Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 11 September 2018 10:31 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA3E130E43 for <dots@ietfa.amsl.com>; Tue, 11 Sep 2018 03:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pzHSEJjuuQ8 for <dots@ietfa.amsl.com>; Tue, 11 Sep 2018 03:31:19 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 919D8130DE7 for <dots@ietf.org>; Tue, 11 Sep 2018 03:31:19 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1536661881; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-exchange-antispam-report-test: x-ms-exchange-senderadcheck:x-exchange-antispam-report-cfa-test: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=h bO80VI29mYPE9c98YlBzXCCog4iDrBUhI31MkjMLM 8=; b=j4bJOCFn3nNgV1Q49yDZAAOIXYy2j6D5viwQMeU5CpoU n1nS6P2qhZFtJN3PmhPwCAsyn/g0/QZm/DoUZ2f+mdwQDMAsiv Sw6kijpGC0Uq/sFsy4rq1KLZ1IGMjSqGmRAPfeDNw53/QWQeV8 15jvJwXqUqWxxngk7Vykp1L/AfE=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 7e63_b5d4_66ece2cb_7aa8_40ba_b8be_8559ed26e73b; Tue, 11 Sep 2018 05:31:20 -0500
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 11 Sep 2018 04:30:53 -0600
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 11 Sep 2018 04:30:52 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Tue, 11 Sep 2018 04:30:52 -0600
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 11 Sep 2018 04:30:51 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1603.namprd16.prod.outlook.com (10.172.208.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1122.15; Tue, 11 Sep 2018 10:30:49 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::517:e3a:5fb2:8a75]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::517:e3a:5fb2:8a75%5]) with mapi id 15.20.1122.019; Tue, 11 Sep 2018 10:30:49 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, 'kaname nishizuka' <kaname@nttv6.jp>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt
Thread-Index: AQHUNiXwJ7qUEGeO/kqEzSoNu5xIs6TU5dOAgABVjMCACQRVgIAAAFHggAF0eACAABFf0IAKr3yAgABVrQCAABeIMIAADHkAgAAMaACAAAxQEA==
Date: Tue, 11 Sep 2018 10:30:49 +0000
Message-ID: <BN6PR16MB1425F6240EF1AE7937DA6E8AEA040@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <153450832098.18132.7342824614297335945@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302DFAB5EC@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <63f96d7b-77f0-e5c4-6759-1225079f84f6@nttv6.jp> <BN6PR16MB14250EB96CE34C0846F73B10EA0A0@BN6PR16MB1425.namprd16.prod.outlook.com> <5407aeab-0712-7c78-83eb-cb4078f1fabe@nttv6.jp> <BN6PR16MB1425F8408EE866874368C39DEA0C0@BN6PR16MB1425.namprd16.prod.outlook.com> <2c4a0f54-fbcd-7479-44c5-6e4480387642@nttv6.jp> <BN6PR16MB14255CE5FFC87137449808BAEA030@BN6PR16MB1425.namprd16.prod.outlook.com> <7903e0ee-628b-cb9a-f1a2-d9675d433093@nttv6.jp> <787AE7BB302AE849A7480A190F8B93302DFDDACD@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <BN6PR16MB1425E6B244129E36A39B408DEA040@BN6PR16MB1425.namprd16.prod.outlook.com> <af177bd5-d4bd-49b5-0eae-3cbe026c72f9@nttv6.jp> <036901d449b3$dd77da20$98678e60$@jpshallow.com>
In-Reply-To: <036901d449b3$dd77da20$98678e60$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.500.52
