IETF Logo Mail Archive

Re: [Dots] clarification questions from the hackathon

"Jon Shallow" <supjps-ietf@jpshallow.com> Thu, 28 March 2019 17:05 UTC

Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59DBE120319 for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 10:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PVVdKihtETJs for <dots@ietfa.amsl.com>; Thu, 28 Mar 2019 10:05:38 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2E8612024A for <dots@ietf.org>; Thu, 28 Mar 2019 10:05:34 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.91) (envelope-from <jon.shallow@jpshallow.com>) id 1h9YT3-0007B2-Tk; Thu, 28 Mar 2019 17:05:30 +0000
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: mohamed.boucadair@orange.com, kaname nishizuka <kaname@nttv6.jp>, dots@ietf.org
Date: Thu, 28 Mar 2019 17:05:27 -0000
Message-ID: <108a01d4e588$72f886b0$58e99410$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AdTliGx+SHuMyqAwQXGIbxMDIEwnuA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/n1vrJn2d1KxaB9_3QOq2qZcv4XQ>
Subject: Re: [Dots] clarification questions from the hackathon
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 17:05:44 -0000

Hi All,

See inline

Regards

Jon

> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of ietf-
> supjps-mohamed.boucadair@orange.com
> Sent: 28 March 2019 13:39
> To: kaname nishizuka; dots@ietf.org
> Subject: Re: [Dots] clarification questions from the hackathon
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname nishizuka
> > Envoyé : jeudi 28 mars 2019 11:38
> > À : dots@ietf.org
> > Objet : [Dots] clarification questions from the hackathon
> >
> > Hi,
> >
> > I'd like to continue discussion of these topics in the ML.
> >
> > #1: Questions about signal-control-filtering
> >   1. Should a mitigation request create a mitigation before doing a PUT +
> > acl-list [{acl-name, activation-type}] against the active mitigation, or is a
> > ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to create a new
> > mitigation?
> 
> [Med] Both are currently allowed in the draft. I don't still a valid reason to
> restrict this.

[Jon] As per draft
   A DOTS client MUST NOT use the filtering control over DOTS signal
   channel if no attack (mitigation) is active;

[Jon] then needs to be reworded as there is no active mitigation until the PUT is done...
I believe that both cases should be supported.
> 
> >   2. Should the response to a GET (or Observed GET) include the acl-list
> > [{acl-name, activation-type}] if the PUT included it?
> 
> [Med] The current spec says "no". That's said, what would be the value in
> returning it? Then, why not allowing to return the references to all ACLs that
> are enabled during the mitigation time?
> 
[Jon] When observing the mitigation request, if the activation-type is changed externally, the client will then know about the change. Assuming the response got back to the client, this is effectively an ACK to the fact that the ACL change got through.

Interesting concept about knowing about all the relevant ACLs as returned over the signal channel.  More work for the server to do in determining which ACLs are valid for, say, a specific IP address that is being mitigated.  Not entirely convinced of the benefit of this as this generally is available over the data channel.

> >   3. Does the response to the PUT (the echoed back response payload of the
> > PUT representation https://tools.ietf.org/html/rfc7252#section-5.9.1.1 )
> > include the acl-list (if defined) or not?
> 
> [Med] It doesn't as we don't change the behavior of the base spec.
> 
[Jon] By base spec I assume you mean the signal draft.  However the answer has to be "yes - it is included" if following RFC7252 5.9.1.1 and "The payload returned with the response, if any, is a representation of the action result".  

Again, it is letting the client know that the PUT actually did get through (assuming the response gets through) prior to doing any GETs.
~jon

> >   4. Is the activation change to the ACL a permanent change to the ACL (so a
> > GET on the data channel returns the new type)?
> 
> [Med] Yes. The draft will be updated to make this clearer.
> 
> >   5. Does the activation change to the ACL count as an ACL refresh (pending-
> > lifetime update)?
> 
> [Med] Yes. Some text will be added to clarify the refresh point. That's said, as
> discussed in the data-channel, the dots client may need to send a GET after
> an attack for sync purposes.
> 
> >   6. Is CBOR activation –type comprehension-required or comprehension-
> > optional?
> >
> 
> [Med] This is a comprehension-required attribute (already discussed in the
> draft).
> 
> > Regarding with the 1st point, we got feedbacks from Med and Tiru that both
> > should be allowed.
> > If ‘PUT + acl-list [{acl-name, activation-type}]’ allowed to create a new
> > mitigation, it should be treated as this is a request in "attack-time".
> 
> [Med] I confirm.
> 
> >
> > (#2: Data Channel Implicit protocol number was addressed clearly by Med's
> > comment.)
> >
> > #3: (D)TLS session lifetime
> >  From the view point of DOTS server, when to expire the old (D)TLS session
> is
> > implementation specific though, I'd like to hear from experts about
> > preferable setting (timer or something else...?)
> >
> 
> [Med] For me, this is implementation-specific.
> 
> > thanks,
> 
> [Med] Many thanks for sharing the feedback from the hackathon. Much
> appreciated.
> 
> > Kaname
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.29.0 | Report a Bug | By Email | System Status