Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

kaname nishizuka <kaname@nttv6.jp> Tue, 23 July 2019 12:29 UTC

Return-Path: <kaname@nttv6.jp>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6795412023D for <dots@ietfa.amsl.com>; Tue, 23 Jul 2019 05:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nttv6.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4XddJ3XR_RH for <dots@ietfa.amsl.com>; Tue, 23 Jul 2019 05:29:22 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8B57B120230 for <dots@ietf.org>; Tue, 23 Jul 2019 05:29:21 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [192.168.8.15]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id 6E19625F6BB; Tue, 23 Jul 2019 21:29:20 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nttv6.jp; s=20180820; t=1563884960; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OR11CmdQW5tCZwlDBgl28d76kwnfBz49AC2hD6HO0OI=; b=HoUWCN6484MH9ggPoB5mYlBVUUPvvNmzV9yrHXNc2hqGGTLflLsTtiHpCaYCx4bGSa2xrQ DibgFPguVKgTWba2MMLW5j0VPWw0CpOvp6JvcGeh5ZF3NIwwqI5Xw0tOJfvkHSk+1FYdiN amVOAkDxDdzmbL+MD06okTkXfehDGkw=
Received: from MacBook-Pro-17.local (fujiko.nttv6.jp [IPv6:2402:c800:ff06:136::141]) by z.nttv6.jp (NTTv6MTA) with ESMTP id BA4E0763504; Tue, 23 Jul 2019 21:29:19 +0900 (JST)
To: Jon Shallow <supjps-ietf@jpshallow.com>, "'Konda, Tirumaleswar Reddy'" <TirumaleswarReddy_Konda@mcafee.com>, dots@ietf.org
References: <156233245922.21720.2303446065970922340.idtracker@ietfa.amsl.com> <CAFpG3gcgpJRyLSoLkOMuUWY8pZrBPDCCz6-sc8A=1KW3GMpm+g@mail.gmail.com> <9401a258-5a32-b612-450b-10d3452777ac@nttv6.jp> <DM5PR16MB17054921F8CC3C2C90CB6A4BEAC40@DM5PR16MB1705.namprd16.prod.outlook.com> <a70c3aad-8b41-3d3c-7cd9-88d681e888b6@nttv6.jp> <MWHPR16MB171185CA2F151A9A5C9AAB78EAC70@MWHPR16MB1711.namprd16.prod.outlook.com> <0db301d54139$220ee340$662ca9c0$@jpshallow.com>
From: kaname nishizuka <kaname@nttv6.jp>
Message-ID: <f5203ce5-c827-4be5-6cd0-416357ca27f2@nttv6.jp>
Date: Tue, 23 Jul 2019 21:29:19 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <0db301d54139$220ee340$662ca9c0$@jpshallow.com>
Content-Type: multipart/alternative; boundary="------------9A36705E1DEC196350CEC33C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/u8XvHLMz1BUvoNvIZ7cSbDG118s>
Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 12:29:25 -0000

Hi Jon,

Please see inline.

On 2019/07/23 18:29, Jon Shallow wrote:
>
> Hi Kaname,
>
> “When an attack occur, the DDoS detection system will notice that the customer is under attack, then the pre-mitigation DOTS telemetry(= attack details) can be signaled from the DOTS server to the (associated) DOTS client”
>
> How is the DOTS telemetry information signalled/pushed from the DOTS server to the DOTS client?
>
[kaname]Yes, that is the question. I think it should be discussed in the meeting with regard to the telemetry I-D.


> Can it be assumed that a mitigation request is already active from the DOTS client and the telemetry update is piggybacked on a mitigation observe response?
>
[kaname]No. Currently the notification (via e-mail etc...) is done before any mitigation request.
If we allowed a dummy mitigation request for that observation purpose, it could be yes. (I don't think it's a good strategy)


> Is it down to the client doing a periodic poll of a (potentially new) resource?
>
[kaname]It could be one solution, however I'd like to seek a way with push notification.


> [The call home concept could cover this, but the client and server roles need to be clearly defined with possibly a client and server being resident in each peer]
>
[kaname] Yes, the telemetry I-D is covering the information exchange in both directions(server->client, client->server). Then I think it's a typical deployment for ISPs and mobile carriers that the DOTS server is in the provider's network and the DOTS client in the customer's network, as Meiling agreed with the usecase.