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1603; 6:O5zvwf7oiUJB1zo5v+021XjdpUS3rD7bFZ4tNoDBZaWv/t/bKcQKLvAX6FagwKEHmIQS9Xsaux1s5nAKmEwM9ePwnDYendFrWmd52K6kPCRO6zYSOkOEPcrGP6xWoRV0DfqFr9uVrhWgv1vaKtLqBFFbwE4bVemgQX6gERSPFsvwji1l/TuUE3N8g1DON6aJabJl6Qc9QpfhP8ekdIpR0kmoEdqK4b1pBmXZdsvvZuTInxbUmTOTYnJwakAnqenXgQYfrtzLr6y66KP6yn2R84jzJFNc38YL4t4aobfiwDA4oyJrc42hUzrSvIxXRKsYKpruNAiYsmGoBsz1mCB5zfxPNRw9TdToJ93SgKDlPf3AolIVNQYyGIxZ8l2ta49BvFiveLR2olZ0Hi7ANUgZnFtI70UJHJC6GPSVCMsbxCBw3OkpiJMq++DaVaqEXRQOMU/fYYeCJLDfV+LSO218OQ==; 5:rRCLkAZZ3pe1MjTXaC46bUBORT0xnmWpnLRwC0IBB7FSZ1bvH5ttvM7ikwmjD/zN12fBgkQ5MioM3W0p5o8+kv8t3/HbYPnIoY6DkPX3uy/98DZK340tCzVHfs3Bkt3orp8ylV618yPloccoH9MjwWTZeL+zbeLoYQ7eUShQCDo=; 7:70BYyARO0wDpuiviyTJVegFVWfo7MJJMaUuxfwqFuNuotE3Xdqy7Ff/FCjHLAQyMbshLN5pk7PPpWIJ0QECDOJhk4sf7Td7nJLQacAOAk8Q6rLpnFnQlrQGPnOEQ7bToFbM05+ZxIqvQu8LRB1fICMiMsCvchydZNQzbE3AmV1KkS7OZYDRgPCgE8SMgg10850OomhN91OHBaiINyRF/2ATaskarDNEIvpX/NdPRWNEo8UwkjOxkMvg3h10dkN2w
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7dc4f2fd-1990-44a4-cfc7-08d617d1a4b6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1603;
x-ms-traffictypediagnostic: BN6PR16MB1603:
x-microsoft-antispam-prvs: <BN6PR16MB16031E0FB6ED982AA65FDD80EA040@BN6PR16MB1603.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(120809045254105)(103651359005742)(161740460382875)(18271650672692)(21748063052155)(123452027830198);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(10201501046)(3231311)(944501410)(52105095)(93006095)(93001095)(149027)(150027)(6041310)(20161123562045)(20161123564045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699050); SRVR:BN6PR16MB1603; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1603;
x-forefront-prvs: 0792DBEAD0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(136003)(376002)(39860400002)(396003)(366004)(32952001)(53754006)(51914003)(199004)(189003)(55784004)(236005)(54896002)(86362001)(5250100002)(486006)(55016002)(8936002)(606006)(7736002)(6306002)(53936002)(97736004)(26005)(316002)(6506007)(53546011)(8676002)(2501003)(446003)(11346002)(9686003)(25786009)(110136005)(2906002)(81166006)(72206003)(478600001)(105586002)(14444005)(256004)(5024004)(81156014)(16200700003)(21615005)(2201001)(476003)(561944003)(53946003)(68736007)(966005)(14454004)(6436002)(76176011)(74316002)(93886005)(66066001)(80792005)(3846002)(790700001)(6116002)(2900100001)(106356001)(102836004)(229853002)(7696005)(186003)(33656002)(5660300001)(6246003)(99286004)(85282002)(579004)(559001)(569006); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1603; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ZucpW9e45/mz4O6gzUow+D2eHPugYG+jKpJJmtzvEJ6hfbdC+e0wilk7Afg2YIDO8NRIwxCM6MudU8Opscdd36xZHzTyK9KrgdjYGs6DNs3XBHRFJASRI/+IHSuAGzfHoNE+7xMTelaeowOAOYBEgNbKoxnMkMu/lx0r+nNIJnDFBlQBfS3ugX8NWNMgz71LJU3Ios7bieIQKVJDKaSLdDruynFqbAqPFohXVWI8NqxIAZ95r/LygeLWCuUhKCrOqcNvJ0pEsh+dBmQk8iPz1wvnF5w8SiVHJrYzEKMA5iMAknjE7A8ObBvoVe0FuVEqTIwDKZO0HTz5H74wLlqfJkJIAC61zeIZ5e0GH3d1Zhk=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR16MB1425F6240EF1AE7937DA6E8AEA040BN6PR16MB1425namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7dc4f2fd-1990-44a4-cfc7-08d617d1a4b6
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2018 10:30:49.6989 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1603
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6370> : inlines <6870> : streams <1798130> : uri <2708095>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/wD3SWaJ-Az1d_0Tq3TusO7Alj_o>
Subject: Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2018 10:31:24 -0000

