[Dots] Some comments on draft-reddy-dots-home-network
"Panwei (William)" <william.panwei@huawei.com> Sat, 27 October 2018 03:43 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E291292AD for <dots@ietfa.amsl.com>; Fri, 26 Oct 2018 20:43:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a2EmVuTZqWmj for <dots@ietfa.amsl.com>; Fri, 26 Oct 2018 20:43:10 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75625126BED for <dots@ietf.org>; Fri, 26 Oct 2018 20:43:10 -0700 (PDT)
Received: from lhreml705-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 6E40B87E8366A for <dots@ietf.org>; Sat, 27 Oct 2018 04:43:07 +0100 (IST)
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by lhreml705-cah.china.huawei.com (10.201.108.46) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sat, 27 Oct 2018 04:43:07 +0100
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.10]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0415.000; Sat, 27 Oct 2018 11:42:58 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "dots@ietf.org" <dots@ietf.org>
CC: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
Thread-Topic: Some comments on draft-reddy-dots-home-network
Thread-Index: AdRtpgRgty6p189FRMWoghGoq+28Mw==
Date: Sat, 27 Oct 2018 03:42:57 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A608A1CBB@nkgeml513-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A608A1CBBnkgeml513mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/vvMboqdsn2l59s-QV1-Fn5smYmc>
Subject: [Dots] Some comments on draft-reddy-dots-home-network
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2018 03:43:14 -0000
Hi authors of draft-reddy-dots-home-network, I've gone through the DOTS Signal Channel Call Home draft. In my opinion, the scenario described in this draft is important and the solution is very useful. In this draft, you described the problem which IoT devices in home network faced and the corresponding solution. These IoT devices may be easily compromised to become the DDoS attackers. For this situation, the most effective ways to mitigate the attack are blocking the traffic from these IoT devices to the attack targets and quarantining the devices. We can also consider the ways as attack mitigation near the source. For this draft I also have some comments as follows. Comment 1: The draft can extend the scenario. I think other scenarios may have the similar problems and the solution can be similar too. For example, the devices in the DC scenario may not only be the victims of DDoS attacks, but also can be compromised and used for launching DDoS attacks in some cases. If the latter situation happens, the solution described in the draft will be helpful too. Comment 2: The draft should specific the way that the DOTS server learns its own scope of domain. Comment 3: The draft should extend the protocol to convey the scope of the DOTS server's domain to the DOTS client. In the section 3.2.1, it says "the DOTS client MUST validate that attacker prefixes are within the scope of the DOTS server's domain". To achieve this goal, I think the two issues list above should be solved first. The scope of the DOTS server's domain may be configured by the administrator directly, or it can be learned by the DOTS server automatically if possible. If the configuration way is a better choice, the YANG module may be worth to be defined. Without conveying the scopes of each DOTS server to the DOTS client, the DOTS client will not be able to find the exact DOTS server to send the mitigation request. Comment 4: The draft should consider more for Network Address Translation. Due to the exhaustion of IP addresses, the NAT function has been used more and more widely, so the home network is very likely to be behind NAT equipment. With this background, I think we should consider more about the problems brought by NAT functions and the methods how we solve these problems, otherwise the whole solution will be very restricted in use. One problem has been described in section 3.2.1 where it says "When a translator is on-path, the DOTS server uses the attack traffic information to find the internal source IP address of the compromised device". But before the DOTS server receives the mitigation request from the DOTS client, the DOTS client must know the DOTS server's external scope, otherwise the DOTS client can't find the correct DOTS server to send the mitigation request. So the DOTS server should know its own external scope first, then convey the external scope to the DOTS client, and at last find the internal source IP address when receive a mitigation request. Comment 5: The Attack Name/Type or ID is optional to be conveyed. >From my point of view, the detailed information of the attack, like attack type, may be mainly helpful for diagnostic purpose. Its help for mitigating the attack is limited. Best Regards Wei Pan
- [Dots] Some comments on draft-reddy-dots-home-net… Panwei (William)
- Re: [Dots] Some comments on draft-reddy-dots-home… mohamed.boucadair