IETF Logo Mail Archive

Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 25 March 2015 04:10 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB0491ACD8B for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 21:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ILrI4Zv-JZLY for <dots@ietfa.amsl.com>; Tue, 24 Mar 2015 21:10:46 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4433E1ACD8A for <dots@ietf.org>; Tue, 24 Mar 2015 21:10:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3061; q=dns/txt; s=iport; t=1427256646; x=1428466246; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=XoXUTQc9D6JU4G+ljQPPJcMLNCoPp09zwLM27cqtSbQ=; b=QJVQ3wk7VNYbF7KJtpd13HqP1A8liNQEGc4THDqApNNv1OqC5GUD2vSR O1VS2XT1McpuPvvW3UyeoTrOzgs43wgE6N+Y9pY62jPuAPTGZs4jwDpKB wuUNx+3L8VDjkemwHKjToHnOunCz9ne1nT10NI4lmChQc7LZiAqFeB/Jo s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C8BwA7NBJV/4ENJK1cgwZSWgTEDoIxCoV1AoFMTAEBAQEBAX2EFAEBAQQBAQFrFwQCAQgRBAEBAQodBycLFAgBCAIEAQkJCIgnDcleAQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSLIYRFOAaDEYEWBY4ggjCGE5gIIoNub4FEfwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,462,1422921600"; d="scan'208";a="135092507"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-1.cisco.com with ESMTP; 25 Mar 2015 04:10:45 +0000
Received: from xhc-rcd-x11.cisco.com (xhc-rcd-x11.cisco.com [173.37.183.85]) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id t2P4AjOh013521 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 25 Mar 2015 04:10:45 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.80]) by xhc-rcd-x11.cisco.com ([173.37.183.85]) with mapi id 14.03.0195.001; Tue, 24 Mar 2015 23:10:45 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: will <mbset@sbcglobal.net>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00
Thread-Index: AQHQZbIomCgFLJJduk2Sw02RO77S3p0rFqgAgAAy8ID//7bUcIAAbHcAgAFE7YD//+OQoA==
Date: Wed, 25 Mar 2015 04:10:44 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A75153B049E@xmb-rcd-x10.cisco.com>
References: <358188D97DBE45F787E97C9E29B1C0A3@takeAsus> <D1360207.B412%nteague@verisign.com> <77FA386512F0D748BC7C02C36EB1106D955C93@szxeml557-mbs.china.huawei.com> <1C9F17D1873AFA47A969C4DD98F98A75153AC9EA@xmb-rcd-x10.cisco.com> <D1364C2B.B4E6%nteague@verisign.com> <551204A9.5060406@sbcglobal.net>
In-Reply-To: <551204A9.5060406@sbcglobal.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.82.247.22]
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/mhsgioJMQUqzbKnF5j1HXB9dvnQ>
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 04:10:48 -0000

I think that is a strong assumption that would simplify the problem, but probably is not very practical.

After attending the BOF today it seems the problem trying to solve here is signaling over saturated links and the a data representation of DDoS activity to be exchanged. For the latter, existing representations could do the job IMO, unless there is DDoS info that cannot be described. But then we would need specific examples.

As someone put it in the BOF call today, scope should be well-defined if this ends up being a WG I believe.

Panos


-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of will
Sent: Tuesday, March 24, 2015 8:43 PM
To: dots@ietf.org
Subject: Re: [Dots] FW: Prior discussion about draft-fu-ipfix-network-security-00

If we are worried about trying to signal over saturated links, maybe we should consider using out of band signaling.

On 03/24/2015 01:20 AM, Teague, Nik wrote:
> Hi,
>
> On 23/03/2015 22:54, "Panos Kampanakis (pkampana)" 
> <pkampana@cisco.com>
> wrote:
>
>> Hello,
>>
>> It seems to me that the "signaling in order to mitigate DDoS" problem 
>> has been solved already by BGP FlowSpec. I am not sure if defining 
>> more verbose and detailed communications between network elements 
>> would add much value, since these devices cannot do more than 
>> signalling and mitigate.
>>
>> Panos
> Flowspec is very effective within the bounds of its capabilities - if 
> a bad actor is hammering my network with an ntp reflection attack or 
> my web server with a whole swathe of large udp packets then I can 
> easily build filters to handle that - if the bad actor is hitting my 
> web server with a syn flood from a massively random source pool then I 
> have to consider rate limiting as probably my best, but maybe not 
> ideal, option.  If I try and generate more than 12k flow route filters 
> to push to either my equipment or my service providers (depending upon 
> whether they support Flowspec) then things can get a little hairy.  
> DDoS mitigation CPE and DDoS mitigation providers exist because the 
> need is there - The DOTS proposal is that effective signaling is 
> necessary between these elements, not specifically generic network 
> elements, but actual elements that are concerned with often complex 
> attacks that a flow route filter is unable to deal with.  If my 
> ingress links are saturated then signaling via a tcp oriented session 
> can potentially result in more cycles being spent trying to initiate 
> and maintain a session than actual information transferŠ and if the connection drops then the whole thing has to start again.
>
> Thanks,
>
> -Nik
>
>
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email