[Dots] Adam Roach's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)
Adam Roach via Datatracker <noreply@ietf.org> Thu, 02 May 2019 05:00 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dots@ietf.org
Delivered-To: dots@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 04B21120006; Wed, 1 May 2019 22:00:35 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dots-signal-channel@ietf.org, Liang Xia <frank.xialiang@huawei.com>, dots-chairs@ietf.org, frank.xialiang@huawei.com, dots@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.95.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <155677323500.2690.13635225040710635105.idtracker@ietfa.amsl.com>
Date: Wed, 01 May 2019 22:00:35 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/psj6gBt8HH4ZvmraKV10U700nUE>
Subject: [Dots] Adam Roach's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 05:00:35 -0000
Adam Roach has entered the following ballot position for draft-ietf-dots-signal-channel-31: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dots-signal-channel/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for all the work everyone put into this document. I think it's great to have a solution defined for automating these kinds of operations, and look forward to widespread deployment of this technology. I do have a small number of comments that I think we need to close on prior to publication, and a handful of other suggestions of varying (but lesser) importance. --------------------------------------------------------------------------- This is a discuss because the current document attempts to override normative language in an external document. §4.3: > In reference to Figure 4, the DOTS client sends two TCP SYNs and two > DTLS ClientHello messages at the same time over IPv6 and IPv4. This is problematic for the reason described in RFC 8305 §5 ("In order to avoid unreasonable network load, connection attempts SHOULD NOT be made simultaneously"). To be clear, my discuss is only on the fact that this document violates a normative statement in RFC 8305. The following comments are merely my thoughts on the best way to resolve this issue. It's also worth noting that RFC 8305 is geared towards getting users the fastest possible response to a user action, while the text in DOTS implies that the selection of the "most preferred" connection is significantly more important (e.g., it talks about migrating from TCP to UDP, and performing periodic checks to enable such a migration). This factor, combined with the fact that this is not a transaction that involves user interactivity requirements, would seem to increase, rather than decrease, the desire to space out checks across the various transport/address-family pairs. My strong recommendation would be remove the specific description of happy-eyeballs-like behavior from this document, and to instead defer all such specification to the text in RFC 8305. I would further recommend specification of a "Connection Attempt Delay" (as that term is defined in RFC 8305) that is substantially larger than those used for interactive connections: something on the order of 2 to 5 seconds would be my suggestion. Of course, be sure to adjust the example to match the specified handling. --------------------------------------------------------------------------- This is a discuss because it impacts interoperability. §4.4.1: > target-uri: A list of Uniform Resource Identifiers (URIs) [RFC3986] > identifying resources under attack. This definition needs to be clearer about what parts of the URI are used for what purposes. For example: - The URI scheme can be taken to specify a 'target-protocol' - The URI host can be taken to specify a 'target-fqdn' or 'target-prefix' - The URI port (or scheme, if absent) can be taken to specify a 'target-port-range' It is unclear whether this specification intends the URI to impact one, two, or all three of these. This can result in a client asking for one thing and the server doing something else. --------------------------------------------------------------------------- This is a discuss because it impacts interoperability. §6: The handling of 64-bit values in Table 4 seems problematic. Section 3 specifies: > Representing these data > as CBOR data can either follow the rules in [I-D.ietf-core-yang-cbor] > or those in [RFC7951] combined with JSON/CBOR conversion rules in > [RFC7049]; both approaches produce a valid encoding. However, if we consider, say, mitigation-start: > +----------------------+-------------+-----+---------------+--------+ > | Parameter Name | YANG | CBOR| CBOR Major | JSON | > | | Type | Key | Type & | Type | > | | | | Information | | > +----------------------+-------------+-----+---------------+--------+ > ... > | mitigation-start | uint64 | 15 | 0 unsigned | String | If an implementation follows the first path (draft-ietf-core-yang-cbor), then this value is sent on the wire as a CBOR 64-bit unsigned integer type. If an implementation instead uses RFC 7951 followed by RFC 7049 §4, the resulting value is encoded on the wire as a CBOR string. If this is the intention, then it represents a huge gotcha for implementors of both clients and of servers, as all implementations must be ready to accept both strings and 64-bit data types for these fields. If this is the intention, please add strongly-worded text warning implementors of this particular gotcha, since it's pretty non-obvious. It's worth noting that, while some implementations may set limits on the precision of JSON Numbers, and that such limits may be smaller than 64 bits, nothing in the format defined by RFC 8259 has any such inherent limitations. There is a similar (but subtly different) problem with the handling of enumerations that may cause them to be encoded as either strings or as integers: > | status | enumeration | 16 | 0 unsigned | String | If you choose to maintain the situation currently described in the document, then the table in section 9.6.1.2 needs to be updated to allow both formats; e.g.: > +----------------------+-------+-------+------------+---------------+ > | Parameter Name | CBOR | CBOR | Change | Specification | > | | Key | Major | Controller | Document(s) | > | | Value | Type | | | > +----------------------+-------+-------+------------+---------------+ ... > | mitigation-start | 15 | 0 or 3| IESG | [RFCXXXX] | ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- §3: > The other method > DOTS agents use to indicate that a CBOR data structure is a DOTS > signal channel object is the use of the "application/dots+cbor" > content type (Section 9.3). Nit: "...structure as a..." --------------------------------------------------------------------------- §4.4.1: > Figure 6: PUT to Convey DOTS Mitigation Requests (Message Body > Schema) This seems to be a very informal sketch rather than a formal schema. It's probably worth calling forward to Section 6 as the formal definition of the schema, and being clearer that this figure (and other similar figures) are non-normative sketches of the rough structure. --------------------------------------------------------------------------- §4.4.1: > Implementations SHOULD set 'cuid' to the output of a cryptographic > hash algorithm whose input is the Distinguished Encoding Rules > (DER)-encoded Abstract Syntax Notation One (ASN.1) representation > of the Subject Public Key Info (SPKI) of the DOTS client X.509 > certificate [RFC5280], the DOTS client raw public key [RFC7250], > or the "Pre-Shared Key (PSK) identity" used by the DOTS client in > the TLS ClientKeyExchange message. In this version of the > specification, the cryptographic hash algorithm used is SHA-256 > [RFC6234]. The output of the cryptographic hash algorithm is > truncated to 16 bytes; truncation is done by stripping off the > final 16 bytes. The truncated output is base64url encoded. It's not clear how much of this is a recommendation and how much of it is mandatory. For example: if I'm a server, would it be reasonable for me to expect the CUID to be BASE-64 (e.g., to minimize the size of an index structure) and error out if it contains characters other than those allowed in base64url? It's also not clear that "SHOULD" is entirely called for here, especially since the following paragraph's statement that 'cuid' can vary based on remote host (which requires a variation from the normative algorithm). Consider the definition of SHOULD: 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. This seems potentially stronger than what is called for here. Consider specifying this behavior non-normatively, and reserve the normative language for the actual requirement (e.g., "MUST be globally unique") --------------------------------------------------------------------------- §4.4.1: > As a reminder, the prefix length must be less than or equal to 32 > (resp. 128) for IPv4 (resp. IPv6). This is a notation that I haven't seen before, and it may serve to confuse implementors. Consider rephrasing as: "...less than or equal to 32 for IPv4, and less than or equal to 128 for IPv6." --------------------------------------------------------------------------- §4.4.1: > This PUT