Re: [Dots] 答复: Hi, authors. 3 comments:
<mohamed.boucadair@orange.com> Wed, 06 March 2019 10:08 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABC8F130EDC; Wed, 6 Mar 2019 02:08:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Li-dnRLxdXif; Wed, 6 Mar 2019 02:08:04 -0800 (PST)
Received: from orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7197F130DF1; Wed, 6 Mar 2019 02:08:03 -0800 (PST)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 44DqFs2c6HzFqtq; Wed, 6 Mar 2019 11:08:01 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.57]) by opfedar05.francetelecom.fr (ESMTP service) with ESMTP id 44DqFs12kRz2xCK; Wed, 6 Mar 2019 11:08:01 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM6D.corporate.adroot.infra.ftgroup ([fe80::4c24:f1ba:2b1:e490%21]) with mapi id 14.03.0435.000; Wed, 6 Mar 2019 11:08:00 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>, kaname nishizuka <kaname@nttv6.jp>, "draft-nishizuka-dots-signal-control-filtering.authors@ietf.org" <draft-nishizuka-dots-signal-control-filtering.authors@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] 答复: Hi, authors. 3 comments:
Thread-Index: AQHU00Ah5CPMIOlBWE2bR1sZTjFXVKX+JvMAgAARgWCAACFhwIAABmwA
Date: Wed, 06 Mar 2019 10:08:00 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA29592@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <C02846B1344F344EB4FAA6FA7AF481F12C9D756B@dggemm511-mbx.china.huawei.com> <21e92c8d-8df0-576a-db08-3163c74bba59@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302EA287D5@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <C02846B1344F344EB4FAA6FA7AF481F12C9D76C2@dggemm511-mbx.china.huawei.com> <BYAPR16MB2790365CF9FAEB543CB34EB1EA730@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA29424@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790BE0170815A6AB7AE65E7EA730@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790BE0170815A6AB7AE65E7EA730@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B93302EA29592OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rmJRa7g1nnJlCU7-Ok7vW_ywmzc>
Subject: Re: [Dots] 答复: Hi, authors. 3 comments:
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 10:08:08 -0000
Re-, Please see inline. Cheers, Med De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com] Envoyé : mercredi 6 mars 2019 10:41 À : BOUCADAIR Mohamed TGI/OLN; Xialiang (Frank, Network Standard & Patent Dept); kaname nishizuka; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org Cc : dots@ietf.org Objet : RE: [Dots] 答复: Hi, authors. 3 comments: Hi Med, Please see inline [TR2] From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> Sent: Wednesday, March 6, 2019 1:17 PM To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; kaname nishizuka <kaname@nttv6.jp>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org Cc: dots@ietf.org Subject: RE: [Dots] 答复: Hi, authors. 3 comments: CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Hi Tiru, Please see inline. Cheers, Med De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com] Envoyé : mercredi 6 mars 2019 07:47 À : Xialiang (Frank, Network Standard & Patent Dept); BOUCADAIR Mohamed TGI/OLN; kaname nishizuka; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org<mailto:draft-nishizuka-dots-signal-control-filtering.authors@ietf.org> Cc : dots@ietf.org<mailto:dots@ietf.org> Objet : RE: [Dots] 答复: Hi, authors. 3 comments: Hi Kaname, Please see inline When a DOTS client noticed that a system in its domain is being attacked, it will try to ask for help to a DOTS server in its transit provider (or somewhere in upstream networks). Sometimes it is hard to get any information from the DOTS server if the upstream is saturated by attack traffic. [TR] Agreed, but once the DDoS Mitigator starts scrubbing incoming traffic, attack traffic will be dropped and mitigation updates from the DOTS server will reach the DOTS client. [Med] Agree. It is good strategy to enable ACL(set by data-channel) immediately first via signal-channel. Especially if it is rate-limit ACL, it will make a room for further communication over signal-channel. [TR] If all of the incoming traffic is rate-limited, both good and bad traffic will be dropped and may not be acceptable. [Med] Only the traffic matching the ACL will be rate-limited. Of course, that acl may be defined to cover all the traffic. This scenario is basically as follows: • Detect suspicious traffic in a client domain • Send a first mitigation with a wide scope + activate some ACLs. Which acls to activate is deployment-specific. • Later, send a second mitigation request with an adjusted scope. [TR2] If the DOTS client knows the target resource, why send the mitigation request for wide scope ? [Med] The assumption is it does not know the exact “scope”. If the DOTS client does not know the target resource, how can it adjust the scope in the second mitigation request ? [Med] It will conclude that as the attack is progressing. I don’t understand how the