Agree with the response from Jon, will fix the draft to clarify that GET+sid returns both the current and min/max values.
OLD:
   A DOTS client may issue a GET message with 'sid' Uri-Path parameter
   to retrieve the negotiated configuration.
NEW:
   A DOTS client may issue a GET message with 'sid' Uri-Path parameter
   to retrieve the acceptable and negotiated configuration.

-Tiru

From: Jon Shallow <supjps-ietf@jpshallow.com>
Sent: Tuesday, September 11, 2018 3:13 PM
To: 'kaname nishizuka' <kaname@nttv6.jp>jp>; Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>om>; mohamed.boucadair@orange.com; dots@ietf.org
Subject: RE: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Kaname,

I like to think of this as there being an initial set of defaults for the configuration which are used by the DOTS server for any new session.

It has to be assumed that both the DOTS client and DOTS server “remember” the current values, especially as there could be a change from peace time to mitigation and vice versa.

The DOTS client can then update the “current” values by using a PUT with a sid.  If the updated “current” are not refreshed by the DOTS client within the MAX_AGE time, then I see them as reverting back to the initial defaults.

To refresh the DOTS server’s notion of what should be current, this could just be done with a “PUT + sid”.  However, as Med points out, there needs to be a way of determining whether the session configuration parameters have been re-configured on the DOTS server by the DOTS client.  This means that a GET has to be executed prior to doing a PUT + sid to see if there have been any changes.   Using a “GET + sid” replaces (a traffic reduction) the need for the GET + “PUT + sid”.  At the time of the response of the “GET + sid”, both the DOTS client and DOTS server have the same configuration so is there really a need for the additional “PUT + sid” to cause the DOTS server to reset the timer for the current session?
- Just use the “GET + sid” to cause the server timer to get refreshed.

[If the DOTS client does not agree with the updated values, it can do another PUT with an incremented sid].

As Tiru says, doing a GET without sid will not cause the updated “current” values to get refreshed for another MAX_AGE.  So the DOTS server will revert back to the initial default values.  Only a GET + sid will do this refresh.

[I have noticed that I misunderstood the response of a GET + sid.  My code currently only returns the “current” values, not the min/max as well – maybe this was in a previous iteration of the draft – I will get it corrected to the current draft]

Regards

Jon


From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of kaname nishizuka
Sent: 11 September 2018 09:59
To: Konda, Tirumaleswar Reddy; mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>; dots@ietf.org<mailto:dots@ietf.org>; Jon Shallow
Subject: Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt

Hi Med, Tiru,

Thanks for the clarification. I can trace the way, but I feel it is going to implementation specific.
> some implementations may override the config hence the decision to go with GET + sid to mimic the behavior of sending a GET and then a PUT.
What I've not been convinced of is why some (presumably Jon's) implementations requires it.
If it is useful, I'm happy to implement it, but currently the advantage is unclear for me. I want to hear from Jon.
As for the text in the draft, if "refresh" means override of the config, it should be said so. Otherwise, the first reader will have the same question as I had.

thanks,
Kaname
On 2018/09/11 17:19, Konda, Tirumaleswar Reddy wrote:
Further, ‘sid’ is a mandatory parameter to update the DOTS signal channel session config, hence it is a mandatory parameter to refresh the config.

-Tiru

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com><mailto:mohamed.boucadair@orange.com>
Sent: Tuesday, September 11, 2018 12:20 PM
To: kaname nishizuka <kaname@nttv6.jp><mailto:kaname@nttv6.jp>; Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com><mailto:TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org<mailto:dots@ietf.org>; Jon Shallow <supjps-ietf@jpshallow.com><mailto:supjps-ietf@jpshallow.com>
Subject: RE: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Kaname,

As a reminder, the functionality we wanted to achieve is to inform a client about a configuration change occurred at the DOTS server. An initial version of the configuration was agreed as a result of a PUT. The natural way to achieve the functionality is to use a PUT, but some implementations may override the config hence the decision to go with GET + sid to mimic the behavior of sending a GET and then a PUT.

The presence of sid is an indicator that an initial configuration was first agreed between the client/server; but then get updated by the server. The client is aware of that.

Cheers,
Med

De : Dots [mailto:dots-bounces@ietf.org] De la part de kaname nishizuka
Envoyé : mardi 11 septembre 2018 03:43
À : Konda, Tirumaleswar Reddy; dots@ietf.org<mailto:dots@ietf.org>; Jon Shallow
Objet : Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt

Hi Tiru, Jon,

I read the thread again and would like to raise the same question to Jon.

Here is a statement from Jon in the thread.
```
How will the GET request (I presume with SID) refresh the DOTS signal channel configuration parameters ?
Jon> By doing the GET, both ends are in agreement (at that point in time), so the current configuration is “fresh” and so no need to do a “refresh”.
```

My question is, what behavior of the DOTS server represents that they are in the "agreement".
The DOTS server need not to have a counter for age of the configuration freshness because it only sends Max-Age, so it is stateless.
The second question is that why only GET request with SID can take effect.
For example,  GET request without 'sid' also returns the current and acceptable configuration.
If it is not treated as an agreement on the DOTS server, what different behavior the DOTS server would have?

