Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 23 July 2019 07:04 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: kaname nishizuka <kaname@nttv6.jp>, tirumal reddy <kondtir@gmail.com>, "dots@ietf.org" <dots@ietf.org>
Date: Tue, 23 Jul 2019 07:04:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/lQNh_FZdpaCAoQRXwc3yAIN-1Q8>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
Thanks for the clarification. I don’t think any of the DOTS use cases documents discuss this deployment. DOTS signal channel looks more suitable for these Pre-mitigation DOTS Telemetry Attributes than the DOTS data channel.

Cheers,
-Tiru

From: kaname nishizuka <kaname@nttv6.jp>
Sent: Monday, July 22, 2019 8:26 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; tirumal reddy <kondtir@gmail.com>; dots@ietf.org
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

Hi Tiru,

Let me explain it.

There is a service by several transit providers such as detection capabilities to notify clients of potential attacks. It is assumed that they have a DDoS mitigation system and a DDoS detection system (for example, a flow collector) separately. It is a realistic deployment that the DOTS server is integrated with the flow collector. When an attack occurs, the DDoS detection system will notice that the customer is under attack, then the pre-mitigation DOTS telemetry (= attack details) can be signaled from the DOTS server to the (associated) DOTS client.

Here is one of the traffic anomaly detection notification example (threshold basis) quoted from some actual service.

    Organization: XXX
    Attack ID: 13227
    Start Time: 2019/06/05 22:52:30 JST+0900
    Level: 1
    Traffic Amount: 4.02k pps
    Threshold: 4.00k pps
    Direction: incoming
    Victim IP Address: x.x.x.x/32
    Attack Type: TCP SYN

It says like "it seems you're under attack, what will you do? (We can offer some protection)"

regards,
Kaname

On 2019/07/22 23:11, Konda, Tirumaleswar Reddy wrote:

Thanks Kaname for the support. I did not get the comment. What type of pre-mitigation DOTS telemetry attributes can be signaled from the DOTS server to the DOTS client? And how will the DOTS server know the pre-mitigation DOTS telemetry attributes relevant or associated with a DOTS client?

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org> On Behalf Of kaname nishizuka
Sent: Monday, July 22, 2019 6:44 PM
To: tirumal reddy <kondtir@gmail.com>; dots@ietf.org
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

I support this draft.

I'd like to mention about the telemetry attributes from a DOTS server to a DOTS client. Currently, several transit ISPs are providing DDoS detection and protection services. In such a service, they send a DDoS detection notification via e-mail when they noticed that their customer is under attack. The mail includes the telemetry information such as 4.1.5. Attack Details. This info can be used for further decision of protection strategy by the customer's security operators. I think it should be covered by the DOTS telemetry specification.

One suggestion to the draft: Pre-mitigation DOTS Telemetry Attributes can also be signaled from the DOTS server to the DOTS client.

thanks,
Kaname

On 2019/07/05 22:20, tirumal reddy wrote:

Hi all,

https://tools.ietf.org/html/draft-reddy-dots-telemetry-00 aims to enrich DOTS protocols with various telemetry attributes allowing optimal DDoS attack mitigation. This document specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigator to choose the DDoS mitigation techniques and perform optimal DDoS attack mitigation.

Comments, suggestions, and questions are more than welcome.

Cheers,
-Tiru

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, 5 Jul 2019 at 18:44
Subject: New Version Notification for draft-reddy-dots-telemetry-00.txt
To: Tirumaleswar Reddy <kondtir@gmail.com>, Ehud Doron <ehudd@radware.com>, Mohamed Boucadair <mohamed.boucadair@orange.com>

A new version of I-D, draft-reddy-dots-telemetry-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository.

Name: draft-reddy-dots-telemetry
Revision: 00
Title: Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
Document date: 2019-07-05
Group: Individual Submission
Pages: 13
URL: https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-00.txt
Status: https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
Htmlized: https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry

Abstract:
This document aims to enrich DOTS signal channel protocol with various telemetry attributes allowing optimal DDoS attack mitigation. This document specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigator to choose the DDoS mitigation techniques and perform optimal DDoS attack mitigation.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots
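The threshold-based detection notification quoted in the thread is plain "Key: value" text, so a receiving operator has to turn it into typed fields before it can drive a decision. The following is an added example, not part of the original messages or of the draft: the record field names are hypothetical (they are not the draft's telemetry attribute names), and the sample is constructed from the quoted notification with a documentation address in place of the redacted victim prefix.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample modelled on the notification quoted in the thread; the
# victim address is a documentation prefix, not a value from the original.
SAMPLE = """\
Organization: XXX
Attack ID: 13227
Start Time: 2019/06/05 22:52:30 JST+0900
Level: 1
Traffic Amount: 4.02k pps
Threshold: 4.00k pps
Direction: incoming
Victim IP Address: 192.0.2.10/32
Attack Type: TCP SYN
"""

_SCALE = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_RATE = re.compile(r"^(\d+(?:\.\d+)?)\s*([kMG]?)\s*(pps|bps)$")


def parse_rate(text):
    """Turn '4.02k pps' into (4020, 'pps'); reject anything else."""
    m = _RATE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return round(float(m.group(1)) * _SCALE[m.group(2)]), m.group(3)


def parse_notification(body):
    """Parse 'Key: value' lines into a typed record (hypothetical field names)."""
    raw = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            raw[key.strip().lower()] = value.strip()
    rate, unit = parse_rate(raw["traffic amount"])
    limit, limit_unit = parse_rate(raw["threshold"])
    if unit != limit_unit:
        raise ValueError("traffic amount and threshold use different units")
    # Drop the zone abbreviation, keep the numeric offset: 'JST+0900' -> '+0900'.
    stamp = re.sub(r"\s[A-Z]+(?=[+-]\d{4}$)", " ", raw["start time"])
    return {
        "attack_id": int(raw["attack id"]),
        "start_time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S %z"),
        "level": int(raw["level"]),
        "direction": raw["direction"],
        "target_prefix": ipaddress.ip_network(raw["victim ip address"], strict=True),
        "attack_type": raw["attack type"],
        "rate": rate, "threshold": limit, "unit": unit,
        "over_threshold": rate > limit,
    }
```

A missing field raises `KeyError` and a malformed rate, timestamp or prefix raises `ValueError`, so a truncated or altered notification is rejected rather than silently accepted.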