Re: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
mohamed.boucadair@orange.com Fri, 03 April 2020 05:53 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826073A1018 for <dots@ietfa.amsl.com>; Thu, 2 Apr 2020 22:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p22nybqsSo0I for <dots@ietfa.amsl.com>; Thu, 2 Apr 2020 22:53:44 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED45B3A1016 for <dots@ietf.org>; Thu, 2 Apr 2020 22:53:43 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 48tpyY6wmDz1yJ1; Fri, 3 Apr 2020 07:53:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1585893222; bh=XRgdjYyQKKvtmlru0bRifFKpMooV5RXPi9aou4hfiTI=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=FSP7XaSA0fDn9ACmV6Y4rxJm25r3xbh0cLmlxnLlz0pXMa2WonLp44yZBiRkuGyhF iv2XerCvBse2HXcjehf+nlWmZ8EpyY+Ct0Y7ZMh8NeXpyPhwtmIfZaVHdZupBrnEg8 ifhoeN6LtaMLNSXzrC6y3NZl9XGeTMkmo0PwnDqXkhXksI9TH9X8s21BhfyYjZJx1m 2Zpa1INazHZkwCZnGEqRNdkINcMQHnm5cNRIUO8KesPk76DUyHw7ePfxe+BQjqbYFl 4tmshh2KNKHr7rw9fTkNigs2grygGy/UgCggmyEXUjfijrDkvGVJaCCeUIYwSqpOxh 0UtaYoB6TyGAA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.92]) by opfednr02.francetelecom.fr (ESMTP service) with ESMTP id 48tpyY6By7z8sYj; Fri, 3 Apr 2020 07:53:41 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, kaname nishizuka <kaname@nttv6.jp>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
Thread-Index: AQKpDKSlae91Qx1rveAaG4y93fawwwGS0CN0ActngzYBop/8/AGLlQYiAqtlZCwC5xXv2wJXxJ8rAWqlVlgB+pAcCQK0mLlyAOa0qGymFG2a0IAAsLmg
Date: Fri, 03 Apr 2020 05:53:41 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93303148D4EE@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <158532456961.24330.9684049527965442282@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93303148203F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0acd01d60458$9df439f0$d9dcadd0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031482353@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0b7501d604f9$40fd53c0$c2f7fb40$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031483683@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0db001d606d0$3f6312b0$be293810$@jpshallow.com> <787AE7BB302AE849A7480A190F8B933031489524@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <0ed901d6079d$ad34b1e0$079e15a0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303148B373@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <101201d60868$affd91a0$0ff8b4e0$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93303148D091@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <112b01d60927$b2ae7300$180b5900$@jpshallow.com>
In-Reply-To: <112b01d60927$b2ae7300$180b5900$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/veYoqZQpbhMVfOmo-m59ai8nyP8>
Subject: Re: [Dots] New Version Notification for draft-ietf-dots-telemetry-05.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 05:53:50 -0000
Hi Jon,
Moving the discussion to the WG list as this is an important design change we need to make.
Please see inline.
Cheers,
Med
> -----Message d'origine-----
> De : Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> Envoyé : jeudi 2 avril 2020 21:49
> À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname
> nishizuka
> Objet : RE: [Dots] New Version Notification for draft-ietf-dots-
> telemetry-05.txt
>
> Stepping back to look at the bigger picture, I think that I would be
> more interested in the detail of a potentially multi-vectored mutating
> attack, and so question whether having target-protocol as an overall
> restrictive view of all the detail makes sense. It is easier to
> filter out data that I do not want / care about after receiving it.
> The remote peer may not have the same view of what to send v what I am
> interested in.
>
> [I am concerned about over-filling a packet and having to go into CoAP
> Block2 mode though which will fail on a saturated link. I have not
> done any sizing of that yet with genuine attack information]
>
> So, for the /tm and /tm-setup stuff do we really need target-protocol
> and could just have protocol as an optional, but array, entity?
