IETF Logo Mail Archive

Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1

tirumal reddy <kondtir@gmail.com> Thu, 15 October 2020 06:47 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92CA43A12F8; Wed, 14 Oct 2020 23:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48jj3YESqAtU; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8188B3A12F7; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id d20so2958435iop.10; Wed, 14 Oct 2020 23:46:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=77bvwYX4GzV5nvZFhIqlm8vXaMxKwnUSEQJKUING1P8=; b=FpbzrwymX7/JPsBLmPKvudAdne8cEaHHXBpRi3nuyEZyxIzyMCuBGSMEOFGgrAgZMp XlOQYPJNkjCGKTf8/As0NgD4Nvnn8z9nXF9PHgwu8ZOBYkRHmbuFsNXGmmsFMxDfNumF XMVxe/vfo5IS8vgTISz1yBA6sZmsVEYmYWcySbOec1OYgq+bbSbiYyfWEBAdOhhWTwd3 H6OiU4Qf5KsFRWGh0171C6cGE5CRPWg5FPyZG6gmmihYQ49luoNA3RGR5jeK/R/JuFWd Ml8iPbFeKwO9FaDJwEwvYzzUGssuK7R9cBrzY7B82GpQUBigy5pXES/Thkb4hnNzD5Z7 YZaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=77bvwYX4GzV5nvZFhIqlm8vXaMxKwnUSEQJKUING1P8=; b=najQybU4dSKA8oqFMso1rrg9AHgnqhq98Madp4vtpH+GwEqvGwIJmEwKDkrtqN1ez1 5lEL7X5Mx1aeYLloblvKBcrDpi5oAuS4tzuZZD5Gn7Zy6mLumCdBMHhaSVvNM2RR/XYv ueP6l+D+7kqBd9RWRT3dMJEpzGR/1oBAI/ib7bu0QEAQB+34rnkN/nb27+bemGKTE9TH rnxFCQ4vOQiFGGce2DVuV/P+GXvs+Y0qsV0AB5ZfBUu6WxvZz7uSNRdSxg62bDsEnbcO +BjOHSyzkz3WLh3LeoFjrDMBNv1b2JOjQVcIK8/kNai6Ae84OUNQHJoc+uj6zPHEDmtC utyw==
X-Gm-Message-State: AOAM533eOpwemhofFlafKyrZdRyjHEdEIylHuGphuXwJDznjXOdizGFz bcUG0Jnp4g+q+novUPhOQcGX80ec5/5TowYhq/w=
X-Google-Smtp-Source: ABdhPJxT9WPzcKmApzgzbg5nSFaNXJ/JnhpnTjv0f6IIJXS5kHCgyvr3T3zKqorysi1M7vTYFM+YpBC3FJ/BZCboFOI=
X-Received: by 2002:a02:94cd:: with SMTP id x71mr2315379jah.124.1602744418607; Wed, 14 Oct 2020 23:46:58 -0700 (PDT)
MIME-Version: 1.0
References: <7048_1602675845_5F86E485_7048_112_3_787AE7BB302AE849A7480A190F8B93303155FF8F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <7048_1602675845_5F86E485_7048_112_3_787AE7BB302AE849A7480A190F8B93303155FF8F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 15 Oct 2020 12:16:47 +0530
Message-ID: <CAFpG3gfDseNiLxQ3J8RkoKCzkiu1HtnU=PQWVWq-H-FvP85xfg@mail.gmail.com>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-signal-call-home.all@ietf.org" <draft-ietf-dots-signal-call-home.all@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bca77105b1b003af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/wGztrWWHF15qTqr1FhGMj7UUwVo>
Subject: Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 06:47:03 -0000

On Wed, 14 Oct 2020 at 17:14, <mohamed.boucadair@orange.com> wrote:

