IETF Logo Mail Archive

Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue

<mohamed.boucadair@orange.com> Thu, 25 April 2019 12:07 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A75F120169 for <dots@ietfa.amsl.com>; Thu, 25 Apr 2019 05:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.4
X-Spam-Level: **
X-Spam-Status: No, score=2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lahiaklZFXKw for <dots@ietfa.amsl.com>; Thu, 25 Apr 2019 05:07:21 -0700 (PDT)
Received: from orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2706D120150 for <dots@ietf.org>; Thu, 25 Apr 2019 05:07:21 -0700 (PDT)
Received: from opfedar04.francetelecom.fr (unknown [xx.xx.xx.6]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 44qbXR22BnzBrlH; Thu, 25 Apr 2019 14:07:19 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.86]) by opfedar04.francetelecom.fr (ESMTP service) with ESMTP id 44qbXR0y44z1xnn; Thu, 25 Apr 2019 14:07:19 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBMA4.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0439.000; Thu, 25 Apr 2019 14:07:18 +0200
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Jon Shallow <supjps-ietf@jpshallow.com>, 'kaname nishizuka' <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
Thread-Index: AdT6ZmI8uG0f606MQBW+/9uvcTWn6QA3ueOAAAD5v4AAAuISAAACLWCw
Date: Thu, 25 Apr 2019 12:07:18 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA6591A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B93302EA649B4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp> <012601d4fb49$3328c000$997a4000$@jpshallow.com> <BYAPR16MB279020119E24ADCB54B339E3EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB279020119E24ADCB54B339E3EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/te2mQFS9tw3RUO36M9AlKCrMPr4>
Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 12:07:23 -0000

Tiru, 

Even if we assume that ACL-specific stats can be communicated via the signal channel (which we don't have an agreement on it so far), this is not specific to the filter-control spec but the same reasoning would apply for all ACLs instructed by the DOTS client (not only those that are adjusted during attack times).