[Med] It is important to provide details per protocol as this will help identifying abnormal patterns.
We could associate 0 to mean "all" protocols but I know this will hurt many. We can consider the following change:
OLD
| +--rw baseline* [id]
| +--rw id uint32
| +--rw target-prefix* inet:ip-prefix
| +--rw target-port-range* [lower-port]
| | +--rw lower-port inet:port-number
| | +--rw upper-port? inet:port-number
| +--rw target-protocol* uint8
| +--rw target-fqdn* inet:domain-name
| +--rw target-uri* inet:uri
| +--rw total-traffic-normal-baseline* [unit protocol]
| | +--rw unit unit
| | +--rw protocol uint8
| | +--rw low-percentile-g? yang:gauge64
| | +--rw mid-percentile-g? yang:gauge64
| | +--rw high-percentile-g? yang:gauge64
| | +--rw peak-g? yang:gauge64
NEW:
| +--:(baseline)
| +--rw baseline* [id]
| +--rw id uint32
| +--rw target-prefix* inet:ip-prefix
| +--rw target-port-range* [lower-port]
| | +--rw lower-port inet:port-number
| | +--rw upper-port? inet:port-number
| +--rw target-protocol* uint8
| +--rw target-fqdn* inet:domain-name
| +--rw target-uri* inet:uri
| +--rw alias-name* string
| +--rw total-traffic-normal* [unit]
| | +--rw unit unit
| | +--rw low-percentile-g? yang:gauge64
| | +--rw mid-percentile-g? yang:gauge64
| | +--rw high-percentile-g? yang:gauge64
| | +--rw peak-g? yang:gauge64
| +--rw total-traffic-normal-per-protocol* [unit protocol]
| | +--rw unit unit
| | +--rw protocol uint8
| | +--rw low-percentile-g? yang:gauge64
| | +--rw mid-percentile-g? yang:gauge64
| | +--rw high-percentile-g? yang:gauge64
| | +--rw peak-g? yang:gauge64
Of course, the protocol must be listed in target-protocol (if present).
>
> Then for /mitigate, target-protocol is ignored in deciding what to
> send back, but the use of an optional protocol array can reduce some
> of the packet size.
>
> total-attack-connection / total-connection-capacity will only be for
> connection based connections - primarily TCP I suspect.
[Med] Agree.
However
> (target) ports may be relevant here - a server may be able to support
> X HTTPS connections, but only Y DNS (TCP) connections - or a load-
> balancer in the path is only capable of handling Z connections - no
> matter what the port is.. So, do we want to introduce optional ports?
[Med] These ports have to be listed in target-port-range (if present). If we include port to the existing list, we can't maintain two entries for the same protocol but with distinct port. It may be more simple to make this change:
OLD:
| +--rw total-connection-capacity* [protocol]
| +--rw protocol uint8
| +--rw connection? uint64
| +--rw connection-client? uint64
| +--rw embryonic? uint64
| +--rw embryonic-client? uint64
| +--rw connection-ps? uint64
| +--rw connection-client-ps? uint64
| +--rw request-ps? uint64
| +--rw request-client-ps? uint64
| +--rw partial-request-ps? uint64
| +--rw partial-request-client-ps? uint64
NEW:
| +--rw total-connection-capacity* [protocol]
| | +--rw protocol uint8
| | +--rw connection? uint64
| | +--rw connection-client? uint64
| | +--rw embryonic? uint64
| | +--rw embryonic-client? uint64
| | +--rw connection-ps? uint64
| | +--rw connection-client-ps? uint64
| | +--rw request-ps? uint64
| | +--rw request-client-ps? uint64
| | +--rw partial-request-ps? uint64
| | +--rw partial-request-client-ps? uint64
| +--rw total-connection-capacity-per-port* [protocol lower-port]
| +--rw protocol uint8
| +--rw lower-port inet:port-number
| +--rw connection? uint64
| +--rw connection-client? uint64
| +--rw embryonic? uint64
| +--rw embryonic-client? uint64
| +--rw connection-ps? uint64
| +--rw connection-client-ps? uint64
| +--rw request-ps? uint64
| +--rw request-client-ps? uint64
| +--rw partial-request-ps? uint64
| +--rw partial-request-client-ps? uint64
>
> > > NEW:
> > > "Sending a DELETE with no 'tmid' indicates that all 'tmids' must
> be
> > > deactivated."