thanks,
Kaname
>
> Regards
>
> Jon
>
> *From:*Dots [mailto: dots-bounces@ietf.org] *On Behalf Of *Konda, Tirumaleswar Reddy
> *Sent:* 23 July 2019 08:04
> *To:* kaname nishizuka; tirumal reddy; dots@ietf.org
> *Subject:* Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
>
> Thanks for the clarification. I don’t think any of the DOTS use cases documents discuss this deployment. DOTS signal channel looks more suitable for these Pre-mitigation DOTS Telemetry Attributes than the DOTS data channel.
>
> Cheers,
>
> -Tiru
>
> *From:*kaname nishizuka <kaname@nttv6.jp>;
> *Sent:* Monday, July 22, 2019 8:26 PM
> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;; tirumal reddy <kondtir@gmail.com>;; dots@ietf.org
> *Subject:* Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
>
> *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Hi Tiru,
>
> Let me explain it.
> There is a service by several transit providers such as detection capabilities to notify clients of potential attacks.
> It is assumed that they have a DDoS mitigation system and a DDoS detection system (for example, a flow collector) separately.
> It is a realistic deployment that the DOTS server is integrated with the flow collector.
>
> When an attack occur, the DDoS detection system will notice that the customer is under attack, then the pre-mitigation DOTS telemetry(= attack details) can be signaled from the DOTS server to the (associated) DOTS client.
>
> Here is one of the traffic anomaly detection notification example (threshold basis) quoted from some actual service.
> Organization:       XXX
> Attack ID:          13227
> Start Time:         2019/06/05 22:52:30 JST+0900
> Level:              1
> Traffic Amount:     4.02k pps
> Threshold:          4.00k pps
> Direction:          incoming
> Victim IP Address:  x.x.x.x/32
> Attack Type:        TCP SYN
>
> It says like "it seems you're under attack, what will you do? (We can offer some protection)"
>
> regards,
> Kaname
>
> On 2019/07/22 23:11, Konda, Tirumaleswar Reddy wrote:
>
>     Thanks Kaname for the support. I did not get the comment. what type of pre-mitigation DOTS telemetry attributes can be signaled from the DOTS server to the DOTS client ?
>
>     And How will the DOTS server know the pre-mitigation DOTS telemetry attributes relevant or associated with a DOTS client ?
>
>     Cheers,
>
>     -Tiru
>
>     *From:*Dots <dots-bounces@ietf.org>; <mailto:dots-bounces@ietf.org> *On Behalf Of *kaname nishizuka
>     *Sent:* Monday, July 22, 2019 6:44 PM
>     *To:* tirumal reddy <kondtir@gmail.com>; <mailto:kondtir@gmail.com>; dots@ietf.org <mailto:dots@ietf.org>
>     *Subject:* Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt
>
>     *CAUTION*:External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>     I support this draft.
>
>     I'd like to mention about the telemetry attributes from a DOTS server to a DOTS client.
>     Currently, several transit ISPs are providing DDoS detection and protection services.
>     In such a service, they send a DDoS detection notification via e-mail when they noticed that their customer is under attack.
>     The mail includes the telemetry information such as 4.1.5. Attack Details.
>     This info can be used for further decision of protection strategy by the customer's security operators.
>     I think it should be covered by the DOTS telemetry specification.
>
>     One suggestion to the draft:
>     Pre-mitigation DOTS Telemetry Attributes can also be signaled from the DOTS server to the DOTS client.
>
>     thanks,
>     Kaname
>
>
>     On 2019/07/05 22:20, tirumal reddy wrote:
>
>         Hi all,
>
>         https://tools.ietf.org/html/draft-reddy-dots-telemetry-00 aims to enrich DOTS protocols with various telemetry attributes allowing optimal DDoS attack mitigation. This document specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigator to choose the DDoS mitigation techniques and perform optimal DDoS attack mitigation.
>
>         Comments, suggestions, and questions are more than welcome.
>
>
>         Cheers,
>
>         -Tiru
>
>         ---------- Forwarded message ---------
>         From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>         Date: Fri, 5 Jul 2019 at 18:44
>         Subject: New Version Notification for draft-reddy-dots-telemetry-00.txt
>         To: Tirumaleswar Reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>>, Ehud Doron <ehudd@radware.com <mailto:ehudd@radware.com>>, Mohamed Boucadair <mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>>
>
>
>
>
>         A new version of I-D, draft-reddy-dots-telemetry-00.txt
>         has been successfully submitted by Tirumaleswar Reddy and posted to the
>         IETF repository.
>
>         Name:           draft-reddy-dots-telemetry
>         Revision:       00
>         Title:          Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
>         Document date:  2019-07-05
>         Group:          Individual Submission
>         Pages:          13
>         URL: https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-00.txt
>         Status: https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
>         Htmlized: https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
>         Htmlized: https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry
>
>
>         Abstract:
>            This document aims to enrich DOTS signal channel protocol with
>            various telemetry attributes allowing optimal DDoS attack mitigation.
>            This document specifies the normal traffic baseline and attack
>            traffic telemetry attributes a DOTS client can convey to its DOTS
>            server in the mitigation request, the mitigation status telemetry
>            attributes a DOTS server can communicate to a DOTS client, and the
>            mitigation efficacy telemetry attributes a DOTS client can
>            communicate to a DOTS server.  The telemetry attributes can assist
>            the mitigator to choose the DDoS mitigation techniques and perform
>            optimal DDoS attack mitigation.
>
>
>
>
>         Please note that it may take a couple of minutes from the time of submission
>         until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org>;.
>
>         The IETF Secretariat
>
>
>
>         _______________________________________________
>
>         Dots mailing list
>
>         Dots@ietf.org <mailto:Dots@ietf.org>
>
>         https://www.ietf.org/mailman/listinfo/dots
>
>     _______________________________________________
>
>     Dots mailing list
>
>     Dots@ietf.org <mailto:Dots@ietf.org>
>
>     https://www.ietf.org/mailman/listinfo/dots
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots