful. My (extremely tardy) responses are inline. I’ve snipped most of the minor rephrasing suggestions. All comments are me speaking for myself, not necessarily for the other requirements draft editors. I’ve opened issues on github for most of these comments. On Nov 26, 2016, at 9:31 PM, Dave Dolson <ddolson@sandvine.com<mailto:ddolson@sandvine.com>> wrote: …snip... 1.2 …snip... For “countermeasure”, this sounds like only packet filtering. Is that accurate and complete? Could tar-pit or routing changes be included in countermeasures? I don’t want the document to restrict the definition of countermeasure, but I’m also not keen to enshrine specific types of countermeasure, either. I’ll revise to make it clearer. Is “signal channel” intended to be the same thing as the “session” mentioned in the architecture? I think so, and terminology should be made consistent between the docs. If not, I don’t understand the difference between channel and session. Speaking for myself, the “channel” distinction is meant to distinguish the unreliable, lightweight SOS messages to be used when under attack from the reliable messaging required to e.g. manage filters and resource aliases. The “signaling session” in the architecture document is active messaging between DOTS agents over the signal channel. Should “Filter” be limited to the two actions of rate-limiting or discarding? Is filter really intended to include action, or just the match criteria? It sounds like you’re really asking whether we should leave the definition of “filtering” up to the DOTS server/mitigator. I worry that leaving “filtering” loosely defined will lead to confusion further down the line. I think we need explicit actions: discard is very different from rate-limit. As I see it, filtering is distinct from vendor extensions which might include countermeasure specifics. I don’t think DOTS is a general purpose interface for countermeasure configuration. Similarly for “Blacklist”: is block the only valid action for black-listed addresses? Yes, that’s the distinguishing characteristic of a blacklisted source. A whitelisted source is always allowed to pass. The DOTS client has full control over the black-/white-lists, though the scope is restricted by the DOTS server to prefixes/resources belonging to the DOTS client. 2. The second paragraph says “DOTS is an advisory protocol.” I thought this might mean that (a) a client’s request for aid may be ignored and (b) mitigation may be done prior to request or after withdrawal. Would that idea be accurate? I think (a) is correct, though ignoring a request without providing a reason when a service agreement is in place seems like a poor way to manage a service. In general a DOTS request for mitigation should result in mitigation, assuming business or service agreements are in place, but mitigating the attack might involve more than just a In calling DOTS “advisory” I was trying to emphasize two points: the difficulty of maintaining reliable messaging under attack conditions (with the corollary that a DOTS server may not be able to help even if a request gets through); and the fact that DOTS is not a general purpose mitigation API. Maybe I should clarify that further. I believe the DOTS *signal channel* is not a general purpose mitigation API. The DOTS data channel could evolve into that as a sort of DOTS control protocol, in which the impact of an attack on the communication layer between client and server is not a concern. (My thinking is that a DOTS server may know better than the client based on a wider source of telemetry.) Agreed. Once a mitigator begins filtering traffic bound for the domain of the DOTS client, the DOTS client’s view into the attack is skewed. - in GEN-004, consider picking a specific MTU size, like 500 bytes, because otherwise there is no way to judge if the protocol meets requirements. This has become more important since you suggested it, in light of the recent thread on telemetry. draft-reddy-dots-signal-channel is suggesting 500 bytes in the event the client can’t discern path MTU. I’m comfortable with text to the effect that clients SHOULD try to determine path MTU, and fall back to 500 bytes if it can’t be discovered. In 2.2, … snip ... OP-004: This requirement has several ideas in it, which I think should be broken into multiple requirements: (a) The idea that messages be acknowledged with a status code. - But it is unclear whether the status must be delivered immediately, or reported later. I expect there could be an immediate “I hear your request”, which doesn’t necessarily mean anything can be done. There should be a way for the client to later ask, “how are you doing with that request?” I meant this to be less restrictive than what you’ve described. There should be some way for the DOTS client to detect that its messages are being received/processed or lost, and the same is true for the DOTS server. That doesn’t have to mean an HTTP-like model. For example, in the protocol draft Nik Teague and I have put together, the signal channel is ongoing, periodic communication between client and server. The client does not need to send a separate message to ask about request status, since the DOTS server will send it in a few seconds anyway. (b) Whether the server MUST do as it is told. - On this point, I think the “MUST cease mitigation activity” is wrong, since the server may have other evidence or other clients requesting the mitigation. This is acknowledged by the “may continue mitigating” later in the paragraph. So at minimum the MUST is too strong. The full phrase is “MUST cease mitigation as quickly as possible”, by which I meant to express the importance of allowing the server to maintain the mitigation for a short period to reduce the impact of a DOTS client rapidly toggling mitigation. It sounds like the duration of that short period needs to be defined. I think two things should be clear in the final text: 1) The DOTS client can cease to be the cause for a mitigation at any time by sending a mitigation termination request, but cannot consider a mitigation terminated until confirmation from the server. (Mitigation lifetime is there to handle the cases where the server’s confirmation is not delivered.) 2) Once a DOTS client tells a DOTS server to stop mitigating, the DOTS client is no longer responsible for the mitigation. The DOTS server/mitigator can continue mitigating arbitrarily, but after the mitigation termination grace period elapses and the client hasn’t renewed a request for mitigation, all responsibility for the mitigation is borne by the DOTS server domain. OP-006. I would like to see all of specific scopes precisely defined as required or optional, but not as examples. Yes, this is a good suggestion. Also, I’m not clear on what DNS name filtering means: is this for filtering DNS packets, or for looking up the name and filtering the corresponding addresses? It’s not DNS name filtering, but indicating which FQDNs need mitigation. OP-008. I hope there isn’t going to be an argument about this, but… I believe it is not a client error to ask for a mitigation that conflicts with another client (how could it even know?). Rather, it is up to the server to weigh the various requests and act for the overall good. As paragraph 2 of section 2 says, “DOTS is an advisory protocol”. I don’t even think an overlapping prefix range is an error; rather both clients have identified the same attack. This is a fair counterpoint. “Act for the overall good” is unfortunately not concrete enough for a requirement. Cases like two DOTS clients requesting mitigation for the same resources are easy to handle—the server just lets the losing client know mitigation is already in progress—but partially overlapping mitigation requests are harder to handle. Does the server notify each client that the actual mitigation scope is larger than originally requested? 2.5 - Data model requirements I’m not sure what to make of this section. I think I just want to review the data model. I’m comfortable just removing this section. With Flemming's draft apparently evolving more toward information model, do we need to discuss data model at all outside of the solutions drafts? andrew
- [Dots] feedback on draft-ietf-dots-requirements Dave Dolson
- Re: [Dots] feedback on draft-ietf-dots-requiremen… Mortensen, Andrew
- Re: [Dots] feedback on draft-ietf-dots-requiremen… Dave Dolson
- Re: [Dots] feedback on draft-ietf-dots-requiremen… Xialiang (Frank)
- Re: [Dots] feedback on draft-ietf-dots-requiremen… kaname nishizuka