Re: [Dots] AD review of draft-ietf-dots-requirements-15
Benjamin Kaduk <kaduk@mit.edu> Wed, 17 October 2018 18:41 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1875A130E0E for <dots@ietfa.amsl.com>; Wed, 17 Oct 2018 11:41:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BCVNm-SUr2MS for <dots@ietfa.amsl.com>; Wed, 17 Oct 2018 11:41:08 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3439F128C65 for <dots@ietf.org>; Wed, 17 Oct 2018 11:41:07 -0700 (PDT)
X-AuditID: 12074425-d49ff7000000457e-3b-5bc7824055b0
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id F5.0D.17790.14287CB5; Wed, 17 Oct 2018 14:41:05 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w9HIf2bq024080; Wed, 17 Oct 2018 14:41:03 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w9HIewJZ032617 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 17 Oct 2018 14:41:01 -0400
Date: Wed, 17 Oct 2018 13:40:58 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Mortensen, Andrew" <Andrew.Mortensen@netscout.com>
Cc: dots <dots@ietf.org>
Message-ID: <20181017184058.GE19309@kduck.kaduk.org>
References: <20181008145601.GL56675@kduck.kaduk.org> <B95EFE9F-EC44-4443-9CBF-7D7F0C6D7399@netscout.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <B95EFE9F-EC44-4443-9CBF-7D7F0C6D7399@netscout.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNKsWRmVeSWpSXmKPExsUixCmqrevYdDza4NlSI4sP/b8ZLda+OcLq wOSxZMlPJo8HDawBTFFcNimpOZllqUX6dglcGct+97EUTJ/EWDGv7RNjA+OL/C5GTg4JAROJ 2Qtus3cxcnEICSxmkjh26TuUs5FRYu7kdcwQzlUmib3b57GCtLAIqErc/zWbDcRmE1CRaOi+ zAxiiwiYSxz6/RishllAQqL3+GxGEFtYwFJi1d8vTCA2L9C6f729YDVCAlkSN7d/YoWIC0qc nPmEBaJXXeLPvEtAMzmAbGmJ5f84IMLyEs1bZ4Ot4hRwkDi9+T7YCaICyhJ7+w6xT2AUnIVk 0iwkk2YhTJqFZNICRpZVjLIpuVW6uYmZOcWpybrFyYl5ealFuhZ6uZkleqkppZsYQWHN7qK6 g3HOX69DjAIcjEo8vA9Sj0cLsSaWFVfmHmKU5GBSEuWd/uNYtBBfUn5KZUZicUZ8UWlOavEh RgkOZiUR3ipFoHLelMTKqtSifJiUNAeLkjjvpJbF0UIC6YklqdmpqQWpRTBZGQ4OJQneGY1A jYJFqempFWmZOSUIaSYOTpDhPEDD+0BqeIsLEnOLM9Mh8qcYLTm2nemcwczR9vQ6kOwAkUIs efl5qVLivDtAGgRAGjJK8+BmgtKURPb+mleM4kAvCvP+aACq4gGmOLipr4AWMgEtdLc9ArKw JBEhJdXA6HXldMkDyUPPvhwRexdeW24fkKy1ee8DBn8b+9Clbts/dvIyGx/jKhNcuKqVIfnx tmPB/nH7+3Y5fkyX80xVnSSVY9z1ZuYZs8/PJu5s8WqRK9DxetJ6Tfq10dUNLqGXputNFTnL Pp9720btxOstDSkvbs22PvDE16zmXkeijR2r8eVDszOzlFiKMxINtZiLihMBgodATi4DAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/qWnBLpXvSaHKtAPvA_PoUQI312M>
Subject: Re: [Dots] AD review of draft-ietf-dots-requirements-15
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 18:41:13 -0000
Excellent; thank you! -Ben On Wed, Oct 17, 2018 at 02:16:00PM +0000, Mortensen, Andrew wrote: > Hi Ben. Thanks for this helpful feedback. I’ve been working on incorporating the changes, and should have an updated revision ready shortly. > > andrew > > > > > On Oct 8, 2018, at 10:56 AM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > > > [EXTERNAL EMAIL] > > > > Hi all, > > > > Thanks for the fine document, and sorry for the processing delay -- the > > timing interacted poorly with my travel schedule. > > > > I just have some editorial notes that it would be nice to fix before we send > > this out for broader review; I'll list them section-by-section. > > > > Section 1.1 > > > > A standardized method to coordinate a real-time response among > > involved operators will increase the speed and effectiveness of DDoS > > attack mitigation, and reduce the impact of these attacks. This > > document describes the required characteristics of protocols that > > enable attack coordination and mitigation of DDoS attacks. > > > > "protocols that enable attack coordination" can be read as if we are > > generating DDoS attacks, which is probably not the intention. > > > > Section 1.2 > > > > RFC 8174 has updated BCP 14 boilerplate; proactively changing to use it > > will save lots of reviewers from pointing this out. > > > > Mitigator: An entity, typically a network element, capable of > > performing mitigation of a detected or reported DDoS attack. The > > means by which this entity performs these mitigations and how they > > are requested of it are out of scope. The mitigator and DOTS > > server receiving a mitigation request are assumed to belong to the > > same administrative entity. > > > > It may be best to avoid an unqualified "out of scope" and be clear about if > > it's out of scope for this document, for the WG, etc. > > > > DOTS signal: A concise authenticated status/control message > > transmitted over the signal channel between DOTS agents, used to > > indicate the client's need for mitigation, as well as to convey > > the status of any requested mitigation. > > > > Is the message itself authenticated in addition to the authentication > > provided by the signal channel? It might be confusing to mention > > authentication in both places if it's just the channel providing > > authentication. > > > > Also, I would suggest to s/as well as/or/, since (presumably) a single > > message can do just one or the other. > > > > Data channel: A bidirectional, mutually authentication communication > > channel between two DOTS agents used for infrequent but reliable > > bulk exchange of data not easily or appropriately communicated > > through the signal channel under attack conditions. > > > > This definition left me wondering whether the data channel is supposed to > > function during attack conditions (i.e., if the attack condition rendered > > the signal channel unusable for this purpose, so the data channel was > > created to still work under attack conditions). The rest of the document > > seems to clarify that the data channel is not expected to be useful during > > attack conditions, so perhaps this could be clarified here. > > > > Blacklist: A list of filters indicating sources from which traffic > > should be blocked, regardless of traffic content. > > > > Whitelist: A list of filters indicating sources from which traffic > > should always be allowed, regardless of contradictory data gleaned > > in a detected attack. > > > > I note without further comment that there was recently a long thread on > > ietf@ietf.org about potentially offensive terminology, which included both > > of these words as examples. > > > > Section 2 > > > > The DOTS protocol must at a minimum make it possible for a DOTS > > client to request aid mounting a defense, coordinated by a DOTS > > server, against a suspected attack, signaling within or between > > domains as requested by local operators. [...] > > > > This sentence has a lot of commas that breaks up the flow trying to read > > it. It could perhaps be split into two, as > > > > % The DOTS protocol must at a minimum make it possible for a DOTS > > % client to request aid mounting a defense against a suspected attack. > > % This defense could be coordinated by a DOTS server and include signaling > > % within or between domains as requested by local operators. > > > > [...] > > clients need to justify withdrawing help requests: the decision is > > local to the DOTS clients' domain. Multi-homed DOTS clients must be > > able to select the appropriate DOTS server(s) to which a mitigation > > request is to be sent. The method for selecting the appropriate DOTS > > server in a multi-homed environment is out of scope. > > > > (same comment about "out of scope"). > > > > DOTS protocol implementations face competing operational goals when > > maintaining this bidirectional communication stream. On the one > > hand, DOTS must include protections ensuring message confidentiality, > > integrity and authenticity to keep the protocols from becoming > > additional vectors for the very attacks it is meant to help fight > > off. [...] > > > > It's probably worth including freshness/replay protection in this list. > > > > Section 2.1 > > > > GEN-001 Extensibility: Protocols and data models developed as part > > of DOTS MUST be extensible in order to keep DOTS adaptable to > > operational and proprietary DDoS defenses. Future extensions MUST > > be backward compatible. DOTS protocols MUST use a version number > > system to distinguish protocol revisions. Implementations of > > older protocol versions SHOULD ignore information added to DOTS > > messages as part of newer protocol versions. > > > > No change specifically needed, but I'll note that using a version number > > mostly precludes using individual per-feature tags to indicate feature > > support. It's okay for a WG to be making such a design choice at this > > point in the process; I'm just pointing out that it is something of a > > design choice. > > > > GEN-002 Resilience and Robustness: The signaling protocol MUST be > > designed to maximize the probability of signal delivery even under > > the severely constrained network conditions caused by particular > > attack traffic. [...] > > > > The word choice "particular" makes it sound as if there is a specific > > attack that the author has in mind, leaving the reader wondering what > > attack that is. It may be better to just remove the word entirely or give > > some description of what attack type(s) are relevant. > > > > GEN-003 Bulk Data Exchange: Infrequent bulk data exchange between > > DOTS agents can also significantly augment attack response > > coordination, permitting such tasks as population of black- or > > white-listed source addresses; address or prefix group aliasing; > > exchange of incident reports; and other hinting or configuration > > supplementing attack response. > > > > As the resilience requirements for the DOTS signal channel mandate > > small signal message size, a separate, secure data channel > > utilizing a reliable transport protocol MUST be used for bulk data > > exchange. > > > > (This could potentially also clarify if it's expected to be useful during > > attack conditions.) > > > > GEN-004 Mitigation Hinting: DOTS clients may have access to attack > > details which can be used to inform mitigation techniques. > > Example attack details might include locally collected > > fingerprints for an on-going attack, or anticipated or active > > attack focal points