IETF Logo Mail Archive

Re: [Dots] Adoption call for draft-reddy-dots-home-network-04

<mohamed.boucadair@orange.com> Wed, 24 April 2019 11:18 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2A212023C; Wed, 24 Apr 2019 04:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1EvKgZpffm1; Wed, 24 Apr 2019 04:18:26 -0700 (PDT)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F0B412006B; Wed, 24 Apr 2019 04:18:26 -0700 (PDT)
Received: from opfednr01.francetelecom.fr (unknown [xx.xx.xx.65]) by opfednr23.francetelecom.fr (ESMTP service) with ESMTP id 44pyVS5hsDz5wBh; Wed, 24 Apr 2019 13:18:24 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.38]) by opfednr01.francetelecom.fr (ESMTP service) with ESMTP id 44pyVS4SKzzDq7P; Wed, 24 Apr 2019 13:18:24 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM5C.corporate.adroot.infra.ftgroup ([fe80::393d:418c:3f1d:991d%21]) with mapi id 14.03.0439.000; Wed, 24 Apr 2019 13:18:24 +0200
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Thread-Topic: [Dots] Adoption call for draft-reddy-dots-home-network-04
Thread-Index: AdTuHVZNyfDh6IMnTiyfhZP8vM2pOAMPXcMAAAHlewAAACVi8AABQijQAAj4x4AAAJCXsA==
Date: Wed, 24 Apr 2019 11:18:23 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA64C46@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <019001d4fa5a$cf08fb60$6d1af220$@smyslov.net> <787AE7BB302AE849A7480A190F8B93302EA648E7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27907ABC5E91DD572EBE7807EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA649DB@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED963937C8C15B319F63EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB2790ED963937C8C15B319F63EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rtHy2aSekrrkEOR1pMNg7ZcPzw0>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 11:18:28 -0000

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : mercredi 24 avril 2019 13:01
> À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> Cc : dots-chairs@ietf.org; kaduk@mit.edu
> Objet : RE: [Dots] Adoption call for draft-reddy-dots-home-network-04
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > Sent: Wednesday, April 24, 2019 12:18 PM
> > To: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > <valery@smyslov.net>; dots@ietf.org
> > Cc: dots-chairs@ietf.org; kaduk@mit.edu
> > Subject: RE: [Dots] Adoption call for draft-reddy-dots-home-network-04
> >
> >
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : mercredi 24 avril 2019 08:13
> > > À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > dots-chairs@ietf.org; kaduk@mit.edu Objet : RE: [Dots] Adoption call
> > > for draft-reddy-dots-home-network-04
> > >
> > > > -----Original Message-----
> > > > From: Dots <dots-bounces@ietf.org> On Behalf Of
> > > > mohamed.boucadair@orange.com
> > > > Sent: Wednesday, April 24, 2019 11:26 AM
> > > > To: Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > > Cc: dots-chairs@ietf.org; kaduk@mit.edu
> > > > Subject: Re: [Dots] Adoption call for
> > > > draft-reddy-dots-home-network-04
> > > >
> > > > This email originated from outside of the organization. Do not click
> > > > links
> > > or
> > > > open attachments unless you recognize the sender and know the
> > > > content is safe.
> > > >
> > > > Re-,
> > > >
> > > > Please see inline.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Message d'origine-----
> > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Valery
> > > > > Smyslov Envoyé : mercredi 24 avril 2019 07:02 À : dots@ietf.org Cc :
> > > > > dots-chairs@ietf.org; kaduk@mit.edu Objet : Re: [Dots] Adoption
> > > > > call for draft-reddy-dots-home-network-04
> > > > >
> > > > > Hi,
> > > > >
> > > > > we received a lot of replies supporting adoption of the document.
> > > > > So, the document is adopted. Authors, please re-submit it as WG
> draft.
> > > > >
> > > > > A couple of comments.
> > > > > 1. The draft uses few times a keyword "MAY NOT". This combination is
> > not
> > > > >      among the list of RFC requirement keywords (it is not listed
> neither
> > > > >      in RFC2119, nor in RFC8174). If the intent was to use RFC
> > > requirement
> > > > >      language, then I'd suggest replacing it with one of MUST NOT,
> > > > > SHALL NOT,
> > > > >      SHOULD NOT. Otherwise please make it lowcase.
> > > > >
> > > >
> > > > [Med] Good catch. Fixed.
> > > >
> > > > > 2. When describing transport, the draft allows both TLS and DTLS.
> What
> > > > >      makes me confusing is that the draft describes it several
> > > > > times as "TCP/TLS or DTLS".
> > > > >      Why TCP is ever mentioned here? We all know that TLS usually
> > > > > runs
> > > over
> > > > >      TCP (however we now have QUICK) and DTLS runs over UDP.
> > > > >      The way it is presented in the draft makes me think that
> probably
> > > > >      plain TCP is also allowed as a transport, but is seems to
> contradict
> > > > >      everything I read about DOTS. Am I missing something here?
> > > > >
> > > >
> > > > [Med] Plain TCP is not allowed. The intent was to be explicit that
> > > > there is
> > > a
> > > > reversal in both TCP and TLS layers, but as you rightfully raised
> > > > this may
> > > be
> > > > confusing since, for the DOTS case, it is trivial that the reversal
> > > > of TLS
> > > roles
> > > > implies the reversal of TCP ones.
> > >
> > > RESTCONF call home only reverses the TCP role but not the TLS role. In
> > > DOTS case, the server has to initiate DTLS handshake for UDP. To keep
> > > the roles same for TCP,  TLS handshake is also initiated by the server.
> >
> > [Med] You missed "for the DOTS case" in my previous reply :-)
> >
> > We do have the following in the draft:
> >
> >                    DOTS                                DOTS
> >                   Server                              Client
> >                     |                                    |
> >                     |         1. (D)TLS connection       |
> >                     |----------------------------------->|
> >                     |         2. Mitigation request      |
> >                     |<-----------------------------------|
> >                     |                                    |
> >
> > That can be trivially expanded as follows for the TLS case:
> >
> >                    DOTS                                DOTS
> >                   Server                              Client
> >                     |                                    |
> >                     |         1.1. TCP                   |
> >                     |----------------------------------->|
> >                     |         1.2. TLS                   |
> >                     |----------------------------------->|
> >                     |         2. Mitigation request      |
> >                     |<-----------------------------------|
> >                     |                                    |
> 
> Okay.
> 
> >
> >
> > As mentioned earlier, the use of TCP/TLS is OK but it may be confusing as
> > initially raised by Valery.
> 
> The updated text is not accurate if TCP is not covered, role reversal at TLS
> does not mean role reversal at TCP.

[Med] The updated text is still fine (ref to Figure 1). We don't have any ambiguity in the procedure part with regards to TCP. We explicitly say the following:  

       If TCP is used, the DOTS server begins by initiating a TCP
       connection to the DOTS client.  The DOTS client MUST support
       accepting TCP connections on the IANA-assigned port number
       defined in Section 4.1, but MAY be configured to listen to a
       different port number.  Using this TCP connection, the DOTS
       server initiates a TLS connection to the DOTS client.

> Similar to (D)TLS, I prefer explicit text to say role reversal at TCP.

[Med] We already have such text (see the above excerpt). 

 The
> security considerations section says " DOTS agents MUST authenticate each
> other using (D)TLS before a DOTS
> signal channel session is considered valid.", so clear text DOTS traffic is
> ruled out.

[Med] Fully agree.

v2.23.0 | Report a Bug | By Email