Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 02 October 2017 12:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/ofRobGdy3FJETS1FFqLsLzteRZo>

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of kaname nishizuka
Sent: Monday, October 2, 2017 10:24 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank) <frank.xialiang@huawei.com>; Dots@ietf.org
Subject: Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

OK!

The reason why I need the clarification is that the line in Section 9 "Also, DOTS gateway and DOTS server MUST perform mutual authentication using certificates." is confusing.
I feel it needs to be clarified in the signal channel draft or the new draft in which case the certificates are mandatory.
I think that is the case where DOTS agents are in different domains.

Yes, updated the above line to say "Also, DOTS gateway and DOTS server located in different domains MUST perform mutual authentication using certificates."
-Tiru


thanks,
kaname

On 2017/09/29 13:22, Konda, Tirumaleswar Reddy wrote:
The signal channel draft does not mandate certificates for mutual authentication (using an AAA server is only an example deployment). DOTS agents in the same domain can use other mechanisms like TLS-PSK and SPKI. Andrew and I are planning to put up a draft on DOTS provisioning.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of kaname nishizuka
Sent: Friday, September 29, 2017 6:02 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank) <frank.xialiang@huawei.com>; Dots@ietf.org
Subject: Re: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi Tiru,

In Section 9 of the signal-channel draft, an AAA server exists.
Let me clarify the text.

Mutual authentication between a DOTS client and a DOTS gateway MUST use (client) certificates?
Between them (in the same domain), mutual authentication without certificates (i.e. choices other than EAP-TLS) would be a good option, if it meets the mutual authentication and encryption requirements.

TLS-PSK mode and Subject Public Key Info (SPKI) look good to me.

I hope those options will be discussed in the WG meeting.



On 2017/08/07 19:19, Konda, Tirumaleswar Reddy wrote:
You may want to look into https://tools.ietf.org/html/rfc6959#section-7
<snip>
   Even if every Internet-connected network implements source address
   validation at the ultimate network ingress, and assurances exist that
   intermediate devices are to never modify datagram source addresses,
   source addresses cannot be used as an authentication mechanism.

-Tiru

From: Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
Sent: Monday, August 7, 2017 3:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Dots@ietf.org
Subject: Re: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi Tiru,
Thanks for your analysis. It makes sense to me.

To be accurate, an IP whitelist does not relax the mutual authentication requirement, but it indeed loses the encryption benefits.

B.R.
Frank

From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
Sent: August 7, 2017 17:51
To: Xialiang (Frank); Dots@ietf.org
Subject: RE: another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

TLS supports pre-shared key based authentication. The other mechanism is a Subject Public Key Info (SPKI) fingerprint pin set for mutual authentication (self-signed certificates or raw public keys), without having to deal with a CA.

I don’t think DOTS should relax the mutual authentication and encryption requirements.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Monday, August 7, 2017 6:25 AM
To: Dots@ietf.org
Subject: [Dots] another option://Re: Can DOTS protocol support IP whitelist for DOTS client's AA?

In addition to an IP whitelist and certificates, a pre-shared key can also be an option.
Right?

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: August 7, 2017 8:52
To: Dots@ietf.org
Subject: [Dots] Can DOTS protocol support IP whitelist for DOTS client's AA?

Hi,
I think the direct use of an IP whitelist on the DOTS server to authenticate and authorize the DOTS client is a simple and effective method, at least in some special use cases, like: the DOTS client does not support certificates, an ISP which detects spoofed source addresses, etc.

So, should we support this as an optional way for the DOTS client’s AA and add it into the DOTS protocol drafts?

B.R.
Frank
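
The SPKI fingerprint pin set that Tiru proposes above as the CA-free alternative to an IP whitelist, worked through as an added example (this is not code from the thread, from the DOTS drafts or from any DOTS implementation). Both agents present self-signed certificates; each side's TLS stack accepts its peer only if the SHA-256 of the peer's SubjectPublicKeyInfo is in a provisioned pin set, so mutual authentication and encryption are both kept, which is exactly what the whitelist gives up. It uses Go's standard crypto/tls; the agent names, the loopback transport and the pin-set shape are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin: base64 SHA-256 of the DER SubjectPublicKeyInfo, the value each DOTS agent is provisioned with per peer.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// selfSigned makes an ECDSA P-256 key and a self-signed certificate for one agent (hypothetical name, no CA).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// pinVerifier returns a VerifyPeerCertificate callback that accepts the peer only if its leaf SPKI pin is provisioned.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if pin := spkiPin(leaf); !pins[pin] {
			return fmt.Errorf("peer SPKI pin %s is not in the pin set", pin)
		}
		return nil
	}
}

// mutualHandshake: one TLS handshake over loopback TCP, DOTS client and server each pinning the other; returns both errors.
func mutualHandshake(client, server tls.Certificate, clientPins, serverPins map[string]bool) (clientErr, serverErr error) {
	serverCfg := &tls.Config{
		Certificates:          []tls.Certificate{server},
		ClientAuth:            tls.RequireAnyClientCert, // a client cert is mandatory, but no CA chain is built
		VerifyPeerCertificate: pinVerifier(serverPins),
	}
	clientCfg := &tls.Config{
		Certificates:          []tls.Certificate{client},
		InsecureSkipVerify:    true, // switches off only the CA/hostname checks that the pin replaces
		VerifyPeerCertificate: pinVerifier(clientPins),
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err // the server never received a connection
	}
	defer conn.Close()
	return tls.Client(conn, clientCfg).Handshake(), <-done
}

func main() {
	clientCert, _ := selfSigned("dots-client.example")
	serverCert, _ := selfSigned("dots-server.example")
	rogue, _ := selfSigned("dots-client.example") // same name, different key: must be rejected
	clientPins := map[string]bool{spkiPin(serverCert.Leaf): true}
	serverPins := map[string]bool{spkiPin(clientCert.Leaf): true}
	fmt.Println(mutualHandshake(clientCert, serverCert, clientPins, serverPins))
	fmt.Println(mutualHandshake(rogue, serverCert, clientPins, serverPins))
}
```

The first run completes with no error on either side; in the second the server rejects the rogue client because its pin is not provisioned, even though the certificate carries the expected name, so identity is bound to the key and not to a name or a source address. The one thing to get right is that InsecureSkipVerify and RequireAnyClientCert only remove the CA chain and hostname checks; without the VerifyPeerCertificate pin check each side would accept anyone, which is the same position the IP whitelist puts a DOTS server in.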
