Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
kaname nishizuka <kaname@nttv6.jp> Thu, 18 August 2016 10:02 UTC
Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B92C112D8AB for <dots@ietfa.amsl.com>; Thu, 18 Aug 2016 03:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.149
X-Spam-Level:
X-Spam-Status: No, score=-3.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.247, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAyhXSpd9kKw for <dots@ietfa.amsl.com>; Thu, 18 Aug 2016 03:02:02 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [IPv6:2402:c800:ff06:a::4]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1D112D8A8 for <dots@ietf.org>; Thu, 18 Aug 2016 03:02:02 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id BE8604E67D; Thu, 18 Aug 2016 19:02:00 +0900 (JST)
Received: from SR2-nishizuka.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id AC2C73AC83; Thu, 18 Aug 2016 19:02:00 +0900 (JST)
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "dots@ietf.org" <dots@ietf.org>
References: <20160706073427.7900.59549.idtracker@ietfa.amsl.com> <50de5af611944788898536433cc1dfbd@XCH-RCD-017.cisco.com> <e5c1665f-4a5b-dc52-602f-66aab2e310d6@nttv6.jp> <f00f640674e24663ac738f759898bc2e@XCH-RCD-017.cisco.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <0cc9e275-8cfa-b172-1cae-11b79e7c84fb@nttv6.jp>
Date: Thu, 18 Aug 2016 19:02:02 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <f00f640674e24663ac738f759898bc2e@XCH-RCD-017.cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rFdZ2GIag4UTwByNuwHQGlhOCx4>
Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots-transport-05.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 10:02:06 -0000
Hi Tiru, On 2016/08/08 15:46, Tirumaleswar Reddy (tireddy) wrote: > Hi Kaname, > > Yes, DOTS data channel should also cover pre-provisioning. As per our discussion at IETF, will remove DOTS channel from this draft, and create a new draft and pick specific sections and JSON attributes from draft-nishizuka-dots-inter-domain-mechanism and include pre-provisioning. OK, That's great. > Please see inline > >> -----Original Message----- >> From: kaname nishizuka [mailto:kaname@nttv6.jp] >> Sent: Friday, July 22, 2016 12:22 PM >> To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; dots@ietf.org >> Subject: Re: [Dots] FW: New Version Notification for draft-reddy-dots- >> transport-05.txt >> >> Hi Tiru, >> >> I have a comment on section 6. DOTS Data Channel. >> >> * Data channel is for bulk data exchanges >> * Rough Consensus @ Design Team Meeting: Data channel is for pre- >> provisioning > Yup. > >> I think we need 2 types of filtering. >> 1. filtering which limit the scope of mitigation >> * example >> - if an organization have other sites from which only legitimate traffic in >> coming and is afraid of false positive, the sites should be treated as a >> exception of mitigation with white-list. > Yes, white-list rules can also be created using the DOTS data channel discussed in the draft (see traffic-rate attribute defined in DOTS data channel). > >> - if a service is working only on port 80, traffic destined to other port can >> be dropped without any consideration. > Yes, the above rule can also be provisioned during peacetime using the DOTS data channel proposed in the draft. > >> * this type of filtering may be installed in pre-provisioning phase (on data >> channel) >> - can be changed even while it is under attack > What is the use case for changing these type of filters during the attack ? One, human make mistakes. Two, white-list type of filtering rule could need to be more specific in order to filter out the attack more precisely. >> Also there should be a limitation on a request >> * requests from DOTS clients should be limited > It's an implementation detail, what do you suggest needs to be discussed in this draft ? OK, it's an implementation detail. I just wanted to point out that the DOTS server should not accept all of the filtering request from the DOTS client without checking the CIDR block of the DOTS clients' domain. >> - request for blocking, rate-limiting, etc.. can be another attack vector if the >> request is spoofed. > DOTS client has to authenticate to the DOTS server, how will DOTS requests be spoofed ? As described above, the DOTS client can spoof the prefixes of filtering request (not the DOTS client's address itself) in order to block traffic not to its domain but to other organization. >> - limitation on possible range of target (=IP addresses/prefixes) should be >> pre-defined per customer basis. >> - installed in pre-provisioning phase (on data channel) >> > Agreed. > >> [note]:this filtering is required without regard to protection methods > I did not get the above line, please clarify. It was meant to say that "The range of target (=IP addresses/prefixes) in the requests from DOTS clients should be checked by DOTS server. It is independent of the protection methods the DOTS server will take." >> 2. filtering instruction for mitigation >> * filtering of traffic is one of protection methods taken by mitigators > Okay. > >> * DOTS client can request filtering of traffic with desired action (blocking, >> rate-limiting...) >> * instructed while it is under attack (on signaling channel) > DOTS signaling channel does not signal filtering rules, it's the job of DOTS data channel. > >> Data model of Filtering Rules described in section 6 (DOTS Data Channel) >> looks like type 2 of filtering. > No, Filtering rules can be provisioned either before or during the attack. > I will update the draft to clarify, currently the draft is only high-lighting the example of black-list rules provisioned during an attack. Okay, I'll see that. regards, kaname > -Tiru > >> So I think it looks like for signaling channel. >> >> >> best regards, >> kaname nishizuka >> >> >> On 2016/07/06 9:46, Tirumaleswar Reddy (tireddy) wrote: >>> Added new section https://tools.ietf.org/html/draft-reddy-dots-transport- >> 05#section-8 to discuss about mutual authentication of DOTS Agents & >> authorization of DOTS clients. Comments and suggestions are welcome. >>> Cheers, >>> -Tiru >>> >>> -----Original Message----- >>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] >>> Sent: Wednesday, July 06, 2016 1:04 PM >>> To: Prashanth Patil (praspati); Dan Wing (dwing); Mike Geller >>> (mgeller); Robert Moskowitz; Mohamed Boucadair; Tirumaleswar Reddy >>> (tireddy) >>> Subject: New Version Notification for >>> draft-reddy-dots-transport-05.txt >>> >>> >>> A new version of I-D, draft-reddy-dots-transport-05.txt has been >>> successfully submitted by Tirumaleswar Reddy and posted to the IETF >>> repository. >>> >>> Name: draft-reddy-dots-transport >>> Revision: 05 >>> Title: Co-operative DDoS Mitigation >>> Document date: 2016-07-06 >>> Group: Individual Submission >>> Pages: 26 >>> URL: https://www.ietf.org/internet-drafts/draft-reddy-dots-transport- >> 05.txt >>> Status: https://datatracker.ietf.org/doc/draft-reddy-dots-transport/ >>> Htmlized: https://tools.ietf.org/html/draft-reddy-dots-transport-05 >>> Diff: https://www.ietf.org/rfcdiff?url2=draft-reddy-dots-transport-05 >>> >>> Abstract: >>> This document specifies a mechanism that a DOTS client can use to >>> signal that a network is under a Distributed Denial-of-Service (DDoS) >>> attack to an upstream DOTS server so that appropriate mitigation >>> actions are undertaken (including, blackhole, drop, rate-limit, or >>> add to watch list) on the suspect traffic. The document specifies >>> both DOTS signal and data channels. Happy Eyeballs considerations >>> for the DOTS signal channel are also elaborated. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >>> submission until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >>> _______________________________________________ >>> Dots mailing list >>> Dots@ietf.org >>> https://www.ietf.org/mailman/listinfo/dots
- Re: [Dots] FW: New Version Notification for draft… Jérôme François
- [Dots] FW: New Version Notification for draft-red… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… kaname nishizuka
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)
- Re: [Dots] FW: New Version Notification for draft… kaname nishizuka
- Re: [Dots] FW: New Version Notification for draft… Tirumaleswar Reddy (tireddy)