Cheers,
Med

> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : jeudi 25 avril 2019 13:04
> À : Jon Shallow; 'kaname nishizuka'; BOUCADAIR Mohamed TGI/OLN; dots@ietf.org
> Objet : RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> 
> > -----Original Message-----
> > From: Dots <dots-bounces@ietf.org> On Behalf Of Jon Shallow
> > Sent: Thursday, April 25, 2019 2:58 PM
> > To: 'kaname nishizuka' <kaname@nttv6.jp>;
> > mohamed.boucadair@orange.com; dots@ietf.org
> > Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> >
> > This email originated from outside of the organization. Do not click links
> or
> > open attachments unless you recognize the sender and know the content is
> > safe.
> >
> > Hi there,
> >
> > The advantage of separating out the counters for the different ACLs is that
> > the DOTS client can then determine what is being effective or not.
> However,
> > if (signal) data is able to get from the DOTS server to the DOTS client,
> then it
> > is likely that the data channel will still be operable and can be used to
> get
> > these numbers so I still do not think that this should be over the signal
> > channel.
> >
> > I think that that the GET response (or observe response) bytes-dropped etc.
> > should be the total dropped - i.e. the sum of the ACls and what the DMS is
> > otherwise doing as it refers to the mitigation request.
> 
> If the DOTS server knows the traffic dropped by ACLs and the traffic dropped
> by DMS, why can't it provide this statistics separately instead of summing
> it.  If the incoming link is saturated, data channel will not function  but
> signal channel (using UDP) will work and there is a good possibility that one
> of the GET responses periodically sent will reach the client (As you already
> know, DOTS signal channel is tolerant to high packet loss in one direction).
> 
> -Tiru
> 
> >
> > Regards
> >
> > Jon
> >
> > > -----Original Message-----
> > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of kaname
> > > nishizuka
> > > Sent: 25 April 2019 10:00
> > > To: mohamed.boucadair@orange.com; dots@ietf.org
> > > Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats
> > > issue
> > >
> > > Hi Med, all,
> > >
> > > Regarding with the issue, I'm not convinced of the benefit to return
> > > the activated ACL statistics over signal-channel.
> > >
> > > The idea of this draft is based on this situation (quoted from Jon's
> > > comment):
> > > (It is) very unreliable when the inbound pipe is running full.  If the
> > > pipe is not running full, then this information can be obtained over the
> data
> > channel.
> > >
> > > ACL stats can be get over the data-channel. I don't see any reason to
> > > reproduce the same function.
> > >
> > > Further more, I don't think the DOTS server should notify that DOTS
> > > client with the change by including the corresponding acl-* parameters
> > > in an asynchronous notification.
> > > The basic behavior is already written in the draft:
> > >     This specification does not require any modification to the efficacy
> > >     update and the withdrawal procedures defined in
> > >     [I-D.ietf-dots-signal-channel].  In particular, ACL-related clauses
> > >     are not included in a PUT request used to send an efficacy update and
> > >     DELETE requests.
> > >
> > > If so, the server need not to store any resource about acl-* per
> > > mitigation request, which make the function of the signal-filter-control
> > simple enough.
> > >
> > > thanks,
> > > Kaname
> > >
> > > On 2019/04/24 15:24, mohamed.boucadair@orange.com wrote:
> > > > Hi all,
> > > >
> > > > We do have one pending issue to be resolved for this draft. The
> > > > issue is
> > > available at:
> > > > https://github.com/boucadair/filter-control/issues/1
> > > >
> > > > We need your feedback on this.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > >> -----Message d'origine-----
> > > >> De : Dots [mailto:dots-bounces@ietf.org] De la part de internet-
> > > >> drafts@ietf.org Envoyé : mercredi 24 avril 2019 07:34 À :
> > > >> i-d-announce@ietf.org Cc : dots@ietf.org Objet : [Dots] I-D Action:
> > > >> draft-ietf-dots-signal-filter-control-00.txt
> > > >>
> > > >>
> > > >> A New Internet-Draft is available from the on-line Internet-Drafts
> > > >> directories.
> > > >> This draft is a work item of the DDoS Open Threat Signaling WG of
> > > >> the
> > > IETF.
> > > >>
> > > >>          Title           : Controlling Filtering Rules Using
> Distributed
> > > >> Denial-of-Service Open Threat Signaling (DOTS) Signal Channel
> > > >>          Authors         : Kaname Nishizuka
> > > >>                            Mohamed Boucadair
> > > >>                            Tirumaleswar Reddy
> > > >>                            Takahiko Nagata
> > > >> 	Filename        : draft-ietf-dots-signal-filter-control-00.txt
> > > >> 	Pages           : 23
> > > >> 	Date            : 2019-04-23
> > > >>
> > > >> Abstract:
> > > >>     This document specifies an extension to the DOTS signal channel so
> > > >>     that DOTS clients can control their filtering rules when an attack
> > > >>     mitigation is active.
> > > >>
> > > >>     Particularly, this extension allows a DOTS client to activate or
> de-
> > > >>     activate existing filtering rules during a DDoS attack.  The
> > > >>     characterization of these filtering rules is supposed to be
> conveyed
> > > >>     by a DOTS client during an idle time by means of the DOTS data
> > > >>     channel protocol.
> > > >>
> > > >> Editorial Note (To be removed by RFC Editor)
> > > >>
> > > >>     Please update these statements within the document with the RFC
> > > >>     number to be assigned to this document:
> > > >>
> > > >>     o  "This version of this YANG module is part of RFC XXXX;"
> > > >>
> > > >>     o  "RFC XXXX: Controlling Filtering Rules Using Distributed
> Denial-
> > > >>        of-Service Open Threat Signaling (DOTS) Signal Channel";
> > > >>
> > > >>     o  reference: RFC XXXX
> > > >>
> > > >>     o  [RFCXXXX]
> > > >>
> > > >>     Please update these statements with the RFC number to be assigned
> > to
> > > >>     the following documents:
> > > >>
> > > >>     o  "RFC SSSS: Distributed Denial-of-Service Open Threat Signaling
> > > >>        (DOTS) Signal Channel Specification" (used to be
> > > >>        [I-D.ietf-dots-signal-channel])
> > > >>
> > > >>     o  "RFC DDDD: Distributed Denial-of-Service Open Threat Signaling
> > > >>        (DOTS) Data Channel Specification" (used to be
> > > >>        [I-D.ietf-dots-data-channel])
> > > >>
> > > >>     Please update the "revision" date of the YANG module.
> > > >>
> > > >>
> > > >> The IETF datatracker status page for this draft is:
> > > >> https://datatracker.ietf.org/doc/draft-ietf-dots-signal-filter-cont
> > > >> rol/
> > > >>
> > > >> There are also htmlized versions available at:
> > > >> https://tools.ietf.org/html/draft-ietf-dots-signal-filter-control-0
> > > >> 0
> > > >> https://datatracker.ietf.org/doc/html/draft-ietf-dots-signal-filter
> > > >> -control-
> > > >> 00
> > > >>
> > > >>
> > > >> Please note that it may take a couple of minutes from the time of
> > > submission
> > > >> until the htmlized version and diff are available at tools.ietf.org.
> > > >>
> > > >> Internet-Drafts are also available by anonymous FTP at:
> > > >> ftp://ftp.ietf.org/internet-drafts/
> > > >>
> > > >> _______________________________________________
> > > >> Dots mailing list
> > > >> Dots@ietf.org
> > > >> https://www.ietf.org/mailman/listinfo/dots
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email