Re: [Dots] draft-ietf-dots-signal-channel-33: trigger-mitigation
"Panwei (William)" <william.panwei@huawei.com> Thu, 16 May 2019 07:51 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7946912004D for <dots@ietfa.amsl.com>; Thu, 16 May 2019 00:51:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhYR0RLYftos for <dots@ietfa.amsl.com>; Thu, 16 May 2019 00:51:01 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E1A6120047 for <dots@ietf.org>; Thu, 16 May 2019 00:51:00 -0700 (PDT)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 005A97ECFEB8CA0CD8E6 for <dots@ietf.org>; Thu, 16 May 2019 08:50:57 +0100 (IST)
Received: from lhreml714-chm.china.huawei.com (10.201.108.65) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 16 May 2019 08:50:57 +0100
Received: from lhreml714-chm.china.huawei.com (10.201.108.65) by lhreml714-chm.china.huawei.com (10.201.108.65) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 16 May 2019 08:50:57 +0100
Received: from NKGEML412-HUB.china.huawei.com (10.98.56.73) by lhreml714-chm.china.huawei.com (10.201.108.65) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Thu, 16 May 2019 08:50:57 +0100
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.144]) by nkgeml412-hub.china.huawei.com ([10.98.56.73]) with mapi id 14.03.0415.000; Thu, 16 May 2019 15:50:06 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: MeiLing Chen <chenmeiling@chinamobile.com>, "mohamed.boucadair" <mohamed.boucadair@orange.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
CC: dots <dots@ietf.org>
Thread-Topic: [Dots] draft-ietf-dots-signal-channel-33: trigger-mitigation
Thread-Index: AQHVCxGWZnBXOukF3UaD5GqNN8YLzKZtCiBKgABRZ7A=
Date: Thu, 16 May 2019 07:50:05 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A69F47E19@nkgeml513-mbx.china.huawei.com>
References: <2019051517083625930510@chinamobile.com>, <2019051518171308785722@chinamobile.com>, <787AE7BB302AE849A7480A190F8B93302EA7E396@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <2019051610354984340514@chinamobile.com>
In-Reply-To: <2019051610354984340514@chinamobile.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A69F47E19nkgeml513mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rKnyb_866PF28uUhtVpZ23A-OEQ>
Subject: Re: [Dots] draft-ietf-dots-signal-channel-33: trigger-mitigation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 07:51:04 -0000
Hi Meiling, I think this design is used for the case that DOTS server fails to receive a real-time mitigation request from DOTS client during attack time. The mitigation request with trigger-mitigation set to false is a pre-configured mitigation request, it is sent before a DDoS attack happens. When DOTS server receives such mitigation request, it just saves this request and won’t trigger mitigation immediately. When the DDoS attack really happens, the DOTS server may receive no messages from DOTS client because the link is congested by attack traffic, then the pre-configured mitigation request will be triggered when DOTS server considers the session is lost. Without this pre-configured mitigation request, the DDoS attack won’t be mitigated at this time. So I don’t think it is “almost never used”. Best Regards Wei Pan From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of MeiLing Chen Sent: Thursday, May 16, 2019 10:36 AM To: mohamed.boucadair <mohamed.boucadair@orange.com>; Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> Cc: dots <dots@ietf.org> Subject: Re: [Dots] draft-ietf-dots-signal-channel-33: trigger-mitigation Hi Med, It looks like that trigger-mitigation set to false almost never used unless session is lost and then the DOTS client initiate another mitigation request with the trigger-mitigation value of false. De : MeiLing Chen [mailto:chenmeiling@chinamobile.com] Envoyé : mercredi 15 mai 2019 12:17 À : Konda, Tirumaleswar Reddy; BOUCADAIR Mohamed TGI/OLN Cc : dots Objet : draft-ietf-dots-signal-channel-33: trigger-mitigation Hi Tiru, Med; I read draft-ietf-dots-signal-channel-33, I have a question about the parameter of trigger-mitigation, trigger-mitigation: If the parameter value is set to 'false', DDoS mitigation will not be triggered for the mitigation request unless the DOTS signal channel session is lost. If the DOTS client ceases to respond to heartbeat messages, the DOTS server can detect that the DOTS signal channel session is lost. More details are discussed in Section 4.7. Reddy, et al. Expires November 11, 2019 [Page 18] Internet-Draft DOTS Signal Channel Protocol May 2019 The default value of the parameter is 'true' (that is, the mitigation starts immediately). If 'trigger-mitigation' is not present in a request, this is equivalent to receiving a request with 'trigger-mitigation' set to 'true'. question1: When send mitigation request first time, trigger-mitigation is set true; when session is lost, trigger-mitigation set false will work, so how to know session is lost? [Med] the absence of traffic or replies to server-initiated heartbeats are used to that aim. This covered by this text in the spec: If the DOTS server does not receive any traffic from the peer DOTS client, then the DOTS server sends heartbeat requests to the DOTS client and after maximum 'missing-hb-allowed' threshold is reached, the DOTS server concludes the session is disconnected. The DOTS server can then trigger pre-configured mitigation requests for this DOTS client (if any). question2: Why need this parameter and What was the initial requirements scenario? [Med] Please check: https://tools.ietf.org/html/draft-ietf-dots-architecture-13#section-3.3.3
- [Dots] draft-ietf-dots-signal-channel-33 MeiLing Chen
- [Dots] draft-ietf-dots-signal-channel-33: trigger… MeiLing Chen
- Re: [Dots] draft-ietf-dots-signal-channel-33: tri… mohamed.boucadair
- Re: [Dots] draft-ietf-dots-signal-channel-33 Konda, Tirumaleswar Reddy
- Re: [Dots] draft-ietf-dots-signal-channel-33 MeiLing Chen
- Re: [Dots] draft-ietf-dots-signal-channel-33: tri… MeiLing Chen
- Re: [Dots] draft-ietf-dots-signal-channel-33 Konda, Tirumaleswar Reddy
- Re: [Dots] draft-ietf-dots-signal-channel-33: tri… Panwei (William)