Re: [Dots] DOTS Telemetry: URI Path
kaname nishizuka <kaname@nttv6.jp> Fri, 31 January 2020 02:10 UTC
Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 668C112080E for <dots@ietfa.amsl.com>; Thu, 30 Jan 2020 18:10:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSQCaPYofozr for <dots@ietfa.amsl.com>; Thu, 30 Jan 2020 18:10:23 -0800 (PST)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 88070120019 for <dots@ietf.org>; Thu, 30 Jan 2020 18:10:22 -0800 (PST)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 1335F25F751; Fri, 31 Jan 2020 11:10:20 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1580436620; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yHDMRQ6r7mQVRZbhnJ9MupCBg182u5v9Y0YtTfCuz14=; b=a0sX8lOqOb9/9ls9+lyUPCTkmi6OeAwBtt2KDLBY+rH8CcwblUO+7dKwRgbXIFhfwHU1lR KnxEC71xqv9BdrEtULQN3Rm8GP7oa59zrJtvmL4KS5qB6WJpSQnKfYy/qDjv/FHwAQ3D+9 Wzt4WqC9/EZJZIguul9M7qGkQVBjYxM=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 0052475906F; Fri, 31 Jan 2020 11:10:19 +0900 (JST)
To: mohamed.boucadair@orange.com, "dots@ietf.org" <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93303140D0DC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93303141357C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <70510b36-aac4-db69-c88c-3204894f92c0@nttv6.jp>
Date: Fri, 31 Jan 2020 11:10:19 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <787AE7BB302AE849A7480A190F8B93303141357C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Content-Type: multipart/alternative; boundary="------------3BE20D40B4706AC000FD9DF6"
Content-Language: en-US
Authentication-Results: guri.nttv6.jp; spf=pass smtp.mailfrom=kaname@nttv6.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/n_ajDL4wn3mPAr1WgnsP6P_ihos>
Subject: Re: [Dots] DOTS Telemetry: URI Path
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 02:10:27 -0000
Hi Med, As per the hackathon report of the last IETF, Server to Client telemetry would require another URI in order to convey asynchronous notification of attack-details from a DOTS server. https://datatracker.ietf.org/meeting/106/materials/slides-106-dots-dots-telemetry-related-hackathon-activity-report-00 slide 9. I'd like to hear notions whether that is already taken into account or not. Second, regarding with machine learning capability of DOTS, we've noticed some costomized feature like a ratio of SYN versus ACK in TCP flag is contributing for precise attack detection (in a feature construction process which is for obtaining contributing features from several metrics). At the last meeting, we've discussed that conveying normal metric is already done by IPFIX. But should adding this kind of DDoS dedicated metric be done in IPFIX or DOTS? thanks, Kaname On 2020/01/29 23:47, mohamed.boucadair@orange.com wrote: > > Hi all, > > We are currently in the process of updating the draft. I’m afraid that we will finaly need to go with more operation path URIs. See inline for more details. > > Cheers, > > Med > > *De :*Dots [mailto:dots-bounces@ietf.org] *De la part de* mohamed.boucadair@orange.com > *Envoyé :* jeudi 23 janvier 2020 16:41 > *À :* dots@ietf.org; 'kaname nishizuka' > *Objet :* [Dots] DOTS Telemetry: URI Path > > Hi all, > > In the current version of the telemetry draft, we are using ‘/telemetry’ for telemetry-related operations. Kaname suggested to define three operation suffixes for that. I do think that two are sufficient as indicated below: > > +-------------------------+----------------+ > > | Operation | Operation Path | > > +-------------------------+----------------+ > > | Telemetry Setup | /tm-setup | > > +-------------------------+----------------+ > > | Telemetry | /tm | > > +-------------------------+----------------+ > > A dedicated uri (/tm-setup) will be used for telemetry setup operations (baseline, configuration): see the excerpt below: > > augment /ietf-signal:dots-signal/ietf-signal:message-type: > > +--:(telemetry-setup) {dots-telemetry}? > > | +--rw telemetry* [cuid tsid] > > | +--rw cuid string > > | +--rw cdid? string > > | +--rw tsid uint32 > > | +--rw telemetry-config > > | | +--rw low-percentile? percentile > > | | +--rw mid-percentile? percentile > > | | +--rw high-percentile? percentile > > | | +--rw unit-config* [unit] > > | | +--rw unit unit > > | | +--rw unit-status? Boolean > > … > > | +--rw baseline > > | +--rw total-pipe-capability* [unit] > > | | +--rw unit unit > > | | +--rw pipe? uint64 > > | +--rw total-traffic-normal-baseline* [unit protocol] > > | | +--rw unit unit > > | | +--rw protocol uint8 > > | | +--rw low-percentile-g? yang:gauge64 > > | | +--rw mid-percentile-g? yang:gauge64 > > | | +--rw high-percentile-g? yang:gauge64 > > | | +--rw peak-g? yang:gauge64 > > | +--rw total-connection-capacity* [protocol] > > | +--rw protocol uint8 > > … > > */[Med] The current updated tree structure is as follows: /* > > *//* > > */ augment /ietf-signal:dots-signal/ietf-signal:message-type:/* > > */ +--:(telemetry-setup) {dots-telemetry}?/* > > */ | +--rw telemetry* [cuid tsid]/* > > */ | +--rw cuid string/* > > */ | +--rw cdid? string/* > > */ | +--rw tsid uint32/* > > */ | +--rw telemetry-config/* > > */ | | +--rw measurement-interval? interval/* > > */ | | +--rw measurement-sample? sample/* > > */ | | +--rw low-percentile? percentile/* > > */ | | +--rw mid-percentile? percentile/* > > */ | | +--rw high-percentile? percentile/* > > */ | | +--rw unit-config* [unit]/* > > */ | | +--rw unit unit/* > > */ | | +--rw unit-status? boolean/* > > */ | +--rw total-pipe-capacity* [link-id unit]/* > > */ | | +--rw link-id nt:link-id/* > > */ | | +--rw unit unit/* > > */ | | +--rw pipe? uint64/* > > */ | +--rw baseline/* > > */ | +--rw target-prefix* inet:ip-prefix/* > > */ | +--rw target-port-range* [lower-port]/* > > */ | | +--rw lower-port inet:port-number/* > > */ | | +--rw upper-port? inet:port-number/* > > */ | +--rw target-protocol* uint8/* > > */ | +--rw target-fqdn* inet:domain-name/* > > */ | +--rw target-uri* inet:uri/* > > */ | +--rw total-traffic-normal-baseline* [unit protocol]/* > > */ | | +--rw unit unit/* > > */ | | +--rw protocol uint8/* > > */ | | +--rw low-percentile-g? yang:gauge64/* > > */ | | +--rw mid-percentile-g? yang:gauge64/* > > */ | | +--rw high-percentile-g? yang:gauge64/* > > */ | | +--rw peak-g? yang:gauge64/* > > */ | +--rw total-connection-capacity* [protocol]/* > > */ | +--rw protocol uint8/* > > */ | +--rw connection? uint64/* > > */ | +--rw connection-client? uint64/* > > */ | +--rw embryonic? uint64/* > > */ | +--rw embryonic-client? uint64/* > > */ | +--rw connection-ps? uint64/* > > */ | +--rw connection-client-ps? uint64/* > > */ | +--rw request-ps? uint64/* > > */ | +--rw request-client-ps? uint64/* > > */ | +--rw partial-request-ps? uint64/* > > */ | +--rw partial-request-client-ps? uint64/* > > *//* > > */The new structure is designed with the following objectives:/* > > ·*/Allow a multi-homed client domain to signal the capacity of each interconnection link. /* > > ·*/The normal traffic base line can be provided for the overall domain (an aggregated prefix, or no target-clause included at all) or for specific targets (IP addresses, prefixes)/* > > ·*/These parameters can be communicated using the same or distinct request. Checks on overlapping targets and links are covered. /* > > *//* > > */Nevertheless, this design brings some complexity if a request overlaps