Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1
tirumal reddy <kondtir@gmail.com> Thu, 15 October 2020 06:47 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92CA43A12F8; Wed, 14 Oct 2020 23:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48jj3YESqAtU; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8188B3A12F7; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id d20so2958435iop.10; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=77bvwYX4GzV5nvZFhIqlm8vXaMxKwnUSEQJKUING1P8=; b=FpbzrwymX7/JPsBLmPKvudAdne8cEaHHXBpRi3nuyEZyxIzyMCuBGSMEOFGgrAgZMp XlOQYPJNkjCGKTf8/As0NgD4Nvnn8z9nXF9PHgwu8ZOBYkRHmbuFsNXGmmsFMxDfNumF XMVxe/vfo5IS8vgTISz1yBA6sZmsVEYmYWcySbOec1OYgq+bbSbiYyfWEBAdOhhWTwd3 H6OiU4Qf5KsFRWGh0171C6cGE5CRPWg5FPyZG6gmmihYQ49luoNA3RGR5jeK/R/JuFWd Ml8iPbFeKwO9FaDJwEwvYzzUGssuK7R9cBrzY7B82GpQUBigy5pXES/Thkb4hnNzD5Z7 YZaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=77bvwYX4GzV5nvZFhIqlm8vXaMxKwnUSEQJKUING1P8=; b=najQybU4dSKA8oqFMso1rrg9AHgnqhq98Madp4vtpH+GwEqvGwIJmEwKDkrtqN1ez1 5lEL7X5Mx1aeYLloblvKBcrDpi5oAuS4tzuZZD5Gn7Zy6mLumCdBMHhaSVvNM2RR/XYv ueP6l+D+7kqBd9RWRT3dMJEpzGR/1oBAI/ib7bu0QEAQB+34rnkN/nb27+bemGKTE9TH rnxFCQ4vOQiFGGce2DVuV/P+GXvs+Y0qsV0AB5ZfBUu6WxvZz7uSNRdSxg62bDsEnbcO +BjOHSyzkz3WLh3LeoFjrDMBNv1b2JOjQVcIK8/kNai6Ae84OUNQHJoc+uj6zPHEDmtC utyw==
X-Gm-Message-State: AOAM533eOpwemhofFlafKyrZdRyjHEdEIylHuGphuXwJDznjXOdizGFz bcUG0Jnp4g+q+novUPhOQcGX80ec5/5TowYhq/w=
X-Google-Smtp-Source: ABdhPJxT9WPzcKmApzgzbg5nSFaNXJ/JnhpnTjv0f6IIJXS5kHCgyvr3T3zKqorysi1M7vTYFM+YpBC3FJ/BZCboFOI=
X-Received: by 2002:a02:94cd:: with SMTP id x71mr2315379jah.124.1602744418607; Wed, 14 Oct 2020 23:46:58 -0700 (PDT)
MIME-Version: 1.0
References: <7048_1602675845_5F86E485_7048_112_3_787AE7BB302AE849A7480A190F8B93303155FF8F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <7048_1602675845_5F86E485_7048_112_3_787AE7BB302AE849A7480A190F8B93303155FF8F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 15 Oct 2020 12:16:47 +0530
Message-ID: <CAFpG3gfDseNiLxQ3J8RkoKCzkiu1HtnU=PQWVWq-H-FvP85xfg@mail.gmail.com>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-signal-call-home.all@ietf.org" <draft-ietf-dots-signal-call-home.all@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bca77105b1b003af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/wGztrWWHF15qTqr1FhGMj7UUwVo>
Subject: Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 06:47:03 -0000
On Wed, 14 Oct 2020 at 17:14, <mohamed.boucadair@orange.com> wrote: > Hi Ben, > > Thank you for the detailed review. > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > Envoyé : mercredi 14 octobre 2020 01:08 > > À : draft-ietf-dots-signal-call-home.all@ietf.org > > Cc : dots@ietf.org > > Objet : AD evaluation of draft-ietf-dots-signal-call-home-09 > > > > Hi all, > > > > Nothing super-earth-shattering in here, but there's enough that > > we'll need a revised I-D and some more WG input before I'm ready to > > start the IETF LC. > > > > -Ben > > > > > > YANG lint says: > > > > ietf-dots-call-home@2020-07-07.yang:11: warning: imported module > > "ietf-dots-signal-channel" not used > > > > AFAICT that's a yanglint bug, since we do augment nodes from the > > signal channel. > > [Med] Yes, it is a pyang issue. We have a similar warning for RFC8791 > (where sx is defined): > > == > $ pyang -f tree --tree-print-structures example-module-aug\@2020-07-07.yang > example-module-aug@2020-07-07.yang:9: warning: imported module > "example-module" not used > module: example-module-aug > > augment-structure /exm:address-book/exm:address: > +-- county? string > +-- zipcode? string > == > > > > > I see that this document has a few IPR notices against it; in > > particular, the one at https://datatracker.ietf.org/ipr/3318/ does > > not list any licensing terms ("Unwilling to Commit to the Provisions > > of a), b), or c) Above", where a/b/c are "no license needed for > > implementation"/"RAND with no fee"/"RAND with possible fee"). > > I believe we are working to see if the situation can be clarified > > and the IPR disclosure updated, but I don't know that we need to > > delay any progress until that has occurred. That said, personally, > > I'm not very comfortable about a protocol that potentially is > > encumbered by IPR with unknown license terms. However, I am willing > > to at least advance the document to IETF LC if there is clear WG > > support for doing so, even knowing that use of the protocol would > > potentially be subject to arbitrary terms from the IPR holder. I > > would really like to hear from the WG members on this point. > > [Med] Actually, there is only one IPR disclosure (3328) that is directly > made for the document. Some more information below: > * The two IPR disclosures (3318/3337) were made in early stages of the > development of the individual submission, especially before WG adoption. > * 3328 is not a new disclosure but an update of 3337 to point to the > wg-adopted version. A note was sent to the chairs to inform them about the > update. > * I'm not sure that IPR disclosures are transitive. 