IETF Logo Mail Archive

Re: [Dots] Opsdir last call review of draft-ietf-dots-signal-filter-control-04

Tim Chown <Tim.Chown@jisc.ac.uk> Wed, 17 June 2020 11:09 UTC

Return-Path: <Tim.Chown@jisc.ac.uk>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0A23A096A; Wed, 17 Jun 2020 04:09:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HaxvjmzkUH3C; Wed, 17 Jun 2020 04:09:38 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2088.outbound.protection.outlook.com [40.107.21.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0CBD3A0969; Wed, 17 Jun 2020 04:09:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VUhH5tV3EANVHTjXqWO/W4oXwuDsxx3E3sK7sqxdou20g1LMoF4PmSrO4XlD4AIfUldbJWaxOMNF7Ofv01dgOShjBqxjcpVagHXnu6a0bZL2FXkOxEwwJiofppPN2KcnypetDf9Y56wLNAepAPFguBjm6aPmf+dUjMqFoigWq6gmjhpmW36+QCPAT8vS9+BBeHU8q3tm8oFanptN+HHC5oKXUKv4Rszk0kizWPFG9mCLIUpaxrMS1vuSyPTqBaVDgYwarCYjyXfHkmy6QSTmGAFYZrGkcGGdk0p/mb/BPHvJ1UDyI8qmf3DB2KG5OqBi408FufNXCfvZK47k6rT2uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yp+KQ0prtxoKwAWGyP8BaGNNEKLlj8FzIosa3k7Di2Q=; b=CKjy1ZFa68i/393TU7cGHGKSDxOxtDhf/pZ3UXJteQncgGcCRdGcvXQBz69rObSmZ6bQPmrwWkSj9wFxcAl1S0b1I6dZ3H7iVRQtto2APgWVyIKLM5WW1jmPjhcyTjYqg5yEFuomgzBHn7/J/QzW5iTc269K35F/7JH3FN94Ahb/Zjjw3bC+e9nFcgLX8kS1SQBga2vIjRf/IFbWJKeJVNIiBGMw8qm5nAzyGT0X+vB6FGXIafqjfeZpEjAu0KjS+VjqM77LW3T72LWVyRSnHu1ePH6FX4UPbonxcvp9kncIzUS+Z9+K3briMDSCE5bYtIQjm3P4ZrY9LXv/+Dd+VQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yp+KQ0prtxoKwAWGyP8BaGNNEKLlj8FzIosa3k7Di2Q=; b=hIfHufBe+sKrKW/Nax37/ZVwJ9ZF8LR1NggGdpwdZnCo/j0G3Crl0oictzAChNex8R0gRgkAJL3wwSIEWTWRYSWk1CL4RUUiKtM/uzBB0bM/ulGUxIrbuDxzbn63kmKuKgeg2cYYp93gPRhhnCtKT1DnHLGH7Ogn+aKtnHZ2+a4=
Received: from AM4PR07MB3217.eurprd07.prod.outlook.com (2603:10a6:205:4::26) by AM0PR07MB6419.eurprd07.prod.outlook.com (2603:10a6:20b:144::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.9; Wed, 17 Jun 2020 11:09:34 +0000
Received: from AM4PR07MB3217.eurprd07.prod.outlook.com ([fe80::9857:8800:92cf:7911]) by AM4PR07MB3217.eurprd07.prod.outlook.com ([fe80::9857:8800:92cf:7911%6]) with mapi id 15.20.3109.018; Wed, 17 Jun 2020 11:09:34 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-dots-signal-filter-control.all@ietf.org" <draft-ietf-dots-signal-filter-control.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Opsdir last call review of draft-ietf-dots-signal-filter-control-04
Thread-Index: AQHWQ6ItV3xb5NwsSUGnm/P7ToH/p6jbVZaAgAACojCAAVATAA==
Date: Wed, 17 Jun 2020 11:09:34 +0000
Message-ID: <94E9A8DA-4892-413A-99F9-4C89208BCA4D@jisc.ac.uk>
References: <159223370986.12685.10672338283953567887@ietfa.amsl.com> <11378_1592286685_5EE85DDD_11378_313_1_787AE7BB302AE849A7480A190F8B9330314DEC67@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0006AA12-CF04-49CC-AEED-35D2B5EA6BD0@jisc.ac.uk> <18279_1592322123_5EE8E84B_18279_81_11_787AE7BB302AE849A7480A190F8B9330314DF1BF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <18279_1592322123_5EE8E84B_18279_81_11_787AE7BB302AE849A7480A190F8B9330314DF1BF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.80.23.2.2)
authentication-results: orange.com; dkim=none (message not signed) header.d=none;orange.com; dmarc=none action=none header.from=jisc.ac.uk;
x-originating-ip: [212.188.254.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 52f43e60-27c1-4154-9e27-08d812aeeae8
x-ms-traffictypediagnostic: AM0PR07MB6419:
x-microsoft-antispam-prvs: <AM0PR07MB6419FFE2425F3E8AE8768030D69A0@AM0PR07MB6419.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 04371797A5
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wuBN1f6S+WdoDikQAN0oVSPSckbOQg9T45Nt4NVbq7s7HURAMz3Qsmo8mIBYCXJkFDmN70Nf0hMZdpiN1FWv0MTEWzlZP3lHFIdXvfhIJRv58SBNgPmrrIy5ZQ4p1kgxHNMhEug9qp5gSfk5W4VciI8C2fqfbFHw6HYB48PBzdgypCmLmMSrfQf5LuYn17PRsasHuhEBU5Z6CcgnqpVe72aARNOFQLUi7HjettulFGuh4IOewLea2uzbIAxmLGr+lnQSTPYi4SpBxw2JSprZ0PVGrnxsLLSuLnuPCfh/vne6Ecd2Jmw0FYRVn1b6WT3HTYa0W7gKXNcuNO6DZgYhlmIPrE5LPDsqOjatT/hNfgKP29yXYE9NyYajr4SrldUg8Nmly0JkqfHJLLQHEl2ogw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM4PR07MB3217.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(136003)(376002)(39850400004)(346002)(53546011)(6512007)(54906003)(8676002)(66446008)(76116006)(66476007)(64756008)(91956017)(66556008)(966005)(71200400001)(66946007)(4326008)(478600001)(6486002)(786003)(33656002)(2906002)(86362001)(316002)(8936002)(36756003)(186003)(26005)(6506007)(55236004)(5660300002)(83380400001)(2616005)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: tXadaSToG52sZHI9scnkbUzXrnkp2T34hnjCGoVjWGBZmleNJWSwb34uBL4j2fJj+Nd1CHIe8/xirrMwm8Gi514qedsnjfcaWkFZVINfnd4UZFPhHnN+hjy4/53lloooX+ifLBdYB/et/NsVon+O0v+9W748t3k3b4wwUYfvQ4GERgLkl9il3O+8xWnIP6BHkYt6hqUkHmGaQVIgQY78Yzl47S/O+j9+O1kwmVPKwyJKasnJb5K1DRUJPZpyQ+zgdtrVIxVuYdXnnd5OeLwoPPAlVoLwRgj4E7cJ1Cv5ItksbtGjcxqTYkpQZiTDTZgWBfD31MWHbfp5Wujyj/ZsDzyjHsRMFUrC4jSDNkoI7OFUWzTE40b8VxHn59as5klM1smE1j+V5rAUs8qM8nqVylbRoYY9IVLrcQtFM7UZcjIuUNpW/CxamllgiCh8VEk1RSAzXeFfqNl6n5i8t262KqA9VHLzbKLKnU9N8z23chAVLAvF/cVC6BTmn7eddqsT
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <D0C373F9ECE7054580A92A7F2DBB0B16@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 52f43e60-27c1-4154-9e27-08d812aeeae8
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2020 11:09:34.6928 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sbNgnNbtTrRR6UZuJHs6cybCoHd5fj789ygHgYML926UnjG4O4cIabc2yq1DsHnrLXmhosBGe42dyLd6WfaRFA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6419
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/oNh7FqAangL5Gl485LNtMvEJ0Ew>
Subject: Re: [Dots] Opsdir last call review of draft-ietf-dots-signal-filter-control-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 11:09:41 -0000