Again, for me, not mentioning 'sid' in this case is sufficient (it will allow both with and without sid).
```
   If a non-zero value of Max-Age Option is received by a DOTS client,
   it MUST issue a GET request  to retrieve
   the current and acceptable configuration before the expiry of the
   value enclosed in the Max-Age option.
```

thanks,
Kaname
On 2018/09/04 15:55, Konda, Tirumaleswar Reddy wrote:
Hi Kaname,

Please see inline [TR3]

From: kaname nishizuka <kaname@nttv6.jp><mailto:kaname@nttv6.jp>
Sent: Tuesday, September 4, 2018 11:01 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com><mailto:TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

Please see inline [kaname2]
On 2018/09/03 16:32, Konda, Tirumaleswar Reddy wrote:
Hi Kaname,

Please see inline [TR2]

From: kaname nishizuka <kaname@nttv6.jp><mailto:kaname@nttv6.jp>
Sent: Monday, September 3, 2018 12:46 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com><mailto:TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,

Please see inline.
On 2018/08/28 22:42, Konda, Tirumaleswar Reddy wrote:
Hi Kaname,

Please see inline.

From: Dots <dots-bounces@ietf.org><mailto:dots-bounces@ietf.org> On Behalf Of kaname nishizuka
Sent: Tuesday, August 28, 2018 1:58 PM
To: dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] I-D Action: draft-ietf-dots-signal-channel-23.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi,

I did a review on -23 of the signal channel draft:





1. [correction] GET request can be without 'sid' Uri-Path parameter.

<

   If a non-zero value of Max-Age Option is received by a DOTS client,

   it MUST issue a GET request with 'sid' Uri-Path parameter to retrieve

   the current and acceptable configuration before the expiry of the

   value enclosed in the Max-Age option.

>

   If a non-zero value of Max-Age Option is received by a DOTS client,

   it MUST issue a GET request to retrieve

   the current and acceptable configuration before the expiry of the

   value enclosed in the Max-Age option.



[TR] The proposed line is not correct. The client has to use GET request with ‘sid’ to refresh the configuration parameters it had previously negotiated.

[kaname]The client can get current values by GET request without 'sid' (4.5.1).



[TR2] Yes.



It seems that it hasn't been specified in the draft that previously negotiated configuration parameters are returned only by GET request with ‘sid’.



[TR2] No, GET request without ‘sid’ will not refresh the previously negotiated configuration parameters but will return the current, min and max values.

[kaname2] I'm still confused. GET request with and without ‘sid’ can get the current, min and max values.



[TR3] Yes.



 Why the draft exclude GET request without ‘sid’. In this case, what does "refresh" exactly mean? What will happen on the DOTS server side in both with and without 'sid' cases?



[TR3] Refresh is way for the client to learn the confirmation parameters updated by the server and for the server refresh the configuration after the validity time of the configuration. ‘sid’ is a mandatory parameter to create and refresh the configuration (please see the discussion we had with Jon and you https://mailarchive.ietf.org/arch/msg/dots/GJnWZTiiREjxZ_4SZEmRJVRI51M)



2. [proposal] Adding trigger-mitigation to several example figures about mitigation request



[TR] The default value of trigger-mitigation is ‘true’, I don’t see the need to explicitly convey the attribute in the mitigation request.

 [kaname] yes, but I've thought it makes the example more helpful because "trigger-mitigation" is important concept in mitigation request. To feed examples with "trigger-mitigation": false is also fine for me.



[TR2] Agree it’s a critical parameter and is discussed in detail in the specification but don’t want to confuse readers by adding the default value of “trigger-mitigation”: true to the example.

[kaname2] OK, we are on the same page and I understood.



[TR3] Thanks.



-Tiru



-Tiru


regards,
kaname



-Tiru



Figure 7.

{

 "ietf-dots-signal-channel:mitigation-scope": {

   "scope": [

     {

       "target-prefix": [

          "2001:db8:6401::1/128",

          "2001:db8:6401::2/128"

        ],

       "target-port-range": [

         {

           "lower-port": 80

         },

         {

           "lower-port": 443

         },

         {

            "lower-port": 8080

         }

        ],

        "target-protocol": [

          6

        ],

       "lifetime": 3600,

       "trigger-mitigation": true

     }

   ]

 }

}



Figure 8.