based on other threat intelligence. DOTS > > clients MAY send mitigation hints derived from attack details to > > DOTS servers, in the full understanding that the DOTS server MAY > > ignore mitigation hints. Mitigation hints MAY be transmitted > > across either signal or data channel. [...] > > > > My colleagues on the IESG tend to ask questions when there are multiple > > options permitted but no discussion of why one might prefer one option or > > the other. (That is, they prefer a single mandatory option for reasons of > > protocol simplicity.) > > > > Section 2.2 > > > > SIG-002 Sub-MTU Message Size: To avoid message fragmentation and the > > consequently decreased probability of message delivery over a > > congested link, signaling protocol message size MUST be kept under > > signaling Path Maximum Transmission Unit (PMTU), including the > > byte overhead of any encapsulation, transport headers, and > > transport- or message-level security. > > DOTS agents SHOULD attempt to learn the PMTU through mechanisms > > such as Path MTU Discovery [RFC1191] or Packetization Layer Path > > MTU Discovery [RFC4821]. If the PMTU cannot be discovered, DOTS > > agents SHOULD assume a PMTU of 1280 bytes. If IPv4 support on > > legacy or otherwise unusual networks is a consideration and PMTU > > nit: "the PMTU" > > is unknown, DOTS implementations MAY rely on a PMTU of 576 bytes, > > as discussed in [RFC0791] and [RFC1122]. > > > > SIG-003 Bidirectionality: To support peer health detection, to > > maintain an active signal channel, and increase the probability of > > nit: "to increase" > > signal delivery during an attack, the signal channel MUST be > > bidirectional, with client and server transmitting signals to each > > other at regular intervals, regardless of any client request for > > mitigation. Unidirectional messages MUST be supported within the > > bidirectional signal channel to allow for unsolicited message > > delivery, enabling asynchronous notifications between DOTS agents. > > > > This sentence about unidirectional messages left me a bit confused on first > > read, I think just because of the way it was phrased. It's basically just > > saying that the signal channel is not necessarily request/reply pairs, but > > can include oneshot notification messages that don't get an > > application-level reply (but could still get a transport-level ack), right? > > I don't have any specific text suggestions here, and it's probably okay to > > leave it as-is. (I have no particular reason to think that other people > > get confused in the same ways that I do, after all.) > > > > SIG-005 Channel Redirection: In order to increase DOTS operational > > flexibility and scalability, DOTS servers SHOULD be able to > > redirect DOTS clients to another DOTS server at any time. DOTS > > clients MUST NOT assume the redirection target DOTS server shares > > security state with the redirecting DOTS server. DOTS clients are > > free to attempt abbreviated security negotiation methods supported > > by the protocol, such as DTLS session resumption, but MUST be > > prepared to negotiate new security state with the redirection > > target DOTS server. > > > > When redirection occurs, is it always within the same "authentication > > domain"? There are perhaps additional complications about authenticating > > the two servers and the redirection action if they are managed by different > > entities or the client will be using different credentials with them. > > > > SIG-006 Mitigation Requests and Status: Authorized DOTS clients MUST > > [...] > > The initial active-but-terminating period is implementation- and > > deployment- specific, but SHOULD be sufficiently long to absorb > > latency incurred by route propagation. If the client requests > > mitigation again before the initial active-but-terminating period > > > > Just to check my understanding: this new mitigation request serves only to > > extend the current termination period, and so the client would have to make > > yet another mitigation request after mitigation terminates? > > > > elapses, the DOTS server MAY exponentially increase the active- > > but-terminating period up to a maximum of 300 seconds (5 minutes). > > > > "exponentially" requires specifying an exponent base -- is the period > > doubling each request, increasing by a factor of 1.5, ...? > > > > After the active-but-terminating period elapses, the DOTS server > > MUST treat the mitigation as terminated, as the DOTS client is no > > longer responsible for the mitigation. > > > > > > SIG-008 Mitigation Scope: DOTS clients MUST indicate desired > > mitigation scope. The scope type will vary depending on the > > resources requiring mitigation. All DOTS agent implementations > > MUST support the following required scope types: > > > > * IPv4 prefixes in CIDR notation [RFC4632] > > > > I don't see why CIDR notation comes into play for the protocol itself; why > > not just say "IPv4 prefixes" to match the "IPv6 prefixes" below? > > > > If