request MUST use the > same 'mid' value, and MUST repeat all the other parameters as sent in > the original mitigation request apart from a possible change to the > lifetime parameter value. Is the server intended to detect violations of this? How would it react? (Section 4.4.3 says to send a 4.00 if the request was an Efficacy Update; this is probably the correct general answer, and should be specified here). --------------------------------------------------------------------------- §4.4.2: > { > "ietf-dots-signal-channel:mitigation-scope": { > "scope": [ > { > "mid": 12332, > "mitigation-start": "1507818434", > "target-prefix": [ > "2001:db8:6401::1/128", > "2001:db8:6401::2/128" > ], > "target-protocol": [ > 17 > ], > "lifetime": 1756, > "status": "attack-successfully-mitigated", > "bytes-dropped": "134334555", > "bps-dropped": "43344", > "pkts-dropped": "333334444", > "pps-dropped": "432432" > }, > { > "mid": 12333, > "mitigation-start": "1507818393", > "target-prefix": [ > "2001:db8:6401::1/128", > "2001:db8:6401::2/128" > ], > "target-protocol": [ > 6 > ], > "lifetime": 1755, > "status": "attack-stopped", > "bytes-dropped": "0", > "bps-dropped": "0", > "pkts-dropped": "0", > "pps-dropped": "0" > } > ] > } > } I get that this is intended to be an informal example, but the use of quotes around values that are formally encoded as integers -- such as "mitigation-start" -- may trip up users. I would strongly suggest removing quotes from anything encoded as an integer. This applies especially to "status". Since these figures have explicitly been called out as JSON diagnostic notation (and *not* the JSON structure produced by RFC 7951), the values need to be the CBOR values sent on the wire. (This relies on an assumption on my part that may be incorrect, depending on the resolution of the points I raise about section 6 in my DISCUSS). This comment applies to several other examples, such as Figure 16. For Figure 20 (and several subsequent figures), it also applies to those values encoded as decimals, such as "max-value-decimal". --------------------------------------------------------------------------- §4.4.2: > bps-dropped: The average number of dropped bytes per second for the > mitigation request since the attack mitigation is triggered. This > average SHOULD be over five-minute intervals. The first sentence conflicts with the second: - The first sentence says this is the average since mitigation was triggered. - The second sentence says this is a five-minute (rolling?) average. Please make them agree with each other. If something more subtle is meant -- like measuring bytes into five-minute buckets and then averaging these buckets over the time since the mitigation was triggered -- then the text needs more detail to convey it. This same comment applies to "pps-dropped," as well as the descriptions of both properties in §5.3. --------------------------------------------------------------------------- §5.1: > A DOTS signal > message can either be a mitigation or a configuration message. This is at odds with both the tree and the text in the YANG module in §5.3, both of which specify three message types rather than two (mitigation, configuration, and redirect). --------------------------------------------------------------------------- §5.1: > | +--ro bps-dropped? yang:zero-based-counter64 ... > | +--ro pps-dropped? yang:zero-based-counter64 These aren't counters in the way that RFC 6021 defines counters. Both need to be of type "yang:gauge64." This comment, of course, also bears on §5.3 as well as Table 4. --------------------------------------------------------------------------- §6: > | trigger-mitigation | boolean | 45 | 7 bits 20 | False | > | | | | 7 bits 21 | True | You might consider cleaning up the JSON column here to just say "Boolean," as "True" and "False" are values rather than any of the six types defined in RFC 8259. Similarly, to be consistent with the rest of the table, perhaps the CBOR column here should simply say "7 simple value". Failing that, consider at least labeling the CBOR values as "False" and "True" rather than "bits 20" and "bits 21".
- [Dots] Adam Roach's Discuss on draft-ietf-dots-si… Adam Roach via Datatracker
- Re: [Dots] Adam Roach's Discuss on draft-ietf-dot… mohamed.boucadair
- Re: [Dots] Adam Roach's Discuss on draft-ietf-dot… Benjamin Kaduk
- Re: [Dots] Adam Roach's Discuss on draft-ietf-dot… Konda, Tirumaleswar Reddy
- Re: [Dots] Adam Roach's Discuss on draft-ietf-dot… Benjamin Kaduk
- Re: [Dots] Adam Roach's Discuss on draft-ietf-dot… Konda, Tirumaleswar Reddy