Hi Med,

Thanks, I think that answers all my questions and comments.

Best wishes,
Tim

> On 16 Jun 2020, at 16:42, mohamed.boucadair@orange.com wrote:
> 
> Re-, 
> 
> Please see inline. 
> 
> Cheers,
> Med
> 
>> -----Message d'origine-----
>> De : Tim Chown [mailto:Tim.Chown@jisc.ac.uk]
>> Envoyé : mardi 16 juin 2020 16:57
>> À : BOUCADAIR Mohamed TGI/OLN
>> Cc : ops-dir@ietf.org; draft-ietf-dots-signal-filter-control.all@ietf.org;
>> last-call@ietf.org; dots@ietf.org
>> Objet : Re: Opsdir last call review of draft-ietf-dots-signal-filter-
>> control-04
>> 
>> Hi,
>> 
>> Some comments on your comments in line….
>> 
>>> On 16 Jun 2020, at 06:51, mohamed.boucadair@orange.com wrote:
>>> 
>>> Hi Tim,
>>> 
>>> Thank you for the review. Much appreciated.
>>> 
>>> A candidate version that takes into account your review is available at:
>>> 
>>> https://github.com/boucadair/filter-control/blob/master/draft-ietf-dots-
>> signal-filter-control-05.txt
>> 
>> [TC] what would be great is a diff to the version I reviewed.
>> 
> 
> [Med] Here it is: https://github.com/boucadair/filter-control/blob/master/diff-review-Tim-Chown.pdf 
> 
> The changes includes your comments on the proposed new introduction text. 
> 
> 
>>> Please see inline.
>>> 
>>> Cheers,
>>> Med
>>> 
>>>> -----Message d'origine-----
>>>> De : Tim Chown via Datatracker [mailto:noreply@ietf.org]
>>>> Envoyé : lundi 15 juin 2020 17:08
>>>> À : ops-dir@ietf.org
>>>> Cc : draft-ietf-dots-signal-filter-control.all@ietf.org; last-
>>>> call@ietf.org; dots@ietf.org
>>>> Objet : Opsdir last call review of draft-ietf-dots-signal-filter-
>> control-04
>>>> 
>>>> Reviewer: Tim Chown
>>>> Review result: Has Nits
>>>> 
>>>> Hi,
>>>> 
>>>> I have reviewed this document as part of the Operational directorate's
>>>> ongoing
>>>> effort to review all IETF documents being processed by the IESG.  These
>>>> comments were written with the intent of improving the operational
>> aspects
>>>> of
>>>> the IETF drafts. Comments that are not addressed in last call may be
>>>> included
>>>> in AD reviews during the IESG review.  Document editors and WG chairs
>>>> should
>>>> treat these comments just like any other last call comments.
>>>> 
>>>> This document is one of a set of documents produced by the DDoS Open
>> Threat
>>>> Signalling (DOTS) working group, and builds on previously published RFCs
>>>> (RFC
>>>> 8782, 8783). It describes a mechanism by which the DOTS signalling
>> channel
>>>> defined in RFC 8782 can be used to allow a DOTS client that is under
>> attack
>>>> to
>>>> change the filtering rules and thus the mitigation behaviour being
>> applied
>>>> to
>>>> it via a DOTS server, even when the downstream to it may be saturated.
>>>> 
>>>> The text is well-written with a good structure and a healthy number of
>>>> examples. I would asses its current state as Ready with Nits.  The new
>>>> capability seems very useful.
>>>> 
>>>> General comments:
>>>> 
>>>> I am not wholly clear about some terms, e.g. “idle time” seems to be
>> when
>>>> no
>>>> mitigation is in place, but does this mean no filtering rules are
>> active,
>>>> or no
>>>> anti-DDoS rules are active?  Or are all DOTS rules there for mitigation
>>>> rather
>>>> than general protection?
>>> 
>>> [Med] Idle time refers to when there is no active mitigation. This is
>> mentioned in Section 1.1:
>>> 
>>>  A typical case is a DOTS client which configures during 'idle' time
>>>  (i.e., no mitigation is active) ...
>>> 
>>> Filtering can be activated even if no mitigation is active. This is
>> controlled by the DOTS client by setting "activation-type" to "immediate".
>>> 
>>> I updated the abstract as follows:
>>> 
>>> OLD:
>>>  Particularly, this extension allows a DOTS client to activate or de-
>>>  activate existing filtering rules during a DDoS attack.  The
>>>  characterization of these filtering rules is supposed to be conveyed
>>>  by a DOTS client during an idle time by means of the DOTS data
>>>  channel protocol.
>>> 
>>> NEW:
>>>  Particularly, this extension allows a DOTS client to activate or de-
>>>  activate existing filtering rules during a DDoS attack.  The
>>>  characterization of these filtering rules is supposed to be conveyed
>>>  by a DOTS client during an idle time (i.e., no mitigation is active)
>>>                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>  by means of the DOTS data channel protocol.
>> 
>> [TC] I think the problem (for me) here is I don’t understand how the client
>> knows whether there is active mitigation;
> 
> [Med] Mitigations can be initiated by the client or triggered by a signal loss. In both cases, the client is aware whether a mitigation is ongoing. All these details are supposed to be covered in the base specs. That's said, and for the reader's convenience, we have now a sentence that recalls that a client sends a mitigation request. 
> 
> does the client have a state
>> stable of which filters it has requested the server to activate?
> 
> [Med] Yes. 
> 
>> 
>> Is there a difference between filters being active, and mitigation being
>> active? 
> 
> [Med] Yes. Mitigation is said to be active if there is a mitigation request received from the client or when a pre-configured mitigation is triggered upon signal loss. Filters can be active even if no attack is detected. 
> 
> Are all filters mitigation against a current attack?
> 
> [Med] No. see above. 
> 
>> 
>>>> If I understand correctly, this extension allows new filter rules to be
>>>> added,
>>>> such as rate limits, so it’s not just that the signal channel can be
>> used
>>>> to
>>>> control (activate and deactivate) existing filters.
>>> 
> 
> 
> _________________________________________________________________________________________________________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>

v2.23.0 | Report a Bug | By Email