IETF Logo Mail Archive

Re: [Dots] draft-ietf-dots-filter-control: acl updates

kaname nishizuka <kaname@nttv6.jp> Wed, 15 May 2019 07:59 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822641200C5 for <dots@ietfa.amsl.com>; Wed, 15 May 2019 00:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZ4D9JeNrOUP for <dots@ietfa.amsl.com>; Wed, 15 May 2019 00:59:12 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 49B78120020 for <dots@ietf.org>; Wed, 15 May 2019 00:59:12 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:6::f]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 40E4D25F68C; Wed, 15 May 2019 16:59:09 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1557907149; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DQXSLR6o1jQL9QoRiShjYjtQFXsh16aOMXjqiCl6p+8=; b=NlhQtUK0KjAanwHvxLm+wr2uJuQ8vQNBxjDJK0IjhZfOS0salAyNUfRu1Rhfg/ec0cUNdk 1SY2mVgpMOYt0ImvGgy8jDx76jKtPysks1s/jCYQyR9EbsGb8Xa4zVkRnGSrmTpPFNj2gk mVISL9f7vC9XRkP3lOiE2CS7vY+5cM8=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id 14DDF759063; Wed, 15 May 2019 16:59:09 +0900 (JST)
To: mohamed.boucadair@orange.com, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "dots@ietf.org" <dots@ietf.org>
References: <787AE7BB302AE849A7480A190F8B93302EA7DAAF@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279089B075158BFF8C8B2E5FEA090@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA7E01D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <7f1f7363-11d0-9acd-32a5-ba9fc92cf433@nttv6.jp>
Date: Wed, 15 May 2019 16:59:08 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA7E01D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Content-Type: multipart/alternative; boundary="------------57AA555CDE27F9C3D1F7C605"
Content-Language: en-US
Authentication-Results: guri.nttv6.jp; spf=pass smtp.mailfrom=kaname@nttv6.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rNrtOUgIgS8M2SBrVWTbGQwzKpI>
Subject: Re: [Dots] draft-ietf-dots-filter-control: acl updates
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 07:59:15 -0000

Hi Tiru, Med,

I agree with Tiru.

 > FWIW, the changes to implement (2) can be seen at:
 >
 > https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
 >
Could you specify where it is?
(2) is taken account as the current version of the draft allows to include acl attributes in requests with new ‘mid’s.

regards,
Kaname

On 2019/05/15 16:28, mohamed.boucadair@orange.com wrote:
>
> Hi Tiru,
>
> Agree.
>
> Looking forward to hear  more.
>
> FWIW, the changes to implement (2) can be seen at:
>
> https://github.com/boucadair/filter-control/blob/master/wdiff%20draft-ietf-dots-signal-filter-control-00.txt%20draft-ietf-dots-signal-filter-control-01.pdf
>
> Cheers,
>
> Med
>
> *De :*Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> *Envoyé :* mercredi 15 mai 2019 09:11
> *À :* BOUCADAIR Mohamed TGI/OLN; dots@ietf.org
> *Objet :* RE: draft-ietf-dots-filter-control: acl updates
>
> I don’t think approach (1) is a good idea because of out of order delivery of packets. Further, the anti-relay detection technique in DTLS uses sliding windows procedure. An MITM can possibility cache and drop the packets from the client, and replay the cached packets that fall within the sliding window. For instance in the below example, the server could receive packets in the order T0, T4, T1, T2.
>
> Monotonically increasing ‘mid’ is the only defense against this mechanism, and I don’t think the signal channel draft needs any update.
>
> Cheers,
>
> -Tiru
>
> *From:*Dots <dots-bounces@ietf.org> *On Behalf Of *mohamed.boucadair@orange.com
> *Sent:* Tuesday, May 14, 2019 8:14 PM
> *To:* dots@ietf.org
> *Subject:* [Dots] draft-ietf-dots-filter-control: acl updates
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Hi all,
>
> The current version of the draft allows to include acl attributes in requests with new or existing ‘mid’s. By “existing mid’, we meant an existing request which does not include acl attributes when the request was initially created. For such requests, the activation-type of the same acl can be changed as the attack evolve or even control other ACLs. This is supposed to be covered by this text:
>
>    When acl-* attributes are to be
>
>    included in a mitigation request with an existing 'mid', the DOTS
>
>    client MUST repeat all the other parameters as sent in the original
>
>    mitigation request (i.e., having that 'mid') apart from a possible
>
>    change to the lifetime parameter value.
>
> For example:
>
> T0: R(mid)
>
> T1: R(mid, acl1, activation-type=value1)
>
> T2: R(mid, acl2, activation-type=value2)
>
> T3: R(mid, acl1, activation-type=value2)
>
> T4: R(mid)
>
> ...
>
> Now, if acl attributes are included in a request with a new mid, we need to specify how activation-type (and acl-list in general) can be updated. We do have two options:
>
>  1. Update the draft with this NEW text:
>
>    If 'acl-list', 'acl-name', and 'activation-type' attributes are
>    included in the initial mitigation request (that is, a mitigation
>    request with a new 'mid'), the DOTS client may update the
>    'acl-list' as an active attack evolves.  To do so, the DOTS
>    client MUST repeat all the other parameters as sent in the original
>    mitigation request apart from a possible change to the 'acl-list’
>    and the lifetime parameter values.
>
>    And the signal channel spec as follows:
>
>    For a mitigation request to continue beyond the initial negotiated
>    lifetime, the DOTS client has to refresh the current mitigation
>    request by sending a new PUT request..  This PUT request MUST use the
>    same 'mid' value, and MUST repeat all the other parameters as sent in
>    the original mitigation request apart from a possible change to the
>    lifetime parameter value or other changes to attributes defined in future extensions.
>                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> For example:
>
> T0: R(mid, acl1, activation-type=value1)
>
> T1: R(mid, acl2, activation-type=value2)
>
> T2: R(mid, acl1, activation-type=value2)
>
> ..
>
>  2. Require a new mid each time a client has to insert acl attributes.
>
> For example:
>
> T0: R(mid0)
>
> T1: R(mid1, acl1, activation-type=value1)
>
> T2: R(mid2, acl2, activation-type=value2)
>
> T3: R(mid3, acl1, activation-type=value2)
>
> ...
>
> Thoughts?
>
> Cheers,
>
> Med
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email