rate-limit ACL is useful in this case ? [Med] We don’t need to focus on the rate-limit. I guess Kaname provided that as an example. The ACL can activate an accept-list or whatever actions is judged adequate by the client. I don’t think that we are introducing here a new use case. All these pieces are already covered/allowed by existing specs. -Tiru Then, it will send mitigation request to the DOTS server. [TR] The mitigation request can also enable the ACL (set by data-channel), I don’t get the reason to send the mitigation request again. [Med] This is required to adjust the scope. A new request is needed. This kind of procedure is really used by manual operation. Combination of ACL-based filtering and mitigation appliance is cost effective. The proposed draft (signal-control-filtering) enable automation of it. Cheers, -Tiru From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Xialiang (Frank, Network Standard & Patent Dept) Sent: Tuesday, March 5, 2019 4:09 PM To: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>; kaname nishizuka <kaname@nttv6.jp<mailto:kaname@nttv6.jp>>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org<mailto:draft-nishizuka-dots-signal-control-filtering.authors@ietf.org> Cc: dots@ietf.org<mailto:dots@ietf.org> Subject: [Dots] 答复: Hi, authors. 3 comments: CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Hi Med, Thanks for the clarification, we are on the same page now. B.R. Frank 发件人: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> [mailto:mohamed.boucadair@orange.com] 发送时间: 2019年3月5日 18:30 收件人: kaname nishizuka <kaname@nttv6.jp<mailto:kaname@nttv6.jp>>; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>; draft-nishizuka-dots-signal-control-filtering.authors@ietf.org<mailto:draft-nishizuka-dots-signal-control-filtering.authors@ietf.org> 抄送: dots@ietf.org<mailto:dots@ietf.org> 主题: RE: [Dots] Hi, authors. 3 comments: Hi Frank, Kaname, Please see inline. Cheers, Med De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname nishizuka Envoyé : mardi 5 mars 2019 09:01 À : Xialiang (Frank, Network Standard & Patent Dept); draft-nishizuka-dots-signal-control-filtering.authors@ietf.org<mailto:draft-nishizuka-dots-signal-control-filtering.authors@ietf.org> Cc : dots@ietf.org<mailto:dots@ietf.org> Objet : Re: [Dots] Hi, authors. 3 comments: Hi Frank, On 2019/03/05 15:26, Xialiang (Frank, Network Standard & Patent Dept) wrote: Hi authors, I have 3 general comments as below: 1. Can you clarify the DOTS server administrative domain a little bit? What is the goal we define it? We'll clarify it and update the draft. [Med] This is what is called “DOTS server domain” in DOTS drafts. The notion of “administrative domain” is already used/discussed in the arch I-D. 2. Will this document open a door to make signal channel to cover the functions of data channel more and more? [Med] No. We do already have this text: A DOTS client MUST NOT use the filtering control over DOTS signal channel if no attack (mitigation) is active; such requests MUST be discarded by the DOTS server with 4.00 (Bad Request). By default, ACL-related operations are achieved using the DOTS data channel [I-D.ietf-dots-data-channel<https://tools.ietf.org/html/draft-nishizuka-dots-signal-control-filtering-04#ref-I-D.ietf-dots-data-channel>] when no attack is ongoing. The draft focuses only on tweaking the status of **existing** filters. 3. I can accept the situation of changing the accept-list to the “deactivate” status, but is it a common use case we need to change a deny-list to the “immediate” status? Regarding with 2 and 3, I can add one usecase to the draft. When a DOTS client noticed that a system in its domain is being attacked, it will try to ask for help to a DOTS server in its transit provider (or somewhere in upstream networks). Sometimes it is hard to get any information from the DOTS server if the upstream is saturated by attack traffic. It is good strategy to enable ACL(set by data-channel) immediately first via signal-channel. Especially if it is rate-limit ACL, it will make a room for further communication over signal-channel. Then, it will send mitigation request to the DOTS server. This kind of procedure is really used by manual operation. Combination of ACL-based filtering and mitigation appliance is cost effective. The proposed draft (signal-control-filtering) enable automation of it. regards, Kaname Thanks! B.R. Frank
- [Dots] Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] Hi, authors. 3 comments: kaname nishizuka
- [Dots] 答复: Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] Hi, authors. 3 comments: mohamed.boucadair
- [Dots] 答复: Hi, authors. 3 comments: Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Dots] 答复: Hi, authors. 3 comments: Konda, Tirumaleswar Reddy
- Re: [Dots] 答复: Hi, authors. 3 comments: mohamed.boucadair
- Re: [Dots] 答复: Hi, authors. 3 comments: Konda, Tirumaleswar Reddy
- Re: [Dots] 答复: Hi, authors. 3 comments: mohamed.boucadair