A1                                      # map(1)

   01                                   # unsigned(1)

   A1                                   # map(1)

      02                                # unsigned(2)

      81                                # array(1)

         A5                             # map(5)

            06                          # unsigned(6)

            82                          # array(2)

               74                       # text(20)

                  323030313A6462383A363430313A3A312F313238 # "2001:db8:6401::1/128"

               74                       # text(20)

                  323030313A6462383A363430313A3A322F313238 # "2001:db8:6401::2/128"

            07                          # unsigned(7)

            83                          # array(3)

               A1                       # map(1)

                  08                    # unsigned(8)

                  18 50                 # unsigned(80)

               A1                       # map(1)

                  08                    # unsigned(8)

                  19 01BB               # unsigned(443)

               A1                       # map(1)

                  08                    # unsigned(8)

                  19 1F90               # unsigned(8080)

            0A                          # unsigned(10)

            81                          # array(1)

               06                       # unsigned(6)

            0E                          # unsigned(14)

            19 0E10                     # unsigned(3600)

            18 2D                       # unsigned(45)

            F5                          # primitive(21)





thanks,

Kaname


On 2018/08/17 21:28, mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> wrote:

Hi all,



This version follows the recommendations from the core WG:

* Move Hop-Limit text to a separate I-D: I-D.boucadair-core-hop-limit.

* Abandon the use of 3.00, but use 5.03 instead.



The good news is that these changes are straightforward and do not hold publication because I-D.boucadair-core-hop-limit is not a normative reference.



We also updated the text to reflect the recent publication of RFC8446 (TLS 1.3). Changes are tweaked to be aligned with the discussion with Benjamin (thanks).



Chairs, the token is yours now :)



Cheers,

Med



-----Message d'origine-----

De : I-D-Announce [mailto:i-d-announce-bounces@ietf.org] De la part de

internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

Envoyé : vendredi 17 août 2018 14:19

À : i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>

Cc : dots@ietf.org<mailto:dots@ietf.org>

Objet : I-D Action: draft-ietf-dots-signal-channel-23.txt





A New Internet-Draft is available from the on-line Internet-Drafts

directories.

This draft is a work item of the DDoS Open Threat Signaling WG of the IETF.



        Title           : Distributed Denial-of-Service Open Threat Signaling

(DOTS) Signal Channel Specification

        Authors         : Tirumaleswar Reddy

                          Mohamed Boucadair

                          Prashanth Patil

                          Andrew Mortensen

                          Nik Teague

  Filename        : draft-ietf-dots-signal-channel-23.txt

  Pages           : 87

  Date            : 2018-08-17



Abstract:

   This document specifies the DOTS signal channel, a protocol for

   signaling the need for protection against Distributed Denial-of-

   Service (DDoS) attacks to a server capable of enabling network

   traffic mitigation on behalf of the requesting client.



   A companion document defines the DOTS data channel, a separate

   reliable communication layer for DOTS management and configuration

   purposes.



Editorial Note (To be removed by RFC Editor)



   Please update these statements within the document with the RFC

   number to be assigned to this document:



   o  "This version of this YANG module is part of RFC XXXX;"



   o  "RFC XXXX: Distributed Denial-of-Service Open Threat Signaling

      (DOTS) Signal Channel Specification";



   o  "| [RFCXXXX] |"



   o  reference: RFC XXXX



   Please update TBD statements with the port number to be assigned to

   DOTS Signal Channel Protocol.



   Also, please update the "revision" date of the YANG module.





The IETF datatracker status page for this draft is:

https://datatracker.ietf.org/doc/draft-ietf-dots-signal-channel/



There are also htmlized versions available at:

https://tools.ietf.org/html/draft-ietf-dots-signal-channel-23

https://datatracker.ietf.org/doc/html/draft-ietf-dots-signal-channel-23



A diff from the previous version is available at:

https://www.ietf.org/rfcdiff?url2=draft-ietf-dots-signal-channel-23





Please note that it may take a couple of minutes from the time of submission

until the htmlized version and diff are available at tools.ietf.org.



Internet-Drafts are also available by anonymous FTP at:

ftp://ftp.ietf.org/internet-drafts/



_______________________________________________

I-D-Announce mailing list

I-D-Announce@ietf.org<mailto:I-D-Announce@ietf.org>

https://www.ietf.org/mailman/listinfo/i-d-announce

Internet-Draft directories: http://www.ietf.org/shadow.html

or ftp://ftp.ietf.org/ietf/1shadow-sites.txt



_______________________________________________

Dots mailing list

Dots@ietf.org<mailto:Dots@ietf.org>

https://www.ietf.org/mailman/listinfo/dots







_______________________________________________

Dots mailing list

Dots@ietf.org<mailto:Dots@ietf.org>

https://www.ietf.org/mailman/listinfo/dots