Re: [Dots] draft-ietf-dots-telemetry: Large responses
mohamed.boucadair@orange.com Mon, 06 April 2020 12:57 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B7D3A05A0 for <dots@ietfa.amsl.com>; Mon, 6 Apr 2020 05:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WRabIn50J_gY for <dots@ietfa.amsl.com>; Mon, 6 Apr 2020 05:56:44 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 638C83A0597 for <dots@ietf.org>; Mon, 6 Apr 2020 05:56:40 -0700 (PDT)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) by opfednr27.francetelecom.fr (ESMTP service) with ESMTP id 48wrCB44nbz4wZY; Mon, 6 Apr 2020 14:56:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1586177798; bh=m4iCRCmBY3Kfe+TaebO8RtUSo3HxtumXnhd2HlD/UKU=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=UXOVipEyFO6pZY5faNkbGPVNZkdDS9lJhh5k31Qd6LHzt49Q7PNv/8mX2Qihi7Qsz t8UB/WXc/PZi5HZ1y4ZH2H+xO1ACV4GNAoy+IdI8iJSpeyVo8fGdvHmA73CKCpzUlZ oOI5ewsok052idjSO3Rpqpc606tGDG4NbTNx/OWiqSuZ5MNhUIn12GQhKpwEa1Ga5V Xi6r0XFWHs38o+eAF7qRJy0MQ+MiOxCEh2S31rSSmbQvZo9xV94DxvuJMfdNkJHUAn 7pedyJhsLFr7bA7/XR8LPm+GTyLtMEjPKOqgEWhuv2HrHuqa7bBIUn8Hjg7QxFUqy6 MBBmlPApHrQbw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.48]) by opfednr03.francetelecom.fr (ESMTP service) with ESMTP id 48wrCB3DPHzDq7q; Mon, 6 Apr 2020 14:56:38 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] draft-ietf-dots-telemetry: Large responses
Thread-Index: AdYL9q+Bp8yfeG8pQDShfjmRU2oGhAAEpjqQ
Date: Mon, 06 Apr 2020 12:56:37 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303148EF95@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <154301d60bf6$b21158f0$16340ad0$@jpshallow.com>
In-Reply-To: <154301d60bf6$b21158f0$16340ad0$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/pSU1LAa99yvjA1MLRDjgKLtAeZc>
Subject: Re: [Dots] draft-ietf-dots-telemetry: Large responses
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 12:57:25 -0000
Jon, If we had https://tools.ietf.org/html/draft-ietf-tsvwg-udp-options-08#section-5.7, this would solve the issue. Nevertheless, this is not implemented/deployed. Your proposed option mimics the UDP FRAG behavior. Because re-assembly would fail if a fragment is missing, notification fragments with the new options should be sent, e.g., three times. Ideally, we need a solution that allows to make use of partial responses even if other fragments are lost. Before considering a new option, let's see if we can solve this at the DOTS layer. For example, we do have the following to avoid fragmentation: If the total request size exceeds the path MTU then the DOTS client MUST split the DOTS signal into separate messages; for example, the list of addresses in the 'target- prefix' parameter could be split into multiple lists and each list conveyed in a new PUT request. Does your implementation allow to follow a similar approach when sending notifications? For example, a first notification can include attack-traffic metrics and others include attack-details? Because all these notifications are bound to the same tmid, the DOTS client will update its local records with the data received in multiple notifications. Cheers, Med > -----Message d'origine----- > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow > Envoyé : lundi 6 avril 2020 11:35 > À : dots@ietf.org > Objet : [Dots] draft-ietf-dots-telemetry: Large responses > > Hi All, > > With support for telemetry status updates, there is a good chance that > a > status response will not fit into a single IP packet. > > Do we need a new CoAP Option or response code? > > These status responses are sent back using CoAP NON-confirmable > packets - in > other words the DOTS client does not have to acknowledge receipt of > the > packet which works in an environment where there is heavy packet loss > in the > same direction as the status packet - the DOTS server is not waiting > on > acknowledgement of the previous status packet before sending out the > next > one (which too may get dropped). > > For the status data that is larger than an IP packet, this can > currently be > handled in 2 ways that I can think of > 1- Let IP fragmentation be used by sending large data that is > fragmented > across several IP packets > 2- Make use of the CoAP BLOCK2 option (RFC9759) which is already > referred to > in the signal draft to create CoAP fragmentation. > > The disadvantage of (1) is that the receiving CoAP library has to have > a > large enough receive data buffer size to handle both the encrypted and > then > plaintext data. The libcoap library I use has the default receive > buffer > sized for that of an IP packet that is not fragmented. This buffer > can be > made bigger, but how big? > What if the DOTS client is a constrained device with RAM etc. > limitations? > There is also a challenge of managing missing IP fragmented packets > which is > primarily done by the network stack. > > The disadvantage of (2) is that BLOCK2 is a synchronous transmission > where > the DOTS client receives a block of data and then has to request the > next > block of data. With a lossy network, if the client does not see a > block of > data then this status data transmission will stall and not recover > leaving > the DOTS server with outstanding data that cannot be transmitted and > hence > the need for garbage collection of failed transmissions. > Furthermore with (2), RFC9759 recommends use of CONfirmable responses > to > handle potential packet loss - which does not work with a flooded pipe > DDoS > situation. > > I agree that if all can fit into one packet then this is not an issue, > but > enforcing that is difficult unless there are data reduction policies > in > place (such as using Queries or the remainder of the data is not sent > (parameter/values deleted) and a response (may need new code) that > says > status is too large to fit into a packet or has been truncated). > > Another possibility is to create a new CoAP option that is equivalent > to > BLOCK2 in format but does not need to work symmetrically. Here, the > DOTS > server sequentially sends all of the CoAP fragmented data without > requiring > the DOTS client to request the next block (just as fragmented IP > packets > would be sent). It would then be up to the DOTS client to do the CoAP > plain > text block fragmentation re-assembly (again a limitation requiring > more RAM > on the DOTS client and garbage collection if there are missing > packets). > Using this new option reduces the load on the DOTS server who could be > serving many DOTS clients. > > Thoughts? > > Regards > > Jon > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] draft-ietf-dots-telemetry: Large responses Jon Shallow
- Re: [Dots] draft-ietf-dots-telemetry: Large respo… mohamed.boucadair
- Re: [Dots] draft-ietf-dots-telemetry: Large respo… Jon Shallow