> Hi Ben,
>
> Thank you for the detailed review.
>
> Please see inline.
>
> Cheers,
> Med
>
> > -----Message d'origine-----
> > De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> > Envoyé : mercredi 14 octobre 2020 01:08
> > À : draft-ietf-dots-signal-call-home.all@ietf.org
> > Cc : dots@ietf.org
> > Objet : AD evaluation of draft-ietf-dots-signal-call-home-09
> >
> > Hi all,
> >
> > Nothing super-earth-shattering in here, but there's enough that
> > we'll need a revised I-D and some more WG input before I'm ready to
> > start the IETF LC.
> >
> > -Ben
> >
> >
> > YANG lint says:
> >
> > ietf-dots-call-home@2020-07-07.yang:11: warning: imported module
> > "ietf-dots-signal-channel" not used
> >
> > AFAICT that's a yanglint bug, since we do augment nodes from the
> > signal channel.
>
> [Med] Yes, it is a pyang issue. We have a similar warning for RFC8791
> (where sx is defined):
>
> ==
> $ pyang -f tree --tree-print-structures example-module-aug\@2020-07-07.yang
> example-module-aug@2020-07-07.yang:9: warning: imported module
> "example-module" not used
> module: example-module-aug
>
>   augment-structure /exm:address-book/exm:address:
>     +-- county?    string
>     +-- zipcode?   string
> ==
>
> >
> > I see that this document has a few IPR notices against it; in
> > particular, the one at https://datatracker.ietf.org/ipr/3318/ does
> > not list any licensing terms ("Unwilling to Commit to the Provisions
> > of a), b), or c) Above", where a/b/c are "no license needed for
> > implementation"/"RAND with no fee"/"RAND with possible fee").
> > I believe we are working to see if the situation can be clarified
> > and the IPR disclosure updated, but I don't know that we need to
> > delay any progress until that has occurred.  That said, personally,
> > I'm not very comfortable about a protocol that potentially is
> > encumbered by IPR with unknown license terms.  However, I am willing
> > to at least advance the document to IETF LC if there is clear WG
> > support for doing so, even knowing that use of the protocol would
> > potentially be subject to arbitrary terms from the IPR holder.  I
> > would really like to hear from the WG members on this point.
>
> [Med] Actually, there is only one IPR disclosure (3328) that is directly
> made for the document. Some more information below:
> * The two IPR disclosures (3318/3337) were made in early stages of the
> development of the individual submission, especially before WG adoption.
> * 3328 is not a new disclosure but an update of 3337 to point to the
> wg-adopted version. A note was sent to the chairs to inform them about the
> update.
> * I'm not sure that IPR disclosures are transitive. 3318 is not filled
> directly against draft-ietf-dots-signal-call-home.
>
> >
> > I mention it in the section-by-section comments, but we introduce
> > the possibility of "wait for administrator approval" in the
> > mitigation-request processing pipeline, which could exceed a normal
> > CoAP request timeout.  I think we need to have some substantive text
> > discussion the expected behavior in this case.
>
> [Med] There is no request timeout because a request that requires an admin
> validation can be first replied with attack-mitigation-in-progress status.
> If the request is then rejected by the admin, the status will change to
> attack-mitigation-withdrawn with conflict-status set to the new code
> "mitigation-request-rejected" defined in the document.
>
> Will add more text.
>
> >
> > Section 1.1
> >
> >    Some of the DDoS attacks like spoofed RST or FIN packets,
> > Slowloris,
> >    and Transport Layer Security (TLS) re-negotiation are difficult
> > to
> >    detect on a home network device without adversely affecting its
> >
> > (side note) TLS renegotiation as an attack is just keeping a TLS
> > connection open and repeatedly re-negotiating to cause the server to
> > burn CPU on signing operations?
>
> [Med] Yes.
>
>   I don't think I've heard of that
> > one before.
>
> [Med] Some DoS tools are supporting this, but I don't have data about
> recent attacks exploiting it. Unless there is an objection (Tiru?), I would
> remove the example as we don't need to be exhaustive anyway.
>