> > >
>
> I found this (but I prefer your addition for consistency)
>
> A DOTS client that lost the state of its active 'tmids' or has to
> set
> 'tmid' back to zero (e.g., crash or restart) MUST send a GET
> request
> to the DOTS server to retrieve the list of active 'tmid'. The DOTS
> client may then delete 'tmids' that should not be active anymore.
>
[Med] Yes. The NEW text will be right after this one.
> Other minor nits
>
> OLD
> attack-severity: Attack severity. These values are supported:
> Emergency (1), critical (2), and alert (3).
> NEW (case of emergency)
> attack-severity: Attack severity. These values are supported:
> emergency (1), critical (2), and alert (3).
>
> OLD
> tmid: Telemetry Identifier is an identifier for the DOTS pre-or-
> ongoing-mitigation telemetry data represented as an integer.
> This identifier MUST be generated by DOTS clients. 'tsid'
> values
> NEW tsid -> tmid
> tmid: Telemetry Identifier is an identifier for the DOTS pre-or-
> ongoing-mitigation telemetry data represented as an integer.
> This identifier MUST be generated by DOTS clients. 'tmid'
> values
>
[Med] Fixed. Thanks.
> Regards
>
> Jon
>
>
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> [mailto:mohamed.boucadair@orange.com]
> > Sent: 02 April 2020 19:42
> > To: Jon Shallow; Konda, Tirumaleswar Reddy; kaname nishizuka
> > Subject: RE: [Dots] New Version Notification for draft-ietf-dots-
> telemetry-05.txt
> >
> > Re-,
> >
> > The same issue applies as well for the baseline component:
> >
> > If we convey multiple protocols in target-prefix and want to signal
> all total-
> > traffic-normal-baseline + total-traffic-normal-baseline of each
> protocol listed in
> > target-prefix, we will need to have to use an index in addition to
> the unit.
> > Protocol can then become optional. The same apply for total-
> connection-
> > capacity.
> >
> > I need to think about this further.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : BOUCADAIR Mohamed TGI/OLN
> > > Envoyé : jeudi 2 avril 2020 19:29
> > > À : 'Jon Shallow'; Konda, Tirumaleswar Reddy; kaname nishizuka
> > > Objet : RE: [Dots] New Version Notification for draft-ietf-dots-
> > > telemetry-05.txt
> > >
> > > Hi Jon,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> > > > Envoyé : mercredi 1 avril 2020 23:01
> > > > À : BOUCADAIR Mohamed TGI/OLN; Konda, Tirumaleswar Reddy; kaname
> > > > nishizuka
> > > > Objet : RE: [Dots] New Version Notification for draft-ietf-dots-
> > > > telemetry-05.txt
> > > >
> > > > Hi Med et al,
> > > >
> > > > Other nits (as well as 2 following sections)
> > > >
> > > > OLD:
> > > >
> > > > ongoing-mitigation telemetry data from the DOTS server. The
> GET
> > > > request specify a 'tmid' (Figure 31) or not (Figure 32).
> > > >
> > > > NEW:
> > > >
> > > > ongoing-mitigation telemetry data from the DOTS server. The
> GET
> > > > request specifies a 'tmid' (Figure 31) or not (Figure 32).
> > > >
> > >
> > > [Med] Fixed.
> > >
> > >
> > > > DELETE /tm
> > > >
> > > > Does no tmid= delete all tmids ?
> > > > - In particular after a restart of a client?