with an existing pipe request but a new baseline traffic. We may either go for an additional uri or maintain one single uri but go with the following design (which is my favorite):/* > > *//* > > augment /ietf-signal:dots-signal/ietf-signal:message-type: > > +--:(telemetry-setup) {dots-telemetry}? > > | +--rw telemetry* [cuid tsid] > > | +--rw cuid string > > | +--rw cdid? string > > | +--rw tsid uint32 > > | +--rw (setup-type)? > > | +--:(telemetry-config) > > | | +--rw measurement-interval? interval > > | | +--rw measurement-sample? sample > > | | +--rw low-percentile? percentile > > | | +--rw mid-percentile? percentile > > | | +--rw high-percentile? percentile > > | | +--rw unit-config* [unit] > > | | +--rw unit unit > > | | +--rw unit-status? boolean > > | +--:(pipe) > > | | +--rw total-pipe-capacity* [link-id unit] > > | | +--rw link-id nt:link-id > > | | +--rw unit unit > > | | +--rw pipe? uint64 > > | +--:(baseline) > > | +--rw baseline > > | +--rw target-prefix* inet:ip-prefix > > | +--rw target-port-range* [lower-port] > > | | +--rw lower-port inet:port-number > > | | +--rw upper-port? inet:port-number > > | +--rw target-protocol* uint8 > > | +--rw target-fqdn* inet:domain-name > > | +--rw target-uri* inet:uri > > | +--rw total-traffic-normal-baseline* [unit protocol] > > | | +--rw unit unit > > | | +--rw protocol uint8 > > | | +--rw low-percentile-g? yang:gauge64 > > | | +--rw mid-percentile-g? yang:gauge64 > > | | +--rw high-percentile-g? yang:gauge64 > > | | +--rw peak-g? yang:gauge64 > > | +--rw total-connection-capacity* [protocol] > > | +--rw protocol uint8 > > | +--rw connection? uint64 > > | +--rw connection-client? uint64 > > | +--rw embryonic? uint64 > > | +--rw embryonic-client? uint64 > > | +--rw connection-ps? uint64 > > | +--rw connection-client-ps? uint64 > > | +--rw request-ps? uint64 > > | +--rw request-client-ps? uint64 > > | +--rw partial-request-ps? uint64 > > *//* > > */Thoughts?/* > > While ‘/tm’ can be used for sharing pre-mitigation telemetry data (an excerpt of the tree is shown below). > > +--:(telemetry) {dots-telemetry}? > > +--rw pre-mitigation* [cuid telemetry-id] > > +--rw cuid string > > +--rw cdid? string > > +--rw telemetry-id uint32 > > +--rw target > > | +--rw target-prefix* inet:ip-prefix > > | +--rw target-port-range* [lower-port] > > | | +--rw lower-port inet:port-number > > | | +--rw upper-port? inet:port-number > > | +--rw target-protocol* uint8 > > | +--rw target-fqdn* inet:domain-name > > | +--rw target-uri* inet:uri > > +--ro total-attack-traffic* [unit protocol] > > | +--ro unit unit > > | +--ro protocol uint8 > > | +--ro low-percentile-g? yang:gauge64 > > | +--ro mid-percentile-g? yang:gauge64 > > | +--ro high-percentile-g? yang:gauge64 > > | +--ro peak-g? yang:gauge64 > > +--ro total-traffic* [unit protocol] > > … > > +--ro attack-detail > > +--ro vendor-id? uint32 > > +--ro attack-id? string > > +--ro attack-name? string > > +--ro attack-severity? attack-severity > > +--ro start-time? uint64 > > +--ro end-time? uint64 > > +--ro source-count > > | +--ro low-percentile-g? yang:gauge64 > > | +--ro mid-percentile-g? yang:gauge64 > > | +--ro high-percentile-g? yang:gauge64 > > | +--ro peak-g? yang:gauge64 > > +--ro top-talker > > +--ro source-prefix* [source-prefix] > > +--ro spoofed-status? boolean > > +--ro source-prefix inet:ip-prefix > > … > > Unless there are objections, we will implement this change in the next iteration of the draft. > > Cheers, > > Med >
- [Dots] DOTS Telemetry: URI Path mohamed.boucadair
- Re: [Dots] DOTS Telemetry: URI Path mohamed.boucadair
- Re: [Dots] DOTS Telemetry: URI Path kaname nishizuka
- Re: [Dots] DOTS Telemetry: URI Path mohamed.boucadair