SSL renegotiation is a popular DDoS attack, see
https://blog.radware.com/security/ssl/2020/08/ssl-protective-technology-turned-attack-vector/


-Tiru


> >
> > Section 1.2
> >
> >    'DOTS signal channel Call Home' (or DOTS Call Home, for short)
> > refers
> >    to a DOTS signal channel established at the initiative of a DOTS
> >    server.  That is, the DOTS server initiates a secure connection
> > to a
> >    DOTS client, and uses that connection to receive the attack
> > traffic
> >    information (e.g., attack sources) from the DOTS client.  More
> >    details are provided in Section 3.
> >
> > I think this introductory section needs to be crystal clear for the
> > reader about the relationship between the "conventional" signal
> > channel DOTS client and the corresponding call home DOTS client for
> > a given mitigation process.  Some people will expect both things
> > with "client"
> > in the name to be on the same device, and some people will expect
> > the (call home) client to be the device that makes mitigation
> > requests, but both cannot be right.  The phrase "role reversal"
> > might be useful in describing these interpretations, as might a
> > forward reference to section 1.4.  (Yes, I understand that there is
> > no need for either DOTS call home peer to be colocated with any base
> > signal channel element, but I think that the default scenario in
> > many readers' minds will be the simple role-reversal setup.)
> >
>
> [Med] The NEW text is as follows:
>
> NEW:
>    'DOTS signal channel Call Home' (or DOTS Call Home, for short) refers
>    to a DOTS signal channel established at the initiative of a DOTS
>    server thanks to a role reversal at the (D)TLS layer (Section 3.1).
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    That is, the DOTS server initiates a secure connection to a DOTS
>    client, and uses that connection to receive the attack traffic
>    information (e.g., attack sources) from the DOTS client.
>
>    DOTS agents involved in the DOTS Call Home adhere to the DOTS roles
>    as defined in [RFC8612].  For clarity, this document uses "Call Home
>    DOTS client" (or "Call Home DOTS server") to refer to a DOTS client
>    (or DOTS server) deployed in a Call Home scenario (Figure 1).  DOTS
>    Call Home agents may (or not) be co-located with DOTS agents that are
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    compliant with [I-D.ietf-dots-rfc8782-bis] (see Section 1.4 for more
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    details).
>
>
> > Section 1.3
> >
> > It's a little unfortunate that we are using the "DMS" acronym in the
> > figure here, when we only mention the terminology of RFC 8612 in
> > section 2.  (That said, I'm willing to leave it as-is for now and
> > see if anyone
> > complains.)
>
> [Med] Added this NEW text to the terminology section:
>
>    DDoS Mitigation System (DMS) refers to a system that performs DDoS
>    mitigation.
>
> >
> > Section 3.1
> >
> >    The DOTS signal channel Call Home preserves all but one of the
> > DOTS
> >    client/server roles in the DOTS protocol stack, as compared to
> > DOTS
> >    client-initiated DOTS signal channel protocol
> >
> > I suppose one could quibble about whether "party allowed to behave
> > passively with respect to heartbeats" qualifies as a "client/server
> > role" ... I think I'm okay leaving this as-is for now, though.
> >
> >    For example, a home network element (e.g., home router) co-
> > located
> >    with a Call Home DOTS server is the (D)TLS server.  However, when
> >
> > Figure 7 has a box labelled "Call Home DOTS server" and also "(D)TLS
> > client" (not server).  At first I thought this was trying to make an
> > analogy to a (normal) signal channel DOTS server as being the (D)TLS
> > server, but that would not be in a home network element.  So maybe
> > this is just a typo?
>
> [Med] This is a typo in the text. The figure is correct. Thanks for
> catching this.
>
> >
> >    calling home, the DOTS server initially assumes the role of the
> >    (D)TLS client, but the network element's role as a DOTS server
> >
> > We may want to continue using "DOTS Call Home server" in these two
> > lines.
>
> [Med] OK.
>
>
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez
> recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.
>
>

v2.23.0 | Report a Bug | By Email