> > > >
> > >
> > > [Med] Yes, they should be "deactivated".
> > >
> > > NEW:
> > > "Sending a DELETE with no 'tmid' indicates that all 'tmids' must
> be
> > > deactivated."
> > >
> > > > >
> > > > > .. The below is coming from what the server sends to the
> client
> > > > perspective. I
> > > > > accept that in the client sending to the server having target-
> > > > protocol and
> > > > > protocol may give rise to some potential confusion...
> > > > >
> > >
> > > [Med] Let's see how to avoid the inconsistency. The YANG module is
> > > currently reflecting the text we have I draft-ietf-dots-telemetry-
> > > 04#section-7.1. We need to check that section to see where the
> per-
> > > transport is mentioned and make sure we don't break things.
> > >
> > > For example, if protocol is present in the target, we to avoid
> > > conflicting (and redundant) information to be supplied in the
> > > telemetry data.
> > >
> > > > > >
> > > > > > In terms of protocol, there are still some consistencies
> even if
> > > > you accept the
> > > > > > argument that protocol is already defined in the mitigation
> > > scope
> > > > (which I am
> > > > > > not happy with).
> > > > > >
> > > > > > 1) target-protocol is optionally set and it is an array
> whereas
> > > > protocol is
> > > > > singular
> > > > > >
> > > > > > 2) protocol is defined mitigation scope augment as per
> > > > > > module: ietf-dots-telemetry
> > > > > > augment /ietf-signal:dots-signal/ietf-signal:message-
> > > type/ietf-
> > > > > signal:mitigation-
> > > > > > scope/ietf-signal:scope:
> > > > > > +--ro total-traffic* [unit protocol] {dots-telemetry}?
> > > > > > | +--ro unit unit
> > > > > > | +--ro protocol uint8
> > > > > > | +--ro low-percentile-g? yang:gauge64
> > > > > > | +--ro mid-percentile-g? yang:gauge64
> > > > > > | +--ro high-percentile-g? yang:gauge64
> > > > > > | +--ro peak-g? yang:gauge64
> > > > > > +--rw total-attack-traffic* [unit] {dots-telemetry}?
> > > > > > | +--rw unit unit
> > > > > > | +--rw low-percentile-g? yang:gauge64
> > > > > > And so there is no consistency between total-traffic and
> total-
> > > > attack-traffic
> > >
> > > [Med] The idea was to have a view of total traffic bound to a
> target
> > > prefix/domain. We should clarify or remove the protocol for this
> one.
> > > Fair enough.
> > >
> > > > > >
> > > > > > 3) For /tm you have
> > > > > > +--:(telemetry) {dots-telemetry}?
> > > > > > +--rw pre-or-ongoing-mitigation* [cuid tmid]
> > > > > > ..
> > > > > > | +--rw target-protocol* uint8
> > > > > > ..
> > > > > > +--rw total-traffic* [unit protocol]
> > > > > > | +--rw unit unit
> > > > > > | +--rw protocol uint8
> > > > > > ..
> > > > > > +--rw total-attack-traffic* [unit protocol]
> > > > > > | +--rw unit unit
> > > > > > | +--rw protocol uint8
> > > > > >
> > > > > > And so could argue here that protocol is not needed
> > >
> > > [Med] but we may have many protocols listed under target-protocol.
> > >
> > > > > >
> > > > > > 4) If target-protocol is not specified, then it refers to
> any
> > > > protocol. If target-
> > > > > > protocol is not defined in /mitigate, then I have no way of
> > > > indicating which is a
> > > > > > problematic protocol if protocol is not supported.
> > >
> > > [Med] Good point. This one (and the following one) justifies that
> we
> > > need to revisit the design.
> > >
> > > We ca group the data by target-protocol and send many tmids if
> many
> > > protocols need to be returned. Protocol can be then optional.
> > >
> > > Would that be better?
> > >
> > >
>
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-iet… Jon Shallow