Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

["Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>]

Hi Jon,

If the ultimate DOTS server supports only direct configuration, it should reject the DOTS data channel connection from the DOTS client, for example appropriate error response code (e.g. TLS fatal alert) can be returned.  The error returned by the ultimate DOTS server can be propagated by the DOTS gateway to the DOTS client. DOTS client will eventually have to rely on direct configuration.

-Tiru

From: Jon Shallow <supjps-ietf@jpshallow.com>
Sent: Thursday, September 6, 2018 5:43 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

Yes, only one or the other method (data channel v direct) should be used.

However, both the DOTS client and DOTS server need to be configured that this is the way to do it, but then if the DOTS server is actually is a DOTS gateway, then the upstream (ultimate) DOTS server (which could be in the same domain or not) needs to be configured in the same way as the initial DOTS client.  A recipe for misconfiguration and confusion.

The DOTS client needs to be told by the (ultimate) DOTS server which method is being used / supported, and this can be in the response code (or embedded in the response message) when the client (due to misconfiguration) does an unexpected DELETE or PUT.  It could be in the GET response where the alias is marked as ‘permanent’.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 06 September 2018 11:26
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

Hi Jon,

I thought we agreed direct configuration and DOTS data channel are mutually exclusive. If a client uses DOTS data channel, it must not perform direct configuration and vice-versa.

Cheers,
-Tiru

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Jon Shallow
Sent: Thursday, September 6, 2018 2:39 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew <amortensen@arbor.net<mailto:amortensen@arbor.net>>
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

If that is the case (and I do not disagree with what you have said – I think it is the right thing to do to support direct configuration), then we go back to the original question (with manual replaced by direct)

How does the DOTS client know that it is trying to delete an alias that was directly configured?

This then leads to another question.  What happens if the DOTS client tries to PUT update a direct configuration?

Two use cases for consideration.

First, the direct configuration specifies the CUID.

Second, the direct configuration is CUID agnostic and applies to all DOTS clients.
[The PUT could create an alias+CUID which takes precedence over direct-alias]

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 06 September 2018 09:52
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

Hi Jon,

Direct configuration is possible when the DOTS client and server are in the same domain.

-Tiru

From: Jon Shallow <supjps-ietf@jpshallow.com<mailto:supjps-ietf@jpshallow.com>>
Sent: Wednesday, September 5, 2018 7:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew <amortensen@arbor.net<mailto:amortensen@arbor.net>>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

I guess I missed / don’t currently recall that WG discussion (but can see the merit in having a standard set of aliases available to the DOTS clients which are just configured on the DOTS server).  I am trying to think of how the DOTS client configures directly without the data channel, but am failing to come up with how to do that without, say,  the operator doing it directly on the DOTS server.  “or other means” gets even more confusing.

I agree that directly/data channel methods are potentially mutually exclusive, but then the DOTS client/DOTS server need to negotiate which exclusive method to use…

It may just be simpler to drop a small amount of text.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 14:44
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

We meant DOTS client either uses data channel or direct configuration to create the aliases but not use both. It was discussed in the WG sometime back that DOTS client may or may not use DOTS data channel to create aliases and hence direct configuration got added but both modes are mutually exclusive.

-Tiru

From: Jon Shallow <supjps-ietf@jpshallow.com<mailto:supjps-ietf@jpshallow.com>>
Sent: Wednesday, September 5, 2018 6:49 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; dots@ietf.org<mailto:dots@ietf.org>; Mortensen, Andrew <amortensen@arbor.net<mailto:amortensen@arbor.net>>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

I meant the draft requirements document (and for some reason looking at an old draft (not the -15 version )) – I guess that this text needs to get updated then to remove the possibility of manual / direct configurations.

SIG-008
….
Old
      DOTS agents MUST support mitigation scope aliases, allowing DOTS
      client and server to refer to collections of protected resources
      by an opaque identifier created through the data channel, direct
      configuration, or other means.

SIG-008
….
New:
      DOTS agents MUST support mitigation scope aliases, allowing DOTS
      clients and servers to refer to collections of protected resources
      by an opaque identifier created through the data channel.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 14:01
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

Hi Jon,

It looks like an oversight to me. If multiple modes of configuration is supported for aliases, it’s a troubleshooting nightmare, could lead to race condition and inconsistent configuration, and as you know one the goals of DOTS is to avoid manual configuration.

-Tiru

From: Jon Shallow <supjps-ietf@jpshallow.com<mailto:supjps-ietf@jpshallow.com>>
Sent: Wednesday, September 5, 2018 5:35 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; dots@ietf.org<mailto:dots@ietf.org>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

Unfortunately, manual / direct configuration is supported in the architecture draft, so cannot just be avoided.

SIG-007
….
      DOTS agents MUST support mitigation scope aliases, allowing DOTS
      client and server to refer to collections of protected resources
      by an opaque identifier created through the data channel, direct
      configuration, or other means.

I agree with there being potential confusion when things are configured in multiple places, and troubleshooting  can get complicated.

I think we need a way of reflecting back to the DOTS client what is happening.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 11:38
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

Manual configuration creates conflicts with the DOTS protocols (just like the conflicts network devices would face if configured using both SDN and manual configuration) and I guess should be avoided.

-Tiru

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Jon Shallow
Sent: Wednesday, September 5, 2018 3:57 PM
To: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi There,

When there is a manual configuration on the DOTS server of an alias by an operator, not created by the DOTS client, what should happen if the DOTS client tries to delete the alias?

The DOTS client will see the alias in a GET request for all aliases (as it is entitled to use it)

Returning a 404 (Not Found) could be confusing

Returning a 204 (No Content) is not right as it has not been deleted per se.

Should the alias in the GET response be marked as permanent (or some equivalent)?

The same is true for ACLs

Regards

Jon