3318 is not filled > directly against draft-ietf-dots-signal-call-home. > > > > > I mention it in the section-by-section comments, but we introduce > > the possibility of "wait for administrator approval" in the > > mitigation-request processing pipeline, which could exceed a normal > > CoAP request timeout. I think we need to have some substantive text > > discussion the expected behavior in this case. > > [Med] There is no request timeout because a request that requires an admin > validation can be first replied with attack-mitigation-in-progress status. > If the request is then rejected by the admin, the status will change to > attack-mitigation-withdrawn with conflict-status set to the new code > "mitigation-request-rejected" defined in the document. > > Will add more text. > > > > > Section 1.1 > > > > Some of the DDoS attacks like spoofed RST or FIN packets, > > Slowloris, > > and Transport Layer Security (TLS) re-negotiation are difficult > > to > > detect on a home network device without adversely affecting its > > > > (side note) TLS renegotiation as an attack is just keeping a TLS > > connection open and repeatedly re-negotiating to cause the server to > > burn CPU on signing operations? > > [Med] Yes. > > I don't think I've heard of that > > one before. > > [Med] Some DoS tools are supporting this, but I don't have data about > recent attacks exploiting it. Unless there is an objection (Tiru?), I would > remove the example as we don't need to be exhaustive anyway. > SSL renegotiation is a popular DDoS attack, see https://blog.radware.com/security/ssl/2020/08/ssl-protective-technology-turned-attack-vector/ -Tiru > > > > Section 1.2 > > > > 'DOTS signal channel Call Home' (or DOTS Call Home, for short) > > refers > > to a DOTS signal channel established at the initiative of a DOTS > > server. That is, the DOTS server initiates a secure connection > > to a > > DOTS client, and uses that connection to receive the attack > > traffic > > information (e.g., attack sources) from the DOTS client. More > > details are provided in Section 3. > > > > I think this introductory section needs to be crystal clear for the > > reader about the relationship between the "conventional" signal > > channel DOTS client and the corresponding call home DOTS client for > > a given mitigation process. Some people will expect both things > > with "client" > > in the name to be on the same device, and some people will expect > > the (call home) client to be the device that makes mitigation > > requests, but both cannot be right. The phrase "role reversal" > > might be useful in describing these interpretations, as might a > > forward reference to section 1.4. (Yes, I understand that there is > > no need for either DOTS call home peer to be colocated with any base > > signal channel element, but I think that the default scenario in > > many readers' minds will be the simple role-reversal setup.) > > > > [Med] The NEW text is as follows: > > NEW: > 'DOTS signal channel Call Home' (or DOTS Call Home, for short) refers > to a DOTS signal channel established at the initiative of a DOTS > server thanks to a role reversal at the (D)TLS layer (Section 3.1). > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > That is, the DOTS server initiates a secure connection to a DOTS > client, and uses that connection to receive the attack traffic > information (e.g., attack sources) from the DOTS client. > > DOTS agents involved in the DOTS Call Home adhere to the DOTS roles > as defined in [RFC8612]. For clarity, this document uses "Call Home > DOTS client" (or "Call Home DOTS server") to refer to a DOTS client > (or DOTS server) deployed in a Call Home scenario (Figure 1). DOTS > Call Home agents may (or not) be co-located with DOTS agents that are > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > compliant with [I-D.ietf-dots-rfc8782-bis] (see Section 1.4 for more > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > details). > > > > Section 1.3 > > > > It's a little unfortunate that we are using the "DMS" acronym in the > > figure here, when we only mention the terminology of RFC 8612 in > > section 2. (That said, I'm willing to leave it as-is for now and > > see if anyone > > complains.) > > [Med] Added this NEW text to the terminology section: > > DDoS Mitigation System (DMS) refers to a system that performs DDoS > mitigation. > > > > > Section 3.1 > > > > The DOTS signal channel Call Home preserves all but one of the > > DOTS > > client/server roles in the DOTS protocol stack, as compared to > > DOTS > > client-initiated DOTS signal channel protocol > > > > I suppose one could quibble about whether "party allowed to behave > > passively with respect to heartbeats" qualifies as a "client/server > > role" ... I think I'm okay leaving this as-is for now, though. > > > > For example, a home network element (e.g., home router) co- > > located > > with a Call Home DOTS server is the (D)TLS server. However, when > > > > Figure 7 has a box labelled "Call Home DOTS server" and also "(D)TLS > > client" (not server). At first I thought this was trying to make an > > analogy to a (normal) signal channel DOTS server as being the (D)TLS > > server, but that would not be in a home network element. So maybe > > this is just a typo? > > [Med] This is a typo in the text. The figure is correct. Thanks for > catching this. > > > > > calling home, the DOTS server initially assumes the role of the > > (D)TLS client, but the network element's role as a DOTS server > > > > We may want to continue using "DOTS Call Home server" in these two > > lines. > > [Med] OK. > > > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez > recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and > delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > >
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… mohamed.boucadair
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… Benjamin Kaduk
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… tirumal reddy
- Re: [Dots] AD evaluation of draft-ietf-dots-signa… tirumal reddy