there is additional information available narrowing the scope > > of any requested attack response, such as targeted port range, > > protocol, or service, DOTS clients SHOULD include that information > > in client mitigation requests. DOTS clients MAY also include > > additional attack details. DOTS servers MAY ignore such > > supplemental information when enabling countermeasures on the > > mitigator. > > > > Is it implicit from this that the signal channel needs to provide some way > > in which to convey this sort of structured data that makes the semantics > > clear (as opposed to, say, implementation-defined)? > > > > Section 2.3 > > > > DATA-002 Data privacy and integrity: Transmissions over the data > > channel are likely to contain operationally or privacy-sensitive > > information or instructions from the remote DOTS agent. Theft or > > modification of data channel transmissions could lead to > > information leaks or malicious transactions on behalf of the > > sending agent (see Section 4 below). Consequently data sent over > > > > It may be worth mentioning the risk of replay explicitly. > > > > the data channel MUST be encrypted and authenticated using current > > IETF best practices. DOTS servers MUST enable means to prevent > > > > Do we need to provide an extensible model or negotiation scheme for the > > encryption/authentication algorithms, so that implementations can adapt as > > best practices change? > > > > leaking operationally or privacy-sensitive data. Although > > administrative entities participating in DOTS may detail what data > > may be revealed to third-party DOTS agents, such considerations > > are not in scope for this document. > > > > DATA-003 Resource Configuration: To help meet the general and signal > > channel requirements in Section 2.1 and Section 2.2, DOTS server > > implementations MUST provide an interface to configure resource > > identifiers, as described in SIG-007. [...] > > > > I think this is SIG-008, not SIG-007. > > > > Section 2.4 > > > > SEC-001 Peer Mutual Authentication: DOTS agents MUST authenticate > > each other before a DOTS signal or data channel is considered > > valid. The method of authentication is not specified, but should > > follow current industry best practices with respect to any > > cryptographic mechanisms to authenticate the remote peer. > > > > Authentication is great. What model is used for making authorization > > decisions? > > > > SEC-002 Message Confidentiality, Integrity and Authenticity: DOTS > > [...] > > In order for DOTS protocols to remain secure despite advancements > > in cryptanalysis and traffic analysis, DOTS agents MUST be able to > > negotiate the terms and mechanisms of protocol security, subject > > to the interoperability and signal message size requirements in > > Section 2.2. > > > > I'd probably say "securely negotiate" just to avoid any questions. > > > > SEC-004 Authorization: DOTS servers MUST authorize all messages from > > DOTS clients which pertain to mitigation, configuration, > > filtering, or status. > > > > Are there any message types left (that would not need authorization)? > > > > Section 2.5 > > > > DM-004 Mitigation Scope Representation: The data model MUST support > > representation of a requested mitigation's scope. As mitigation > > scope may be represented in several different ways, per SIG-007 > > above, the data model MUST be capable of flexible representation > > of mitigation scope. > > > > Is "flexible" intended to encompass a generic extensibility to represent > > new types of data and new semantics? > > > > DM-007 Acceptable Signal Loss Representation: The data model MUST be > > able to represent the DOTS agent's preference for acceptable > > signal loss when establishing a signal channel, as described in > > GEN-002. > > > > Is this prefernce expressed as a threshold percentage of packet loss, a > > timeout for keepalive messages, some other way, or we don't care? > > > > Section 4 > > > > Impersonation of either DOTS server or DOTS client could have > > > > nit: "a DOTS server", "a DOTS client" > > > > Blocking communication between DOTS agents has the potential to > > disrupt the core function of DOTS, which is to request mitigation of > > active or expected DDoS attacks. The DOTS signal channel is expected > > to operate over congested inbound links, and, as described in > > Section 2.2, the signal channel protocol must be designed for minimal > > data transfer to reduce the incidence of signal blocking. > > > > "signal blocking" makes me think of an explicit firewall-like > > functionality, whereas I think the threat here is more of an accidental > > dropping of packets due to congestion and network elmeent overload. > > > > > > > > Hopefully we can get a new rev out quickly and then I can request the IETF > > Last Call! > > > > Thanks to everyone for the good work that went into this document. > > > > -Ben > > >
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-requireme… Mortensen, Andrew